Running Suricata default in Windows
Question for all. If I run Suricata with the following syntax “suricata.exe -c suricata.yaml -I interface”, and my rules folder is currently empty, will rules automatically be added into the folder? When I run suricata.exe /? it mentions this file: “signature.rules”. I don’t see this file anywhere.
You would need to download and put rules in the rules folder.
The suricata.yaml is set up for the ET Open ruleset; however, if you add different rules you should just add those names in the rules section of suricata.yaml.

Ok, is there a good reference on rules to start with? A place to download them from? I’m just trying to get a basic setup of Suricata running so I can see it in action and get familiar with it. It looked like there were rules mentioned in the yaml file, so I thought possibly they would be added.

You can look into the rulesets that are listed for suricata-update; see the docs here: “suricata-update - A Suricata Rule Update Tool” (suricata-update 1.3.0rc1 documentation).

As Peter mentioned, ET Open rulesets are most of the time a good way to start.
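The two answers above come down to the same point: suricata.yaml only names rule files, it never fetches them, so an empty rules folder means every file listed under `rule-files` is missing until you download a ruleset (ET Open via suricata-update, for instance) into `default-rule-path`. As an added example, not code from this thread or from the Suricata project, the script below reads those two keys from a config and reports which listed files are absent on disk, so the gap is visible before Suricata is started. The YAML fragment, the file names and the temporary rules directory are constructed for the demonstration; the parser is deliberately minimal (no PyYAML) and only understands the two keys it needs.

```python
"""
Check that every rule file named in a Suricata config actually exists in the
rules directory, so an empty rules folder is caught before Suricata is started.
Added example, not part of the forum thread; the YAML snippet and file names
below are constructed for the demonstration.
"""
import os
import tempfile

# Constructed suricata.yaml fragment. The placeholder is swapped for a real
# directory in demo(); the listed file names are assumptions for this example,
# not the values shipped with the Windows installer.
SAMPLE_CONFIG = """\
default-rule-path: RULES_DIR_PLACEHOLDER
rule-files:
  - suricata.rules
  - local.rules
"""


def parse_rule_config(text):
    """Minimal parser for two keys: default-rule-path and the rule-files list.
    Returns (rule_path, [rule_file, ...]). Any other top-level key ends the list."""
    rule_path = None
    rule_files = []
    in_list = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # strip YAML comments
        if not line.strip():
            continue
        stripped = line.strip()
        if stripped.startswith("default-rule-path:"):
            # split on the first ':' only, so a Windows drive letter survives
            rule_path = stripped.split(":", 1)[1].strip().strip('"')
            in_list = False
        elif stripped.startswith("rule-files:"):
            in_list = True
        elif in_list and stripped.startswith("- "):
            rule_files.append(stripped[2:].strip().strip('"'))
        elif not line.startswith((" ", "\t")):
            in_list = False
    return rule_path, rule_files


def missing_rule_files(text):
    """Return the rule files listed in the config that do not exist on disk."""
    rule_path, rule_files = parse_rule_config(text)
    if rule_path is None:
        raise ValueError("default-rule-path not set in config")
    return [f for f in rule_files
            if not os.path.isfile(os.path.join(rule_path, f))]


def demo():
    """Create a temporary rules dir holding only local.rules and report the gap.
    This mimics the question: the config names files nobody has downloaded."""
    with tempfile.TemporaryDirectory() as rules_dir:
        with open(os.path.join(rules_dir, "local.rules"), "w") as fh:
            # one constructed local rule, just so the file is non-empty
            fh.write('alert icmp any any -> any any '
                     '(msg:"constructed test rule"; sid:1000001; rev:1;)\n')
        config = SAMPLE_CONFIG.replace("RULES_DIR_PLACEHOLDER", rules_dir)
        return missing_rule_files(config)


if __name__ == "__main__":
    for name in demo():
        print("missing rule file:", name)
```

Run it as-is to see `suricata.rules` reported as missing; point `SAMPLE_CONFIG` at your real suricata.yaml contents (or read the file) to check an installed setup. Once a ruleset has been downloaded into `default-rule-path` and its file name appears under `rule-files`, the list comes back empty.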