I didn’t mean to do it, but I created yet another tool to download IDS rules, with a specific focus on Suricata. Like some other people, I’ve always used my own scripts for downloading rules instead of using existing tools, and I finally pulled some of that together and dropped it into my idstools project.
With pip (as its written in Python):
pip install idstools
From source, https://github.com/jasonish/py-idstools/releases/download/0.5.0/idstools-0.5.0.tar.gz, where idstools-rulecat can be run from the exploded tarball without installing (also works with a git clone).
Probably the simplest usage, assuming you have Suricata already installed is something like:
idstools-rulecat --rules-dir /etc/suricata/rules
This will download the ET Open rules for your version of Suricata and drop them in /etc/suricata/rules.
Other useful output options include:
- –merged to merge all the rules into a single file making it easier to include into your suricata.yaml.
- –yaml-fragment to dump a fragment of YAML for inclusion in your suricata.yaml that lists each rule file downloaded.
Of course you can also disable, enable and modify rules. To get sample configuration files for doing so, run:
which will drop the following files into your current directory:
- disable.conf – allows disabling of rules by ID or regular expression.
- enable.conf – allows enabling of rules by ID or regular expression.
- modify.conf – rule modifications
- threshold.in – an input threshold.conf that idstools-rulecat will expand (experimental)
As with many Python programs using the argparse module, a configuration file can be created by dropping command line arguments in a file and calling idstools-rulecat like:
For example, I use a rulecat.conf like:
--post-hook=sudo kill -USR2 $(cat /var/run/suricata.pid)
Note the –etpro which will ET Pro rules instead of the ET Open rules.
For full usage, head over to http://idstools.readthedocs.org/en/latest/tools/rulecat.html.
This is a work in progress, and is primarily being developed to satisfy my needs, perhaps it will be useful to others as well.