Suricata

Thanks for the quick response. I agree that if the recommend route is oinkmaster than this isn't a bug and a feature request. It might be a good idea to update the guide here:

[[https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Ubuntu_Installation_-_Personal_Package_Archives_(PPA)]]

To include a section saying to setup up the rules follow the oinkmaster guide. Just my thought though.

I agree.
I updated the Basic Set up guide(link provided int the Ubuntu Installation - Personal Package Archives (PPA) ) with rule management info.

Thank you

How does it install them? What happens if it encounters an existing ruleset?

It overrides.

It can be made to ask Y|N - but then that would mean that apt-get upgrade would stop and not continue until the user answers.

Hmm this not is how the packaging should behave. It needs to be non-interactive and it certainly shouldn't override and existing config/rulesetup.

I know that Debian has a separate package for rules (https://packages.debian.org/sid/snort-rules-default), but that is a not a good approach either. It lacks update capabilities. In general, data like rules shouldn't be in debs. It's too volatile and needs to be updated regularly (daily/weekly).

I really think the proper way would be to install oinkmaster/pulledpork with a tuned for suri default configuration. But this doesn't belong in the suricata ppa package though. We could consider offering such an oinkmaster or pulledpork package through our ppa, but thats another thing to maintain then.

Yes... I agree - this is a challenge.

Maybe we can download the rules in a sub dir of /etc/suricata/rules/ETOpen-date or something like this? (during upgrade/install)
That way we will not override any rules if such exist and there will be a rule-set to use if none is present.