Add your own suricata rules to PiRogue
This is a friendly contribution written by evilcel3ri, security researcher also developer for Pithus. Follow him on Twitter!
Add your own suricata rules to PiRogue
You need:
- SSH access to your PiRogue
- Github knowledge
- Optional: if you want access to ET PRO you would need your Oink code
The easiest way to manage your Suricata rules is to have them on a Github repository or on a Web directory that can be checked out by suricata-update
. Manually adding rules directly to the PiRogue is not recommended as it might get overwritten by an update.
Write your rules according to Suricata’s documentation. Bare in mind, the rules you want to write are alert ones. Set them up on a Github repository (or a Web directory) that can be reached by your PiRogue.
After being connected to your PiRogue.
Add your new source in this fashion:
sudo suricata-update add-source YOUR_NAME URL_TO_THE_DOT_RULES
Run
sudo suricata-update
and then
sudo suricatasc -c reload-rules
and your rules must be updated and taken into account 🙂
Example with Abuse.ch SSL blocklist
If you want to add the Abuse.ch SSL blocklist, run the following commands:
sudo suricata-update add-source SSLBL https://sslbl.abuse.ch/blacklist/sslblacklist.rules
sudo suricata-update
sudo suricatasc -c reload-rules
Add an already published rule set such as ET Pro
While connected to your PiRogue: Run
sudo suricata-update enable-source et/pro
insert your oink-code
when prompted and finally run
sudo suricata-update
sudo suricatasc -c reload-rules
In both cases, the PiRogue will grab the new version of your rules on a daily basis.