Instruction to write rules on Suricata

An_Trinh_Quoc · January 25, 2021, 1:47pm

Hello everyone !
im new with Suricata , and i want to learn how to write rules , i read all the document instruction on Suricata but i dont know when to use those options. What should i do now ? i’m quite panic cuz it has lots of options, but i know there are some common rule options can use.
Thanks for reading my post.

suricatalfon · January 27, 2021, 9:54am

Hello,

Here are instructions for writing suricata rules.

https://suricata.readthedocs.io/en/suricata-6.0.0/rules/index.html

lukashino · January 28, 2021, 3:59pm

If you have read the documentation posted by @suricatalfon and still do not know when to use individual options, start with simpler ones / always matching ones and build more complex rules later. You can inspect the traffic in Wireshark and then according to the traffic you can write some rules.
Alternatively, tutorials for Snort rules can also help you understand the concept as they often follow at least similar syntax.

An_Trinh_Quoc · February 1, 2021, 2:43am

yeah , i have seen snort by talos channel . I wanna ask , how can i take/get Attack Scenario to write rules and check my rules work ? any document or link tutorial ?

An_Trinh_Quoc · February 1, 2021, 2:45am

yay , im still reading it cuz it’s offical document from suricata. but i wanna ask 1 thing that is there anything such as document , tutorial about have an Attack scenario to write rules and check it works ?

lukashino · February 3, 2021, 1:45pm

Probably the easiest way how to get attack scenario is to download a PCAP file with malware infected. This file can then be analyzed by Suricata in offline mode using -r path-to-pcap option.
Analyze the threat in Wireshark, write a rule accordingly, run the Suricata and then check for instance fast.log whether you have successfully identified the threat. Do not forget to enable fast.log output in the suricata.yaml settings.

chandandreams · February 10, 2021, 7:21am

Hello Everyone

I am new in Suricata. While running suricata i am getting following error.
Screenshot attach. Please help to rectify the problem

lukashino · February 12, 2021, 1:11pm

Hi Chandan,
hope you have resolved your issues with Suricata.
Continuing in an unrelated thread is not a good practice, it would be best if you open a new one.
But from the output, it seems like you don’t have files specified in suricata.yaml in the correct location. Please verify each path from the log.

Topic		Replies	Views
How to run suricata to check whether the rules I wrote for a certain pcap file are correct	2	1449	June 8, 2023
Snort Rules in Suricata 6.x in Offline Mode Help	5	476	August 17, 2023
Running Suricata default in Windows Rules	3	619	May 24, 2023
Suricata Variables and Rules Rules	1	2283	June 2, 2020
Some match bypass? Rules rules	27	1972	September 17, 2021

Instruction to write rules on Suricata

Related topics