Another IDS rule downloader – rulecat

I didn’t mean to do it, but I created yet another tool to download IDS rules, with a specific focus on Suricata.  Like some other people, I’ve always used my own scripts for downloading rules instead of using existing tools, and I finally pulled some of that together and dropped it into my idstools project.

Installation

With pip (as it's written in Python):

pip install idstools

Or from source (https://github.com/jasonish/py-idstools/releases/download/0.5.0/idstools-0.5.0.tar.gz), where idstools-rulecat can be run from the exploded tarball without installing (this also works with a git clone).

Usage

Probably the simplest usage, assuming you have Suricata already installed, is something like:

idstools-rulecat --rules-dir /etc/suricata/rules

This will download the ET Open rules for your version of Suricata and drop them in /etc/suricata/rules.

Other useful output options include:

  • --merged to merge all the rules into a single file, making it easier to include in your suricata.yaml.
  • --yaml-fragment to dump a fragment of YAML for inclusion in your suricata.yaml that lists each rule file downloaded.

Of course you can also disable, enable and modify rules.  To get sample configuration files for doing so, run:

idstools-rulecat --dump-sample-configs

which will drop the following files into your current directory:

  • disable.conf – allows disabling of rules by ID or regular expression.
  • enable.conf – allows enabling of rules by ID or regular expression.
  • modify.conf – rule modifications
  • threshold.in – an input threshold.conf that idstools-rulecat will expand (experimental)
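To show what "disabling and enabling by ID or regular expression" looks like mechanically, here is an added example (written for this post, not idstools' own implementation). The conf line format it parses, a bare SID per line or "re:<regex>", is an assumption for the example rather than the documented idstools syntax, and the rules it runs over are constructed samples.

```python
import re
# Constructed sample rule file: three rules, the second shipped disabled.
SAMPLE_RULES = """\
alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"EXAMPLE FTP login"; flow:to_server; sid:9000001; rev:1;)
# alert dns $HOME_NET any -> any any (msg:"EXAMPLE DNS query"; sid:9000002; rev:1;)
alert tls any any -> any any (msg:"EXAMPLE heartbeat"; sid:9000003; rev:2;)
"""
# Assumed config format (not idstools' own): one entry per line, either a
# bare SID or "re:<regex>" matched case-insensitively against the rule text.
SAMPLE_DISABLE_CONF = "9000001\nre:heartbeat\n"
SAMPLE_ENABLE_CONF = "9000002\n"
SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")

def parse_config(text):
    sids, regexes = set(), []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("re:"):
            regexes.append(re.compile(line[3:], re.IGNORECASE))
        else:
            sids.add(int(line))
    return sids, regexes

def matches(rule, sid, sids, regexes):
    return sid in sids or any(r.search(rule) for r in regexes)

def apply_filters(rules_text, disable_conf, enable_conf):
    """Return (rewritten rules text, disabled SIDs, enabled SIDs)."""
    dis_sids, dis_res = parse_config(disable_conf)
    en_sids, en_res = parse_config(enable_conf)
    out, disabled, enabled = [], [], []
    for line in rules_text.splitlines():
        rule = line.lstrip("# ")      # rule text without a leading comment marker
        commented = line.lstrip().startswith("#")
        m = SID_RE.search(rule)
        if not m:                     # blank line or plain comment: keep as-is
            out.append(line)
            continue
        sid = int(m.group(1))
        if commented and matches(rule, sid, en_sids, en_res):
            out.append(rule)          # re-enable a rule that shipped commented out
            enabled.append(sid)
        elif not commented and matches(rule, sid, dis_sids, dis_res):
            out.append("# " + rule)   # disable by commenting out
            disabled.append(sid)
        else:
            out.append(line)
    return "\n".join(out) + "\n", disabled, enabled
```

Running apply_filters(SAMPLE_RULES, SAMPLE_DISABLE_CONF, SAMPLE_ENABLE_CONF) comments out 9000001 (by SID) and 9000003 (by the heartbeat regex) and uncomments 9000002.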

As with many Python programs using the argparse module, a configuration file can be created by dropping command line arguments in a file and calling idstools-rulecat like:

idstools-rulecat @/path/to/rulecat.conf

For example, I use a rulecat.conf like:

--suricata=/usr/bin/suricata
--merged=rules/merged.rules
--disable=disable.conf
--enable=enable.conf
--modify=modify.conf
--threshold-in=threshold.in
--threshold-out=etc/threshold.config
--post-hook=sudo kill -USR2 $(cat /var/run/suricata.pid)
--etpro=ETPRO_CODE

Note the --etpro option, which will download the ET Pro rules instead of the ET Open rules.

For full usage, head over to http://idstools.readthedocs.org/en/latest/tools/rulecat.html.

This is a work in progress, and is primarily being developed to satisfy my needs; perhaps it will be useful to others as well.


2 thoughts on “Another IDS rule downloader – rulecat”

  1. I’m a big fan of this project (python > perl) although how do you handle doing mass drop modifications based on category, like dropsid.conf in pulled pork?

    • You don’t right now, I guess it’s the last remaining piece, and only because I don’t use IPS mode myself.

      Will try to add it in the next week or so, as it is a must have feature.
