Cannot load my own rule

Here is my conf for my rules:
Here is my rule:

But when i take a dos attack, it didn’t alert anything like I write. It seems that my rule file is not loaded.

Please help me. Tks


Did you get any errors when loading the rule files? That is: did Suricata load detect-dos.rules file properly?

I have two suggestions:

  • put your rules file in the same directory of the default rule path, so you can declare your rules file in the same way as the suricata.rules is listed.
  • add a simpler rule to your rules file, one that will always be triggered, so you know that Suricata is indeed seeing that file

In addition to what @jufajardini said, try starting Suricata with -v; this will cause suricata to emit extra information, including how it’s handling rule files:

[1757253] 15/10/2022 -- 09:16:30 - (detect-engine-loader.c:361) <Info> (SigLoadSignatures) -- 1 rule files processed. 1 rules successfully loaded, 0 rules failed

Without -v, Suricata will display an error message if it’s not able to locate/load a rules file:

[1757581] 15/10/2022 -- 09:23:52 - (detect-engine-loader.c:239) <Warning> (ProcessSigFiles) -- [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /etc/foobar/somepath.rules
1 Like