rockfish update
Download and install Suricata rule updates. Functionally equivalent to suricata-update.
Overview
The update command manages Suricata rule sources — downloading rule archives
(ET Open by default), applying local filter files (enable, disable, drop, modify),
and writing a merged suricata.rules file. Optionally reloads Suricata after a
successful update.
Usage
# Download rules, apply filters, write suricata.rules
rockfish update
# Force re-download and reload Suricata
rockfish update --force --reload
# Use ET Pro rules (requires oinkcode)
rockfish update --etpro YOUR_OINKCODE
# Include additional local rules
rockfish update --local /etc/suricata/rules/local.rules,/etc/suricata/rules/custom/
Options
| Option | Default | Description |
|---|---|---|
| --suricata-version | auto-detect | Suricata version (e.g. 7.0) |
| --data-dir | /var/lib/suricata | Cache directory for downloaded archives and source state |
| --config-dir | /etc/suricata | Directory containing filter files |
| --output | /var/lib/suricata/rules/suricata.rules | Output path for merged rules |
| --etpro | - | Proofpoint ET Pro oinkcode |
| --url | - | Custom URL for the primary rule source |
| --local | - | Additional local .rules files or directories (comma-separated) |
| --reload | false | Reload Suricata after update (via suricatasc) |
| --no-reload | false | Explicitly disable reload |
| --force | false | Force re-download even if cache is fresh |
Source Management
List available sources
rockfish update list-sources
Fetches the OISF source index and displays all available rule sources with their enabled/disabled status.
Enable a source
rockfish update enable-source et/pro
rockfish update enable-source oisf/trafficid
Disable a source
rockfish update disable-source et/pro
Remove a source
Disables the source and deletes its cached archive:
rockfish update remove-source et/pro
Refresh the source index
rockfish update update-sources
Filter Files
Filter files control which rules are enabled, disabled, converted to drop, or modified.
Place them in the config directory (/etc/suricata/ by default). They are applied in the
order enable.conf, disable.conf, drop.conf, modify.conf, so a rule matched by both
enable.conf and disable.conf ends up disabled.
enable.conf
Force-enable rules matching the specified patterns:
# By SID
2100001
# By SID range
2100001-2100010
# By regex on rule text
re:ET SCAN
# By group (source filename)
group:emerging-scan.rules
disable.conf
Disable rules matching the specified patterns (same format as enable.conf):
# Disable noisy rules
re:ET INFO
2100498
group:emerging-deleted.rules
drop.conf
Change the action to drop for matching rules (same format). Dropping only takes effect when Suricata runs inline (IPS mode); in passive IDS mode nothing is blocked and the rule behaves like an alert rule:
# Drop all exploit rules
re:ET EXPLOIT
modify.conf
Regex find-and-replace on matching rules. The pattern is a regular expression applied to the rule text, so an unanchored "alert" also rewrites that word wherever else it appears in the rule (for example inside msg); anchor it as ^alert when only the action should change:
# Change action from alert to drop for specific SID
2100001 "alert" "drop"
# Change action for all SCAN rules
re:ET SCAN "alert" "drop"
YAML Configuration
Settings can also be specified in rockfish.yaml:
update:
suricata_version: "7.0"
data_dir: /var/lib/suricata
config_dir: /etc/suricata
output: /var/lib/suricata/rules/suricata.rules
reload: true
etpro_code: "YOUR_OINKCODE"
CLI arguments override YAML settings. Prefer keeping etpro_code in rockfish.yaml, with the file readable only by the account that runs rockfish, rather than passing --etpro on the command line, where the oinkcode is visible in process listings and shell history.
Pipeline
The update command follows this pipeline:
- Resolve the Suricata version (auto-detected via suricata -V, or taken from --suricata-version)
- Download the rule archive for each enabled source (ET Open by default)
- Extract the .rules files from the tar.gz archives
- Load additional local rule files (if --local is specified)
- Parse all rules, extracting SIDs and group metadata
- Apply filters in order: enable.conf → disable.conf → drop.conf → modify.conf
- Write the merged, deduplicated suricata.rules sorted by SID
- Reload Suricata (if --reload is set) via suricatasc -c reload-rules
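The filter-file semantics (enable, disable, drop, modify and their matcher syntax) and the parse → filter → deduplicate/sort steps of the pipeline, as one added Python example. This is not rockfish's own code: the rule lines and filter contents are constructed sample input, the first-copy-wins deduplication and the case-insensitive re: matching are assumptions, and the merged ruleset is returned as a string instead of being written to suricata.rules.

```python
# Added example, not rockfish's own code: the enable/disable/drop/modify filter
# semantics and the parse -> filter -> dedup/sort steps of the pipeline above.
# Rule lines and filter contents are constructed sample input.
import re
from dataclasses import dataclass
from fnmatch import fnmatch

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
ACTION_RE = re.compile(r"^(alert|drop|pass|reject|rejectsrc|rejectdst|rejectboth)\s")
MODIFY_RE = re.compile(r'^(.+?)\s+"(.*?)"\s+"(.*?)"\s*$')  # <matcher> "<regex>" "<repl>"

@dataclass
class Rule:
    text: str      # rule without the "# " that marks a disabled rule
    sid: int
    group: str     # file it came from, e.g. emerging-scan.rules
    enabled: bool
    @property
    def action(self):
        return self.text.split(None, 1)[0]
    def render(self):
        return self.text if self.enabled else "# " + self.text

def parse_rules(files):
    """files: {filename: content}, downloaded sources first, --local files last.
    A commented-out line that still parses as a rule is kept as a disabled rule."""
    rules = []
    for fname, content in files.items():
        for line in content.splitlines():
            line, enabled = line.strip(), True
            if line.startswith("#"):
                line, enabled = line.lstrip("# ").strip(), False
            m = SID_RE.search(line)
            if m and ACTION_RE.match(line):  # skips blanks, plain comments, non-rules
                rules.append(Rule(line, int(m.group(1)), fname, enabled))
    return rules

def parse_filter(conf):
    """Non-blank, non-comment lines of one filter file."""
    return [l.strip() for l in conf.splitlines() if l.strip() and not l.lstrip().startswith("#")]

def make_matcher(spec):
    """Predicate for one entry: sid, sid range, re:<regex> or group:<file>.
    Assumed here: re: is case-insensitive and group: accepts shell-style wildcards."""
    if spec.startswith("re:"):
        return lambda r, p=re.compile(spec[3:], re.I): p.search(r.text) is not None
    if spec.startswith("group:"):
        return lambda r, g=spec[6:]: fnmatch(r.group, g)
    if re.fullmatch(r"\d+-\d+", spec):
        return lambda r, b=[int(x) for x in spec.split("-")]: b[0] <= r.sid <= b[1]
    if spec.isdigit():
        return lambda r, s=int(spec): r.sid == s
    raise ValueError(f"unrecognised filter entry: {spec!r}")

def apply_filters(rules, filters):
    """filters: {"enable"|"disable"|"drop"|"modify": file contents}, applied in the
    documented order, so a rule hit by both enable.conf and disable.conf ends disabled."""
    def hits(spec):
        return [r for r in rules if make_matcher(spec)(r)]
    for spec in parse_filter(filters.get("enable", "")):
        for r in hits(spec): r.enabled = True
    for spec in parse_filter(filters.get("disable", "")):
        for r in hits(spec): r.enabled = False
    for spec in parse_filter(filters.get("drop", "")):
        for r in hits(spec): r.text = "drop" + r.text[len(r.action):]
    for line in parse_filter(filters.get("modify", "")):
        mm = MODIFY_RE.match(line)
        if not mm:
            raise ValueError(f"bad modify.conf line: {line!r}")
        spec, pattern, repl = mm.groups()
        for r in hits(spec):  # plain re.sub over the rule text; anchor patterns aimed at the action
            r.text = re.sub(pattern, repl, r.text)
    return rules

def merge(rules):
    """Dedup by sid (assumed: first copy seen wins, so downloaded beats --local) and sort."""
    first = {}
    for r in rules:
        first.setdefault(r.sid, r)
    return sorted(first.values(), key=lambda r: r.sid)

def build_ruleset(files, filters):
    return merge(apply_filters(parse_rules(files), filters))

def render_ruleset(rules):
    return "".join(r.render() + "\n" for r in rules)

SAMPLE_FILES = {  # constructed, not real ET content
    "emerging-scan.rules": "\n".join([
        'alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"ET SCAN SSH sweep"; flags:S; classtype:attempted-recon; sid:2100001; rev:4;)',
        '# alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET SCAN RDP sweep"; flags:S; classtype:attempted-recon; sid:2100002; rev:2;)',
        '# alert tcp $EXTERNAL_NET any -> $HOME_NET 5900 (msg:"ET SCAN VNC sweep"; flags:S; classtype:attempted-recon; sid:2100005; rev:1;)',
    ]),
    "emerging-info.rules": 'alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO curl user-agent"; http.user_agent; content:"curl/"; sid:2100003; rev:3;)',
    "emerging-exploit.rules": 'alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT traversal in URI"; http.uri; content:"../"; sid:2100004; rev:1;)',
    "local.rules": 'alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"ET SCAN SSH sweep (stale copy)"; sid:2100001; rev:1;)',
}
SAMPLE_FILTERS = {
    "enable": "# every rule from the scan file\ngroup:emerging-scan.rules\n",
    "disable": "re:ET INFO\n2100002\n",      # 2100002 was just enabled; it ends disabled
    "drop": "re:ET EXPLOIT\n",
    "modify": '2100005 "^alert" "drop"\n',   # anchored so only the action is rewritten
}
if __name__ == "__main__":
    print(render_ruleset(build_ruleset(SAMPLE_FILES, SAMPLE_FILTERS)), end="")
```

Running it prints five rules sorted by SID: 2100001 once (the rev:4 copy from the downloaded file, the stale local copy dropped), 2100002 and 2100003 commented out, and 2100004 and 2100005 with a drop action. The ordering is the point to notice: 2100002 is switched on by group:emerging-scan.rules and then switched off again by disable.conf, and the modify.conf entry only hits the action because its pattern is anchored.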
Reload Behavior
When --reload is specified, Rockfish attempts to reload Suricata rules:
- First tries suricatasc -c reload-rules. This needs Suricata's unix command socket (unix-command in suricata.yaml) to be enabled and writable by the user running rockfish.
- Falls back to sending SIGUSR2 to the Suricata process (found via the pidfile or pidof); Suricata treats SIGUSR2 as a live rule-reload request.
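The two-step reload above as an added POSIX sh example. This is not rockfish's own code: the function name reload_rules and the default pidfile path /var/run/suricata.pid are chosen here. The detail worth copying is the numeric check on the pidfile contents: a pidfile that has been tampered with to read -1 would otherwise turn kill into a broadcast to every process the caller may signal.

```shell
#!/bin/sh
# Added example (not rockfish's own code) of the reload strategy: unix socket
# first, SIGUSR2 to the process second. Assumed: function name reload_rules and
# the default pidfile path /var/run/suricata.pid.

reload_rules() {
    pidfile="${1:-/var/run/suricata.pid}"

    # 1. Preferred path: the unix command socket. suricatasc exits non-zero
    #    when the socket is disabled or not writable by this user.
    if command -v suricatasc >/dev/null 2>&1 \
        && suricatasc -c reload-rules >/dev/null 2>&1; then
        echo "rules reloaded via suricatasc"
        return 0
    fi

    # 2. Fallback: SIGUSR2 to the running process, located via the pidfile
    #    and then via pidof.
    pid=""
    if [ -r "$pidfile" ]; then
        pid=$(tr -d '[:space:]' < "$pidfile")
    fi
    # Accept only a positive integer. A pidfile reading "-1" or "0" would
    # otherwise make kill signal every process this user is allowed to signal.
    case "$pid" in
        ''|*[!0-9]*|0) pid="" ;;
    esac
    if [ -z "$pid" ] && command -v pidof >/dev/null 2>&1; then
        pid=$(pidof suricata 2>/dev/null | cut -d' ' -f1)
    fi
    if [ -z "$pid" ] || ! kill -0 "$pid" 2>/dev/null; then
        echo "no running suricata process found" >&2
        return 1
    fi

    kill -s USR2 "$pid" || return 1
    echo "sent SIGUSR2 to suricata (pid $pid)"
}
```

Call it as reload_rules, or reload_rules /path/to/suricata.pid when Suricata writes its pidfile elsewhere; it returns non-zero when neither path worked, which is what a cron wrapper should check.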
Default Rule Source
Without any additional sources enabled, Rockfish downloads the Emerging Threats Open ruleset:
https://rules.emergingthreats.net/open/suricata-{version}/emerging.rules.tar.gz
When an ET Pro oinkcode is provided (--etpro), ET Pro replaces ET Open. The oinkcode forms part of the download URL, so any proxy logs or debug output that record URLs will contain the secret:
https://rules.emergingthreatspro.com/{code}/suricata-{version}/etpro.rules.tar.gz
Examples
# Basic update with ET Open rules
rockfish update
# ET Pro with reload
rockfish update --etpro abc123 --reload
# Custom paths
rockfish update \
--data-dir /opt/suricata/data \
--config-dir /opt/suricata/etc \
--output /opt/suricata/rules/suricata.rules
# Include local rules alongside downloaded rules
rockfish update --local /etc/suricata/rules/local.rules
# Force fresh download
rockfish update --force
# Automated cron job
rockfish update --reload --quiet
Cron Example
Run rule updates every 6 hours and reload Suricata:
0 */6 * * * /opt/rockfish/bin/rockfish update --reload --quiet 2>&1 | logger -t rockfish-update