Maintaining custom tags for tag conditional pcap-log configuration

weekender · April 9, 2025, 10:24pm

Hello,

When configuring pcap-log conditional on tag. e.g.
alert http any any → any any (http.method; content:“POST”; tag:session; sid:1;)
How can customised rules best be maintained? As I assume that when updating rules, any such customisations will be overwritten.

Andreas_Herz · July 17, 2025, 9:08pm

Why should custom rules being overwritten?

jonny5 · November 12, 2025, 7:22am

Use suricata-update, you can make your customization part of the update