Messages - secooonder

#1
Hi, I have installed Suricata 4.1.4 on my Ubuntu server 18.4.
In suricata.yaml, the lines related to default-rule-path are:
Quote
default-rule-path: /var/lib/suricata/rules
rule-files:
- suricata.rules

##
## Advanced rule file configuration.
##
## If this section is completely commented out then your configuration
## is setup for suricata-update as it was most likely bundled and
## installed with Suricata.
##
default-rule-path: /etc/suricata/rules

rule-files:
- botcc.rules
- botcc.portgrouped.rules
- ciarmy.rules
- compromised.rules
- drop.rules
- dshield.rules
- emerging-activex.rules
- emerging-attack_response.rules
- emerging-chat.rules
- emerging-current_events.rules
- emerging-dns.rules
- emerging-dos.rules
- emerging-exploit.rules
- emerging-ftp.rules
- emerging-games.rules
- emerging-icmp_info.rules
- emerging-icmp.rules
- emerging-imap.rules
- emerging-inappropriate.rules
- emerging-info.rules
- emerging-malware.rules
- emerging-smtp.rules
- emerging-snmp.rules
- emerging-sql.rules
- emerging-telnet.rules
- emerging-tftp.rules
- emerging-trojan.rules
- emerging-user_agents.rules
- emerging-voip.rules
- emerging-web_client.rules


I run this command: sudo /usr/bin/suricata -D -c /etc/suricata/suricata.yaml -i eth0 --init-errors-fatal
The output is:
Quote
21/6/2019 -- 11:05:44 - <Info> - Configuration node 'default-rule-path' redefined.
21/6/2019 -- 11:05:44 - <Info> - Configuration node 'rule-files' redefined.
21/6/2019 -- 11:05:44 - <Notice> - This is Suricata version 4.1.4 RELEASE

1) Can I activate both suricata.rules and the emerging.rules from oinkmaster at the same time?
2) Which rule set is better?
3) When I run suricata-update, I get this output:
Quote
root@xxx:~# suricata-update
21/6/2019 -- 11:08:30 - <Info> -- Using data-directory /var/lib/suricata.
21/6/2019 -- 11:08:30 - <Info> -- Using Suricata configuration /etc/suricata/suricata.yaml
21/6/2019 -- 11:08:30 - <Info> -- Using /etc/suricata/rules for Suricata provided rules.
21/6/2019 -- 11:08:30 - <Info> -- Found Suricata version 4.1.4 at /usr/bin/suricata.
21/6/2019 -- 11:08:30 - <Info> -- Loading /etc/suricata/enable.conf.
21/6/2019 -- 11:08:30 - <Info> -- Loading /etc/suricata/suricata.yaml
21/6/2019 -- 11:08:30 - <Info> -- Disabling rules with proto modbus
21/6/2019 -- 11:08:30 - <Info> -- Disabling rules with proto enip
21/6/2019 -- 11:08:30 - <Info> -- Disabling rules with proto dnp3
21/6/2019 -- 11:08:30 - <Info> -- Checking https://rules.emergingthreats.net/open/suricata-4.1.4/emerging.rules.tar.gz.md5.
21/6/2019 -- 11:08:31 - <Info> -- Fetching https://rules.emergingthreats.net/open/suricata-4.1.4/emerging.rules.tar.gz.
100% - 2384995/2384995
21/6/2019 -- 11:08:34 - <Info> -- Done.
21/6/2019 -- 11:08:34 - <Info> -- Checking https://sslbl.abuse.ch/blacklist/sslblacklist.rules.md5.
21/6/2019 -- 11:08:34 - <Warning> -- Failed to check remote checksum: HTTP Error 404: Not Found
21/6/2019 -- 11:08:34 - <Info> -- Fetching https://sslbl.abuse.ch/blacklist/sslblacklist.rules.
100% - 842503/842503
21/6/2019 -- 11:08:35 - <Info> -- Done.
21/6/2019 -- 11:08:35 - <Info> -- Checking https://openinfosecfoundation.org/rules/trafficid/trafficid.rules.md5.
21/6/2019 -- 11:08:36 - <Warning> -- Failed to check remote checksum: HTTP Error 404: Not Found
21/6/2019 -- 11:08:36 - <Info> -- Fetching https://openinfosecfoundation.org/rules/trafficid/trafficid.rules.
100% - 9855/9855
21/6/2019 -- 11:08:37 - <Info> -- Done.
21/6/2019 -- 11:08:37 - <Info> -- Checking https://raw.githubusercontent.com/ptresearch/AttackDetection/master/pt.rules.tar.gz.md5.
21/6/2019 -- 11:08:37 - <Info> -- Remote checksum has not changed. Not fetching.
21/6/2019 -- 11:08:37 - <Info> -- Loading distribution rule file /etc/suricata/rules/app-layer-events.rules
21/6/2019 -- 11:08:37 - <Info> -- Loading distribution rule file /etc/suricata/rules/decoder-events.rules
21/6/2019 -- 11:08:37 - <Info> -- Loading distribution rule file /etc/suricata/rules/dnp3-events.rules
21/6/2019 -- 11:08:37 - <Info> -- Loading distribution rule file /etc/suricata/rules/dns-events.rules
21/6/2019 -- 11:08:37 - <Info> -- Loading distribution rule file /etc/suricata/rules/files.rules
21/6/2019 -- 11:08:37 - <Info> -- Loading distribution rule file /etc/suricata/rules/http-events.rules
21/6/2019 -- 11:08:37 - <Info> -- Loading distribution rule file /etc/suricata/rules/ipsec-events.rules
21/6/2019 -- 11:08:37 - <Info> -- Loading distribution rule file /etc/suricata/rules/kerberos-events.rules
21/6/2019 -- 11:08:37 - <Info> -- Loading distribution rule file /etc/suricata/rules/modbus-events.rules
21/6/2019 -- 11:08:37 - <Info> -- Loading distribution rule file /etc/suricata/rules/nfs-events.rules
21/6/2019 -- 11:08:37 - <Info> -- Loading distribution rule file /etc/suricata/rules/ntp-events.rules
21/6/2019 -- 11:08:37 - <Info> -- Loading distribution rule file /etc/suricata/rules/smb-events.rules
21/6/2019 -- 11:08:37 - <Info> -- Loading distribution rule file /etc/suricata/rules/smtp-events.rules
21/6/2019 -- 11:08:37 - <Info> -- Loading distribution rule file /etc/suricata/rules/stream-events.rules
21/6/2019 -- 11:08:37 - <Info> -- Loading distribution rule file /etc/suricata/rules/tls-events.rules
21/6/2019 -- 11:08:37 - <Info> -- Ignoring file rules/emerging-deleted.rules
21/6/2019 -- 11:08:40 - <Info> -- Loaded 28200 rules.
21/6/2019 -- 11:08:40 - <Info> -- Disabled 14 rules.
21/6/2019 -- 11:08:40 - <Info> -- Enabled 2030 rules.
21/6/2019 -- 11:08:40 - <Info> -- Modified 0 rules.
21/6/2019 -- 11:08:40 - <Info> -- Dropped 0 rules.
21/6/2019 -- 11:08:40 - <Info> -- Enabled 13 rules for flowbit dependencies.
21/6/2019 -- 11:08:40 - <Info> -- Backing up current rules.
21/6/2019 -- 11:08:43 - <Info> -- Writing rules to /var/lib/suricata/rules/suricata.rules: total: 28200; enabled: 25208; added: 18; removed 0; modified: 1249
21/6/2019 -- 11:08:47 - <Info> -- Done.

Does this command only look at the /var/lib/suricata/rules file?
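As an added example (not from the original post and not part of Suricata or suricata-update), the following Python script reads the two rule-file keys from a suricata.yaml the way Suricata resolves them: when the same top-level key appears twice, as it does when both the suricata-update block and the "Advanced rule file configuration" block are active, the later definition replaces the earlier one, which is what the "Configuration node ... redefined" messages in the post report. The sample YAML inside is constructed to mirror the post, and the `exists` parameter is a hypothetical hook so the check can be exercised without those files on disk.

```python
import os
import re

# Constructed sample mirroring the post: both rule blocks active, each key defined twice.
SAMPLE_YAML = """\
default-rule-path: /var/lib/suricata/rules
rule-files:
  - suricata.rules
## Advanced rule file configuration.
default-rule-path: /etc/suricata/rules
rule-files:
  - botcc.rules
  - emerging-malware.rules
"""

def parse_rule_config(text):
    """Return (definitions, effective): every occurrence of the two top-level keys in
    order, and the last definition of each, which is the one Suricata keeps."""
    definitions, current_list = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments; rule paths carry no '#'
        if not line.strip():
            continue                           # blank lines do not end a sequence
        m_path = re.match(r"^default-rule-path:\s*(\S+)$", line)
        m_item = re.match(r"^\s*-\s*(\S+)$", line)
        if m_path:
            definitions.append(("default-rule-path", m_path.group(1)))
            current_list = None
        elif line == "rule-files:":
            current_list = []
            definitions.append(("rule-files", current_list))
        elif m_item and current_list is not None:
            current_list.append(m_item.group(1))
        elif not line[0].isspace():            # another top-level key ends the list
            current_list = None
    return definitions, dict(definitions)

def effective_rule_files(text, exists=os.path.exists):
    """Resolve the files Suricata would load; report redefined keys and missing files."""
    definitions, effective = parse_rule_config(text)
    counts = {k: sum(1 for d in definitions if d[0] == k) for k, _ in definitions}
    base = effective.get("default-rule-path", "")
    paths = [f if os.path.isabs(f) else os.path.join(base, f)
             for f in effective.get("rule-files", [])]
    return {"redefined": sorted(k for k, n in counts.items() if n > 1),
            "paths": paths, "missing": [p for p in paths if not exists(p)]}

if __name__ == "__main__":
    for key, val in sorted(effective_rule_files(SAMPLE_YAML).items()):
        print(f"{key}: {val}")
```

Run it against a real /etc/suricata/suricata.yaml by passing its contents to `effective_rule_files`; a non-empty `redefined` list means the first block, including its suricata.rules entry, is not what Suricata loads.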