How to run suricata rules on Centos 7

Hi All,
I'm new to Suricata and have just set up CentOS 7.9 and installed Suricata. I've tried to follow the Suricata quick start documentation via: 2. Quickstart guide — Suricata 6.0.2 documentation

When I tried to run the alert rule as per the sample from the documentation, it kept returning to me as "bash: syntax error near unexpected token `('". May I check if there is anything wrong with the following and if I may have missed out some other steps?

alert ip any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:2100498; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Thank you

Hello, Can you please provide more information like the command line you are using to start Suricata?

As part of the quick start, assuming you did a suricata-update, that rule is there for informational purposes. You don’t need to do anything with it. Instead run the commands a few lines below, in particular:

curl http://testmynids.org/uid/index.html

then check your log file, /var/log/suricata/fast.log for the alert.

Thanks for your response.

  1. I've created my own custom rule file called "local.rules" and placed it under the default rule path /var/lib/suricata/rules
  2. I then ran the following command to reload the rules
    suricata -c /etc/suricata/suricata.yaml -i
  3. tcpreplay some pcap files
  4. I have checked from fast.log that the alerts are generated there.

I have a few questions on the above

  1. Whenever we make any changes to the .rules file, do we always need to run the command in [2] to reload the rules? May I check what the purpose of this is? Do we need to keep this running in the background in order for the alerts to be generated when we replay any traffic?
  2. I've read from the Suricata documentation that the alerts should be generated in the eve.log. May I check what the difference is between alerts generated in fast.log vs eve.log? I did try to run the following command based on the Suricata documentation but it didn't return any result

sudo tail /var/log/suricata/eve.json | jq 'select(.event_type=="alert")'

When changes are made to rules you do need to reload them. You can do this by restarting the entire process, or more elegantly with 9.3. Rule Reloads — Suricata 8.0.0-dev documentation

kill -USR2 $(pidof suricata)
or
suricatasc -c reload-rules
or
suricatasc -c ruleset-reload-nonblocking

You need a socket to control with suricatasc (socket control) 20. Interacting via Unix Socket — Suricata 6.0.0 documentation
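The earlier question about fast.log versus eve.json was not answered in the thread. Both files carry the same alerts: fast.log is a one-line-per-alert human-readable summary, while eve.json is newline-delimited JSON with one full event per line (alerts, flows, HTTP transactions and so on, distinguished by "event_type"), which is why the jq command has to filter on .event_type. The script below is an added example, not code from the thread or from the Suricata project: it implements the same filter as jq 'select(.event_type=="alert")' in Python over a few constructed eve.json lines (including a non-JSON line, which jq would choke on and this code skips), and renders each alert in the fast.log layout so the two formats can be compared side by side. The sample records, IP addresses and timestamps are made up; the fast.log layout is reproduced from memory and may differ in minor details from a given Suricata release.

```python
import json
import sys
from datetime import datetime

# Constructed eve.json sample (not real Suricata output). The alert record uses
# the signature id, revision and message of the sample rule from the quick start
# (sid 2100498), and is surrounded by the other event types eve.json interleaves.
SAMPLE_EVE = r'''
{"timestamp":"2021-05-01T10:15:30.123456+0000","event_type":"flow","src_ip":"10.0.0.5","src_port":44321,"dest_ip":"93.184.216.34","dest_port":80,"proto":"TCP"}
{"timestamp":"2021-05-01T10:15:31.654321+0000","event_type":"alert","src_ip":"93.184.216.34","src_port":80,"dest_ip":"10.0.0.5","dest_port":44321,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2100498,"rev":7,"signature":"GPL ATTACK_RESPONSE id check returned root","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2021-05-01T10:15:31.700000+0000","event_type":"http","src_ip":"10.0.0.5","src_port":44321,"dest_ip":"93.184.216.34","dest_port":80,"proto":"TCP","http":{"hostname":"testmynids.org","url":"/uid/index.html","http_method":"GET","status":200}}
this line is not json and must be skipped
'''.strip()


def iter_events(text):
    """Yield one dict per valid JSON line; silently skip blank or broken lines.

    A partially written last line (Suricata may be mid-write when you tail the
    file) is the common reason a line fails to parse.
    """
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def select_alerts(text, sid=None):
    """Equivalent of jq 'select(.event_type=="alert")', optionally narrowed to one sid."""
    alerts = [ev for ev in iter_events(text) if ev.get("event_type") == "alert"]
    if sid is not None:
        alerts = [ev for ev in alerts if ev.get("alert", {}).get("signature_id") == sid]
    return alerts


def to_fast_log(event):
    """Render an eve alert event in the fast.log layout (assumed format):

    MM/DD/YYYY-HH:MM:SS.ffffff  [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: N] {PROTO} src:port -> dst:port
    """
    a = event["alert"]
    ts = datetime.strptime(event["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")
    return (
        f"{ts.strftime('%m/%d/%Y-%H:%M:%S.%f')}  [**] "
        f"[{a['gid']}:{a['signature_id']}:{a['rev']}] {a['signature']} [**] "
        f"[Classification: {a['category']}] [Priority: {a['severity']}] "
        f"{{{event['proto']}}} {event['src_ip']}:{event['src_port']} -> "
        f"{event['dest_ip']}:{event['dest_port']}"
    )


if __name__ == "__main__":
    # With a path argument, read a real eve.json; otherwise use the constructed sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_EVE
    for ev in select_alerts(text):
        print(to_fast_log(ev))
```

Run it as `python3 eve_alerts.py /var/log/suricata/eve.json` to print every alert in the eve file in fast.log form; if that prints nothing while fast.log shows alerts, check the eve-log section of suricata.yaml to confirm the alert type is enabled and that you are reading the file the yaml actually names. Note that `tail` only looks at the last ten lines of eve.json, and since flow, http and dns events far outnumber alerts, the alert you are looking for is usually not among them; use `tail -n 1000` or read the whole file.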