Another IDS rule downloader - rulecat

May 27, 2015

I didn't mean to do it, but I created yet another tool to download IDS rules, with a specific focus on Suricata. Like some other people, I've always used my own scripts for downloading rules instead of using existing tools, and I finally pulled some of that together and dropped it into my idstools project.

Installation

With pip (as it's written in Python):

pip install idstools

From source: download https://github.com/jasonish/py-idstools/releases/download/0.5.0/idstools-0.5.0.tar.gz, where idstools-rulecat can be run from the exploded tarball without installing (this also works with a git clone).

Usage

Probably the simplest usage, assuming you already have Suricata installed, is something like:

idstools-rulecat --rules-dir /etc/suricata/rules

This will download the ET Open rules for your version of Suricata and drop them in /etc/suricata/rules. Other useful output options include:

Of course you can also disable, enable and modify rules. To get sample configuration files for doing so, run:

idstools-rulecat --dump-sample-configs

which will drop the following files into your current directory:

As with many Python programs using the argparse module, a configuration file can be created by dropping command line arguments in a file and calling idstools-rulecat like:

idstools-rulecat @/path/to/rulecat.conf

For example, I use a rulecat.conf like:

--suricata=/usr/bin/suricata
--merged=rules/merged.rules
--disable=disable.conf
--enable=enable.conf
--modify=modify.conf
--threshold-in=threshold.in
--threshold-out=etc/threshold.config
--post-hook=sudo kill -USR2 $(cat /var/run/suricata.pid)
--etpro=ETPRO_CODE

Note the --etpro option, which will download ET Pro rules instead of the ET Open rules. For full usage, head over to http://idstools.readthedocs.org/en/latest/tools/rulecat.html. This is a work in progress and is primarily being developed to satisfy my needs, but perhaps it will be useful to others as well.
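How the @file configuration behaves, as an added example that is not code from idstools: argparse's fromfile_prefix_chars reads one argument per line, which is why the --post-hook line above needs no quoting. The parser is a stand-in limited to option names from this post, the config text is constructed, and the permission check is an added suggestion because the file holds the ET Pro code.

```python
import argparse
import os
import stat
import tempfile

# Constructed sample config, using option names from the post.
SAMPLE_CONF = """\
--suricata=/usr/bin/suricata
--merged=rules/merged.rules
--post-hook=sudo kill -USR2 $(cat /var/run/suricata.pid)
--etpro=ETPRO_CODE
"""

def build_parser():
    # Stand-in parser (hypothetical, not rulecat's own).
    # fromfile_prefix_chars is what makes "@/path/to/file" arguments work.
    parser = argparse.ArgumentParser(fromfile_prefix_chars="@")
    for opt in ("--suricata", "--merged", "--post-hook", "--etpro"):
        parser.add_argument(opt)
    return parser

def secret_exposed(path, args):
    """True if the config carries an ET Pro code and group/other have any access."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return args.etpro is not None and bool(mode & 0o077)

def demo():
    fd, path = tempfile.mkstemp(suffix=".conf")
    try:
        with os.fdopen(fd, "w") as f:
            f.write(SAMPLE_CONF)
        os.chmod(path, 0o644)                 # typical default: readable by others
        # Each line of the file becomes exactly one argument, spaces included.
        args = build_parser().parse_args(["@" + path])
        loose = secret_exposed(path, args)
        os.chmod(path, 0o600)                 # owner-only
        tight = secret_exposed(path, args)
        return args, loose, tight
    finally:
        os.unlink(path)

if __name__ == "__main__":
    args, loose, tight = demo()
    print("post-hook:", args.post_hook)
    print("exposed at 0644:", loose, "| exposed at 0600:", tight)
```

A blank line in the file would be passed to argparse as an empty argument, so keep the config free of empty lines.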