--- /dev/null
+Rule Management with Oinkmaster
+===============================
+
+
+It is possible to download and install rules manually, but there is a
+much easier and quicker way to do so. There are special programs which
+you can use for downloading and installing rules. There is for example
+`Pulled Pork <https://github.com/shirkdog/pulledpork>`_ and
+`Oinkmaster <http://oinkmaster.sourceforge.net/>`_. In this documentation
+the use of Oinkmaster will be described.
+
+To install Oinkmaster, enter:
+
+::
+
+ sudo apt-get install oinkmaster
+
+There are several rulesets. There is for example Emerging Threats (ET)
+Emerging Threats Pro and VRT. In this example we are using Emerging
+Threats.
+
+Oinkmaster has to know where the rules an be found. These rules can be found at:
+
+::
+
+ http://rules.emergingthreats.net/open/suricata/emerging.rules.tar.gz
+
+open oinkmaster.conf to add this link by entering:
+
+::
+
+ sudo nano /etc/oinkmaster.conf
+
+Place a # in front of the url that is already there and add the new url like this:
+
+.. image:: oinkmaster/oinkmasterconf.png
+
+(Close oinkmaster.conf by pressing ctrl x, followed by y and enter. )
+
+The next step is to create a directory for the new rules. Enter:
+
+::
+
+ sudo mkdir /etc/suricata/rules
+
+
+Next enter:
+
+::
+
+ cd /etc
+ sudo oinkmaster -C /etc/oinkmaster.conf -o /etc/suricata/rules
+
+In the new rules directory a classification.config and a
+reference.config can be found. The directories of both have to be
+added in the suricata.yaml file. Do so by entering:
+
+::
+
+ sudo nano /etc/suricata/suricata.yaml
+
+And add the new file locations instead of the file locations already
+present, like this:
+
+.. image:: oinkmaster/suricata_yaml.png
+
+To see if everything works as pleased, run Suricata:
+
+::
+
+ suricata -c /etc/suricata/suricata.yaml -i wlan0 (or eth0)
+
+You will notice there are several rule-files Suricata tries to load,
+but are not available. It is possible to disable those rule-sets in
+suricata.yaml by deleting them or by putting a # in front of them. To
+stop Suricata from running, press ctrl c.
+
+Emerging Threats contains more rules than loaded in Suricata. To see
+which rules are available in your rules directory, enter:
+
+::
+
+ ls /etc/suricata/rules/*.rules
+
+Find those that are not yet present in suricata.yaml and add them in
+yaml if desired.
+
+You can do so by entering :
+
+::
+
+ sudo nano /etc/suricata/suricata.yaml
+
+If you disable a rule in your rule file by putting a # in front of it,
+it will be enabled again the next time you run Oinkmaster. You can
+disable it through Oinkmaster instead, by entering the following:
+
+::
+
+ cd /etc/suricata/rules
+
+and find the sid of the rule(s) you want to disable.
+
+Subsequently enter:
+
+::
+
+ sudo nano /etc/oinkmaster.conf
+
+and go all the way to the end of the file.
+Type there:
+
+::
+
+ disablesid 2010495
+
+Instead of 2010495, type the sid of the rule you would like to
+disable. It is also possible to disable multiple rules, by entering
+their sids separated by a comma.
+
+If you run Oinkmaster again, you can see the amount of rules you have
+disabled. You can also enable rules that are disabled by default. Do
+so by entering:
+
+::
+
+ ls /etc/suricata/rules
+
+In this directory you can see several rule-sets
+Enter for example:
+
+::
+
+ sudo nano /etc/suricata/rules/emerging-malware.rules
+
+In this file you can see which rules are enabled en which are not.
+You can not enable them for the long-term just by simply removing
+the #. Because each time you will run Oinkmaster, the rule will be
+disabled again. Instead, look up the sid of the rule you want to
+enable. Place the sid in the correct place of oinkmaster.config:
+
+::
+
+ sudo nano /etc/oinkmaster.conf
+
+do so by typing:
+
+::
+
+ enablesid: 2010495
+
+Instead of 2010495, type the sid of the rule you would like to to
+enable. It is also possible to enable multiple rules, by entering
+their sids separated by a comma.
+
+In oinkmaster.conf you can modify rules. For example, if you use
+Suricata as inline/IPS and you want to modify a rule that sends an
+alert when it matches and you would like the rule to drop the packet
+instead, you can do so by entering the following:
+
+::
+
+ sudo nano oinkmaster.conf
+
+At the part where you can modify rules, type:
+
+::
+
+ modifysid 2010495 “alert” | “drop”
+
+The sid 2010495 is an example. Type the sid of the rule you desire to
+change, instead.
+
+Rerun Oinkmaster to notice the change.
+
+Updating your rules
+~~~~~~~~~~~~~~~~~~~
+
+If you have already downloaded a ruleset (in the way described in this
+file), and you would like to update the rules, enter:
+
+::
+
+ sudo oinkmaster -C /etc/oinkmaster.conf -o /etc/suricata/rules
+
+It is recommended to update your rules frequently. Emerging Threats is
+modified daily, VRT is updated weekly or multiple times a week.
projects / thirdparty / suricata.git / commitdiff
