I am new to Suricata so please excuse my questions. We are running Suricata 8.0.3 on an OPNsense fw in an air-gapped environment and need some help. What is the best way to import the rules file from ET Open to Suricata?
We tried to copy the unzipped rule file (emerging-all.rules) into the path /usr/local/etc/suricate/opnsense.rules and /usr/local/etc/suricate/rules
The rule files are visible in the GUI but in the Suricata logfile we see the following warning: "1 rule files specified, but no rules were loaded!" and "No rule files math the pattern /usr/local/etc/suricata/opnsense.rules/suricata.rules"
We also tried to use the command suricata-update --local "path_to_rules_file" --output /usr/local/etc/suricate/opnsense.rules --no-test. The error message in the log file is still "1 rule files specified, but no rules were loaded!" and no rules are visible in the GUI.
Use the custom file that has been updated for 26.x and the suricata config, specify your own implementation/path to the ET Open rules file, and restart as necessary
Further… OPNSense has their own Policy feature for managing the updating, enabling, and light modification to the rules. It works okay if it can access publicly viewable files.
The Suricata package for the OPNSense has suricata-update by default which works much better… and I am late to update the following guide for 26.x but if you read through it you likely can not only understand OPNSense and Suricata better, but you should be able to improve how suricata uses rules. Extra - suricata-update allows you to edit via regex rules, it is quite nice.
Once you are managing your disable/enable/updates/drops rules via suricata-update, you can go further and have your rules output to one file (plus a few extra files usually), have a Suricata Docker container create the rules file(s) and make it available to your air-gapped router. This will take extra scripts, but this is what I've done, and now the same rules file and extra files are downloaded for Suricata on more than just my OPNsense. Good luck!
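As an added illustration of the offline workflow the reply describes (not code from the thread, from OPNsense or from suricata-update itself): a small Python model of what suricata-update does with a local ET Open file, its disable.conf/enable.conf selectors (bare sid or `re:` regex), and a single merged `suricata.rules` written into the output directory. The sample rules, SIDs and the `/tmp/opnsense.rules` path are constructed for the example; the precedence of enable over disable is this model's assumption, so check it against the suricata-update docs before relying on it.

```python
import re
from pathlib import Path

# Constructed sample in ET Open style; the SIDs and messages are made up for this example.
SAMPLE_RULES = """\
# Emerging Threats (constructed sample)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"ET SCAN Constructed SSH probe"; sid:9000001; rev:1;)
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Constructed user-agent"; sid:9000002; rev:2;)
alert dns any any -> any any (msg:"ET INFO Constructed DNS lookup"; sid:9000003; rev:1;)
"""

SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")

def parse_rules(text):
    """Return [{'enabled', 'sid', 'body'}] per rule line; a '#rule' line is a disabled rule."""
    rules = []
    for line in text.splitlines():
        stripped = line.strip()
        body = stripped.lstrip("#").strip()
        m = SID_RE.search(body)
        if not body or not m:  # blank line, or an ordinary comment with no sid
            continue
        rules.append({"enabled": not stripped.startswith("#"), "sid": int(m.group(1)), "body": body})
    return rules

def _matcher(selector):
    """Selector is a bare sid ('9000003') or a regex ('re:ET INFO'), as in disable.conf/enable.conf."""
    if selector.startswith("re:"):
        pat = re.compile(selector[3:])
        return lambda r: bool(pat.search(r["body"]))
    sid = int(selector)
    return lambda r: r["sid"] == sid

def apply_filters(rules, disable=(), enable=()):
    """Apply disable selectors, then enable selectors (assumption: enable wins on overlap)."""
    dis = [_matcher(s) for s in disable]
    ena = [_matcher(s) for s in enable]
    for r in rules:
        if any(m(r) for m in dis):
            r["enabled"] = False
        if any(m(r) for m in ena):
            r["enabled"] = True
    return rules

def write_merged(rules, outdir):
    """Write one suricata.rules into outdir; return (path, number of enabled rules)."""
    outdir = Path(outdir)
    outdir.mkdir(parents=True, exist_ok=True)
    path = outdir / "suricata.rules"  # the filename Suricata looked for in the question's log line
    path.write_text("".join(("" if r["enabled"] else "# ") + r["body"] + "\n" for r in rules))
    return path, sum(r["enabled"] for r in rules)

if __name__ == "__main__":
    merged = apply_filters(parse_rules(SAMPLE_RULES), disable=["re:ET INFO"], enable=["9000002"])
    print(write_merged(merged, "/tmp/opnsense.rules"))  # constructed output directory
```

A zero enabled-rule count from `write_merged` is the same condition the log line "no rules were loaded" reports, so it is a cheap check to run on the merged file before copying it across the air gap.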