$OpenBSD: README,v 1.3 2018/03/17 13:03:14 jasper Exp $

+-----------------------------------------------------------------------
| Running ${FULLPKGNAME} on OpenBSD
+-----------------------------------------------------------------------

Starting suricata
=================

For normal use, you need to set first your interface and enable the
daemon:

# rcctl enable suricata
# rcctl set suricata flags -i em0

And you need the rules, these rules are expected to be present in the
${SYSCONFDIR}/suricata/rules directory as defined in
${SYSCONFDIR}/suricata/suricata.yaml.

Rule management
===============

It is possible to download and install rules manually, but there is a
much easier and quicker way to do so. There are special programs which
you can use for downloading and installing rules.

After installing the new rulesets described below, restart suricata to
pick up the new rules:

# rcctl restart suricata

Note that the installed rules have to be updated regularly by the program
used to fetch them initially. For example use cron to update the rules
every 24h.

suricata-update
---------------

The recommended new way of updating rules is with suricata-update which
is installed with:

# pkg_add suricata-update

Run `suricata-update` to download and install the new rules into
${VARBASE}/suricata/rules/ . Next update the suricata configuration
in ${SYSCONFIDR}/suricata/suricata.yaml to use these rules instead:

default-rule-path: ${VARBASE}/suricata/rules/
rule-files:
    - suricata.rules

Oinkmaster
----------

The other common method is with Oinkmaster which can be installed with:

# pkg_add oinkmaster

There are several rulesets. There is for example Emerging Threats (ET)
Emerging Threats Pro and VRT. In this example we are using Emerging
Threats.

Oinkmaster has to know where the rules an be found. These rules can be
found at:

https://rules.emergingthreats.net/open/suricata/emerging.rules.tar.gz

And you can download as follow:

# cd /etc && oinkmaster -C ${SYSCONFDIR}/oinkmaster.conf -o ${SYSCONFDIR}/suricata/rules
