I’m running Suricata version 6.0.4. I created a file named local.rules for my custom rules in /var/lib/suricata/rules, and I edited suricata.yaml to add my local.rules:
Then I checked my configuration with: suricata -T -c /etc/suricata/suricata.yaml -v:
4/2/2022 – 13:31:37 - - 2 rule files processed. 24042 rules successfully loaded, 0 rules failed
4/2/2022 – 13:31:37 - - Threshold config parsed: 0 rule(s) found
4/2/2022 – 13:31:37 - - 24045 signatures processed. 1242 are IP-only rules, 3897 are inspecting packet payload, 18878 inspect application layer, 0 are decoder event only
4/2/2022 – 13:32:12 - - Configuration provided was successfully loaded. Exiting.
But Suricata doesn't alert on my local.rules, as if it doesn't take it into account!
Can you please help?
I see 2 rule files being processed … can you run
suricata -c /path/to/suricata.yaml --dump-config | grep rules?
This will show the actual rule path and rule file(s) that are loaded.
Thank you for your response; here is the result of the command:
outputs.5.pcap-log.honor-pass-rules = no
app-layer.protocols.http2.http1-rules = no
engine-analysis.rules-fast-pattern = yes
engine-analysis.rules = yes
detect.profiling.grouping.include-rules = false
profiling.rules = (null)
profiling.rules.enabled = yes
profiling.rules.filename = rule_perf.log
profiling.rules.append = yes
profiling.rules.limit = 10
profiling.rules.json = yes
default-rule-path = /var/lib/suricata/rules
rule-files.0 = suricata.rules
rule-files.1 = local.rules
This confirms that Suricata is using the rule files that you’ve configured and installed.
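The check above can be scripted: the following added example (not from the thread or from the Suricata project) parses the flat `key = value` lines of `--dump-config | grep rules` output, resolves each `rule-files.N` entry against `default-rule-path`, and reports whether each file exists and how many candidate signatures it contains, so a "2 rule files processed" line can be matched to real files on disk. The sample dump text is constructed from the values shown in the thread.

```python
import os
import re
from typing import Dict, List, Tuple

# Constructed sample of `suricata --dump-config | grep rules` output, modelled on the thread.
SAMPLE_DUMP = """\
outputs.5.pcap-log.honor-pass-rules = no
default-rule-path = /var/lib/suricata/rules
rule-files.0 = suricata.rules
rule-files.1 = local.rules
"""


def parse_dump_config(text: str) -> Tuple[str, List[str]]:
    """Return default-rule-path and the rule-files.N entries in index order."""
    rule_path = ""
    files: Dict[int, str] = {}
    for line in text.splitlines():
        if " = " not in line:
            continue
        key, value = (part.strip() for part in line.split(" = ", 1))
        if key == "default-rule-path":
            rule_path = value
        else:
            m = re.fullmatch(r"rule-files\.(\d+)", key)
            if m:
                files[int(m.group(1))] = value
    return rule_path, [files[i] for i in sorted(files)]


def resolve_rule_files(rule_path: str, files: List[str]) -> List[str]:
    """Relative entries live under default-rule-path; absolute entries are used as given."""
    return [f if os.path.isabs(f) else os.path.join(rule_path, f) for f in files]


def count_signatures(text: str) -> int:
    """Count non-empty, non-comment lines: the candidate signatures the engine will parse."""
    return sum(1 for ln in text.splitlines() if ln.strip() and not ln.lstrip().startswith("#"))


def check_rule_files(rule_path: str, files: List[str]) -> Dict[str, int]:
    """Map each resolved rule file to its signature count, or -1 if it is missing/unreadable."""
    result: Dict[str, int] = {}
    for path in resolve_rule_files(rule_path, files):
        try:
            with open(path, encoding="utf-8", errors="replace") as fh:
                result[path] = count_signatures(fh.read())
        except OSError:
            result[path] = -1
    return result


if __name__ == "__main__":
    path, names = parse_dump_config(SAMPLE_DUMP)
    for rule_file, count in check_rule_files(path, names).items():
        print(f"{rule_file}: {'MISSING' if count < 0 else f'{count} signature line(s)'}")
```

A file reported as MISSING or with 0 signature lines explains a ruleset that loads "successfully" yet never alerts.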
When I copy the same rules from local.rules to suricata.rules and do my test, it works fine; I can see the alerts in the log file!!
But with local.rules it does not work!
Can you DM your (1) rule file(s), (2) suricata configuration and (3) a pcap that will trigger the alerts?
Can you send me the actual rule files and configuration file as well as the test you perform to validate them?
I will close the ticket in Redmine. Thanks
Done, I sent you a message with the files and the test I perform. Thank you
I can confirm that both rulesets are being loaded using your
You can run
suricata -c /path/to/suricata.yaml --engine-analysis to confirm that the rules you’re providing are being used.
--engine-analysis will create a couple of files with analysis of the rules you provide.
I think the problem is more likely in the local rules — try adding
to_client as appropriate for the rule) .