Cannot load my own rule

Here is my conf for my rules:
[image]
Here is my rule:

But when I take a DoS attack, it didn’t alert anything like I write. It seems that my rule file is not loaded.

Please help me. Tks

Hi,

Did you get any errors when loading the rule files? That is: did Suricata load detect-dos.rules file properly?

I have two suggestions:

  • put your rules file in the same directory of the default rule path, so you can declare your rules file in the same way as the suricata.rules is listed.
  • add a simpler rule to your rules file, one that will always be triggered, so you know that Suricata is indeed seeing that file

In addition to what @jufajardini said, try starting Suricata with -v; this will cause Suricata to emit extra information, including how it’s handling rule files:

[1757253] 15/10/2022 -- 09:16:30 - (detect-engine-loader.c:361) <Info> (SigLoadSignatures) -- 1 rule files processed. 1 rules successfully loaded, 0 rules failed

Without -v, Suricata will display an error message if it’s not able to locate/load a rules file:

[1757581] 15/10/2022 -- 09:23:52 - (detect-engine-loader.c:239) <Warning> (ProcessSigFiles) -- [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /etc/foobar/somepath.rules
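The check suggested in the replies above can be scripted. This is an added example, not part of the original posts and not Suricata project code. It parses the two startup messages quoted in this thread and reports whether the expected number of rule files was processed. `check_rule_loading` and `expected_files` are hypothetical names, and the patterns assume the log wording shown in the thread.

```python
import re

# Log lines quoted in the replies above, reused here as sample input.
SAMPLE_OK = (
    "[1757253] 15/10/2022 -- 09:16:30 - (detect-engine-loader.c:361) <Info> "
    "(SigLoadSignatures) -- 1 rule files processed. "
    "1 rules successfully loaded, 0 rules failed"
)
SAMPLE_MISSING = (
    "[1757581] 15/10/2022 -- 09:23:52 - (detect-engine-loader.c:239) <Warning> "
    "(ProcessSigFiles) -- [ERRCODE: SC_ERR_NO_RULES(42)] - "
    "No rule files match the pattern /etc/foobar/somepath.rules"
)
# Patterns follow the message wording shown in this thread (assumption:
# other Suricata versions may phrase these lines differently).
SUMMARY_RE = re.compile(
    r"\(SigLoadSignatures\) -- (\d+) rule files processed\. "
    r"(\d+) rules successfully loaded, (\d+) rules failed"
)
NO_RULES_RE = re.compile(
    r"SC_ERR_NO_RULES\(\d+\)\] - No rule files match the pattern (\S+)"
)

def check_rule_loading(log_text, expected_files=None):
    """Summarise rule loading from Suricata startup output (hypothetical helper)."""
    report = {"files": None, "loaded": None, "failed": None,
              "missing": [], "problems": []}
    for line in log_text.splitlines():
        if m := NO_RULES_RE.search(line):
            report["missing"].append(m.group(1))
            report["problems"].append(f"no rule file matches {m.group(1)}")
        elif m := SUMMARY_RE.search(line):
            report["files"], report["loaded"], report["failed"] = map(int, m.groups())
    if report["files"] is None:
        report["problems"].append("no load summary found; start Suricata with -v")
        return report
    if expected_files is not None and report["files"] != expected_files:
        report["problems"].append(
            f"{report['files']} rule files processed, expected {expected_files}")
    if report["loaded"] == 0:
        report["problems"].append("no rules were loaded")
    if report["failed"]:
        report["problems"].append(f"{report['failed']} rules failed to parse")
    return report

if __name__ == "__main__":
    print(check_rule_loading(SAMPLE_MISSING + "\n" + SAMPLE_OK, expected_files=2))
```

Set `expected_files` to the number of entries listed under the rule files in your configuration, so a custom file that was silently skipped shows up as a count mismatch.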