Can't trigger custom rules

i add a new rules at etc/suriacta/rules, call local.rules

alert http any any -> any any (msg:"Do not read gossip during work";
content:"Scarlett"; nocase; classtype:policy-violation; sid:1; rev:1;)

but it seems the alert havent been fired.

i check suricata.log, the output are like this:

- Running in live mode, activating unix socket
- 1 rule files processed. 1 rules successfully loaded, 0 rules failed
- Threshold config parsed: 0 rule(s) found
- 1 signatures processed. 0 are IP-only rules, 1 are inspecting packet payload, 0 inspect application layer, 0 are decoder event only

  • - Going to use 4 thread(s)
    - Running in live mode, activating unix socket
  • - Using unix socket file ‘/var/run/suricata/suricata-command.socket’
  • - all 4 packet processing threads, 4 management threads initialized, engine started.
    - All AFP capture threads are running.

and my suricata.yaml have already set to only to use local.rules which contains only that one rule above.

EDIT: i delete " content: “scarlett” , nocase , classtype:policy-violation " and it fire the alert when i open a browser.

Try using tcpdump or wireshark to see if the pattern you are looking for actually shows up in the internet traffic. You might for instance be visiting sites using TLS. Another option is to increase the inspection limits under the libhtp part of the suricata.yaml config.

Use postman/curl or any to generate your triggered http traffic (should capture it in pcap) for easy to debug & try verbose mode to get more details for your loading, it’s really useful for debugging

I have the same problem, can’t see alert for my local.rules, how did you fix it please ?