Create suricata custom rule with suricata-update

I’m confused about how custom rules work when used with suricata-update.

So, if I use suricata-update, it is mentioned here that I have to change the default rule path in suricata.yaml as follows:

default-rule-path: /var/lib/suricata/rules
rule-files:
 - suricata.rules

So, I created a custom rule file here: /etc/suricata/rules/custom.rules

and to demonstrate custom.rules just contains this rule:

alert icmp any any -> any any (msg:"ICMP Packet found"; sid:1000001; rev:1;)

Now, if I run suricata-update

I don’t see my custom.rules getting written into suricata.rules.

So how do you load this custom rule file when using the suricata-update tool?

You have a few options. You could just put your custom.rules in your suricata.yaml like:

default-rule-path: /var/lib/suricata/rules
rule-files:
  - suricata.rules
  - /etc/suricata/rules/custom.rules

(this is what I do)

Or you can let Suricata-Update know about them so they get incorporated into the suricata.rules. There are 2 ways to do this:

On the command line with every call to Suricata-Update:

suricata-update --local /etc/suricata/rules/custom.rules

Or create a /etc/suricata/update.yaml configuration file that looks like:

local:
  - /etc/suricata/rules/custom.rules

So they get included on every call to suricata-update.

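A quick way to confirm that the --local or update.yaml approach above actually worked is to compare the sids in custom.rules against the merged suricata.rules. The checker below is an added example, not code from the thread or from the Suricata project. It assumes the usual suricata-update behaviour that rules switched off via disable.conf are written to suricata.rules as "# "-commented lines, so it reports those as disabled rather than missing; it also flags rules with no sid, which Suricata will not load. Both rule files are constructed inline so the script runs offline; point parse_rules at the real files to check a live install.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of /etc/suricata/rules/custom.rules (not from the thread).
# The last rule deliberately lacks a sid to show how that is reported.
CUSTOM_RULES = """\
# local rules
alert icmp any any -> any any (msg:"ICMP Packet found"; sid:1000001; rev:1;)
alert tcp any any -> any 23 (msg:"Telnet attempt"; flags:S; sid:1000002; rev:1;)
alert udp any any -> any 69 (msg:"TFTP request"; sid:1000003; rev:1;)
alert icmp any any -> any any (msg:"rule that forgot its sid";)
"""

# Constructed sample of /var/lib/suricata/rules/suricata.rules after
# `suricata-update --local /etc/suricata/rules/custom.rules`:
# sid 1000001 merged, 1000002 merged but disabled, 1000003 never merged.
MERGED_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"example upstream rule"; sid:2100498; rev:7;)
alert icmp any any -> any any (msg:"ICMP Packet found"; sid:1000001; rev:1;)
# alert tcp any any -> any 23 (msg:"Telnet attempt"; flags:S; sid:1000002; rev:1;)
"""

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
ACTION_RE = re.compile(r"^(alert|drop|pass|reject|rejectsrc|rejectdst|rejectboth)\s+")


def parse_rules(text: str) -> Tuple[Dict[int, bool], List[str]]:
    """Return ({sid: enabled}, [rules without a sid]).

    A line starting with '#' that still looks like a rule is treated as a
    disabled rule (assumption: that is how suricata-update writes rules
    turned off via disable.conf); other '#' lines are plain comments.
    """
    rules: Dict[int, bool] = {}
    no_sid: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        enabled = True
        if line.startswith("#"):
            line = line.lstrip("#").strip()
            enabled = False
        if not ACTION_RE.match(line):
            continue  # comment text, not a rule
        m = SID_RE.search(line)
        if not m:
            no_sid.append(line)  # Suricata requires a sid; it will reject this
            continue
        rules[int(m.group(1))] = enabled
    return rules, no_sid


def check_local_rules(local_text: str, merged_text: str) -> Dict[str, list]:
    """Classify every sid from the local file by its state in the merged file."""
    local, no_sid = parse_rules(local_text)
    merged, _ = parse_rules(merged_text)
    report: Dict[str, list] = {"merged": [], "disabled": [], "missing": [], "no_sid": no_sid}
    for sid in sorted(local):
        if sid not in merged:
            report["missing"].append(sid)
        elif merged[sid]:
            report["merged"].append(sid)
        else:
            report["disabled"].append(sid)
    return report


if __name__ == "__main__":
    # Replace the constructed strings with open(path).read() on a real host.
    for state, items in check_local_rules(CUSTOM_RULES, MERGED_RULES).items():
        print(f"{state:>9}: {items}")
```

A "missing" sid means suricata-update was never told about the file (or was run without the --local flag / update.yaml entry); a "disabled" sid means it was merged but a disable.conf pattern matched it; anything under "no_sid" needs a sid added before it is worth debugging further.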

Hi Arafatx,
Did you try using the --local option to tell suricata-update to add your custom.rules file? (suricata-update - Update — suricata-update 1.3.0dev0 documentation)

hehe, Jason’s answer is way more complete.


Thanks @ish @jufajardini
