rulecat

Synopsis

idstools-rulecat [OPTIONS]

Description

idstools-rulecat aims to be a simple to use rule download and management tool for Suricata. It can also be used for Snort when no SO rule stub generation is required.

Options

-h, --help

Show help.

-v, --verbose

Be more verbose.

-t <directory>, --temp-dir=<directory>

Temporary working directory (default: /var/tmp/idstools-rulecat). This is where downloaded files will be stored.

--suricata=<path>

The path to the Suricata program, used to determine which version of the ET pro rules to download if not explicitly set in a --url.

--force

Force remote rule files to be downloaded even if they otherwise wouldn't be, either because they were downloaded recently or because the remote checksum matches the cached copy.

-o

The directory where individual rule files will be written. One of -o or --merged is required.

--yaml-fragment=<filename.yaml>

Output a fragment of YAML containing the rule-files section, with all downloaded rule files listed, for inclusion in your suricata.yaml.

--merged=<filename>

Write a single file containing all rules. This can be used in addition to -o or instead of -o.

--url=<url>

A URL to download rules from. This option can be used multiple times.

--etopen

Download the ET open ruleset. This is the default if --url or --etpro are not provided.

If --etpro or --url is also specified, this option adds the ET open URL to the list of remote rulesets to be downloaded.

--etpro=<code>

Download the ET pro ruleset using the provided code.

--sid-msg-map=<filename>

Output a v1 style sid-msg.map file.

--sid-msg-map-2=<filename>

Output a v2 style sid-msg.map file.

-q, --quiet

Run quietly. Only warning and error messages will be displayed.

--dump-sample-configs

Output sample configuration files for the --disable, --enable, --modify and --threshold-in commands.

--disable=<disable.conf>

Specify the configuration file for disabling rules.

--enable=<enable.conf>

Specify the configuration file for enabling rules.

--modify=<modify.conf>

Specify the configuration file for rule modifications.

--threshold-in=<threshold.conf.in>

Specify the threshold.conf input template.

--threshold-out=<threshold.conf>

Specify the name of the processed threshold.conf to output.

--post-hook=<command>

A command to run after the rules have been updated; it will not run if no change to the output files was made. For example:

--post-hook=sudo kill -USR2 $(cat /var/run/suricata.pid)

will tell Suricata to reload its rules.

Examples

Download ET open rules for the version of Suricata found on the path, saving the rules in /etc/suricata/rules:

idstools-rulecat -o /etc/suricata/rules

Download ET pro rules for the version of Suricata found on the path, saving the rules in /etc/suricata/rules:

idstools-rulecat --etpro XXXXXXXXXXXXXXXX -o /etc/suricata/rules

Download ET open rules plus an additional rule file and save the rules in /etc/suricata/rules:

idstools-rulecat --etopen \
    --url https://sslbl.abuse.ch/blacklist/sslblacklist.rules \
    -o /etc/suricata/rules

Configuration File

Command line arguments can be put in a file, one per line, and used as a configuration file. By default, idstools-rulecat will look for a file in the current directory named rulecat.conf.

Example configuration file:

--suricata=/usr/sbin/suricata
--merged=rules/merged.rules
--disable=disable.conf
--enable=enable.conf
--modify=modify.conf
--post-hook=sudo kill -USR2 $(cat /var/run/suricata.pid)
--etpro=XXXXXXXXXXXXXXXX
--url=https://sslbl.abuse.ch/blacklist/sslblacklist.rules

If rulecat.conf is in the current directory it will be used just by calling idstools-rulecat with no arguments. Otherwise you can point idstools-rulecat at a configuration with the command idstools-rulecat @/path/to/rulecat.conf.
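As an added illustration (not idstools' own code), the one-argument-per-line format above can be reproduced with Python's argparse "@file" convention, which is what the idstools-rulecat @/path/to/rulecat.conf form corresponds to; the example assumes rulecat reads the file that way and only covers the options that appear in the sample file.

```python
import argparse
import os
import tempfile

# Constructed rulecat.conf matching the documented format: one argument per
# line. This is an added illustration, not idstools' own code; it assumes
# rulecat reads @files the way Python's argparse does, which the documented
# "idstools-rulecat @/path/to/rulecat.conf" form suggests.
CONF_TEXT = """\
--suricata=/usr/sbin/suricata
--merged=rules/merged.rules
--disable=disable.conf
--enable=enable.conf
--modify=modify.conf
--post-hook=sudo kill -USR2 $(cat /var/run/suricata.pid)
--etpro=XXXXXXXXXXXXXXXX
--url=https://sslbl.abuse.ch/blacklist/sslblacklist.rules
"""


def build_parser():
    """Parser for the subset of documented options used in the example file."""
    parser = argparse.ArgumentParser(prog="idstools-rulecat",
                                     fromfile_prefix_chars="@")
    parser.add_argument("--suricata")
    parser.add_argument("--merged")
    parser.add_argument("-o", dest="output")
    parser.add_argument("--disable")
    parser.add_argument("--enable")
    parser.add_argument("--modify")
    parser.add_argument("--post-hook")
    parser.add_argument("--etpro")
    parser.add_argument("--etopen", action="store_true")
    parser.add_argument("--url", action="append", default=[])
    return parser


def parse_config(conf_text, extra_args=()):
    """Write conf_text to a temp file and parse it through the @file form,
    with extra_args standing in for options given on the command line."""
    with tempfile.NamedTemporaryFile("w", suffix=".conf", delete=False) as fh:
        fh.write(conf_text)
        path = fh.name
    try:
        # Each file line becomes exactly one argument, so the spaces inside
        # the --post-hook value survive and -USR2 is never seen as an option.
        return build_parser().parse_args(["@" + path, *extra_args])
    finally:
        os.unlink(path)
```

The post-hook value keeps its spaces only because it is written on one line in --option=value form; splitting it over several lines would make the parser treat -USR2 as a separate option.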