It is possible to download and install rules by hand, but it is much easier and quicker to let a rule-management tool do it. Two such tools are Pulled Pork and Oinkmaster. Here I'm going to show how to install and use Oinkmaster.
To install Oinkmaster, enter:
sudo apt-get install oinkmaster
Several rulesets are available, among them Emerging Threats (ET) Open, ET Pro and VRT. In this example we use the free ET Open ruleset.
Oinkmaster needs to know where these rules can be found. The ET Open rules for Suricata are at:
http://rules.emergingthreats.net/open/suricata/emerging.rules.tar.gz
To tell Oinkmaster where to fetch the rules from, open oinkmaster.conf:
sudo nano /etc/oinkmaster.conf
Then add this line:
url = http://rules.emergingthreats.net/open/suricata/emerging.rules.tar.gz
Note that this URL is plain HTTP, so anyone on the network path between you and the rules server could swap the ruleset for one of their own. Prefer an https:// URL where the rules server offers one.
The unpacked ruleset contains two files, classification.config and reference.config. The paths of both need to be added to suricata.yaml. Do so by entering:
sudo nano /etc/suricata/suricata.yaml
Add these two lines:
classification-file: /etc/suricata/rules/classification.config
reference-config-file: /etc/suricata/rules/reference.config
Let's run Oinkmaster, pointing it at the config file and at the directory Suricata reads rules from:
sudo oinkmaster -C /etc/oinkmaster.conf -o /etc/suricata/rules
The rules are now located in /etc/suricata/rules. Suricata only picks them up at start or on a rule reload, so restart it or send it a reload after each update.
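Putting the steps above together, here is an added shell helper (not from the original page, the Suricata wiki, or Oinkmaster itself) that applies the oinkmaster.conf and suricata.yaml edits idempotently, warns when the rules URL is plain http, and, after Oinkmaster has fetched the tarball, checks the new ruleset with `suricata -T` before signalling the running Suricata to reload. The function names, the environment-variable overrides and the `apply` argument are this example's own conventions, not Oinkmaster or Suricata ones.

```shell
#!/bin/sh
# Added example helper for the Oinkmaster + Suricata procedure above.
# Function names, env-var overrides and the "apply" argument are this
# example's own choices (assumptions), not Oinkmaster/Suricata conventions.

RULES_URL="${RULES_URL:-http://rules.emergingthreats.net/open/suricata/emerging.rules.tar.gz}"
OINK_CONF="${OINK_CONF:-/etc/oinkmaster.conf}"
SURI_YAML="${SURI_YAML:-/etc/suricata/suricata.yaml}"
RULES_DIR="${RULES_DIR:-/etc/suricata/rules}"

# Append "$line" to "$file" unless that exact line is already present, so the
# script can be re-run without stacking duplicate url= / classification lines.
ensure_line() {
    file=$1
    line=$2
    if grep -qxF -- "$line" "$file" 2>/dev/null; then
        return 0
    fi
    printf '%s\n' "$line" >> "$file"
}

# Step 1: tell Oinkmaster where the ruleset lives. A plain-http URL is
# accepted (it is what the page uses) but flagged: on-path tampering with
# the tarball would hand Suricata an attacker-chosen ruleset.
configure_oinkmaster() {
    conf=$1
    url=$2
    case "$url" in
        https://*) ;;
        http://*)  echo "warning: rules URL is plain http, ruleset can be tampered with in transit: $url" >&2 ;;
        *)         echo "unsupported rules URL scheme: $url" >&2; return 1 ;;
    esac
    ensure_line "$conf" "url = $url"
}

# Step 2: point suricata.yaml at the classification/reference files that the
# unpacked tarball provides in the rules directory.
configure_suricata() {
    yaml=$1
    dir=$2
    ensure_line "$yaml" "classification-file: $dir/classification.config"
    ensure_line "$yaml" "reference-config-file: $dir/reference.config"
}

# Step 3: fetch and unpack the ruleset, then make sure the new rules actually
# parse (suricata -T) before asking the running daemon to reload them
# (SIGUSR2 is Suricata's live rule-reload signal). A broken ruleset is left
# on disk for inspection but never pushed into the running sensor.
update_rules() {
    oinkmaster -C "$OINK_CONF" -o "$RULES_DIR" || return 1
    if ! suricata -T -c "$SURI_YAML"; then
        echo "new ruleset failed 'suricata -T'; not reloading" >&2
        return 1
    fi
    pkill -USR2 -x suricata || echo "suricata not running; rules load at next start" >&2
}

if [ "${1:-}" = "apply" ]; then
    configure_oinkmaster "$OINK_CONF" "$RULES_URL"
    configure_suricata "$SURI_YAML" "$RULES_DIR"
    update_rules
fi
```

Run it as root with `sh update-rules.sh apply` to perform the whole procedure; without the argument it only defines the functions. If your suricata.yaml already carries classification-file / reference-config-file keys (some packages ship them pointing at /etc/suricata/), change those values instead of appending a second copy of the key.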