Installing Suricata with Oinkmaster: Difference between revisions
No edit summary |
No edit summary |
||
| Line 2: | Line 2: | ||
Oinkmaster is a tool to help you manage your signatures. While it is primarily designed for Snort, it also works for [[Suricata]]. | Oinkmaster is a tool to help you manage your signatures. While it is primarily designed for Snort, it also works for [[Suricata]]. | ||
If you have installed Suricata using the default configuration, then Oinkmaster should be installed (it is recommended by the package). If not, run: | If you have installed Suricata using the default configuration, then Oinkmaster should be installed (it is recommended by the package). If not, run: | ||
apt-get install oinkmaster | |||
Edit the configuration file <code>/etc/oinkmaster.conf</code>: | |||
modifysid 2029054 "alert" | "drop" | |||
url = http://rules.emergingthreats.net/open/suricata/emerging.rules.tar.gz | |||
Create the directory for rules: | |||
mkdir /etc/suricata/rules | |||
oinkmaster -C /etc/oinkmaster.conf -o /etc/suricata/rules | |||
Now update Suricata’s configuration (default for [[Ubuntu]] is <code>/etc/suricata/suricata.yaml</code> to match the paths: | |||
classification-file: /etc/suricata/rules/classification.config | |||
reference-config-file: /etc/suricata/rules/reference.config | |||
default-rule-path: /etc/suricata/rules | |||
Now, we need to update the list of rules (adding names of files <code>/etc/suricata/rules/*.rules</code>) in the same configuration file: | |||
rules-files: | |||
- botcc.rules | |||
- ... | |||
The rules are organized in files, grouped by categories. If you want to disable some categories, just comment the lines. | |||
If you want to disable only a signature, find its sid (signature id), and add it to <code>/etc/oinkmaster.conf</code>: | |||
disablesid 2011755 | |||
On the next oinkmaster update, the corresponding line will automatically be commented in the rules file. | |||
Modify rules | |||
modifysid 2029054 "alert" | "drop" | |||
===Updating the rules=== | ===Updating the rules=== | ||
One nice feature of oinkmaster is the ability to keep the rules up to date very easily.Just run the same command: | One nice feature of oinkmaster is the ability to keep the rules up to date very easily.Just run the same command: | ||
oinkmaster -C /etc/oinkmaster.conf -o /etc/suricata/rules | |||
oinkmaster -C /etc/oinkmaster.conf -o /etc/suricata/rules | |||
==Source== | ==Source== | ||
Latest revision as of 20:48, 1 November 2025
Install Oinkmaster
Oinkmaster is a tool to help you manage your signatures. While it is primarily designed for Snort, it also works for Suricata.
If you have installed Suricata using the default configuration, then Oinkmaster should be installed (it is recommended by the package). If not, run:
apt-get install oinkmaster
Edit the configuration file /etc/oinkmaster.conf:
url = http://rules.emergingthreats.net/open/suricata/emerging.rules.tar.gz
Create the directory for rules:
mkdir /etc/suricata/rules
oinkmaster -C /etc/oinkmaster.conf -o /etc/suricata/rules
Now update Suricata’s configuration (default for Ubuntu is /etc/suricata/suricata.yaml to match the paths:
classification-file: /etc/suricata/rules/classification.config reference-config-file: /etc/suricata/rules/reference.config default-rule-path: /etc/suricata/rules
Now, we need to update the list of rules (adding names of files /etc/suricata/rules/*.rules) in the same configuration file:
rules-files: - botcc.rules - ...
The rules are organized in files, grouped by categories. If you want to disable some categories, just comment the lines.
If you want to disable only a signature, find its sid (signature id), and add it to /etc/oinkmaster.conf:
disablesid 2011755
On the next oinkmaster update, the corresponding line will automatically be commented in the rules file.
Modify rules
modifysid 2029054 "alert" | "drop"
Updating the rules
One nice feature of oinkmaster is the ability to keep the rules up to date very easily.Just run the same command:
oinkmaster -C /etc/oinkmaster.conf -o /etc/suricata/rules