idstools-rulecat [OPTIONS]


idstools-rulecat aims to be a simple-to-use rule download and management tool for Suricata. It can also be used for Snort when no SO rule stub generation is required.


-h, --help

Show help.

-v, --verbose

Be more verbose.

-t <directory>, --temp-dir=<directory>

Temporary working directory (default: /var/tmp/idstools-rulecat). This is where downloaded files will be stored.


The path to the Suricata program used to determine which version of the ET pro rules to download if not explicitly set in a --url.


Force remote rule files to be downloaded even if they otherwise would not be, either because they were downloaded recently or because the remote checksum matches the cached copy.


The directory where individual rule files will be written. One of -o or --merged is required.


Output a fragment of YAML containing the rule-files section with all downloaded rule files listed for inclusion in your suricata.yaml.


Write a single file containing all rules. This can be used in addition to -o or instead of -o.


A URL to download rules from. This option can be used multiple times.


Download the ET open ruleset. This is the default if --url or --etpro are not provided.

If one of --etpro or --url is also specified, this option will add the ET open URL to the list of remote rulesets to be downloaded.


Download the ET pro ruleset using the provided code.


Output a v1 style file.


Output a v2 style file.

-q, --quiet

Run quietly. Only warning and error messages will be displayed.


Output sample configuration files for the --disable, --enable, --modify and --threshold-in commands.


Specify the configuration file for disabling rules.


Specify the configuration file for enabling rules.


Specify the configuration file for rule modifications.


Specify the threshold.conf input template.


Specify the name of the processed threshold.conf to output.


A command to run after the rules have been updated; it will not run if no change to the output files was made. For example:

--post-hook=sudo kill -USR2 $(cat /var/run/

will tell Suricata to reload its rules.


Download ET open rules for the version of Suricata found on the path, saving the rules in /etc/suricata/rules:

idstools-rulecat -o /etc/suricata/rules

Download ET pro rules for the version of Suricata found on the path, saving the rules in /etc/suricata/rules:

idstools-rulecat --etpro XXXXXXXXXXXXXXXX -o /etc/suricata/rules

Download ET open rules plus an additional rule file and save the rules in /etc/suricata/rules:

idstools-rulecat --etopen \
    --url \
    -o /etc/suricata/rules

Configuration File

Command line arguments can be put in a file, one per line, and used as a configuration file. By default, idstools-rulecat will look for a file in the current directory named rulecat.conf.

Example configuration file:

--post-hook=sudo kill -USR2 $(cat /var/run/

If rulecat.conf is in the current directory it will be used just by calling idstools-rulecat with no arguments. Otherwise you can point idstools-rulecat at a configuration with the command idstools-rulecat @/path/to/rulecat.conf.
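Because a rulecat.conf in the current directory is used automatically and can carry a --post-hook command, the file deserves the same care as a script. The check below is an added example, not part of idstools: it reads an argument file one argument per line, reports loose permissions or foreign ownership, and lists any post-hook command. The function names, the sample paths and the skipping of blank lines are assumptions.

```python
import os
import stat
import tempfile


def audit_rulecat_conf(path):
    """Return (args, findings) for an argument file with one argument per line."""
    st = os.stat(path)
    with open(path, encoding="utf-8") as fh:
        # One argument per line; blank lines are skipped here (assumption).
        args = [line.strip() for line in fh if line.strip()]

    findings = []
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("file is group- or world-writable")
    if st.st_uid not in (0, os.geteuid()):
        findings.append("file is owned by another non-root user")
    for arg in args:
        name, _, value = arg.partition("=")
        if name == "--post-hook":
            # The hook is a command that runs after a rule update, so list it for review.
            findings.append("post-hook command: " + value)
    return args, findings


def demo():
    # Constructed sample configuration; the file paths are hypothetical.
    sample = (
        "--etopen\n"
        "--merged=/etc/suricata/rules/all.rules\n"
        "--post-hook=/usr/local/bin/reload-ids.sh\n"
    )
    with tempfile.TemporaryDirectory() as tmp:
        conf = os.path.join(tmp, "rulecat.conf")
        with open(conf, "w", encoding="utf-8") as fh:
            fh.write(sample)
        os.chmod(conf, 0o666)  # deliberately loose permissions
        _, loose = audit_rulecat_conf(conf)
        os.chmod(conf, 0o600)  # owner-only
        args, tight = audit_rulecat_conf(conf)
    return args, loose, tight


if __name__ == "__main__":
    for label, result in zip(("args", "loose", "tight"), demo()):
        print(label, result)
```

Running the check from cron or a wrapper script before idstools-rulecat lets the update be skipped when the permission or ownership findings appear.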