Suricata configuration

In addition to downloading Suricata rulesets from multiple sources, Corelight-update can optimize the combined ruleset. It does this in two optional steps: applying Corelight-recommended changes to the rulesets, and extracting content from Suricata rules to create Zeek Intel rules from that content.

Content is extracted only from enabled rules, and the “do_notice” flag can be set individually per rule type. This means the usual enable.conf and disable.conf files control which rules contribute data to the Zeek Intel rules. See Suricata policy settings for details.
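As an added illustration of the mechanics described above (this is not Corelight-update's code, and not the mapping it actually uses), the following Python script reads a ruleset, applies enable.conf/disable.conf entries in suricata-update syntax (a bare sid, gid:sid, or re:<regex> per line) to decide which rules count as enabled, extracts indicators only from enabled rules, and writes a Zeek Intel file with meta.do_notice set per indicator type. The sample rules and conf files are constructed; the keyword-to-indicator mapping (content on dns.query/http.host/tls.sni to Intel::DOMAIN, literal IPv4 addresses in the rule header to Intel::ADDR), the reading of "rule type" as indicator type, and the precedence of disable.conf over enable.conf are assumptions made for the example.

```python
import re
from typing import Dict, List, NamedTuple, Set

# Constructed sample ruleset for this example; sids in the 9000000 range are for local use.
SAMPLE_RULES = r'''
alert dns $HOME_NET any -> any any (msg:"EXAMPLE Lookup of malware domain"; dns.query; content:"bad.example"; nocase; classtype:trojan-activity; sid:9000001; rev:1;)
alert ip $HOME_NET any -> [203.0.113.5,198.51.100.7] any (msg:"EXAMPLE Traffic to known C2 addresses"; classtype:command-and-control; sid:9000002; rev:1;)
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE Dormant rule, commented out"; http.host; content:"dormant.example"; classtype:trojan-activity; sid:9000003; rev:1;)
alert dns $HOME_NET any -> any any (msg:"EXAMPLE Noisy lookup"; dns.query; content:"noisy.example"; classtype:policy-violation; sid:9000004; rev:1;)
'''
# Constructed enable.conf / disable.conf in suricata-update syntax: "sid", "gid:sid" or "re:<regex>" per line.
SAMPLE_ENABLE_CONF = "re:dormant\\.example   # re-enable the commented-out rule\n"
SAMPLE_DISABLE_CONF = "9000004   # drop the noisy rule by sid\n"


class Rule(NamedTuple):
    sid: int
    msg: str
    header: str    # action, protocol and addresses, before the option block
    options: str   # contents of the ( ... ) option block
    enabled: bool  # False when the rule is commented out with '#'


SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
MSG_RE = re.compile(r'msg\s*:\s*"([^"]*)"')
ACTIONS = ("alert", "drop", "reject", "pass")


def parse_rules(text: str) -> List[Rule]:
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        enabled = not line.startswith("#")
        body = line.lstrip("# ")
        if not body.startswith(ACTIONS):   # blank line or an ordinary comment
            continue
        sid = SID_RE.search(body)
        if not sid:
            continue
        msg = MSG_RE.search(body)
        header, _, options = body.partition("(")
        rules.append(Rule(int(sid.group(1)), msg.group(1) if msg else "",
                          header.strip(), options.rstrip(")").strip(), enabled))
    return rules


class Matcher(NamedTuple):
    sids: Set[int]
    patterns: List["re.Pattern"]


def parse_conf(text: str) -> Matcher:
    sids, patterns = set(), []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("re:"):
            patterns.append(re.compile(line[3:].strip()))
        else:
            sids.add(int(line.rsplit(":", 1)[-1]))   # "sid" or "gid:sid"
    return Matcher(sids, patterns)


def matches(m: Matcher, rule: Rule) -> bool:
    return rule.sid in m.sids or any(p.search(f"{rule.header} ({rule.options})") for p in m.patterns)


def apply_conf(rules: List[Rule], enable_conf: str, disable_conf: str) -> List[Rule]:
    """enable.conf turns a commented-out rule on; disable.conf turns a rule off.
    Assumption for this example: disable.conf wins when both match."""
    enable, disable = parse_conf(enable_conf), parse_conf(disable_conf)
    return [r._replace(enabled=(r.enabled or matches(enable, r)) and not matches(disable, r)) for r in rules]


DOMAIN_RE = re.compile(r'(?:dns\.query|http\.host|tls\.sni)\s*;\s*content\s*:\s*"([^"]+)"')
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


class Indicator(NamedTuple):
    indicator: str
    indicator_type: str
    sid: int
    desc: str


def extract_indicators(rules: List[Rule]) -> List[Indicator]:
    """Extract only from enabled rules. Assumed mapping: content on dns.query/http.host/tls.sni
    -> Intel::DOMAIN; literal IPv4 addresses in the rule header -> Intel::ADDR."""
    found = []
    for r in rules:
        if not r.enabled:
            continue
        found += [Indicator(d.lower(), "Intel::DOMAIN", r.sid, r.msg) for d in DOMAIN_RE.findall(r.options)]
        found += [Indicator(ip, "Intel::ADDR", r.sid, r.msg) for ip in IPV4_RE.findall(r.header)]
    return found


def to_zeek_intel(indicators: List[Indicator], do_notice: Dict[str, bool], source: str) -> str:
    """Zeek Intel framework file: tab-separated; meta.do_notice is read by policy/frameworks/intel/do_notice."""
    lines = ["#fields\tindicator\tindicator_type\tmeta.source\tmeta.desc\tmeta.do_notice"]
    for i in indicators:
        flag = "T" if do_notice.get(i.indicator_type, False) else "F"
        lines.append("\t".join([i.indicator, i.indicator_type, source, f"sid {i.sid}: {i.desc}", flag]))
    return "\n".join(lines) + "\n"


def build_sample() -> List[Indicator]:
    return extract_indicators(apply_conf(parse_rules(SAMPLE_RULES), SAMPLE_ENABLE_CONF, SAMPLE_DISABLE_CONF))


if __name__ == "__main__":
    # Assumed per-type do_notice setting: raise a notice on domain hits, stay quiet on address hits.
    print(to_zeek_intel(build_sample(), {"Intel::DOMAIN": True, "Intel::ADDR": False}, "suricata-rules"))
```

Running the script yields three enabled rules' worth of indicators: the sid 9000003 rule is commented out in the file but re-enabled by enable.conf, while sid 9000004 is disabled by disable.conf and contributes nothing, which is the control the page describes.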

Tip

No configuration is required to include local Suricata rulesets. See Locally managed sources for details.

  • Any “.rules” or “.rules.tar.gz” ruleset placed in the global-suricata folder is automatically available to all policies.

  • Any “.rules” or “.rules.tar.gz” ruleset placed in a local-suricata folder is automatically available to that policy.

Suricata configuration files

Suricata uses four configuration files when processing traffic and/or testing rules.

  • suricata.yaml

  • classification.config

  • reference.config

  • threshold.config

These configuration files can be manually placed in the policy configs folder (/etc/corelight-update/configs/<policy>/), or the policy can be configured to pull Suricata configuration files from remote sources if desired. See Remote config files.

See Using a proxy with Corelight-update for details about using a proxy to download remote sources.

Optionally, these configuration files can be pushed to the policy in Fleet Manager or directly to a sensor. See Push content settings.

Warning

Suricata configuration files are not pushed to Software Sensor v1.x.

Disabled rules

By default, disabled rules are not written to the final Suricata ruleset. If desired, disabled rules can be included in the ruleset file by setting write_disabled_rules: true in the Suricata policy settings.

Ruleset testing

By default, Corelight-update tests the ruleset with Suricata if a Suricata binary is available on the host running Corelight-update. If Suricata is not available, Corelight-update logs that the ruleset was not tested and continues.

If the ruleset is tested and one or more rules fail the test, the details of the failed rules are logged and processing continues with the ruleset. Optionally, Corelight-update can be configured to discard a failed ruleset instead, after the failed rules have been logged, by setting fail_on_ruleset_error: true in the Suricata policy settings.

If any of the Suricata configuration files are placed in the policy configs folder, or pulled from a remote location, they are used automatically when testing the Suricata ruleset.

Tip

It is recommended to use the same version of Suricata for testing that will be used in production. To test with Corelight's build of Suricata, install the Corelight Software Sensor (without a license) on the same host that runs Corelight-update.

Corelight-update and Software Sensor use the same package repository so the installation only requires a single command. See Software Sensor Online Installation for details.

See the following sections for more details: