Feature #695
Ubuntu PPA Doesn't Install Any Rules
Status: closed
Description
I just installed Suricata-stable from the Ubuntu PPA for 12.04 per the installation guide. When I installed the package it didn't install any rules. I am not sure if this is the correct behavior, but the documentation doesn't give steps for installing the rules for a package install. Usually Ubuntu packages would install a rule set along with the package or have a separate package for the rules.
Kevin Harriss
Updated by Peter Manev almost 12 years ago
- Tracker changed from Bug to Feature
- Priority changed from High to Normal
Hi Kevin,
This is not a bug.
It is true however that a small script (and/or during the time of installation/post-installation) downloading the ruleset would be ideal.
However you could refer to this guide:
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Rule_Management_with_Oinkmaster
or just download and untar the ruleset in a directory of your choosing (or yaml config setting) from here
http://rules.emergingthreats.net/open/suricata/
or if you prefer you can download and use a VRT ruleset.
It is recommended to update your rules frequently. Emerging Threats is modified daily, VRT is updated weekly or multiple times a week.
Thanks
Updated by Kevin Harriss almost 12 years ago
Thanks for the quick response. I agree that if the recommended route is oinkmaster then this isn't a bug but a feature request. It might be a good idea to update the guide here:
to include a section saying that, to set up the rules, follow the oinkmaster guide. Just my thought though.
Updated by Peter Manev almost 12 years ago
I agree.
I updated the Basic Setup guide (link provided in the Ubuntu Installation - Personal Package Archives (PPA)) with rule management info.
Thank you
Updated by Peter Manev over 10 years ago
- % Done changed from 0 to 90
The current 2.0.2 Ubuntu PPA Launchpad package downloads and installs a full ET Open ruleset.
Updated by Victor Julien over 10 years ago
How does it install them? What happens if it encounters an existing ruleset?
Updated by Peter Manev over 10 years ago
It overrides.
It can be made to ask Y|N - but then that would mean that apt-get upgrade would stop and not continue until the user answers.
Updated by Victor Julien over 10 years ago
Hmm, this is not how the packaging should behave. It needs to be non-interactive and it certainly shouldn't override an existing config/rule setup.
I know that Debian has a separate package for rules (https://packages.debian.org/sid/snort-rules-default), but that is not a good approach either. It lacks update capabilities. In general, data like rules shouldn't be in debs. It's too volatile and needs to be updated regularly (daily/weekly).
I really think the proper way would be to install oinkmaster/pulledpork with a default configuration tuned for suri. But this doesn't belong in the suricata ppa package. We could consider offering such an oinkmaster or pulledpork package through our ppa, but that's another thing to maintain then.
Updated by Peter Manev over 10 years ago
Yes... I agree - this is a challenge.
Maybe we can download the rules in a sub dir of /etc/suricata/rules/ETOpen-date or something like this? (during upgrade/install)
That way we will not override any rules if such exist and there will be a rule-set to use if none is present.
Updated by Victor Julien over 9 years ago
- Target version changed from TBD to Packaging/PPA
Updated by Peter Manev over 8 years ago
- Status changed from New to Closed
The PPA package will try to download an ET Open ruleset if network connectivity is present; if not, it will continue with the installation but not download any rules.
See - https://redmine.openinfosecfoundation.org/issues/1730
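The two behaviours the thread settles on, the dated sub-directory proposed in Peter's earlier comment (so an existing ruleset is never overridden) and the closing note's "download if the network is up, otherwise continue the install", can be sketched as a small POSIX shell post-install helper. The block below is an added example, not the suricata PPA's actual maintainer script: the function names, the `ETOpen-<date>` layout, the `install_default_rules RULESDIR FETCH_CMD` interface and the one constructed rule line are all assumptions, and the network download is replaced by a local stand-in so it runs offline.

```shell
#!/bin/sh
# Added illustration (not the real suricata PPA maintainer scripts) of a
# post-install helper with the three properties asked for in the thread:
#   - non-interactive: no prompt, so apt-get upgrade never blocks
#   - never touches an existing ruleset or config
#   - a failed download (no network) is logged and the install continues
# Rules land in a dated sub-directory, so existing RULESDIR/*.rules are left alone.

# install_default_rules RULESDIR FETCH_CMD
#   RULESDIR  : rule directory, e.g. /etc/suricata/rules (a temp dir in the checks below)
#   FETCH_CMD : command that writes the ruleset tarball to the path given as $1.
#               In a real package this would wget the ET Open tarball; here a
#               constructed local stand-in is passed so the script runs offline.
install_default_rules() {
    rulesdir=$1
    fetch=$2

    # 1. Any existing *.rules file means the admin already has a setup: do nothing.
    if ls "$rulesdir"/*.rules >/dev/null 2>&1; then
        echo "install_default_rules: existing rules in $rulesdir, leaving them untouched"
        return 0
    fi

    # 2. Fetch into a temp file first so a half-downloaded tarball never
    #    ends up inside the rules directory.
    tmp=$(mktemp) || return 0
    if ! "$fetch" "$tmp"; then
        echo "install_default_rules: download failed (no network?), continuing without rules"
        rm -f "$tmp"
        return 0    # never fail the package install over missing rules
    fi

    # 3. Unpack into ETOpen-<date>; re-running on the same day is idempotent.
    target="$rulesdir/ETOpen-$(date +%Y%m%d)"
    mkdir -p "$target"
    tar -xf "$tmp" -C "$target"
    rm -f "$tmp"
    echo "install_default_rules: installed default ruleset into $target"
}

# --- constructed stand-ins so the example runs without network access ---

# Builds a tiny tarball holding one constructed rule (not a real ET Open rule).
sample_fetch() {
    dest=$1
    work=$(mktemp -d)
    printf 'alert tcp any any -> any 80 (msg:"constructed sample rule"; sid:9000001; rev:1;)\n' \
        > "$work/emerging-sample.rules"
    tar -cf "$dest" -C "$work" emerging-sample.rules
    rm -rf "$work"
}

# Simulates the no-network case: the download fails.
failing_fetch() {
    return 1
}

# Check helper: prints the path of the installed sample rule file, if any.
installed_sample_rule() {
    ls "$1"/ETOpen-*/emerging-sample.rules 2>/dev/null
}
```

For Suricata to actually load rules from the dated directory, `default-rule-path` (and the `rule-files` list) in suricata.yaml would still have to point at it; the helper deliberately does not edit the config, for the same reason it does not touch existing rules.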