How to run suricata to check whether the rules I wrote for a certain pcap file are correct


Hi,

Presuming you have the pcap for the sample, you can run suricata from a command line with a -r (this is pcap file/offline mode) and specify the pcap name after the -r combined with a -S with the rules file containing your rule. For example, I usually use something like
suricata -c suricata.yaml -vv -k none -S ~/rules/test.rules -r ~/somepcap.pcap

Then it’s just a matter of reviewing the output/logs for any alerts or errors/warnings.

Hopefully that helps.

JT

2 Likes

Hi!
In addition to JT’s answer, you can first do a basic semantic check by running

suricata -T

Note that this will pick up the rules as configured in suricata.yaml.

This will error on any rules that are incorrect in how the rule keywords should be used.
However, if you have written the rule incorrectly in terms of what it is supposed to do, you should perform a test like JT mentioned on the smallest pcap possible where you’d expect the rule to fire.

1 Like
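To make the "review the output for alerts" step from both replies repeatable, here is an added Python helper (not code from the thread or from the Suricata project) that reads the eve.json Suricata writes after a `-r` run and reports which of your signature ids fired and which did not. It assumes the default EVE JSON log, one event per line, with `event_type` and `alert.signature_id` fields; the sample log lines below are constructed, not real Suricata output.

```python
"""Check Suricata's eve.json for the signature ids you expected to fire.

Assumed workflow (paths are examples):
  suricata -T -c suricata.yaml -S test.rules          # syntax check first
  suricata -c suricata.yaml -k none -S test.rules -r sample.pcap -l ./out
  python check_alerts.py                              # inspect ./out/eve.json
"""
import json
from collections import Counter
from typing import Dict, Iterable, List, Tuple


def alert_counts(eve_lines: Iterable[str]) -> Counter:
    """Count alert events per signature id; skip blank, non-JSON and non-alert lines."""
    counts: Counter = Counter()
    for line in eve_lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # eve.json is line-delimited JSON; ignore anything else
        if event.get("event_type") != "alert":
            continue
        sid = event.get("alert", {}).get("signature_id")
        if sid is not None:
            counts[sid] += 1
    return counts


def check_expected(eve_lines: Iterable[str],
                   expected_sids: List[int]) -> Tuple[Dict[int, int], List[int]]:
    """Return (fired {sid: hits}, missing [sids]) for the rules under test."""
    counts = alert_counts(eve_lines)
    fired = {sid: counts[sid] for sid in expected_sids if counts[sid]}
    missing = [sid for sid in expected_sids if not counts[sid]]
    return fired, missing


# Constructed sample eve.json content (not captured from a real run).
SAMPLE_EVE = """\
{"timestamp":"2024-01-01T00:00:00.000000+0000","event_type":"flow","proto":"TCP"}
{"timestamp":"2024-01-01T00:00:01.000000+0000","event_type":"alert","alert":{"signature_id":1000001,"rev":1,"signature":"TEST rule one","action":"allowed"}}
{"timestamp":"2024-01-01T00:00:02.000000+0000","event_type":"alert","alert":{"signature_id":1000001,"rev":1,"signature":"TEST rule one","action":"allowed"}}
not json at all
{"timestamp":"2024-01-01T00:00:03.000000+0000","event_type":"stats","stats":{}}
"""

if __name__ == "__main__":
    fired, missing = check_expected(SAMPLE_EVE.splitlines(), [1000001, 1000002])
    print("fired:", fired)      # {1000001: 2}
    print("missing:", missing)  # [1000002]
```

A missing sid after a clean `suricata -T` run usually means the rule is syntactically valid but does not match the traffic in the pcap, which is exactly the case the second reply describes.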