oinkcode (PRO code)

[y0d4a]

Hi, how i can add oinkcode (PRO code) in suricata?

tnx

[mmguero]

Hmm, this isn't something I've tried specifically before (so far I've only dealt with the ET Open ruleset and custom rules) but we ought to be able to figure it out, and I'll probably create a feature request but to make it more convenient for you to do in the future.

From what I can tell from the documentation enabling a custom/pro source can be done by either adding the source directly to the suricata update.yaml or by running suricata-update enable-source and providing the oink code (either as a secretcode or oinkcode parameter, I'm not sure which, google's not being super clear about it).

Are we talking about doing this in Malcolm or on Hedgehog Linux, as I think it'll be slightly different depending on which you're doing.

In Malcolm itself, I think probably what you'll need to do is get the update.yaml file (you could grab an example from here) and save it locally in your host running Malcolm (under ./suricata or something like that) and then bind mount it into the suricata and suricata-live containers volumes: sections. I think it would look something like this, assuming you put it in your Malcolm directory as ./suricata/update.yaml.

    - type: bind
      bind:
        create_host_path: false
      source: ./suricata/update.yaml
      target: /etc/suricata/update.yaml
      read_only: true

Then you'd do whatever you need to do to specify your custom/pro source there in that file.

In Malcolm's ./config/suricata.env, make sure you have SURICATA_UPDATE_RULES=true. Then, every six hours Malcolm will attempt to do the rule update. I don't have a way for you to change that frequency at the moment, but you could run it manually once Malcolm is up and running by doing this on the host from the Malcolm installation directory:

• docker compose exec -u $(id -u) suricata bash /usr/local/bin/suricata-update-rules.sh

I'll log an enhancement request for us to look at this and make the whole process smoother, as it's not really pretty at the moment (as you can see). I'll link that here.

[mmguero]

see #723

[y0d4a]

Nice, this works flawless, to check is everything fine i do:

docker exec -it ids-suricata-live-1 suricata-update

and got confirmation

28/7/2025 -- 21:12:51 - -- Fetching https://rules.emergingthreatspro.com/CODE/suricata-7.0.3/etpro-all.rules.tar.gz.
100% - 8669312/8669312

thank you for your time and support!
🍻

[mmguero]

No problem. I appreciate you bringing up the question, this is obviously we could make more user friendly. Cheers!