Getting Started with Suricata-Update: Managing rule sets and sources
- Published: 21 Oct 2024
- In this video we're going to take a look at rules and rule sets and how you can manage those with suricata-update. This video assumes you already have Suricata installed and are now ready to add some free/open-source rule sets. Suricata-update is the de facto rule set manager and ships with all recent versions of Suricata.
Link to scripts via Github gists
Setup Suricata-Update: gist.github.co...
Ingest PCAP: gist.github.co...
Link to Suricata forums: forum.suricata.io
Nice video, except... out of the blue you start talking about this pcap & script file. Where does the pcap file come from, what does it do? Why are we running this script to process the pcap file? Do we need to run a script for each thing we monitor? It's a bit confusing. It's odd that you explain why you need to do a ./script name to run a script, but do not explain other stuff that is more complicated. Did I miss more than your first 2 videos? Thanks!
Guys, don't forget to install jq, otherwise you won't be able to see the alerts (I guess):
sudo apt update
sudo apt install jq
Thanks for the video! it's great and helped me out!
I'm running Suricata on Debian and came across an error when having to run the pcap file. After a bunch of research, I learned I had to update the default file path under the suricata.yaml file to point to /var/lib/suricata/rules/. Debian auto-downloaded version 6.0.1 for me. Not sure if this mix-up was fixed in later patches! Have a great one!
Thanks man... really helpful
I tried to follow you; everything works fine until minute 13, but I didn't get any alerts :(
OK, I figured it out. We have to change the dir for the Suricata rules.
@@kodaxeduhman2824 Hello, how do I do that?
@@naeemali7369 I would like to tell you that I did this as a personal project and I dumped the project because I needed to prepare many things to make the project work as I intended. Also, I'm not an expert :)
But if you want to fix the same problem that I faced, you have to modify the configuration file called "suricata.yaml", usually placed in "/etc/suricata" (I'm not sure of its exact location), but once you open the file, search for something like "default-rule-path". You have to change it to the one he modified in the suricata-update script; I believe it was "/var/lib/suricata/rules/", if I'm not mistaken. The other issue I faced was I had to do the permissions manually.
@@kodaxeduhman2824 I'm working on that now. Thank you for taking the time to reply to me.
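The script below is an added example, not code from the video, its gists, or the Suricata project. It ties together the two things this page circles around: the suricata-update workflow the description refers to (update-sources, enable-source, update), and the failure several commenters hit, where suricata-update writes its merged rules to /var/lib/suricata/rules/suricata.rules but suricata.yaml's default-rule-path points elsewhere, so Suricata loads no rules and no alerts appear at minute 13. The suricata-update and jq invocations are real syntax but only run when those tools are installed; the two suricata.yaml fragments are constructed for the demo (the real file is much longer, and what Debian's 6.0.1 package actually shipped as the default path is not asserted here), and the function names are my own.

```shell
#!/usr/bin/env bash
# Added example (not from the video or the Suricata project).
# Part 1: the suricata-update workflow (guarded, runs only where the tool exists).
# Part 2: check that suricata.yaml's default-rule-path matches where
#         suricata-update writes rules, the mismatch behind "no alerts".
set -eu

UPDATE_RULE_DIR="/var/lib/suricata/rules"   # suricata-update's default output directory
SURICATA_YAML="${SURICATA_YAML:-/etc/suricata/suricata.yaml}"

# Part 1: fetch the source index, enable a free source, download and merge rules.
# suricata-update finishes by running "suricata -T" against the new rule set.
refresh_rules() {
  command -v suricata-update >/dev/null 2>&1 || { echo "suricata-update not installed"; return 1; }
  sudo suricata-update update-sources          # refresh the list of available sources
  sudo suricata-update enable-source et/open   # Emerging Threats Open (free)
  sudo suricata-update                          # writes $UPDATE_RULE_DIR/suricata.rules
}

# Part 2: print the value of the top-level default-rule-path key in a suricata.yaml,
# with quotes and a trailing "# comment" stripped; prints nothing if the key is absent.
rule_path_from_yaml() {
  awk '/^default-rule-path:/ {
         sub(/^default-rule-path:[[:space:]]*/, "")
         sub(/[[:space:]]*#.*$/, "")
         gsub(/"/, "")
         sub(/[[:space:]]+$/, "")
         print; exit
       }' "$1"
}

# Prints "ok" when the config points at the suricata-update directory, otherwise a
# one-line diagnosis with the fix (a trailing slash is ignored in the comparison).
check_rule_path() {
  local yaml="$1" configured
  configured="$(rule_path_from_yaml "$yaml")"
  if [ -z "$configured" ]; then
    echo "mismatch: no default-rule-path in $yaml; set it to $UPDATE_RULE_DIR"
  elif [ "${configured%/}" = "${UPDATE_RULE_DIR%/}" ]; then
    echo "ok"
  else
    echo "mismatch: $yaml uses $configured; set default-rule-path to $UPDATE_RULE_DIR (or run suricata-update -o $configured)"
  fi
}

# Once rules load, alerts are the event_type "alert" records in eve.json (needs jq).
show_alerts() {
  jq -c 'select(.event_type == "alert") | {timestamp, src_ip, dest_ip, sig: .alert.signature}' \
    "${1:-/var/log/suricata/eve.json}"
}

# Demo on two constructed config fragments: one pointing at /etc/suricata/rules
# (the symptom from the comments) and one already pointing at the suricata-update dir.
demo() {
  local tmp; tmp="$(mktemp -d)"
  printf 'vars:\n  address-groups:\n    HOME_NET: "[192.168.0.0/16]"\ndefault-rule-path: /etc/suricata/rules\nrule-files:\n  - suricata.rules\n' > "$tmp/old.yaml"
  printf 'default-rule-path: "/var/lib/suricata/rules"  # matches suricata-update\nrule-files:\n  - suricata.rules\n' > "$tmp/fixed.yaml"
  echo "old.yaml:   $(check_rule_path "$tmp/old.yaml")"
  echo "fixed.yaml: $(check_rule_path "$tmp/fixed.yaml")"
  rm -rf "$tmp"
}

demo
# Against a real host: check_rule_path "$SURICATA_YAML"; refresh_rules; show_alerts
```

Run `check_rule_path /etc/suricata/suricata.yaml` before chasing missing alerts: if it reports a mismatch, either edit default-rule-path as the commenters did, or keep the config and point suricata-update at it with `-o`. Either way, `sudo suricata -T -c /etc/suricata/suricata.yaml` afterwards confirms the rules actually load, and the permissions issue mentioned above shows up there too, as a read error on the rules file.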