Another IDS rule downloader - rulecat

May 27 2015

I didn't mean to do it, but I created yet another tool to download IDS rules, with a specific focus on Suricata. Like some other people, I've always used my own scripts for downloading rules instead of using existing tools, and I finally pulled some of that together and dropped it into my idstools project.


With pip (as it's written in Python):

pip install idstools

From source, where idstools-rulecat can be run from the exploded tarball without installing (also works with a git clone).


Probably the simplest usage, assuming you already have Suricata installed, is something like:

idstools-rulecat --rules-dir /etc/suricata/rules

This will download the ET Open rules for your version of Suricata and drop them in /etc/suricata/rules. Other useful output options include:

Of course you can also disable, enable and modify rules. To get sample configuration files for doing so, run:

idstools-rulecat --dump-sample-configs

which will drop the following files into your current directory:

As with many Python programs using the argparse module, a configuration file can be created by dropping command line arguments in a file and calling idstools-rulecat like:

idstools-rulecat @/path/to/rulecat.conf

For example, I use a rulecat.conf like:

--post-hook=sudo kill -USR2 $(cat /var/run/

Note the --etpro, which will download ET Pro rules instead of the ET Open rules. For full usage, head over to

This is a work in progress, and is primarily being developed to satisfy my needs; perhaps it will be useful to others as well.
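How argparse handles an @file like the rulecat.conf above, as an added example that is not idstools code: each line becomes exactly one argument, so a --post-hook value with spaces and $(...) arrives intact and unexpanded. Because that file can carry a command, the sketch also refuses to load it when other users could write to it. The parser is a stand-in using two option names from this post; the pidfile path, the function names and the permission policy are assumptions.

```python
import argparse
import os
import stat
import tempfile

def build_parser():
    # Stand-in parser, NOT idstools-rulecat's own; option names taken from the post.
    parser = argparse.ArgumentParser(prog="rulecat-demo", fromfile_prefix_chars="@")
    parser.add_argument("--rules-dir")
    parser.add_argument("--post-hook")
    return parser

def unsafe_perms(path):
    """Return the reasons an args file should not be trusted (empty list = ok)."""
    st = os.stat(path)
    problems = []
    if st.st_mode & stat.S_IWGRP:
        problems.append("group-writable")
    if st.st_mode & stat.S_IWOTH:
        problems.append("world-writable")
    if st.st_uid not in (0, os.geteuid()):
        problems.append("owned by another user")
    return problems

def load(path):
    # Check the file before argparse reads it: it may contain --post-hook.
    problems = unsafe_perms(path)
    if problems:
        raise PermissionError(f"{path}: {', '.join(problems)}")
    return build_parser().parse_args(["@" + path])

def demo():
    # Constructed sample config; /path/to/pidfile is a placeholder.
    text = ("--rules-dir=/etc/suricata/rules\n"
            "--post-hook=sudo kill -USR2 $(cat /path/to/pidfile)\n")
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "rulecat.conf")
        with open(path, "w") as f:
            f.write(text)
        os.chmod(path, 0o600)
        args = load(path)               # accepted: only the owner can write
        os.chmod(path, 0o666)
        rejected = unsafe_perms(path)   # same file, now writable by anyone
    return args, rejected

if __name__ == "__main__":
    args, rejected = demo()
    print(args.rules_dir, repr(args.post_hook), rejected)
```

Blank lines in such a file are passed to argparse as empty arguments and rejected, so the file should hold one option per line and nothing else.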