Installing Suricata with Oinkmaster
Install Oinkmaster
Oinkmaster is a tool to help you manage your signatures. While it is primarily designed for Snort, it also works for Suricata.
If you have installed Suricata using the default configuration, then Oinkmaster should be installed (it is recommended by the package). If not, run:
apt-get install oinkmaster
Edit the configuration file /etc/oinkmaster.conf:
url = http://rules.emergingthreats.net/open/suricata/emerging.rules.tar.gz
Create the directory for rules:
mkdir /etc/suricata/rules
oinkmaster -C /etc/oinkmaster.conf -o /etc/suricata/rules
Now update Suricata’s configuration (the default location on Ubuntu is /etc/suricata/suricata.yaml) so that the paths match:
classification-file: /etc/suricata/rules/classification.config
reference-config-file: /etc/suricata/rules/reference.config
default-rule-path: /etc/suricata/rules
Now we need to update the list of rule files in the same configuration file, adding the names of the files found in /etc/suricata/rules/*.rules:
rule-files:
 - botcc.rules
 - ...
The rules are organized in files, grouped by category. If you want to disable whole categories, just comment out the corresponding lines in this list.
If you want to disable only a signature, find its sid (signature id), and add it to /etc/oinkmaster.conf:
disablesid 2011755
On the next oinkmaster update, the corresponding line will automatically be commented out in the rules file.
Modify rules
To change a rule instead of disabling it, use modifysid, which replaces the first quoted string with the second in the rule carrying that sid. For example, to make signature 2029054 drop matching traffic instead of only alerting on it, add to /etc/oinkmaster.conf:
modifysid 2029054 "alert" | "drop"
Updating the rules
One nice feature of oinkmaster is the ability to keep the rules up to date very easily. Just run the same command:
oinkmaster -C /etc/oinkmaster.conf -o /etc/suricata/rules
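After an update it is worth verifying that the disablesid and modifysid entries from /etc/oinkmaster.conf actually took effect, and that the rule-files list in suricata.yaml still matches what is on disk. The script below is an added example, not part of the original page or of Oinkmaster: the sid_state and rule_files_yaml functions and the sample rules files are constructed here, while the sids are the ones used above.

```shell
#!/bin/sh
# Added example: check the outcome of an oinkmaster run and build the
# rule-files: list for suricata.yaml. Helper names are our own.

# Report the state of the rule with the given sid in a rules file:
#   disabled        - line is commented out (what disablesid produces)
#   active:<action> - line is live; <action> is its first word (alert/drop/...)
#   missing         - no rule with that sid in the file
sid_state() {
    file="$1"; sid="$2"
    line=$(grep -m 1 "sid:[[:space:]]*${sid};" "$file" 2>/dev/null) || { echo missing; return; }
    case "$line" in
        "#"*) echo disabled ;;
        *)    echo "active:${line%% *}" ;;
    esac
}

# Emit a rule-files: block listing every *.rules file in a directory, so the
# list in suricata.yaml can be regenerated from what oinkmaster wrote.
rule_files_yaml() {
    dir="$1"
    echo "rule-files:"
    for f in "$dir"/*.rules; do
        [ -e "$f" ] || continue
        echo " - $(basename "$f")"
    done
}

# Constructed sample of a rules directory after 'disablesid 2011755' and
# 'modifysid 2029054 "alert" | "drop"' have been applied (not real ET rules).
DEMO_DIR=$(mktemp -d)
cat > "$DEMO_DIR/botcc.rules" <<'EOF'
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"CONSTRUCTED sample"; sid:1000001; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"CONSTRUCTED disabled"; sid:2011755; rev:1;)
drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"CONSTRUCTED modified"; sid:2029054; rev:1;)
EOF
cat > "$DEMO_DIR/emerging-trojan.rules" <<'EOF'
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"CONSTRUCTED sample 2"; sid:1000002; rev:1;)
EOF

sid_state "$DEMO_DIR/botcc.rules" 2011755   # disabled
sid_state "$DEMO_DIR/botcc.rules" 2029054   # active:drop
sid_state "$DEMO_DIR/botcc.rules" 9999999   # missing
rule_files_yaml "$DEMO_DIR"
```

On a real host, point sid_state at /etc/suricata/rules/<file>.rules and rule_files_yaml at /etc/suricata/rules instead of the sample directory.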