Custom rule not triggering (newbie warning!) [SOLVED]

Hello,
Newbie here. I’ve finally got a custom rules file set up and working, but having trouble with what I thought would be a simple rule:

alert dns $HOME_NET any -> any any (msg:"SG POLICY mega.io lookup"; dns.query; content:"mega.io"; nocase; endswith; reference:url,mega.io; classtype:policy-violation; sid:1000000; rev:1; metadata:created_at 2022_10_18, updated_at 2022_10_18;)

I basically copied one of ET’s rules for a dns query to Dropbox, and just modified it and put it in my custom rules file.
I just want to know if someone on the network goes to mega.io, and figured that a DNS lookup would be a good way to alert me of that.
Just to be clear, when I point a browser to mega.io, the rule does not fire.
Now, I know that my custom rules file is working fine because I tried the following rule:

alert icmp any any -> any any (msg:"ICMP Packet Found";)

And it fired properly every time I tried to ping something.

So I’m guessing there’s something that I’m missing (I’ve never written my own rules before - I’m very new to Suricata). Please ask any seemingly obvious questions, because it’s very well possible that I’m missing something or have made incorrect assumptions or something.
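An added example (my code, not from the original post or the Suricata project) that emulates the detection part of the posted rule, `dns.query; content:"mega.io"; nocase; endswith;`, over constructed DNS query names. It also shows the narrower form `dns.query; dotprefix; content:".mega.io"; endswith;`, which uses Suricata's dotprefix transform so that the rule matches mega.io and its subdomains but not an unrelated domain that merely ends in the same characters. The emulation is an assumption about buffer semantics (dns.query carries the queried name without the trailing root dot), and the sample names are constructed, not captured traffic.

```python
# Added example, not from the original post or the Suricata project.
# Emulates `content:<pattern>; nocase; endswith;` (optionally with the
# dotprefix transform) on the dns.query buffer over constructed names.
from dataclasses import dataclass


@dataclass(frozen=True)
class EndswithRule:
    """Models `dns.query; [dotprefix;] content:<pattern>; nocase; endswith;`."""
    pattern: str
    nocase: bool = True
    dotprefix: bool = False

    def matches(self, qname: str) -> bool:
        # Assumption: dns.query exposes the name without the trailing root dot.
        buf = qname.rstrip(".")
        if self.dotprefix:
            # dotprefix transform: prepend "." so a leading label boundary exists.
            buf = "." + buf
        pat = self.pattern
        if self.nocase:
            buf, pat = buf.lower(), pat.lower()
        return buf.endswith(pat)


# The rule as posted in the thread (detection part only).
POSTED_RULE = EndswithRule(pattern="mega.io")
# Narrower variant: requires a label boundary before "mega.io".
TIGHTER_RULE = EndswithRule(pattern=".mega.io", dotprefix=True)

# Constructed sample query names (not captured traffic).
SAMPLE_QUERIES = [
    "mega.io",
    "www.mega.io",
    "MEGA.IO",
    "g.api.mega.io",
    "omega.io",              # unrelated domain, same suffix characters
    "notmega.io",            # same problem
    "mega.io.evil.example",  # does not end with the pattern
    "mega.nz",
]


def evaluate(rule: EndswithRule, queries):
    """Return the query names the rule would alert on, in input order."""
    return [q for q in queries if rule.matches(q)]


if __name__ == "__main__":
    for name, rule in (("posted", POSTED_RULE), ("dotprefix", TIGHTER_RULE)):
        print(f"{name:9s} -> {evaluate(rule, SAMPLE_QUERIES)}")
```

The posted rule fires on `omega.io` and `notmega.io` as well as the intended names, because `endswith` only compares trailing bytes. The dotprefix form keeps the intended matches (including the bare `mega.io`) and drops those false positives; it assumes the running Suricata version supports the dotprefix transform.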

OK, so this is solved.

I just tried going to mega.io again, and this time the rule was triggered.

I’m guessing that maybe I didn’t let enough time go by between when I created the rule, restarted Suricata and tried going to mega.io. I was using:
sudo systemctl restart suricata.service
And was waiting until I got the command prompt again (about a minute), but maybe that just wasn’t enough time still?
Strange. I wonder if there’s other stuff that has to happen before it’s ready…


Hi,

it can take some time until all rules are loaded in, so it’s better to follow the suricata.log to know when the rules are actually enabled. This depends on your configuration, regarding the delayed-detect value as well.

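An added example (my code, not from the thread or the Suricata project) of the check the reply recommends: read suricata.log and decide whether the engine has actually finished loading rules before you generate test traffic. The line patterns it looks for (the "rules successfully loaded" count, "engine started", and the "Detect thread(s) activated" notice that appears when delayed-detect is enabled) are assumptions about Suricata's startup notices; the sample log is constructed, not a real capture.

```python
# Added example, not from the thread or the Suricata project.
# Parses suricata.log startup lines to tell whether rule loading is complete.
import re
from typing import Iterable

# Assumed notice formats; adjust the patterns if your version logs differently.
RULES_RE = re.compile(r"(\d+) rules successfully loaded, (\d+) rules failed")
ENGINE_RE = re.compile(r"engine started")
DETECT_RE = re.compile(r"Detect thread\(s\) activated")
ERROR_RE = re.compile(r"<Error>")


def startup_state(lines: Iterable[str]) -> dict:
    """Scan log lines and summarise what the engine has reported so far."""
    state = {
        "loaded": None,            # rules successfully loaded (None = not yet)
        "failed": None,            # rules that failed to parse
        "engine_started": False,   # packet threads up (may precede rule load)
        "detect_activated": False, # delayed-detect: rules swapped in
        "errors": [],              # <Error> lines worth reading before testing
    }
    for line in lines:
        m = RULES_RE.search(line)
        if m:
            state["loaded"], state["failed"] = int(m.group(1)), int(m.group(2))
        if ENGINE_RE.search(line):
            state["engine_started"] = True
        if DETECT_RE.search(line):
            state["detect_activated"] = True
        if ERROR_RE.search(line):
            state["errors"].append(line.strip())
    return state


def ready_to_test(state: dict, delayed_detect: bool = False) -> bool:
    """True once rules are loaded and the detection engine is live."""
    if state["loaded"] is None or not state["engine_started"]:
        return False
    if delayed_detect and not state["detect_activated"]:
        # With delayed-detect, "engine started" fires before rules are active.
        return False
    return True


# Constructed sample log (timestamps and counts are made up).
SAMPLE_LOG = """\
18/10/2022 -- 10:01:02 - <Notice> - This is Suricata version 6.0.8 RELEASE running in SYSTEM mode
18/10/2022 -- 10:01:02 - <Info> - Loading rule file: /etc/suricata/rules/local.rules
18/10/2022 -- 10:01:55 - <Notice> - all 4 packet processing threads, 4 management threads initialized, engine started.
18/10/2022 -- 10:02:40 - <Notice> - 1 rule files processed. 38121 rules successfully loaded, 0 rules failed
18/10/2022 -- 10:02:41 - <Notice> - Signature(s) loaded, Detect thread(s) activated.
"""


def check_log_text(text: str, delayed_detect: bool = False) -> bool:
    return ready_to_test(startup_state(text.splitlines()), delayed_detect)


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    lines = open(path).read().splitlines() if path else SAMPLE_LOG.splitlines()
    s = startup_state(lines)
    print(s, "ready:", ready_to_test(s, delayed_detect=True))
```

In the constructed log the "engine started" notice arrives almost a minute before the rules finish loading, which is exactly the window in which a test lookup produces no alert. Before restarting at all, `suricata -T -c /etc/suricata/suricata.yaml -S /path/to/custom.rules` parses the rule file in test mode and reports syntax problems without touching the running service.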

Hi Andreas,

Thanks for the reply!