Order of operations
The order of operations for every interval starts with:
1. Read the global policy configuration and each individual policy configuration.
2. Process the global tasks.
3. Process each policy and push content for that policy.
Process global tasks
See Global configuration and policy settings for configuration options.
1. Process enabled integrations.
2. Download remote Suricata config files and store them in /etc/corelight-update/global/.
3. Download new content and update the Global Source Cache.
4. Remove content from the global cache for sources that are no longer configured.
Process policy tasks
See Policy configuration and settings for configuration options.
1. Copy local Suricata rulesets from /etc/corelight-update/configs/<policy>/local-suricata/ to the working directory.
2. Copy global Suricata rulesets from /etc/corelight-update/global/global-suricata/ to the working directory.
3. Copy local intel files from /etc/corelight-update/configs/<policy>/local-intel/ to the working directory.
4. Copy global intel files from /etc/corelight-update/global/global-intel/ to the working directory.
5. Remove content from the policy cache for sources that are no longer configured.
6. Download new content from policy sources.
7. Add default Input files to /etc/corelight-update/configs/<policy>/local-input/ (if enabled; only runs once).
8. Process enabled integrations based on their intervals. See Third-party integrations settings.
9. Process Input files and update the statefile.
10. Process Suricata rulesets:
    a. Collect ruleset files:
       - Collect new source content and copy it to the Suricata working directory:
         - Check the global cache first.
         - If not in the global cache, download new content directly and update the policy-level cache.
       - Check for global .rules or .rules.tar.gz files in /etc/corelight-update/global/global-suricata/ and extract/copy them to the Suricata working directory.
       - Check for local .rules or .rules.tar.gz files in /etc/corelight-update/configs/<policy>/local-suricata/ and extract/copy them to the Suricata working directory.
    b. Merge all of the rulesets into a single ruleset, ignoring any ruleset file identified with File filters in the following:
       - Corelight recommended disable.conf (if enabled)
       - global disable.conf (if it exists)
       - policy disable.conf (if it exists)
    c. If enabled, process the Corelight recommended disable.conf, enable.conf and modify.conf files, in that order.
    d. If they exist, process the global disable.conf, enable.conf and modify.conf files, in that order.
    e. If they exist, process the policy disable.conf, enable.conf and modify.conf files, in that order.
    f. If enabled, extract selected atomic rules from the Suricata ruleset and generate a Zeek Intel file.
    g. If enabled and Suricata is installed on the same host, test the new ruleset with Suricata in test mode (see Suricata configuration for details).
    h. Publish the new Suricata ruleset: suricata.rules.
11. Process Intel files:
    a. Check for global .dat files in /etc/corelight-update/global/global-intel/ and copy them to the intel working directory.
    b. Check for local .dat files in /etc/corelight-update/configs/<policy>/local-intel/ and copy them to the intel working directory.
    c. Merge all of the global, local and integration intel files into a single file.
    d. Publish the new intel file: intel.dat.
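The ruleset merge and the layered disable.conf/enable.conf/modify.conf processing described above, as an added Python example that is not part of corelight-update's own code. It assumes entry formats the page does not specify (one bare SID or an re:<regex> per line in disable.conf and enable.conf, and <sid> "<from>" "<to>" in modify.conf, as suricata-update uses); the rule text, file names and layer contents are constructed.

```python
import re
# Constructed sample rulesets with placeholder SIDs, standing in for the Suricata working directory.
RULESETS = {
    "emerging-chat.rules": ['alert tcp any any -> any any (msg:"CONSTRUCTED chat"; sid:1000001; rev:1;)'],
    "emerging-web.rules": ['alert tcp any any -> any any (msg:"CONSTRUCTED noisy"; sid:1000002; rev:1;)',
                           'alert tcp any any -> any any (msg:"CONSTRUCTED web"; sid:1000003; rev:1;)'],
    "filtered-out.rules": ['alert tcp any any -> any any (msg:"CONSTRUCTED skipped"; sid:1000004; rev:1;)'],
}
SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")

def sid_of(rule):
    m = SID_RE.search(rule)
    return int(m.group(1)) if m else None

def matches(rule, entry):
    """disable.conf / enable.conf entry: a bare SID or 're:<regex>' (assumed suricata-update style)."""
    if entry.startswith("re:"):
        return re.search(entry[3:], rule) is not None
    return sid_of(rule) == int(entry)

def merge_rulesets(rulesets, file_filters):
    """Merge every ruleset file into one list, skipping the files named by File filters."""
    return [r for name, lines in rulesets.items() if name not in file_filters for r in lines]

def apply_layer(rules, disable=(), enable=(), modify=()):
    """One layer: disable.conf, then enable.conf, then modify.conf. Disabled rules stay as '# ' comments."""
    out = []
    for rule in rules:
        disabled = rule.startswith("# ")
        body = rule[2:] if disabled else rule
        if any(matches(body, e) for e in disable):
            disabled = True
        if any(matches(body, e) for e in enable):   # enable.conf can undo an earlier disable
            disabled = False
        for sid, old, new in modify:                # modify.conf entry: (sid, from-regex, replacement)
            if sid_of(body) == sid:
                body = re.sub(old, new, body)
        out.append("# " + body if disabled else body)
    return out

def build_ruleset(rulesets, file_filters, layers):
    """Apply the layers in the page's order: Corelight recommended, then global, then policy."""
    rules = merge_rulesets(rulesets, file_filters)
    for layer in layers:
        rules = apply_layer(rules, **layer)
    return rules

LAYERS = [  # constructed contents; the policy layer is processed last, so its enable.conf wins
    {"disable": ["1000002"]},                                            # Corelight recommended
    {"disable": ["re:chat"], "modify": [(1000003, r"^alert", "drop")]},  # global
    {"enable": ["1000002"]},                                             # policy
]
```

Because the policy layer runs last, its enable.conf re-enables a rule that the Corelight recommended disable.conf turned off; when a rule you expected to be disabled is still live in the published suricata.rules, check the policy-level files first.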
Push content for policies
Tip
By default, Corelight-update only attempts to push new content to sensors. However, you can manually force a push of all existing content to a group of sensors with the CLI commands
1. Push new Intel files.
2. Push new Suricata ruleset.
3. Push new Zeek Package bundle.
4. Push new Input files.