Instruction to write rules on Suricata

Hello everyone !
im new with Suricata , and i want to learn how to write rules , i read all the document instruction on Suricata but i dont know when to use those options. What should i do now ? i’m quite panic cuz it has lots of options, but i know there are some common rule options can use.
Thanks for reading my post.


Here are instructions for writing suricata rules.

1 Like

If you have read the documentation posted by @suricatalfon and still do not know when to use individual options, start with simpler ones / always matching ones and build more complex rules later. You can inspect the traffic in Wireshark and then according to the traffic you can write some rules.
Alternatively, tutorials for Snort rules can also help you understand the concept as they often follow at least similar syntax.

1 Like

yeah , i have seen snort by talos channel . I wanna ask , how can i take/get Attack Scenario to write rules and check my rules work ? any document or link tutorial ?

yay , im still reading it cuz it’s offical document from suricata. but i wanna ask 1 thing that is there anything such as document , tutorial about have an Attack scenario to write rules and check it works ?

Probably the easiest way how to get attack scenario is to download a PCAP file with malware infected. This file can then be analyzed by Suricata in offline mode using -r path-to-pcap option.
Analyze the threat in Wireshark, write a rule accordingly, run the Suricata and then check for instance fast.log whether you have successfully identified the threat. Do not forget to enable fast.log output in the suricata.yaml settings.

Hello Everyone

I am new in Suricata. While running suricata i am getting following error.
Screenshot attach. Please help to rectify the problem

Hi Chandan,
hope you have resolved your issues with Suricata.
Continuing in an unrelated thread is not a good practice, it would be best if you open a new one.
But from the output, it seems like you don’t have files specified in suricata.yaml in the correct location. Please verify each path from the log.