"/var/lib/suricata/rules" directory or "/usr/share/suricata/rules/" directory?

Different directories for different purposes.

/usr/share/suricata/rules contains the read-only rules that are provided with the Suricata package. These rules typically alert on anomalies while decoding packets and protocols. They remain static for a particular Suricata release, which is why they are placed in /usr/share - this is a pretty common practice under Linux (and unix-like systems).

/var/lib/suricata is where suricata-update places rules that change periodically, such as rulesets that you may download/update on a daily basis.

Suricata-Update will load all the engine provided rules from /usr/share/…, then go through and load rules from configured sources and output the full set into /var/lib/suricata/rules/suricata.rules, which Suricata then reads. Think of this file as the compiled set of all rules Suricata-Update knows about.
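An added example (not from the original post or from the suricata-update project) that audits the result of that merge: it reads the sids from the engine-provided directory and from the compiled suricata.rules, and reports shipped rules that are missing from, or disabled in, the compiled file. The directory and file names are taken from the answer above; the rule lines and sids are constructed placeholders.

```python
import re
import tempfile
from pathlib import Path

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")

def load_sids(path):
    """Map each sid in a .rules file to True (enabled) or False (commented out)."""
    sids = {}
    for line in Path(path).read_text().splitlines():
        line = line.strip()
        if not line:
            continue
        m = SID_RE.search(line)
        if m:  # comment lines without a sid are ignored
            sids[int(m.group(1))] = not line.startswith("#")
    return sids

def audit(engine_dir, compiled_file):
    """Compare engine-provided rules (/usr/share/...) with the compiled suricata.rules."""
    engine = {}
    for f in sorted(Path(engine_dir).glob("*.rules")):
        engine.update(load_sids(f))
    compiled = load_sids(compiled_file)
    return {
        "engine_sids": len(engine),
        "compiled_sids": len(compiled),
        # shipped rules that never made it into the compiled file
        "missing": sorted(s for s in engine if s not in compiled),
        # shipped rules that were enabled but are disabled after the merge
        "disabled": sorted(s for s, on in engine.items() if on and compiled.get(s) is False),
    }

def demo():
    """Run audit() on constructed sample files; sids are placeholders, not real rules."""
    rule = 'alert ip any any -> any any (msg:"constructed rule {0}"; sid:{0}; rev:1;)'
    with tempfile.TemporaryDirectory() as tmp:
        engine = Path(tmp, "usr_share_rules")  # stands in for /usr/share/suricata/rules
        engine.mkdir()
        (engine / "decoder-events.rules").write_text(
            "\n".join(rule.format(s) for s in (9000001, 9000002, 9000003)) + "\n")
        compiled = Path(tmp, "suricata.rules")  # stands in for /var/lib/suricata/rules/suricata.rules
        compiled.write_text("\n".join([
            rule.format(9000001),         # shipped rule, kept as-is
            "# " + rule.format(9000002),  # shipped rule, disabled during the merge
            rule.format(9100001),         # rule from a downloaded source
        ]) + "\n")                        # 9000003 is absent: flagged as missing
        return audit(engine, compiled)

if __name__ == "__main__":
    print(demo())
```

Point `audit()` at the two real paths from the answer to check a live installation.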
