May 27, 2015
I didn't mean to do it, but I created yet another tool to download IDS rules, with a specific focus on Suricata. Like some other people, I've always used my own scripts for downloading rules instead of using existing tools, and I finally pulled some of that together and dropped it into my idstools project.
With pip (as it's written in Python):
pip install idstools
From source: https://github.com/jasonish/py-idstools/releases/download/0.5.0/idstools-0.5.0.tar.gz, where idstools-rulecat can be run from the unpacked tarball without installing (this also works from a git clone).
Probably the simplest usage, assuming you already have Suricata installed, is something like:
idstools-rulecat --rules-dir /etc/suricata/rules
This will download the ET Open rules for your version of Suricata and drop them in /etc/suricata/rules. Other useful output options include:
Of course you can also disable, enable and modify rules. To get sample configuration files for doing so, run:
idstools-rulecat --dump-sample-configs
which will drop the following files into your current directory:
As with many Python programs using the argparse module, a configuration file can be created by dropping command line arguments in a file and calling idstools-rulecat like:
idstools-rulecat @/path/to/rulecat.conf
For example, I use a rulecat.conf like:
--suricata=/usr/bin/suricata
--merged=rules/merged.rules
--disable=disable.conf
--enable=enable.conf
--modify=modify.conf
--threshold-in=threshold.in
--threshold-out=etc/threshold.config
--post-hook=sudo kill -USR2 $(cat /var/run/suricata.pid)
--etpro=ETPRO_CODE
Note the --etpro option, which will download the ET Pro rules instead of the ET Open rules. For full usage, head over to http://idstools.readthedocs.org/en/latest/tools/rulecat.html. This is a work in progress and is primarily being developed to satisfy my needs, but perhaps it will be useful to others as well.
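To show what argparse actually does with a file like the rulecat.conf above, here is an added example (not code from the post or from idstools): a cut-down stand-in parser with a few of rulecat's option names, fed a constructed config through the @file convention. The key detail is that argparse treats each line of the file as exactly one argument, which is why values are attached with "=" and why a post-hook line containing spaces and $(...) survives intact.

```python
import argparse
import os
import tempfile

# Constructed sample mirroring the rulecat.conf shown in the post. Each line
# is one argument to argparse, so values are attached with "=" not a space.
SAMPLE_CONF = """\
--suricata=/usr/bin/suricata
--merged=rules/merged.rules
--disable=disable.conf
--enable=enable.conf
--modify=modify.conf
--post-hook=sudo kill -USR2 $(cat /var/run/suricata.pid)
"""


def build_parser():
    # Simplified stand-in for idstools-rulecat's parser (an assumption, not
    # the project's own code); fromfile_prefix_chars enables "@file" args.
    parser = argparse.ArgumentParser(fromfile_prefix_chars="@")
    for name in ("--suricata", "--merged", "--disable", "--enable",
                 "--modify", "--post-hook", "--etpro"):
        parser.add_argument(name)
    return parser


def parse_with_config(conf_text, extra_args=()):
    """Write conf_text to a temp file and parse it via the @file convention.

    extra_args stand in for options typed on the real command line; argparse
    applies them after the file's contents, so they override the config.
    """
    with tempfile.NamedTemporaryFile("w", suffix=".conf", delete=False) as fh:
        fh.write(conf_text)
        path = fh.name
    try:
        return build_parser().parse_args(["@" + path, *extra_args])
    finally:
        os.unlink(path)


if __name__ == "__main__":
    ns = parse_with_config(SAMPLE_CONF, ["--etpro=ETPRO_CODE_PLACEHOLDER"])
    # The whole post-hook line, spaces and all, arrives as a single value.
    print(ns.post_hook)
```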