Getting Started with Suricata-Update: Managing rule sets and sources

18,517 views

OISF-Suricata

1 day ago

In this video we're going to take a look at rules and rule sets and how you can manage those with suricata-update. This video assumes you already have Suricata installed and are now ready to add some free/open-source rule sets. Suricata-update is the de facto rule set manager and ships with all recent versions of Suricata.
Links to scripts via GitHub gists:
Setup Suricata-Update: gist.github.co...
Ingest PCAP: gist.github.co...
Link to Suricata forums: forum.suricata.io

Comments: 9

@kodaxeduhman2824 2 years ago
Guys, don't forget to install jq, otherwise you won't be able to see the alerts (I guess): sudo apt update; sudo apt install jq

@AB-fg4mh 2 years ago
Thanks for the video! It's great and helped me out! I'm running Suricata on Debian and came across an error when having to run the pcap file. After a bunch of research, I learned I had to update the default file path in the suricata.yaml file to point to /var/lib/suricata/rules/. Debian auto-downloaded version 6.0.1 for me. Not sure if this mix-up was fixed in later patches! Have a great one!

@robmorin 2 years ago
Nice video, except... out of the blue you start talking about this pcap & script file. Where does the pcap file come from, what does it do? Why are we running this script to process the pcap file? Do we need to run a script for each thing we monitor...? It's a bit confusing. It's odd that you explain why you need to do ./scriptname to run a script, but do not explain other stuff that is more complicated. Did I miss more than your first 2 videos? Thanks!

@JEN-ge1lu 2 years ago
Thanks man... really helpful

@kodaxeduhman2824 2 years ago
I tried to follow you. Everything works fine till minute 13; I didn't get any alerts :(

@kodaxeduhman2824 2 years ago
Ok, I figured it out. We have to change the dir for the Suricata rules.

@naeemali7369 2 years ago
@kodaxeduhman2824 Hello, how do I do that?

@kodaxeduhman2824 2 years ago
@naeemali7369 I would like to tell you that I did this as a personal project and I dumped the project because I needed to prepare many things to make the project work as I intended. Also, I'm not an expert :) But if you want to fix the same problem that I faced, you have to modify the configuration file called "suricata.yaml", usually placed in "/etc/suricata" (I'm not sure of its exact location), but once you open the file, search for something like "default-rule-path". You have to change it to the one he modified in the suricata-update script; I believe it was "/var/lib/suricata/rules/", if I'm not mistaken. The other issue I faced was that I had to set the permissions manually.

@naeemali7369 2 years ago
@kodaxeduhman2824 I'm working on that now, thank you for taking the time to reply to me.
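As an added example (not code from the video, its gists, or the Suricata project), the shell helper below covers the two things this page keeps coming back to: the suricata-update workflow the description refers to, and the default-rule-path mismatch several commenters hit, where suricata-update writes its merged rules to /var/lib/suricata/rules while a packaged suricata.yaml may still point at /etc/suricata/rules. The config checker works on any suricata.yaml; the refresh and alert functions assume suricata-update, suricata and jq are installed and use the default config and log paths, which are assumptions for your installation. The sample config at the bottom is constructed so the check can be exercised without Suricata present.

```shell
#!/bin/sh
# Added example: suricata-update workflow plus a default-rule-path sanity check.
# Not code from the video or the Suricata project. Paths below are the usual
# defaults and are assumptions for your installation.

SU_RULE_DIR="/var/lib/suricata/rules"          # where suricata-update writes suricata.rules
SURICATA_YAML="${SURICATA_YAML:-/etc/suricata/suricata.yaml}"
EVE_LOG="${EVE_LOG:-/var/log/suricata/eve.json}"

# The rule-management workflow from the video, as plain suricata-update commands.
# Requires suricata-update and suricata on PATH; not called by the demo below.
refresh_rules() {
    suricata-update update-sources          # fetch the current index of rule sources
    suricata-update list-sources            # show what can be enabled (et/open is free)
    suricata-update enable-source et/open   # enable Emerging Threats Open
    suricata-update                         # download, merge, write $SU_RULE_DIR/suricata.rules
    suricata -T -c "$SURICATA_YAML"         # test config + rules before (re)starting Suricata
}

# Print the default-rule-path value from a suricata.yaml (empty if absent).
# Tolerates an optional trailing comment and quotes around the value.
rule_path_in() {
    sed -n 's/^[[:space:]]*default-rule-path:[[:space:]]*\([^[:space:]#]*\).*/\1/p' "$1" \
        | head -n 1 | tr -d "\"'"
}

# Return 0 if the config points at the directory suricata-update writes to,
# otherwise explain the mismatch and return 1. A trailing slash is tolerated.
check_rule_path() {
    _rp=$(rule_path_in "$1")
    case "${_rp%/}" in
        "$SU_RULE_DIR") return 0 ;;
        "") echo "no default-rule-path found in $1"; return 1 ;;
        *) echo "default-rule-path is '$_rp' but suricata-update writes to $SU_RULE_DIR"; return 1 ;;
    esac
}

# Rewrite default-rule-path to $SU_RULE_DIR, keeping a .bak copy of the original.
# (Alternatively leave the YAML alone and point suricata-update at your directory
# with: suricata-update -o <your rule dir>.)
fix_rule_path() {
    cp "$1" "$1.bak"
    sed 's|^\([[:space:]]*default-rule-path:[[:space:]]*\).*|\1'"$SU_RULE_DIR"'|' "$1.bak" > "$1"
}

# Show alerts from eve.json one per line (jq must be installed, as the first comment notes).
show_alerts() {
    jq -c 'select(.event_type == "alert")
           | {timestamp, src: .src_ip, dst: .dest_ip, sid: .alert.signature_id, msg: .alert.signature}' \
       "$EVE_LOG"
}

# Demo on a constructed, Debian-style config so the check runs offline.
demo_cfg=$(mktemp)
printf '%s\n' 'default-rule-path: /etc/suricata/rules' 'rule-files:' '  - suricata.rules' > "$demo_cfg"
check_rule_path "$demo_cfg" || fix_rule_path "$demo_cfg"
check_rule_path "$demo_cfg" && echo "default-rule-path is now $(rule_path_in "$demo_cfg")"
rm -f "$demo_cfg" "$demo_cfg.bak"
```

Run check_rule_path against your real suricata.yaml after suricata-update has written its rules; if it reports a mismatch, either fix_rule_path the config or keep the config and pass the matching directory to suricata-update with -o. Either way, run suricata -T afterwards so a broken rule file is caught before Suricata is restarted, and make sure the Suricata service user can read the rule directory, which is the permissions problem one commenter mentions.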