Different directories for different purposes.

/usr/share/suricata/rules holds read-only rules that are provided with the Suricata package. These rules typically alert on anomalies while decoding packets and protocols. They remain static for a particular Suricata release, which is why they are placed in /usr/share - this is a pretty common practice under Linux (and Unix-like systems).

/var/lib/suricata is where suricata-update places rules that change periodically, such as rulesets that you may download/update on a daily basis.

Suricata-Update will load all the engine-provided rules from /usr/share/…, then go through and load rules from configured sources and output the full set into /var/lib/suricata/rules/suricata.rules, which Suricata then reads. Think of this file as the compiled set of all rules Suricata-Update knows about.
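As an added example (not part of the post above, and not a Suricata or suricata-update tool), a small POSIX shell script that checks the two locations the post describes: that the package rules directory is not writable, that the merged suricata.rules exists, how many rules in it are enabled versus commented out, and how long ago suricata-update last rewrote it. The default paths are the ones named in the post; the function names and the rule-action keyword list are assumptions for this illustration.

```shell
#!/bin/sh
# Constructed example: sanity-check the Suricata rule layout described above.
# Defaults are the paths from the post; override via environment if needed.
RULES_STATIC="${RULES_STATIC:-/usr/share/suricata/rules}"
RULES_MERGED="${RULES_MERGED:-/var/lib/suricata/rules/suricata.rules}"

# count_rules FILE MODE: MODE is "enabled" (active rule lines) or
# "disabled" (rules commented out with a leading '#'). Assumes rules
# start with one of the common action keywords listed below.
count_rules() {
    file=$1; mode=$2
    case $mode in
        enabled)  grep -Ec '^[[:space:]]*(alert|drop|pass|reject)[[:space:]]' "$file" || true ;;
        disabled) grep -Ec '^[[:space:]]*#[[:space:]]*(alert|drop|pass|reject)[[:space:]]' "$file" || true ;;
        *) echo "unknown mode: $mode" >&2; return 1 ;;
    esac
}

# age_days FILE: whole days since FILE was last modified. A stale merged
# file means suricata-update has not run recently (GNU and BSD stat).
age_days() {
    now=$(date +%s)
    mtime=$(stat -c %Y "$1" 2>/dev/null || stat -f %m "$1")
    echo $(( (now - mtime) / 86400 ))
}

# check_layout: report on both locations; returns 1 if the merged file is missing.
check_layout() {
    printf 'Static engine rules in %s:\n' "$RULES_STATIC"
    ls "$RULES_STATIC"/*.rules 2>/dev/null || echo '  (none found)'
    if [ -w "$RULES_STATIC" ]; then
        echo '  WARNING: directory is writable; package-provided rules should stay read-only'
    fi
    if [ ! -f "$RULES_MERGED" ]; then
        echo "Merged ruleset $RULES_MERGED missing: run suricata-update first" >&2
        return 1
    fi
    printf 'Merged ruleset %s: %s enabled, %s disabled, last written %s day(s) ago\n' \
        "$RULES_MERGED" "$(count_rules "$RULES_MERGED" enabled)" \
        "$(count_rules "$RULES_MERGED" disabled)" "$(age_days "$RULES_MERGED")"
}

# Run the report when invoked with "run"; sourcing the file only defines the functions.
if [ "${1:-}" = "run" ]; then check_layout; fi
```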