"/var/lib/suricata/rules" directory or "/usr/share/suricata/rules/" directory?

Hello,
In my Suricata-IDS configuration I defined the rules path as below:

default-rule-path: /var/lib/suricata/rules

But why is the “suricata-update” command looking at “/usr/share/suricata/rules/”?

# suricata-update 
6/10/2020 -- 20:14:46 - <Info> -- Using data-directory /var/lib/suricata.
6/10/2020 -- 20:14:46 - <Info> -- Using Suricata configuration /etc/suricata/suricata.yaml
6/10/2020 -- 20:14:46 - <Info> -- Using /usr/share/suricata/rules for Suricata provided rules.
6/10/2020 -- 20:14:46 - <Info> -- Found Suricata version 5.0.3 at /sbin/suricata.
6/10/2020 -- 20:14:46 - <Info> -- Loading /etc/suricata/suricata.yaml
6/10/2020 -- 20:14:46 - <Info> -- Disabling rules for protocol modbus
6/10/2020 -- 20:14:46 - <Info> -- Disabling rules for protocol dnp3
6/10/2020 -- 20:14:46 - <Info> -- Disabling rules for protocol enip
6/10/2020 -- 20:14:46 - <Info> -- No sources configured, will use Emerging Threats Open
6/10/2020 -- 20:14:46 - <Info> -- Last download less than 15 minutes ago. Not downloading https://rules.emergingthreats.net/open/suricata-5.0.3/emerging.rules.tar.gz.
6/10/2020 -- 20:14:46 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/app-layer-events.rules
6/10/2020 -- 20:14:46 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/decoder-events.rules
6/10/2020 -- 20:14:46 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/dhcp-events.rules
6/10/2020 -- 20:14:46 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/dnp3-events.rules
6/10/2020 -- 20:14:46 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/dns-events.rules
6/10/2020 -- 20:14:46 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/files.rules
6/10/2020 -- 20:14:46 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/http-events.rules
6/10/2020 -- 20:14:46 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/ipsec-events.rules
6/10/2020 -- 20:14:46 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/kerberos-events.rules
6/10/2020 -- 20:14:46 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/modbus-events.rules
6/10/2020 -- 20:14:46 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/nfs-events.rules
6/10/2020 -- 20:14:46 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/ntp-events.rules
6/10/2020 -- 20:14:46 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/smb-events.rules
6/10/2020 -- 20:14:46 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/smtp-events.rules
6/10/2020 -- 20:14:46 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/stream-events.rules
6/10/2020 -- 20:14:46 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/tls-events.rules
6/10/2020 -- 20:14:46 - <Info> -- Ignoring file rules/emerging-deleted.rules
6/10/2020 -- 20:14:49 - <Info> -- Loaded 28008 rules.
6/10/2020 -- 20:14:49 - <Info> -- Disabled 14 rules.
6/10/2020 -- 20:14:49 - <Info> -- Enabled 0 rules.
6/10/2020 -- 20:14:49 - <Info> -- Modified 0 rules.
6/10/2020 -- 20:14:49 - <Info> -- Dropped 0 rules.
6/10/2020 -- 20:14:49 - <Info> -- Enabled 145 rules for flowbit dependencies.
6/10/2020 -- 20:14:49 - <Info> -- Backing up current rules.
6/10/2020 -- 20:14:52 - <Info> -- Writing rules to /var/lib/suricata/rules/suricata.rules: total: 28008; enabled: 21041; added: 0; removed 0; modified: 0
6/10/2020 -- 20:14:52 - <Info> -- No changes detected, exiting.

What is the correct directory?

Thank you.

Different directories for different purposes.

/usr/share/suricata/rules are read-only rules that are provided with the Suricata package. These rules typically alert on anomalies while decoding packets and protocols. They remain static for a particular Suricata release, which is why they are placed in /usr/share - this is a pretty common practice under Linux (and unix-like systems).

/var/lib/suricata is where suricata-update places rules that change periodically, such as rulesets that you may download/update on a daily basis.

Suricata-Update will load all the engine-provided rules from /usr/share/…, then go through and load rules from configured sources and output the full set into /var/lib/suricata/rules/suricata.rules, which Suricata then reads. Think of this file as the compiled set of all rules Suricata-Update knows about.

2 Likes

Thus, it is OK and the configuration is OK too?

Which directory must be used for extra rules?

Whether it’s okay depends on what you want to achieve. Jason explained the different purposes; you need to decide which is the right one for your use case.

There is no directory for extra rules; just make sure that the configured directory contains the rules you want to have active.

2 Likes

I know this is a little late; however, the directory for “extra rules” is defined in the update.yaml config file. See the “local” example config file here: https://suricata-update.readthedocs.io/en/latest/update.html#example-configuration-file-etc-suricata-update-yaml

These static/custom rules will be loaded in addition to any sources defined.

1 Like
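The flow Jason describes (engine rules from /usr/share, configured sources, everything written to /var/lib/suricata/rules/suricata.rules) and the “local” source from the last reply, as an added check that is not code from the thread or from Suricata: it reads default-rule-path and rule-files from suricata.yaml to find the file Suricata actually loads, reads the local: list from update.yaml, and confirms that every sid from the local rule file is present in the compiled file. Paths are the ones quoted in the thread; the files demo() creates are constructed, and its cat only stands in for the merge suricata-update performs.

```sh
#!/bin/sh
# Added example (not code from the thread or from Suricata): checks that the
# file suricata-update writes (default-rule-path + first rule-files entry in
# suricata.yaml) is the one Suricata reads, and that rules from a "local:"
# source in update.yaml made it into that file. demo() builds a constructed
# tree; its "cat" only stands in for the merge suricata-update performs.

rule_path_from_yaml() {   # print default-rule-path from a suricata.yaml
  sed -n 's/^default-rule-path:[[:space:]]*//p' "$1" | head -n 1
}

first_rule_file() {       # print the first entry of rule-files in a suricata.yaml
  awk '/^rule-files:/ {f=1; next}
       f && /^[ \t]*-/ {sub(/^[ \t]*-[ \t]*/, ""); print; exit}
       f && /^[^ \t]/ {exit}' "$1"
}

compiled_rules_path() {   # full path of the rule file Suricata will load
  printf '%s/%s\n' "$(rule_path_from_yaml "$1")" "$(first_rule_file "$1")"
}

local_sources() {         # print the files listed under "local:" in update.yaml
  awk '/^local:/ {f=1; next}
       f && /^[ \t]*-/ {sub(/^[ \t]*-[ \t]*/, ""); print; next}
       f && /^[^ \t]/ {f=0}' "$1"
}

local_rules_compiled() {  # succeed if every sid in $1 appears in compiled file $2
  for sid in $(sed -n 's/.*sid:[[:space:]]*\([0-9][0-9]*\);.*/\1/p' "$1"); do
    grep -Eq "sid:[[:space:]]*$sid;" "$2" || return 1
  done
}

demo() {
  d=$(mktemp -d)
  mkdir -p "$d/etc/suricata/rules" "$d/var/lib/suricata/rules"
  printf 'default-rule-path: %s/var/lib/suricata/rules\nrule-files:\n  - suricata.rules\n' \
    "$d" > "$d/etc/suricata/suricata.yaml"
  printf 'local:\n  - %s/etc/suricata/rules/local.rules\n' "$d" > "$d/etc/suricata/update.yaml"
  echo 'alert tcp any any -> any any (msg:"LOCAL test rule"; sid:1000001; rev:1;)' \
    > "$d/etc/suricata/rules/local.rules"
  out=$(compiled_rules_path "$d/etc/suricata/suricata.yaml")
  for f in $(local_sources "$d/etc/suricata/update.yaml"); do cat "$f"; done > "$out"
  local_rules_compiled "$d/etc/suricata/rules/local.rules" "$out"
}

demo && echo "local rules present in the file Suricata reads"
```

Run the same three functions against the real /etc/suricata/suricata.yaml, /etc/suricata/update.yaml and the local rule file after suricata-update; a failing local_rules_compiled means Suricata will not see those rules.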