arafatx
(ArafatX)
1
I’m confused about how custom rules work when used with suricata-update.
So, if I use suricata-update, it is mentioned here that I have to change the default rule path in suricata.yaml as follows:
default-rule-path: /var/lib/suricata/rules
rule-files:
- suricata.rules
So, I created a custom rule file here: /etc/suricata/rules/custom.rules
and to demonstrate, custom.rules just contains this rule:
alert icmp any any -> any any (msg:"ICMP Packet found"; sid:1000001; rev:1;)
Now, if I run suricata-update,
I don’t see that my custom.rules get written into suricata.rules.
So how do you load this custom rule file when using it with the suricata-update tool?
1 Like
ish
(Jason Ish)
2
You have a few options. You could just put your custom.rules in your suricata.yaml like:
default-rule-path: /var/lib/suricata/rules
rule-files:
- suricata.rules
- /etc/suricata/rules/custom.rules
(this is what I do)
Or you can let Suricata-Update know about them so they get incorporated into the suricata.rules. There are 2 ways to do this:
On the command line with every call to Suricata-Update:
suricata-update --local /etc/suricata/rules/custom.rules
Or create a /etc/suricata/update.yaml configuration file that looks like:
local:
- /etc/suricata/rules/custom.rules
So they get included on every call with suricata-update.
4 Likes
jufajardini
(Ju Fajardini)
3
Hi Arafatx,
Did you try using the --local option to tell suricata-update to add your custom.rules file? (suricata-update - Update — suricata-update 1.3.0dev0 documentation)
hehe, Jason’s answer is way more complete.
1 Like