
enhancements for suricata update #723

@mmguero

Description

@mmguero

This is prompted by a question in the Q&A forum by @y0d4a that got me looking at this and realizing it's pretty lacking how we handle it in Malcolm.

We need to handle customization to suricata rule updates a lot better. At the moment we don't really do anything other than a few variables in ./config/suricata.env that allow you to turn rule updates on/off, and turn the ET Open ruleset on/off.

Some of the things we ought to support (preferably via environment variable):

  • specifying custom sources for update.yaml, including secret codes/"oinkcodes" for Pro/paid sources
  • customizing the update time period maybe
  • customizing pretty much anything else you'd want to customize in update.yaml
  • Make sure that either these pulled rules are persisted across restarts in a volume, or make sure they get pulled on startup
  • ??? (we need to just grok suricata updates better and make decisions based on what's available)

Right now there are a few things that are done that need to be examined:

  • this suricata-update-rules.sh script is executed via supercronic every six hours. However, note that this is only executed in the Suricata Docker container, NOT on hedgehog linux! So we need to standardize that, probably, as well as make sure that it's done consistently between the suricata and suricata-live containers (could it be done by just one of them and then the rules directory shared? or is there some other better way? or just have it executed in both of them even though that's sort of redundant?)
  • we have this suricata_update_config_populate.py script that is unfinished and actually never called/used anywhere. I think that probably it is intended to be the equivalent to suricata_config_populate.py only for update.yaml instead of suricata.yaml. This is probably the script we need to fill in to generate what needs to go into update.yaml based on the environment variables, prior to running suricata-update.
  • as mentioned above there's all sorts of stuff going on on hedgehog linux dealing with suricata rules updates that we should standardize across hedgehog linux and malcolm so we are sharing the same logic (probably something that looks like suricata-update-rules.sh and whatever we put in suricata_update_config_populate.py and just use it consistently across both platforms).

I don't really know everything (anything) about suricata-update, so part of the work for this feature is figuring out what we don't know and doing the right thing to make this feature better.
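As an added illustration of the kind of generator the issue is asking for, the script below (example code written for this page, not Malcolm's suricata_update_config_populate.py and not part of the project) turns a handful of environment variables into a suricata-update configuration. The variable names SURICATA_UPDATE_SOURCES, SURICATA_UPDATE_SECRET_CODES and SURICATA_UPDATE_IGNORE are assumptions, not existing Malcolm settings. The design choice it demonstrates: direct URLs go into the `sources:` list of update.yaml (a documented key), while named index sources such as et/open or et/pro are enabled with the documented `suricata-update enable-source NAME [secret-code=...]` command, so a paid oinkcode never lands in a config file that might get committed or baked into an image, and the command is redacted before it is logged.

```python
#!/usr/bin/env python3
"""Generate a suricata-update configuration from environment variables.

Added example for the discussion above; NOT Malcolm's own script. The
environment variable names used here are assumptions, not real settings.
"""
import os
import re
import subprocess
import sys
from typing import Dict, List, Optional, Tuple

# Named index sources look like "vendor/name" (e.g. et/open, et/pro);
# anything that is an http(s) URL is treated as a direct rules download.
INDEX_SOURCE_RE = re.compile(r"^[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+$")


def parse_list(value: Optional[str]) -> List[str]:
    """Split a comma-separated env var, dropping blanks and whitespace."""
    return [item.strip() for item in (value or "").split(",") if item.strip()]


def parse_secret_codes(value: Optional[str]) -> Dict[str, str]:
    """Parse 'et/pro=abc123;vendor/x=def456' into {'et/pro': 'abc123', ...}.

    Malformed entries are rejected without echoing them, since the bad
    entry may well be the secret itself.
    """
    codes: Dict[str, str] = {}
    for pair in (value or "").split(";"):
        pair = pair.strip()
        if not pair:
            continue
        if "=" not in pair:
            raise ValueError("malformed secret-code entry (expected source=code)")
        name, code = pair.split("=", 1)
        if not name.strip() or not code.strip():
            raise ValueError("malformed secret-code entry (empty source or code)")
        codes[name.strip()] = code.strip()
    return codes


def yaml_quote(text: str) -> str:
    """Emit a double-quoted YAML scalar so URLs/globs survive verbatim."""
    return '"' + text.replace("\\", "\\\\").replace('"', '\\"') + '"'


def render_update_yaml(url_sources: List[str], ignore: List[str],
                       conf_dir: str = "/etc/suricata") -> str:
    """Render update.yaml. Only URLs appear here; no secrets ever do."""
    lines = ["# generated from environment variables; do not edit by hand"]
    for key in ("disable", "enable", "drop", "modify"):
        lines.append(f"{key}-conf: {yaml_quote(f'{conf_dir}/{key}.conf')}")
    lines.append("sources:")
    lines.extend(f"  - {yaml_quote(url)}" for url in url_sources)
    if ignore:
        lines.append("ignore:")
        lines.extend(f"  - {yaml_quote(pattern)}" for pattern in ignore)
    return "\n".join(lines) + "\n"


def build_enable_source_argv(name: str, secret: Optional[str] = None) -> List[str]:
    """argv for the documented 'suricata-update enable-source' subcommand."""
    argv = ["suricata-update", "enable-source", name]
    if secret:
        argv.append(f"secret-code={secret}")
    return argv


def redact_argv(argv: List[str]) -> List[str]:
    """Mask the oinkcode before the command is logged anywhere."""
    return [re.sub(r"^(secret-code=).*$", r"\1<redacted>", arg) for arg in argv]


def plan_from_env(env: Dict[str, str]) -> Tuple[str, List[List[str]]]:
    """Return (update.yaml text, list of enable-source argv lists)."""
    sources = parse_list(env.get("SURICATA_UPDATE_SOURCES"))
    codes = parse_secret_codes(env.get("SURICATA_UPDATE_SECRET_CODES"))
    ignore = parse_list(env.get("SURICATA_UPDATE_IGNORE"))
    urls: List[str] = []
    commands: List[List[str]] = []
    for src in sources:
        if INDEX_SOURCE_RE.match(src):
            commands.append(build_enable_source_argv(src, codes.get(src)))
        elif src.startswith(("http://", "https://")):
            urls.append(src)
        else:
            raise ValueError(f"unrecognised source (not vendor/name or URL): {src!r}")
    orphaned = sorted(set(codes) - set(sources))
    if orphaned:  # a secret for a source that is not enabled is almost certainly a typo
        raise ValueError(f"secret codes given for sources not enabled: {orphaned}")
    return render_update_yaml(urls, ignore), commands


def main(argv: List[str]) -> int:
    """Write update.yaml (path as first arg) and print the redacted plan.

    Pass --run as the second argument to actually execute the enable-source
    commands; by default they are only printed.
    """
    out_path = argv[1] if len(argv) > 1 else "update.yaml"
    yaml_text, commands = plan_from_env(dict(os.environ))
    with open(out_path, "w", encoding="utf-8") as fh:
        fh.write(yaml_text)
    for cmd in commands:
        print("would run:" if "--run" not in argv else "running:", " ".join(redact_argv(cmd)))
        if "--run" in argv:
            subprocess.run(cmd, check=True)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The split matters operationally: enable-source stores its state under suricata-update's data directory, so that directory (and the pulled rules) is exactly what needs to live in a persisted volume or be re-run at container start, as the issue's fourth bullet asks.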

Metadata


Assignees

No one assigned

Labels

enhancement (New feature or request), suricata (Relating to Malcolm's use of Suricata)

Projects

Status: Todo

Relationships

None yet

Development

No branches or pull requests
