aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
main-8.0.x
main
main-7.0.x
master-6.0.x
master-5.0.x
master-4.1.x
master-4.0.x
master-3.2.x
suricata-8.0.1
suricata-7.0.12
suricata-8.0.0
suricata-7.0.11
suricata-8.0.0-rc1
suricata-8.0.0-beta1
suricata-7.0.10
suricata-7.0.9
suricata-7.0.8
suricata-7.0.7
suricata-7.0.6
suricata-6.0.20
suricata-7.0.5
suricata-6.0.19
suricata-6.0.18
suricata-7.0.4
suricata-6.0.17
suricata-7.0.3
suricata-6.0.16
suricata-7.0.2
suricata-6.0.15
suricata-7.0.1
suricata-6.0.14
suricata-7.0.0
suricata-7.0.0-rc2
suricata-6.0.13
suricata-6.0.12
suricata-6.0.11
suricata-7.0.0-rc1
suricata-6.0.10
suricata-6.0.9
suricata-7.0.0-beta1
suricata-6.0.8
suricata-6.0.7
suricata-6.0.6
suricata-5.0.10
suricata-6.0.5
suricata-5.0.9
suricata-6.0.4
suricata-5.0.8
suricata-6.0.3
suricata-5.0.7
suricata-6.0.2
suricata-5.0.6
suricata-6.0.1
suricata-5.0.5
suricata-4.1.10
suricata-4.1.9
suricata-5.0.4
suricata-6.0.0
suricata-6.0.0-rc1
suricata-6.0.0-beta1
suricata-5.0.3
suricata-4.1.8
suricata-4.1.7
suricata-5.0.2
suricata-4.1.6
suricata-5.0.1
suricata-5.0.0
suricata-5.0.0-rc1
suricata-4.1.5
suricata-5.0.0-beta1
suricata-4.1.4
suricata-4.1.3
suricata-4.0.7
suricata-4.1.2
suricata-4.1.1
suricata-4.1.0
suricata-4.0.6
suricata-4.1.0-rc2
suricata-4.1.0-rc1
suricata-4.0.5
suricata-4.1.0-beta1
suricata-4.0.4
suricata-4.0.3
suricata-4.0.2
suricata-3.2.5
suricata-4.0.1
suricata-3.2.4
suricata-4.0.0
suricata-4.0.0-rc2
suricata-3.2.3
suricata-4.0.0-rc1
suricata-4.0.0-beta1
suricata-3.2.2
suricata-3.1.4
suricata-3.2.1
suricata-3.2
suricata-3.2RC1
suricata-3.1.3
suricata-3.2beta1
suricata-3.1.2
suricata-3.1.1
suricata-3.1
suricata-3.0.2
suricata-3.1RC1
suricata-3.0.1
suricata-3.0.1RC1
suricata-3.0
suricata-2.0.11
suricata-3.0RC3
suricata-3.0RC2
suricata-3.0RC1
suricata-2.0.10
suricata-2.0.9
suricata-2.1beta4
suricata-2.0.8
suricata-2.0.7
suricata-2.1beta3
suricata-2.0.6
suricata-2.0.5
suricata-2.1beta2
suricata-2.0.4
suricata-2.1beta1
suricata-2.0.3
suricata-2.0.2
suricata-2.0.1
suricata-2.0.1rc1
suricata-2.0
suricata-2.0rc3
suricata-2.0rc2
suricata-2.0rc1
suricata-2.0beta2
suricata-1.4.7
suricata-1.4.6
suricata-1.4.5
suricata-2.0beta1
suricata-1.4.4
suricata-1.4.3
suricata-1.4.2
suricata-1.4.1
suricata-1.3.6
suricata-1.4
suricata-1.3.5
suricata-1.4rc1
suricata-1.3.4
suricata-1.4beta3
suricata-1.3.3
suricata-1.4beta2
suricata-1.3.2
suricata-1.4beta1
suricata-1.3.1
suricata-1.3
suricata-1.3rc1
suricata-1.3beta2
suricata-1.3beta1
suricata-1.2.1
suricata-1.2
suricata-1.2rc1
suricata-1.2beta1
suricata-1.1.1
suricata-0.8.2
suricata-1.0.0
suricata-1.0.1
suricata-1.0.2
suricata-1.0.3
suricata-1.0.4
suricata-1.0.5
suricata-1.1
suricata-1.1beta1
suricata-1.1beta2
suricata-1.1beta3
suricata-1.1rc1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'd62a212fa2'
${ noResults }
suricata/doc/userguide/rule-management/oinkmaster.rst

188 lines
4.6 KiB
ReStructuredText
Raw Blame History

Rule Management with Oinkmaster
===============================
It is possible to download and install rules manually, but there is a
much easier and quicker way to do so. There are special programs which
you can use for downloading and installing rules. There is for example
`Pulled Pork <https://github.com/shirkdog/pulledpork>`_ and
`Oinkmaster <http://oinkmaster.sourceforge.net/>`_. In this documentation
the use of Oinkmaster will be described.
