rulecat - A Suricata rule update tool

Synopsis

idstools-rulecat [OPTIONS]

Description

idstools-rulecat aims to be a simple to use rule download and
management tool for Suricata. It can also be used for Snort when no SO
rule stub generation is required.
Options

-h, --help
    Show help.

-v, --verbose
    Be more verbose.

-t <directory>, --temp-dir=<directory>
    Temporary working directory (default: /var/tmp/idstools-rulecat).
    This is where downloaded files will be stored.

--suricata=<path>
    The path to the Suricata program, used to determine which version of
    the ET Pro rules to download if not explicitly set in a --url argument.

--suricata-version <version>
    Set the Suricata version to a specific version instead of checking the
    version of the Suricata found on the path.

--force
    Force remote rule files to be downloaded even if they otherwise would
    not be, because they were downloaded recently or the remote checksum
    matches the cached copy.

-o <directory>, --output=<directory>
    The directory where the individual rule files will be written. One of
    -o or --merged is required.

--merged=<filename>
    Write a single file containing all rules. This can be used in addition
    to --output or instead of --output.

--yaml-fragment=<filename.yaml>
    Output a fragment of YAML containing the rule-files section, with all
    downloaded rule files listed, for inclusion in your suricata.yaml.

--url=<url>
    A URL to download rules from. This option can be used multiple times.

--local=<filename or directory>
    A path to a file or directory of local rule files to include. May be
    specified multiple times and should not include files in the output
    path. If the path is a directory, all files ending in .rules will be
    loaded. Wildcards are accepted, but to avoid shell expansion the
    argument must be quoted, for example:

        --local '/etc/suricata/custom-*.rules'

--sid-msg-map=<filename>
    Output a v1 style sid-msg.map file.

--sid-msg-map-2=<filename>
    Output a v2 style sid-msg.map file.

--disable=<disable.conf>
    Specify the configuration file for disabling rules.

--enable=<enable.conf>
    Specify the configuration file for enabling rules.

--modify=<modify.conf>
    Specify the configuration file for rule modifications.

--drop=<drop.conf>
    Specify the configuration file for rules to change to drop.

--ignore=<filename>
    Filenames to ignore. This is a pattern that will be matched against
    the basename of each rule file. This argument may be specified
    multiple times.

    Default: *deleted.rules

    Alternatively, the group matcher may be used in the file passed to
    --disable.

--no-ignore
    Disable the --ignore option. Most useful to disable the default ignore
    pattern without adding others.

--etopen
    Download the ET Open ruleset. This is the default if neither --url nor
    --etpro is provided. If --etpro or --url is also specified, this
    option adds the ET Open URL to the list of remote rulesets to be
    downloaded.

--etpro=<code>
    Download the ET Pro ruleset using the provided code.

-q, --quiet
    Run quietly. Only warning and error messages will be displayed.

--dump-sample-configs
    Output sample configuration files for the --disable, --enable,
    --modify and --threshold-in commands.

--threshold-in=<threshold.conf.in>
    Specify the threshold.conf input template.

--threshold-out=<threshold.conf>
    Specify the name of the processed threshold.conf to output.

--post-hook=<command>
    A command to run after the rules have been updated; it will not run if
    no change was made to the output files. For example:

        --post-hook=sudo kill -USR2 $(cat /var/run/suricata.pid)

    will tell Suricata to reload its rules.

-V, --version
    Display the version of idstools-rulecat.
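As an added illustration of how --local and --ignore interact (example code written for this page, not idstools' own implementation): a directory argument picks up every file ending in .rules, a quoted wildcard is expanded by the tool rather than by the shell, and ignore patterns are matched against the basename only, so a pattern such as *deleted.rules cannot be defeated or triggered by the directory name. The assumption that explicitly supplied --ignore patterns replace the default rather than extend it is mine (it is what makes --no-ignore useful as a separate switch); the helpers expand_local, select_rule_files and demo are invented names, and the file names are constructed.

```python
import fnmatch
import glob
import os
import tempfile

# Default ignore pattern, as documented for --ignore.
DEFAULT_IGNORE = ["*deleted.rules"]


def expand_local(arg):
    """Expand one --local argument into a list of rule file paths.

    A directory yields every file in it ending in .rules; a quoted
    wildcard is expanded here (not by the shell); anything else is taken
    as a single file name.
    """
    if os.path.isdir(arg):
        return sorted(
            os.path.join(arg, name)
            for name in os.listdir(arg)
            if name.endswith(".rules")
        )
    if any(ch in arg for ch in "*?["):
        return sorted(glob.glob(arg))
    return [arg]


def select_rule_files(paths, ignore_patterns=None, no_ignore=False):
    """Drop files whose basename matches an ignore pattern.

    Patterns are matched against the basename only, never the full path.
    Assumption (not stated by the page): patterns given explicitly replace
    the default instead of extending it.
    """
    if no_ignore:
        patterns = []
    elif ignore_patterns is None:
        patterns = DEFAULT_IGNORE
    else:
        patterns = list(ignore_patterns)
    return [
        p for p in paths
        if not any(fnmatch.fnmatch(os.path.basename(p), pat) for pat in patterns)
    ]


def demo():
    """Build a constructed rules directory and return the selections made."""
    names = [
        "emerging-trojan.rules",
        "emerging-deleted.rules",
        "deleted.rules",
        "custom-local.rules",
        "README.txt",  # not a .rules file, never loaded from a directory
    ]
    with tempfile.TemporaryDirectory() as tmp:
        for name in names:
            with open(os.path.join(tmp, name), "w") as fh:
                fh.write("# constructed placeholder\n")
        all_rules = expand_local(tmp)
        pattern_only = expand_local(os.path.join(tmp, "custom-*.rules"))
        base = os.path.basename
        results = {
            "directory": [base(p) for p in all_rules],
            "wildcard": [base(p) for p in pattern_only],
            "default_ignore": [base(p) for p in select_rule_files(all_rules)],
            "no_ignore": [base(p) for p in select_rule_files(all_rules, no_ignore=True)],
            "custom_ignore": [base(p) for p in select_rule_files(all_rules, ["custom-*.rules"])],
        }
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the block prints the five selections; note that with the default pattern both deleted.rules and emerging-deleted.rules are dropped, while supplying a custom pattern brings them back.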
Examples

Download ET Open rules for the version of Suricata found on the path, saving the rules in /etc/suricata/rules:

    idstools-rulecat -o /etc/suricata/rules

Download ET Pro rules for the version of Suricata found on the path, saving the rules in /etc/suricata/rules:

    idstools-rulecat --etpro XXXXXXXXXXXXXXXX -o /etc/suricata/rules

Download ET Open rules plus an additional rule file and save the rules in /etc/suricata/rules:

    idstools-rulecat --etopen \
        --url https://sslbl.abuse.ch/blacklist/sslblacklist.rules \
        -o /etc/suricata/rules
Configuration File

Command line arguments can be put in a file, one per line, and used as a configuration file. By default, idstools-rulecat will look for a file in the current directory named rulecat.conf.

Example configuration file:

    --suricata=/usr/sbin/suricata
    --merged=rules/merged.rules
    --disable=disable.conf
    --enable=enable.conf
    --modify=modify.conf
    --post-hook=sudo kill -USR2 $(cat /var/run/suricata.pid)
    --etpro=XXXXXXXXXXXXXXXX
    --url=https://sslbl.abuse.ch/blacklist/sslblacklist.rules

If rulecat.conf is in the current directory it will be used just by
calling idstools-rulecat with no arguments. Otherwise you can point
idstools-rulecat at a configuration file with the command:

    idstools-rulecat @/path/to/rulecat.conf
Example Configuration Files

Example Configuration to Enable Rules (--enable)

    # idstools-rulecat - enable.conf
    # Example of enabling a rule by signature ID (gid is optional).
    # 1:2019401
    # 2019401
    # Example of enabling a rule by regular expression.
    # - All regular expression matches are case insensitive.
    # re:heartbleed
    # re:MS(0[7-9]|10)-\d+

Example Configuration to Disable Rules (--disable)

    # idstools - disable.conf
    # Example of disabling a rule by signature ID (gid is optional).
    # 1:2019401
    # 2019401
    # Example of disabling a rule by regular expression.
    # - All regular expression matches are case insensitive.
    # re:heartbleed
    # re:MS(0[7-9]|10)-\d+

Example Configuration to Convert Rules to Drop (--drop)

    # idstools-rulecat - drop.conf
    #
    # Rules matching specifiers in this file will be converted to drop rules.
    #
    # Examples:
    #
    # 1:2019401
    # 2019401
    #
    # re:heartbleed
    # re:MS(0[7-9]|10)-\d+

Example Configuration to Modify Rules (--modify)

    # idstools-rulecat - modify.conf
    # Format: <sid> "<from>" "<to>"
    # Example changing the seconds for rule 2019401 to 3600.
    #2019401 "seconds \d+" "seconds 3600"
    # Change all trojan-activity rules to drop. It's better to set up a
    # drop.conf for this, but this does show the use of back references.
    #re:classtype:trojan-activity "(alert)(.*)" "drop\\2"
    # For compatibility, most Oinkmaster modifysid lines should work as
    # well.
    #modifysid * "^drop(.*)noalert(.*)" | "alert${1}noalert${2}"
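The four configuration formats above share one specifier syntax: gid:sid, a bare sid (gid defaulting to 1), or re:<pattern> matched case-insensitively against the rule text. As an added example, not idstools' own code, the following Python applies constructed disable, enable, drop and modify files to a handful of constructed rules so the effect of each file can be checked. The application order (disable, then enable, then drop, then modify), the minimal rule parser, and the treatment of the modify <to> string as a Python re.sub replacement are assumptions of this example; the page's "drop\\2" escaping and the Oinkmaster modifysid compatibility are not reproduced, and all function names are invented.

```python
import re

# Constructed sample rules standing in for a downloaded ruleset (not ET content).
SAMPLE_RULES = """\
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"SAMPLE Trojan beacon"; classtype:trojan-activity; sid:2019401; rev:3;)
# alert tcp any any -> any 443 (msg:"SAMPLE Heartbleed probe"; sid:2019402; rev:1;)
alert http any any -> any any (msg:"SAMPLE MS08-067 attempt"; classtype:attempted-admin; sid:2019403; rev:2;)
alert tcp any any -> any any (msg:"SAMPLE rate limited"; threshold:type limit, track by_src, count 1, seconds 60; sid:2019404; rev:1;)
"""

RULE_RE = re.compile(r"^(alert|drop|pass|reject)\s.*\(.*\bsid\s*:\s*(?P<sid>\d+)\s*;.*\)\s*$")
GID_RE = re.compile(r"\bgid\s*:\s*(\d+)\s*;")
MODIFY_RE = re.compile(r'^(?P<spec>\S+)\s+"(?P<from>.*?)"\s+"(?P<to>.*?)"\s*$')


class Rule:
    """A rule line: its text minus any leading comment marker, enabled state, gid and sid."""

    def __init__(self, line):
        self.enabled = not line.lstrip().startswith("#")
        self.text = line.lstrip("# ")
        m = RULE_RE.match(self.text)
        if not m:
            raise ValueError("not a rule: %r" % line)
        self.sid = int(m.group("sid"))
        g = GID_RE.search(self.text)
        self.gid = int(g.group(1)) if g else 1  # gid defaults to 1 when absent


def parse_matchers(conf_text):
    """Parse enable/disable/drop specifiers into predicates over Rule objects.

    'gid:sid' and bare 'sid' match by ID; 're:<pattern>' is a case-insensitive
    search over the rule text. Comment and blank lines are skipped.
    """
    matchers = []
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("re:"):
            pat = re.compile(line[3:], re.IGNORECASE)
            matchers.append(lambda r, pat=pat: pat.search(r.text) is not None)
        else:
            gid, _, sid = line.rpartition(":")
            gid_n, sid_n = (int(gid) if gid else 1), int(sid)
            matchers.append(lambda r, g=gid_n, s=sid_n: (r.gid, r.sid) == (g, s))
    return matchers


def parse_modifies(conf_text):
    """Parse modify lines of the form: <sid or re:pattern> "<from>" "<to>".

    Assumption: <to> is applied with Python's re.sub, so back references are
    written \\1, \\2 (the page's own escaping is not reproduced here).
    """
    ops = []
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = MODIFY_RE.match(line)
        if not m:
            raise ValueError("bad modify line: %r" % line)
        matcher = parse_matchers(m.group("spec"))[0]
        ops.append((matcher, re.compile(m.group("from")), m.group("to")))
    return ops


def apply_policy(rules_text, disable="", enable="", drop="", modify=""):
    """Apply the policy files to a ruleset.

    Order is an assumption of this example: disable, enable, drop, modify.
    """
    rules = [Rule(l) for l in rules_text.splitlines() if RULE_RE.match(l.lstrip("# "))]
    disable_m, enable_m, drop_m = (parse_matchers(t) for t in (disable, enable, drop))
    mods = parse_modifies(modify)
    for r in rules:
        if any(m(r) for m in disable_m):
            r.enabled = False
        if any(m(r) for m in enable_m):
            r.enabled = True
        if any(m(r) for m in drop_m):
            r.text = re.sub(r"^alert\b", "drop", r.text)
        for matcher, frm, to in mods:
            if matcher(r):
                r.text = frm.sub(to, r.text)
    return rules


def render(rules):
    """Emit the rule lines, commenting out disabled rules."""
    return [r.text if r.enabled else "# " + r.text for r in rules]


if __name__ == "__main__":
    # Constructed policy files: one specifier of each kind.
    out = apply_policy(
        SAMPLE_RULES,
        disable="2019403\n",
        enable="re:heartbleed\n",
        drop="re:classtype:trojan-activity\n",
        modify='2019404 "seconds \\d+" "seconds 3600"\n',
    )
    print("\n".join(render(out)))
```

Running the block shows the trojan-activity rule converted to drop, the Heartbleed rule re-enabled through a case-insensitive regex, sid 2019403 commented out, and the threshold of sid 2019404 rewritten to 3600 seconds.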