How to run suricata to check whether the rules I wrote for a certain pcap file are correct

weiy · June 1, 2023, 11:33am

How to run suricata to check whether the rules I wrote for a certain pcap file are correct？

jmtaylor90 · June 5, 2023, 12:19pm

Hi,

Presuming you have the pcap for the sample, you can run suricata from a command line with a -r (this is pcap file/offline mode) and specify the pcap name after the -r combined with a -S with the rules file containing your rule. For example, I usually use something like
suricata -c suricata.yaml -vv -k none -S ~/rules/test.rules -r ~/somepcap.pcap

Then it’s just a matter of reviewing the output/logs for any alerts or errors/warnings.

Hopefully that helps.

JT

sbhardwaj · June 8, 2023, 8:56am

Hi!
In addition to JT’s answer, you can first do a basic semantic check by running

suricata -T

Note that this will pick up the rules as configured in suricata.yaml.

This will error on any rules that are incorrect in how the rule keywords should be used.
However, if you have written the rule incorrectly in terms of what it is supposed to do, you should perform a test like JT mentioned on smallest pcap possible where you’d expect the rule to fire.

Topic		Replies	Views
Instruction to write rules on Suricata Help	7	1496	February 12, 2021
How to run suricata rules on Centos 7 Help centos	3	1141	June 17, 2021
Running suricata-update Help	6	1117	December 29, 2021
Rule profiling functionality Help	1	1246	September 19, 2020
Pcap file does not exist Help	2	235	September 6, 2023

How to run suricata to check whether the rules I wrote for a certain pcap file are correct

Related Topics