Add your own suricata rules to PiRogue
This is a friendly contribution written by evilcel3ri, security researcher and developer for Pithus. Follow him on Twitter!
You need:
- SSH access to your PiRogue
- Basic GitHub knowledge
- Optional: your Oinkcode, if you want access to ET PRO
The easiest way to manage your Suricata rules is to keep them in a GitHub repository or in a web directory that suricata-update can fetch. Adding rules directly on the PiRogue by hand is not recommended: suricata-update regenerates the merged rule file on every update, so manual edits there get overwritten.
Write your rules according to Suricata's documentation. Bear in mind that the rules you want to write are alert rules. Publish them in a GitHub repository (or a web directory) that your PiRogue can reach. For GitHub, use the raw file URL (raw.githubusercontent.com), because suricata-update downloads the URL as a plain rules file; the HTML page of the file will not parse as rules.
Once connected to your PiRogue, add your new source with suricata-update, run an update so that the rules are downloaded and merged, and then reload Suricata. Your rules are then taken into account 🙂
Example with the abuse.ch SSL blocklist
The abuse.ch SSL blocklist is already listed in the suricata-update source index, so instead of adding a URL you enable it by name and then run an update.
Add an already published rule set such as ET Pro
While connected to your PiRogue, enable the rule set from the suricata-update source index, enter your Oinkcode when prompted, and finally run an update.
In both cases, the PiRogue fetches the new version of your rules on a daily basis.
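The three procedures above (a custom rules file hosted on GitHub, the abuse.ch SSL blocklist, and ET Pro) collected into one POSIX shell script, as an added example that is not PiRogue's or suricata-update's own code. It adds the check a practitioner wants before pushing rules to the repository: every line must be an alert rule ending in ";)", with a unique sid in the local range 1000000-1999999, since a malformed or duplicate rule makes Suricata reject the whole rule set. The source name "my-rules", the raw GitHub URL, the systemd unit name "suricata", and the "secret-code=" command-line form of the Oinkcode prompt are assumptions; if your suricata-update version does not accept the parameter, drop it and answer the prompt interactively.

```shell
#!/bin/sh
# Added example for this page, not PiRogue's or suricata-update's own code.
# Assumptions: "my-rules", the raw GitHub URL, the unit name "suricata" and
# the "secret-code=" parameter form are placeholders / assumed spellings.

# check_rule_file FILE: exit 0 only if every non-comment line is an alert
# rule, ends with ";)", carries a sid in the local range 1000000-1999999,
# and no sid is used twice. suricata-update fetches whatever is in the file.
check_rule_file() {
    file="$1"; status=0; n=0; seen=" "
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case "$line" in
            ''|'#'*) continue ;;                  # blank line or comment
            'alert '*) ;;                         # the action we want
            *) echo "$file:$n: action is not alert" >&2; status=1; continue ;;
        esac
        case "$line" in
            *';)') ;;
            *) echo "$file:$n: rule does not end with ';)'" >&2; status=1 ;;
        esac
        sid=$(printf '%s\n' "$line" | sed -n 's/.*sid:[[:space:]]*\([0-9][0-9]*\).*/\1/p')
        if [ -z "$sid" ]; then
            echo "$file:$n: missing sid" >&2; status=1; continue
        fi
        if [ "$sid" -lt 1000000 ] || [ "$sid" -gt 1999999 ]; then
            echo "$file:$n: sid $sid is outside the local range 1000000-1999999" >&2; status=1
        fi
        case "$seen" in
            *" $sid "*) echo "$file:$n: duplicate sid $sid" >&2; status=1 ;;
        esac
        seen="$seen$sid "
    done < "$file"
    return "$status"
}

# register_custom_source NAME URL: the custom-repository procedure.
# add-source records the URL, the plain update downloads every enabled
# source and regenerates the merged rule file, the restart makes Suricata
# read it (assumed unit name "suricata").
register_custom_source() {
    sudo suricata-update add-source "$1" "$2" &&
    sudo suricata-update &&
    sudo systemctl restart suricata
}

# enable_index_source NAME [PARAM=VALUE]: a rule set already known to the
# suricata-update index, e.g. sslbl/ssl-fp-blacklist or et/pro. The index
# is refreshed first so the name is looked up against a current list.
enable_index_source() {
    sudo suricata-update update-sources &&
    sudo suricata-update enable-source "$@" &&
    sudo suricata-update &&
    sudo systemctl restart suricata
}

case "${1:-}" in
    custom)
        # usage: sh rules.sh custom my.rules my-rules https://raw.githubusercontent.com/<user>/<repo>/main/my.rules
        check_rule_file "$2" && register_custom_source "$3" "$4" ;;
    sslbl)
        enable_index_source sslbl/ssl-fp-blacklist ;;
    etpro)
        # usage: OINKCODE=<your Oinkcode> sh rules.sh etpro  (assumed parameter form)
        enable_index_source et/pro "secret-code=${OINKCODE:?set OINKCODE}" ;;
    '') ;;   # no argument: only define the functions
    *) echo "usage: $0 custom FILE NAME URL | sslbl | etpro" >&2; exit 2 ;;
esac
# To confirm what the PiRogue will now fetch daily:
#   sudo suricata-update list-enabled-sources
```

Run the linter on its own (check_rule_file my.rules) before every push; the other two functions need sudo and a PiRogue with suricata-update installed, and the final list-enabled-sources call is how you confirm that the source you added or enabled is really in the daily update.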