Suricata configuration
In addition to downloading Suricata rulesets from multiple sources, Corelight-update can optimize the ruleset. It does this by optionally applying Corelight recommended changes to the rulesets, and by extracting content from Suricata rules and creating Zeek Intel rules from that content.
Content is only extracted from enabled rules, and the “do_notice” flag can be set individually based on rule type. This means you can use the usual enable.conf and disable.conf rules to control which data is extracted. See Suricata policy settings for details.
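As an added illustration of the extraction step described above (this is example code, not Corelight-update's own implementation), the following script reads a Suricata ruleset, skips rules that are disabled (commented out), pulls the string from each usable `content:` match, and writes Zeek Intel framework entries. The mapping from the Suricata buffer (`http.host`, `http_host`, `dns.query`, `tls.sni`, `http.uri`, `http_uri`) to a Zeek indicator type, and the per-classtype `do_notice` table that stands in for the page's "rule type" setting, are assumptions chosen for the example; the sample rules are constructed.

```python
"""Turn content: matches from enabled Suricata rules into Zeek Intel entries.

Added example for this page, not Corelight-update's own code. The buffer to
indicator-type mapping and the per-classtype do_notice table are assumptions.
"""
import re
from dataclasses import dataclass

# The buffer a content: match targets decides the Zeek indicator type. Sticky
# buffers (dotted names) precede their content; legacy modifiers (http_host,
# http_uri) follow it. Hypothetical mapping chosen for this example.
BUFFER_TO_INTEL_TYPE = {
    "http.host": "Intel::DOMAIN", "http_host": "Intel::DOMAIN",
    "dns.query": "Intel::DOMAIN", "tls.sni": "Intel::DOMAIN",
    "http.uri": "Intel::URL", "http_uri": "Intel::URL",
}

# do_notice decided per rule classtype (constructed policy for the example).
DO_NOTICE_BY_CLASSTYPE = {"trojan-activity": True, "policy-violation": False}

_OPTION_SPLIT = re.compile(r"(?<!\\);")            # split options on unescaped ';'
_CONTENT_RE = re.compile(r'^content:\s*(!?)"(.*)"$')

# Constructed sample ruleset (not a real vendor ruleset); sid 9000003 is disabled.
SAMPLE_RULES = """\
# constructed sample rules for the example
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE C2 host"; flow:established,to_server; content:"c2.example.net"; http_host; nocase; classtype:trojan-activity; sid:9000001; rev:1;)
alert dns $HOME_NET any -> any any (msg:"EXAMPLE policy DNS lookup"; dns.query; content:"tracker.example.org"; nocase; classtype:policy-violation; sid:9000002; rev:1;)
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE disabled"; content:"disabled.example.com"; http_host; classtype:trojan-activity; sid:9000003; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE beacon URI"; http.uri; content:"/gate.php"; content:!"/health"; classtype:trojan-activity; sid:9000004; rev:1;)
alert tcp any any -> any 4444 (msg:"EXAMPLE raw bytes"; content:"|de ad be ef|"; classtype:trojan-activity; sid:9000005; rev:1;)
"""


@dataclass
class IntelItem:
    indicator: str
    indicator_type: str
    source: str
    desc: str
    do_notice: bool

    def to_line(self):
        flag = "T" if self.do_notice else "F"
        return "\t".join([self.indicator, self.indicator_type, self.source, self.desc, flag])


def _options(rule):
    """Return the option strings inside the rule's outermost parentheses."""
    start, end = rule.find("("), rule.rfind(")")
    if start < 0 or end < start:
        return []
    return [o.strip() for o in _OPTION_SPLIT.split(rule[start + 1:end]) if o.strip()]


def _option(opts, name, default=""):
    """Value of the first 'name:value' option, with surrounding quotes removed."""
    for o in opts:
        if o.startswith(name + ":"):
            return o.split(":", 1)[1].strip().strip('"')
    return default


def extract_intel(rules_text, source="suricata-rules", notice_policy=DO_NOTICE_BY_CLASSTYPE):
    items = []
    for raw in rules_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):        # disabled rules are commented out: skip
            continue
        opts = _options(line)
        desc = f"sid:{_option(opts, 'sid', '?')} {_option(opts, 'msg')}"
        do_notice = notice_policy.get(_option(opts, "classtype"), False)
        sticky = None
        for i, opt in enumerate(opts):
            if opt in BUFFER_TO_INTEL_TYPE and "." in opt:
                sticky = opt                          # sticky buffer applies to later content
                continue
            m = _CONTENT_RE.match(opt)
            if not m:
                continue
            negated, value = m.groups()
            if negated or "|" in value:              # negated or hex content: no usable indicator
                continue
            buffer = sticky
            for later in opts[i + 1:]:               # a legacy modifier follows its content
                if later.startswith("content:"):
                    break
                if later in BUFFER_TO_INTEL_TYPE and "_" in later:
                    buffer = later
            if buffer is not None:
                items.append(IntelItem(value.replace('\\"', '"'),
                                       BUFFER_TO_INTEL_TYPE[buffer], source, desc, do_notice))
    return items


def to_intel_file(items):
    """Render items in the Zeek Intel framework's tab-separated file format."""
    header = "#fields\tindicator\tindicator_type\tmeta.source\tmeta.desc\tmeta.do_notice"
    return "\n".join([header] + [it.to_line() for it in items]) + "\n"


if __name__ == "__main__":
    print(to_intel_file(extract_intel(SAMPLE_RULES)), end="")
```

Running it on the sample yields three entries: the commented-out sid 9000003 is ignored, the negated `content:!"/health"` and the hex match are skipped because neither is a usable indicator, and `do_notice` is `T` for the two `trojan-activity` rules and `F` for the `policy-violation` rule.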
Tip
No configuration is required to include local Suricata rulesets. See Locally managed sources for details.
Any “.rules” or “.rules.tar.gz” ruleset placed in the global-suricata folder is automatically available to all policies.
Any “.rules” or “.rules.tar.gz” ruleset placed in a local-suricata folder is automatically available to that policy.
Suricata configuration files
Suricata uses four configuration files when processing traffic or testing rules:
suricata.yaml
classification.config
reference.config
threshold.config
These configuration files can be manually placed in the policy configs folder (/etc/corelight-update/configs/<policy>/), or the policy can be configured to pull Suricata configuration files from remote sources if desired. See Remote config files.
See Using a proxy with Corelight-update for details about using a proxy to download remote sources.
Optionally, these configuration files can be pushed to the policy in Fleet Manager or directly to a sensor. See Push content settings.
Warning
Suricata configuration files are not pushed to Software Sensor v1.x.
Disabled rules
By default, disabled rules are not written back to the final Suricata ruleset. If desired, disabled rules can be included in the ruleset file by setting write_disabled_rules: true in the Suricata policy settings.
Ruleset testing
By default, Corelight-update attempts to test the ruleset using Suricata, if it’s available on the host running Corelight-update. If Suricata is not available, Corelight-update logs that it did not test the ruleset and continues.
If the ruleset is tested and one or more rules fail the test, the details of the failed rules are logged and processing continues. Optionally, Corelight-update can be configured to discard a failed ruleset, after the failed rules have been logged, by setting fail_on_ruleset_error: true in the Suricata policy settings.
If any of the Suricata configuration files are placed in the policy configuration folder, or pulled from a remote location, they are automatically used when testing the Suricata ruleset.
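The testing flow described in this section, written out as an added example (not Corelight-update's own code): if no Suricata binary is on the host the test is skipped and logged; otherwise the generated ruleset is loaded exclusively with Suricata's `-T` (test mode), `-S` and `--init-errors-fatal` options, any of the four configuration files found in the policy's configs folder are passed in via `-c` and `--set` using Suricata's `classification-file`, `reference-config-file` and `threshold-file` keys, failed rules are logged, and the ruleset is discarded only when `fail_on_ruleset_error` is set. The status strings, the error-line heuristic, and the example policy path are assumptions made for this illustration.

```python
"""Test a generated Suricata ruleset with a locally installed Suricata.

Added example mirroring the behaviour described on this page; it is not
Corelight-update's implementation. Status strings and the error-line
heuristic are assumptions.
"""
import logging
import os
import re
import shutil
import subprocess
import tempfile

log = logging.getLogger("ruleset-test")

# The suricata.yaml keys (Suricata's own) that point at the other three files.
CONFIG_OVERRIDES = {
    "classification.config": "classification-file",
    "reference.config": "reference-config-file",
    "threshold.config": "threshold-file",
}


def build_test_command(rules_path, config_dir, log_dir, suricata_bin="suricata"):
    """Assemble `suricata -T` so the policy's config files are used when present."""
    cmd = [suricata_bin, "-T", "--init-errors-fatal", "-S", rules_path, "-l", log_dir]
    yaml_path = os.path.join(config_dir, "suricata.yaml")
    if os.path.isfile(yaml_path):
        cmd += ["-c", yaml_path]
    for filename, key in CONFIG_OVERRIDES.items():
        path = os.path.join(config_dir, filename)
        if os.path.isfile(path):
            cmd += ["--set", f"{key}={path}"]
    return cmd


def check_ruleset(rules_path, config_dir, suricata_bin="suricata", fail_on_ruleset_error=False):
    """Return 'skipped', 'ok', 'errors-logged' or 'discarded' (example statuses)."""
    if shutil.which(suricata_bin) is None:
        # Mirrors the page: no Suricata on the host means log it and carry on.
        log.warning("Suricata not available; ruleset %s was not tested", rules_path)
        return "skipped"
    with tempfile.TemporaryDirectory() as log_dir:
        cmd = build_test_command(rules_path, config_dir, log_dir, suricata_bin)
        proc = subprocess.run(cmd, capture_output=True, text=True)
    # Heuristic: surface the lines Suricata printed about failing signatures.
    failed = [l for l in (proc.stdout + proc.stderr).splitlines()
              if re.search(r"\b[Ee]rror\b", l)]
    for l in failed:
        log.error("rule test: %s", l)
    if proc.returncode == 0 and not failed:
        return "ok"
    if fail_on_ruleset_error:
        log.error("discarding ruleset %s after %d failed-rule lines", rules_path, len(failed))
        return "discarded"
    return "errors-logged"                          # default: log failures, keep processing


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    # Example policy path following the page's /etc/corelight-update/configs/<policy>/ layout.
    status = check_ruleset("/tmp/example-policy.rules",
                           "/etc/corelight-update/configs/example-policy",
                           fail_on_ruleset_error=True)
    print(f"ruleset test result: {status}")
```

Because `-S` loads the given file exclusively and `--init-errors-fatal` makes Suricata exit non-zero on a signature that fails to parse, the exit code alone is enough to decide whether the ruleset passed; the captured error lines are what an operator would want in the log before a ruleset is discarded.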
Tip
It is recommended to use the same version of Suricata for testing that will be used in production. Testing with the Corelight version of Suricata can be accomplished by installing the Corelight Softsensor (without a license) on the same host running Corelight-update.
Corelight-update and Software Sensor use the same package repository so the installation only requires a single command. See Software Sensor Online Installation for details.