Backup IPS Rule Selection

Hello,

After spending a lot of time to tune the rules selected in the ET Community suricata ruleset, how can I extract/backup the selection so I can replicate it on another device etc.

Hi @knightian

They are saved in your backup. If you don’t want to restore the whole backup to other machines then you can extract the required file from the backup. It is in the backup at

/var/ipfire/suricata/suricata-used-rulefiles.yaml

The file is headed up with

#Autogenerated file. Any custom changes will be overwritten!

So you must test on a non production system to make sure that it works on its own.

Probably worth reading the code that executes the restore to see what it does with the backup files and the ips code to see what it does with those files. You might need to take additional actions to make it update your WUI page rather than the WUI page updating the files.

Thanks @bonnietwin

That seems to list the categories I enable, however under each category I enable/disable individual rules, do you know which file those are stored in? Cheers

No I don’t. I just found the file I did by opening up one of my backups and looking at the suricata directory and looking in the files.

Just had another quick look in the backup file after coming back from a long walk with my dog.

/var/lib/suricata/

has all the rulesets as individual files. eg

emerging-dns.rules

is an example.

In my setup I have this selected. Looking in this file I see that the subrules are uncommented that I have selected and those not selected stay commented. Any of the other rules not selected in the WUI have all the subrules in their rules file commented out.

There is also a tmp directory in the backup that contains the idsrules.tar.gz file.

Hello knightian,

the files which contain the user enabled/disabled rules are the following:

/var/ipfire/suricata/oinkmaster-enabled-sids.conf
/var/ipfire/suricata/oinkmaster-disabled-sids.conf

If you copy these two files to another installation you can easily replicate the same ruleset on that machine.

Best regards,

-Stefan

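An added example, not code from the thread or from IPFire itself: before copying the two files above to another installation, a small check that every SID they list actually exists in that machine's ruleset files and that no SID appears in both. It assumes the oinkmaster `enablesid`/`disablesid` line syntax for the two files and standard Suricata rules carrying a `sid:N;` option; the sample file contents are constructed.

```python
"""Sanity-check IPS rule-selection files before copying them to another box.

Assumptions (not from the thread): the two files use oinkmaster's
'enablesid <sid>[, <sid>...]' / 'disablesid ...' syntax, and the ruleset
files are Suricata rules with a 'sid:<n>;' option, commented out with '#'.
"""
import re

SID_LINE = re.compile(r"^\s*(enablesid|disablesid)\s+(.+?)\s*$", re.I)
SID_OPT = re.compile(r"\bsid\s*:\s*(\d+)\s*;")


def parse_sid_file(text):
    """Return the set of SIDs listed in an enablesid/disablesid file."""
    sids = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0]          # drop trailing comments
        m = SID_LINE.match(line)
        if not m:
            continue
        for tok in m.group(2).split(","):      # oinkmaster allows "a, b, c"
            if tok.strip().isdigit():
                sids.add(int(tok))
    return sids


def rule_sids(text):
    """Map each SID in a .rules file to True if its rule line is commented out."""
    state = {}
    for line in text.splitlines():
        m = SID_OPT.search(line)
        if m:
            state[int(m.group(1))] = line.lstrip().startswith("#")
    return state


def check_selection(enabled, disabled, ruleset):
    """Report what a copied selection would do against the target ruleset."""
    return {
        "both": sorted(enabled & disabled),                       # listed twice
        "unknown": sorted((enabled | disabled) - ruleset.keys()),  # SID not on target
        "would_enable": sorted(s for s in enabled if ruleset.get(s) is True),
        "would_disable": sorted(s for s in disabled if ruleset.get(s) is False),
    }


# Constructed sample data standing in for the files named in the thread.
ENABLED_SAMPLE = "enablesid 2010937\nenablesid 2011233, 2013028\n"
DISABLED_SAMPLE = "disablesid 2013028  # deliberately also enabled above\ndisablesid 2999999\n"
RULES_SAMPLE = (
    '#alert dns $HOME_NET any -> any any (msg:"A"; sid:2010937; rev:1;)\n'
    'alert dns $HOME_NET any -> any any (msg:"B"; sid:2011233; rev:2;)\n'
    '#alert dns $HOME_NET any -> any any (msg:"C"; sid:2013028; rev:1;)\n'
)


def run_sample():
    return check_selection(parse_sid_file(ENABLED_SAMPLE),
                           parse_sid_file(DISABLED_SAMPLE), rule_sids(RULES_SAMPLE))


if __name__ == "__main__":
    print(run_sample())
```

On a real system, point the three inputs at the two `oinkmaster-*-sids.conf` files and the relevant `/var/lib/suricata/*.rules` file of the target machine; a non-empty `both` or `unknown` list is worth resolving before restoring.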

@stevee @bonnietwin

Awesome thanks guys, exactly what I needed.