Suricata Rule Updates on Corelight

We purchased a Corelight AP3000 recently to run Zeek and Suricata and send these logs to our SIEM. This was my first time running Suricata in my environment and I quickly learned that Suricata is only as good as the rules provided to it.

Downloading Suricata Rules

To download rules for Suricata, I used the Emerging Threats Open ruleset that’s built into the suricata-update tool. You can read more about the tool here: https://suricata-update.readthedocs.io/en/latest/quickstart.html#install-suricata-update. The installation is straightforward:

pip install --upgrade suricata-update

And so is running it to download the latest rules:

suricata-update --suricata-version 5.0

We’re running Suricata version 5 on our Corelight, so I gave it that parameter to ensure the rules would be compatible.

Uploading to Corelight

Uploading the rules to Corelight is easy as well using the corelight-client. You can download it from their github repository: https://github.com/corelight/corelight-client.

The installation is straightforward:

git clone https://github.com/corelight/corelight-client
cd corelight-client
sudo python3 setup.py install

Running it is easy enough, but I would recommend defining a few parameters to make the process smoother. You can name the device on the command line with the -b argument:

corelight-client -b x.x.x.x

For repeated use, store the device and credentials in ~/.corelight-client.rc instead (a corelight-client.rc in the directory you run corelight-client from also works). The file holds the password in clear text, so make it readable by your own user only (mode 0600):

vim ~/.corelight-client.rc
device=x.x.x.x
user=<username>
password=<password>

Now that you’ve downloaded Suricata rules in the previous section and have installed the corelight-client, you can upload the rules to Corelight:

corelight-client suricata ruleset upload --file=/var/lib/suricata/rules/suricata.rules --filename=suricata.rules

You can confirm this worked by logging into the Corelight appliance, navigating to Packages > Suricata and checking that the upload date is today.

Using Docker

These earlier steps are great for one-off, on-demand uploads, but I think we can take it up a notch and run them on a scheduled job. And to take it up another notch, let’s run them in a Docker container so we don’t have to dedicate a server or workstation to handle Suricata rules.

The Dockerfile

This Dockerfile is based on Ubuntu and installs the latest suricata-update and corelight-client from PyPI. It is the build configuration for the image we build in the next step, so everything we need to run lives in the image. Two things to be aware of: the COPY line bakes corelight-client.rc, password included, into an image layer, so anyone who can pull the image can read the sensor credentials (mounting the file into the container read-only at run time avoids this); and the --trusted-host flags tell pip to accept those hosts even without a valid HTTPS certificate, which you only need behind an intercepting proxy and should otherwise drop:

FROM ubuntu
LABEL Description="Corelight-Client to access Corelight API" Version="1.0"

# Install pip, suricata-update and corelight-client
# (DEBIAN_FRONTEND=noninteractive stops tzdata from prompting during the build)
RUN apt update -y && DEBIAN_FRONTEND=noninteractive apt install -y python3 python3-pip curl git

RUN pip3 install setuptools

# --trusted-host skips certificate validation for these hosts; keep it only if a proxy forces you to
RUN pip3 install --trusted-host pypi.org --trusted-host files.pythonhosted.org corelight-client

RUN pip3 install --trusted-host pypi.org --trusted-host files.pythonhosted.org --upgrade suricata-update

# copy corelight config to home directory
# the contents of this .rc file will need to be different if connecting to multiple Corelights
# (this puts the password into an image layer; see the note above)
COPY ./config/corelight-client.rc /root/.corelight-client.rc

# copy the update script from the next section so the container can actually run it
# (assumes the script sits next to the Dockerfile)
COPY ./update-ruleset-on-corelight.sh /usr/bin/update-ruleset-on-corelight.sh
RUN chmod +x /usr/bin/update-ruleset-on-corelight.sh

# create suricata directories
RUN mkdir -p /etc/suricata /var/lib/suricata/rules /var/lib/suricata/update

Script to Update Rules

To make things easy in our container, we’ll run a bash script to actually download and update the rules. This script will be update-ruleset-on-corelight.sh:

#!/usr/bin/env bash
# abort on the first failure so a failed download never leads to an upload
set -e

suricata-update --suricata-version 5.0
corelight-client suricata ruleset upload --file=/var/lib/suricata/rules/suricata.rules --filename=suricata.rules
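As an added example (my own code, not the post's script and nothing from suricata-update or corelight-client), here is how I would write update-ruleset-on-corelight.sh for unattended use; it also stands in for the manual download-and-upload steps earlier in the post. Beyond the two commands above it refuses to push a missing, empty or implausibly small ruleset to the sensor, and skips the upload when the downloaded file is identical to the one uploaded last time. The rules path and the two commands are the ones the post uses; the state file location, the MIN_RULES floor and the guard that only runs the pipeline when the file is executed under its own name (so the functions can be sourced and tested without touching a sensor) are my assumptions.

```shell
#!/usr/bin/env bash
# Hardened update-ruleset-on-corelight.sh (added example, not the post's own script).
# Adds what the two-line version lacks: abort on any failure, refuse to push an
# empty or implausibly small ruleset, and skip the upload when nothing changed.
set -eu

RULES_FILE="${RULES_FILE:-/var/lib/suricata/rules/suricata.rules}"        # path from the post
STATE_FILE="${STATE_FILE:-/var/lib/suricata/update/last-uploaded.sha256}" # assumed location
MIN_RULES="${MIN_RULES:-10000}"   # assumed floor; a full ET Open download is well above this

# Number of active rule lines (comments, disabled rules and blank lines are ignored).
count_rules() {
  grep -c -E '^[[:space:]]*(alert|drop|pass|reject)[[:space:]]' "$1" || true
}

# Hex SHA-256 of a file.
ruleset_digest() {
  sha256sum "$1" | cut -d ' ' -f 1
}

# Succeeds when the file's digest differs from the one recorded at the last upload
# (or when no upload has been recorded yet).
ruleset_changed() {
  [ -f "$2" ] || return 0
  [ "$(ruleset_digest "$1")" != "$(cat "$2")" ]
}

# Fails when the file is missing, empty, or holds fewer than the expected number of
# rules: a truncated download must never replace a working ruleset on the sensor.
sanity_check() {
  local n
  [ -s "$1" ] || { echo "rules file missing or empty: $1" >&2; return 1; }
  n=$(count_rules "$1")
  if [ "$n" -lt "$2" ]; then
    echo "only $n rules in $1 (expected at least $2); refusing to upload" >&2
    return 1
  fi
  echo "$n rules in $1"
}

main() {
  suricata-update --suricata-version 5.0
  sanity_check "$RULES_FILE" "$MIN_RULES"
  if ! ruleset_changed "$RULES_FILE" "$STATE_FILE"; then
    echo "ruleset unchanged since last upload; nothing to do"
    return 0
  fi
  corelight-client suricata ruleset upload \
    --file="$RULES_FILE" --filename=suricata.rules
  mkdir -p "$(dirname "$STATE_FILE")"
  ruleset_digest "$RULES_FILE" > "$STATE_FILE"
}

# Only run the pipeline when executed under the script's own name; sourcing the
# file (for example to test the checks) just defines the functions.
if [ "${0##*/}" = "update-ruleset-on-corelight.sh" ]; then
  main
fi
```

Drop it in place of the two-line script; the docker run commands in the following sections do not change. If ET Open is unreachable or the download is truncated, the script exits non-zero before anything reaches the sensor, and the container's exit status reflects that.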

Building the Image

Now we’re ready to build the image with Corelight-Client & Suricata-Update installed:

sudo docker build . -t suricata-corelight

Running the Container

Now that the image has been built, we can run it as a one-off. It runs the bash script we created earlier and updates the Suricata rules on our Corelight appliance. Run it with -it instead of -d to watch the output, which is great for troubleshooting; note that with -d the docker run command returns immediately, so its exit status tells you nothing about whether the update succeeded:

sudo docker run -d --rm \
-v /home/infosec/docker/suricata/config/suricata:/etc/suricata \
-v /home/infosec/docker/suricata/config/suricata/rules:/var/lib/suricata/rules \
suricata-corelight \
/usr/bin/update-ruleset-on-corelight.sh

Scheduling the Container

This is the cool part of this guide: we’re going to set a CRON job to run daily that creates the container, downloads Suricata rules, uploads them to Corelight and then destroys the container. Now that’s efficiency! To achieve this, I pasted all of the below into a Bash script cron.sh:

docker run -d --rm \
-v /home/infosec/docker/suricata/config/suricata:/etc/suricata \
-v /home/infosec/docker/suricata/config/suricata/rules:/var/lib/suricata/rules \
suricata-corelight \
/usr/bin/update-ruleset-on-corelight.sh

Then I scheduled cron to run that cron.sh script each day.
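As an added example (my own code, not the post's cron.sh), here is the wrapper I would hand to cron instead. It differs from the post's version in three ways: the container runs in the foreground so cron sees the real exit status (with -d the script returns 0 before the update has even started), an exclusive lock stops a slow run and the next scheduled run from overlapping, and corelight-client.rc is mounted read-only at run time rather than being baked into the image. The base path and image name are the ones the post uses; the lock path, the crontab schedule, the DOCKER override (there so the wrapper can be exercised without Docker) and the guard that only runs the update when the file is executed as cron.sh are my assumptions.

```shell
#!/usr/bin/env bash
# cron.sh for unattended use (added example, not the post's file).
set -eu

BASE="${BASE:-/home/infosec/docker/suricata}"       # path used in the post
IMAGE="${IMAGE:-suricata-corelight}"                 # image built in the post
LOCK="${LOCK:-/var/lock/suricata-corelight.lock}"    # assumed lock file
DOCKER="${DOCKER:-docker}"                           # override to test the wrapper without Docker

# Run the container in the foreground: the exit status is the update's exit status.
# The credentials file is bind-mounted read-only instead of living in an image layer.
run_update() {
  "$DOCKER" run --rm \
    -v "$BASE/config/suricata:/etc/suricata" \
    -v "$BASE/config/suricata/rules:/var/lib/suricata/rules" \
    -v "$BASE/config/corelight-client.rc:/root/.corelight-client.rc:ro" \
    "$IMAGE" /usr/bin/update-ruleset-on-corelight.sh
}

# Run the update under a non-blocking exclusive lock held on fd 9 for the lifetime
# of the subshell. Exit status 75 (EX_TEMPFAIL) means a previous run still holds it.
locked_update() {
  (
    flock -n 9 || { echo "previous update still running; skipping" >&2; exit 75; }
    run_update
  ) 9> "$LOCK"
}

# Only start an update when executed as cron.sh; sourcing the file just defines the functions.
if [ "${0##*/}" = "cron.sh" ]; then
  locked_update
fi

# Crontab entry (assumed schedule, 04:10 daily, output appended to a log so failures are visible):
#   10 4 * * * /home/infosec/docker/suricata/cron.sh >> /var/log/suricata-corelight.log 2>&1
```

Because the wrapper exits non-zero when the container does, a failed download or upload shows up as a cron error (or in the log file named in the crontab line) instead of silently leaving the sensor on stale rules.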

Conclusion

This was a fun exercise in using Docker to spin up a container when we needed to perform a particular task. If you have any questions or comments, please drop a comment and thanks for reading!

One thought on “Suricata Rule Updates on Corelight”

  1. Andrew, you should check out some of my Ansible Roles to manage your Corelight Sensors. Start with this one: https://github.com/corelight/Corelight-Ansible-Roles

    I’m also working on a bundle that uses Docker and includes Ansible AWX, GitLab, Suricata-update (with Suricata), Zeek Package Manager, Corelight-client, etc. It’s still a work in progress to modify the Corelight-Ansible-Roles to target Docker containers. https://github.com/corelight/ansible-awx-docker-bundle

    I’ll be publishing some Docker-compose and Dockerfiles for the Corelight Software Sensor soon.
