List: oisf-users
Subject: Re: [Oisf-users] Updating suricata rules
From: David Wharton <oisf () davidwharton ! us>
Date: 2017-10-30 15:49:23
Message-ID: f9691c57-bebd-4746-c59f-4e60c4fdcd73 () davidwharton ! us
You can also use rulecat (part of py-idstools --
https://github.com/jasonish/py-idstools) or Pulled Pork
(https://github.com/shirkdog/pulledpork).
I like rulecat for Suricata rules since it is straightforward and
written in Python.
-David
On 10/30/2017 11:08 AM, dbogenre wrote:
>
> There are at least two other ways of which I'm aware you can use for
> rule management (full disclosure, I wrote one of them):
>
> Scirius (Scirius Community Edition is a web interface dedicated to
> Suricata ruleset management. It handles the rules file and update
> associated files.):
>
> https://github.com/StamusNetworks/scirius
>
> Mob-Boss (Github centric no frills rule management especially for
> clustered environments):
>
> https://github.com/codeweaver33/mob-boss
>
>
> *Dillon Bogenreif*
> University Information Security
> University of Minnesota
> dbogenre@umn.edu
> 612-624-5762 (office)
> GWAPT, GPEN
> On 10/25/2017 02:52 PM, dev wrote:
>> Hi,
>> I usually update my rules with oinkmaster. I am getting errors[1] today
>> because the "disablesid" lines in oinkmaster.conf are no longer in the
>> downloaded ruleset. I don't think Oinkmaster is a suricata project
>> so I will forego asking about that here and rather ask:
>>
>> What is the best way to stay current to update rules for suricata?
>> Thanks
>>
>>
>> [1]
>> # oinkmaster -vC /etc/oinkmaster.conf -o /etc/suricata/rules
>> ...
>> Processing downloaded rules...
>> disablesid 11, enablesid 0, modifysid 0, localsid 0, total rules 24093
>> WARNING: attempt to use "disablesid" on non-existent SID 2522828
>> ...
>> WARNING: attempt to use "disablesid" on non-existent SID 2523106
>> WARNING: attempt to use "disablesid" on non-existent SID 2522234
>>
>> _______________________________________________
>> Suricata IDS Users mailing list: oisf-users@openinfosecfoundation.org
>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>
>> Conference: https://suricon.net
>> Trainings: https://suricata-ids.org/training/
>
>
>
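A small script, added here as an illustration and not taken from the thread, from py-idstools/rulecat or from oinkmaster, that applies oinkmaster-style disablesid entries to a Suricata rules file and reports which entries point at SIDs that are no longer in the ruleset, which is exactly the warning the original post hit. The rule lines, SIDs 9000001-9000003 and the conf fragment are constructed; the two stale SIDs are taken from the quoted warnings.

```python
"""Apply oinkmaster-style 'disablesid' entries to a Suricata rules file and report
entries whose SID is no longer in the ruleset. Constructed illustration, not code
from the thread, py-idstools or oinkmaster."""
import re

# A rule line: optional leading '#', action, ..., (... sid:NNN; rev:N;)
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
RULE_RE = re.compile(r"^\s*#?\s*(alert|drop|pass|reject)\b")

def parse_disablesid(conf_text: str) -> set[int]:
    """Collect SIDs from 'disablesid N[, N...]' lines (oinkmaster.conf style).
    Assumes plain SID lists; ranges and wildcards are not handled here."""
    sids: set[int] = set()
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()       # drop trailing comments
        if line.startswith("disablesid"):
            for part in line[len("disablesid"):].replace(",", " ").split():
                if part.isdigit():
                    sids.add(int(part))
    return sids

def apply_disablesid(rules_text: str, disable: set[int]) -> tuple[str, set[int]]:
    """Comment out every rule whose SID is in `disable`. Returns the rewritten
    ruleset and the SIDs that were not found, i.e. the stale entries that make
    oinkmaster print 'attempt to use "disablesid" on non-existent SID'."""
    out, seen = [], set()
    for line in rules_text.splitlines():
        m = SID_RE.search(line)
        if m and RULE_RE.match(line):
            sid = int(m.group(1))
            seen.add(sid)
            if sid in disable and not line.lstrip().startswith("#"):
                line = "# " + line
        out.append(line)
    return "\n".join(out) + "\n", disable - seen

# Constructed sample ruleset and oinkmaster.conf fragment (SIDs 9000001-9000003
# are made up; 2522828 and 2523106 are the stale SIDs from the quoted warnings).
SAMPLE_RULES = """\
alert tcp any any -> any 80 (msg:"SAMPLE one"; sid:9000001; rev:1;)
alert tcp any any -> any 443 (msg:"SAMPLE two"; sid:9000002; rev:2;)
# alert udp any any -> any 53 (msg:"SAMPLE already off"; sid:9000003; rev:1;)
"""
SAMPLE_CONF = "disablesid 9000002\ndisablesid 2522828, 2523106  # removed upstream\n"

def stale_disablesid_report() -> tuple[str, list[int]]:
    """Apply SAMPLE_CONF to SAMPLE_RULES; returns (new ruleset, stale SIDs)."""
    new_rules, missing = apply_disablesid(SAMPLE_RULES, parse_disablesid(SAMPLE_CONF))
    return new_rules, sorted(missing)
```

Running `stale_disablesid_report()` returns the ruleset with SID 9000002 commented out and the stale list `[2522828, 2523106]`, which is the set of disablesid lines that can be pruned from the conf after an upstream ruleset drops them.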