To install Oinkmaster, enter:
::
sudo apt-get install oinkmaster
There are several rulesets. There is for example Emerging Threats (ET)
Emerging Threats Pro and VRT. In this example we are using Emerging
Threats.
Oinkmaster has to know where the rules an be found. These rules can be found at:
::
https://rules.emergingthreats.net/open/suricata-3.2/emerging.rules.tar.gz
open oinkmaster.conf to add this link by entering:
::
sudo nano /etc/oinkmaster.conf
Place a # in front of the url that is already there and add the new url like this:
.. image:: oinkmaster/oinkmasterconf.png
(Close oinkmaster.conf by pressing ctrl x, followed by y and enter. )
The next step is to create a directory for the new rules. Enter:
::
sudo mkdir /etc/suricata/rules
Next enter:
::
cd /etc
sudo oinkmaster -C /etc/oinkmaster.conf -o /etc/suricata/rules
In the new rules directory a classification.config and a
reference.config can be found. The directories of both have to be
added in the suricata.yaml file. Do so by entering:
::
sudo nano /etc/suricata/suricata.yaml
And add the new file locations instead of the file locations already
present, like this:
.. image:: oinkmaster/suricata_yaml.png
To see if everything works as pleased, run Suricata:
::
suricata -c /etc/suricata/suricata.yaml -i wlan0 (or eth0)
You will notice there are several rule-files Suricata tries to load,
but are not available. It is possible to disable those rule-sets in
suricata.yaml by deleting them or by putting a # in front of them. To
stop Suricata from running, press ctrl c.
Emerging Threats contains more rules than loaded in Suricata. To see
which rules are available in your rules directory, enter:
::
ls /etc/suricata/rules/*.rules
Find those that are not yet present in suricata.yaml and add them in
yaml if desired.
You can do so by entering :
::
sudo nano /etc/suricata/suricata.yaml
If you disable a rule in your rule file by putting a # in front of it,
it will be enabled again the next time you run Oinkmaster. You can
disable it through Oinkmaster instead, by entering the following:
::
cd /etc/suricata/rules
and find the sid of the rule(s) you want to disable.
Subsequently enter:
::
sudo nano /etc/oinkmaster.conf
and go all the way to the end of the file.
Type there:
::
disablesid 2010495
Instead of 2010495, type the sid of the rule you would like to
disable. It is also possible to disable multiple rules, by entering
their sids separated by a comma.
If you run Oinkmaster again, you can see the amount of rules you have
disabled. You can also enable rules that are disabled by default. Do
so by entering:
::
ls /etc/suricata/rules
In this directory you can see several rule-sets
Enter for example:
::
sudo nano /etc/suricata/rules/emerging-malware.rules
In this file you can see which rules are enabled en which are not.
You can not enable them for the long-term just by simply removing
the #. Because each time you will run Oinkmaster, the rule will be
disabled again. Instead, look up the sid of the rule you want to
enable. Place the sid in the correct place of oinkmaster.config:
::
sudo nano /etc/oinkmaster.conf
do so by typing:
::
enablesid: 2010495
Instead of 2010495, type the sid of the rule you would like to to
enable. It is also possible to enable multiple rules, by entering
their sids separated by a comma.
In oinkmaster.conf you can modify rules. For example, if you use
Suricata as inline/IPS and you want to modify a rule that sends an
alert when it matches and you would like the rule to drop the packet
instead, you can do so by entering the following:
::
sudo nano oinkmaster.conf
At the part where you can modify rules, type:
::
modifysid 2010495 “alert” | “drop”
The sid 2010495 is an example. Type the sid of the rule you desire to
change, instead.
Rerun Oinkmaster to notice the change.
Updating your rules
~~~~~~~~~~~~~~~~~~~
If you have already downloaded a ruleset (in the way described in this
file), and you would like to update the rules, enter:
::
sudo oinkmaster -C /etc/oinkmaster.conf -o /etc/suricata/rules
It is recommended to update your rules frequently. Emerging Threats is
modified daily, VRT is updated weekly or multiple times a week.
Reference in New Issue View Git Blame Copy Permalink