Update et open rules in air gapped environment

Started by rob9999, April 22, 2026, 11:04:21 AM

Hello community,

I am new to Suricata, so please excuse my questions. We are running Suricata 8.0.3 on an OPNsense fw in an air gapped environment and need some help. What is the best way to import the rules file from ET Open to Suricata?

We tried to copy the unzipped rule file (emerging-all.rules) into the path /usr/local/etc/suricate/opnsense.rules and /usr/local/etc/suricate/rules

The rule files are visible in the GUI, but in the Suricata logfile we see the following warnings: "1 rule files specified, but no rules were loaded!" and "No rule files match the pattern /usr/local/etc/suricata/opnsense.rules/suricata.rules"

We also tried to use the command suricata-update --local "path_to_rules_file" --output /usr/local/etc/suricate/opnsense.rules --no-test. The error message in the log file is still "1 rule files specified, but no rules were loaded!" and no rules are visible in the gui.

Thanks.

You've got a path and structure issue, not a rule problem.
Suricata on OPNsense expects rules inside a directory with a valid suricata.yaml reference, not a single file dropped randomly. Also your path has a typo: it should be /usr/local/etc/suricata/ (not suricate).
Quick fix:


Put your rules in: /usr/local/etc/suricata/rules/emerging-all.rules


Make sure suricata.yaml includes:
rule-files:
  - emerging-all.rules


Or better: use
suricata-update --local /path/to/emerging-all.rules


Then restart Suricata.
The error "no rules were loaded" usually means wrong path or rule-files not referenced, not that the rules themselves are invalid.
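
The path check described in the reply above, as an added example that is not part of the original posts and not OPNsense or Suricata code: it resolves each rule-files entry of a suricata.yaml against default-rule-path and reports whether a loadable file is there. The function names, status labels and the temporary demo files are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: list each rule-files entry of a suricata.yaml, resolved
# against default-rule-path, with a status showing whether it can be loaded.
# Assumption: entries are literal file names; glob patterns are not expanded.
check_rule_files() {
    yaml=$1
    base=$(awk '/^default-rule-path:/ { gsub(/"/, "", $2); print $2; exit }' "$yaml")
    entries=$(awk '
        /^rule-files:/ { in_list = 1; next }
        in_list && /^[ \t]*-[ \t]/ {
            sub(/^[ \t]*-[ \t]*/, ""); sub(/[ \t]*#.*$/, ""); gsub(/"/, "")
            sub(/[ \t]+$/, ""); print; next }
        in_list && /^[^ \t#]/ { in_list = 0 }' "$yaml")
    [ -n "$entries" ] || { echo "NO-ENTRIES $yaml"; return 1; }
    rc=0
    while IFS= read -r entry; do
        case $entry in
            /*) path=$entry ;;        # absolute entry: base is not applied
            *)  path=$base/$entry ;;
        esac
        if [ -d "$path" ]; then
            echo "IS-DIRECTORY $path"; rc=1
        elif [ ! -f "$path" ]; then
            echo "MISSING $path"; rc=1
        else
            # Count uncommented lines that begin with a rule action.
            n=$(grep -cE '^(alert|drop|pass|reject[a-z]*)[[:space:]]' "$path" || true)
            if [ "$n" -gt 0 ]; then echo "OK($n) $path"; else echo "EMPTY $path"; rc=1; fi
        fi
    done <<EOF
$entries
EOF
    return $rc
}

# Constructed demo of the thread's symptom: the ruleset was copied into the
# rule directory, but the configured name suricata.rules does not exist there.
demo() {
    d=$(mktemp -d "${TMPDIR:-/tmp}/rulecheck.XXXXXX")
    mkdir "$d/opnsense.rules"
    printf 'alert ip any any -> any any (msg:"constructed sample"; sid:1000001; rev:1;)\n' \
        > "$d/opnsense.rules/emerging-all.rules"
    printf 'default-rule-path: %s/opnsense.rules\nrule-files:\n  - suricata.rules\n' "$d" > "$d/before.yaml"
    printf 'default-rule-path: %s/opnsense.rules\nrule-files:\n  - emerging-all.rules\n' "$d" > "$d/after.yaml"
    check_rule_files "$d/before.yaml" || true   # reports MISSING for suricata.rules
    check_rule_files "$d/after.yaml" || true    # reports OK(1) for emerging-all.rules
    rm -rf "$d"
}
demo
```

On a real system the function would be pointed at the suricata.yaml that the running Suricata instance actually reads.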