Suricata doesn't take my local.rules into account

Hi,

I'm running Suricata version 6.0.4. I created a file named local.rules for my custom rules in /var/lib/suricata/rules, and I edited suricata.yaml to add my local.rules:

default-rule-path: /var/lib/suricata/rules
rule-files:
  - suricata.rules
  - local.rules

Then I checked my configuration with suricata -T -c /etc/suricata/suricata.yaml -v:

4/2/2022 – 13:31:37 - - 2 rule files processed. 24042 rules successfully loaded, 0 rules failed
4/2/2022 – 13:31:37 - - Threshold config parsed: 0 rule(s) found
4/2/2022 – 13:31:37 - - 24045 signatures processed. 1242 are IP-only rules, 3897 are inspecting packet payload, 18878 inspect application layer, 0 are decoder event only
4/2/2022 – 13:32:12 - - Configuration provided was successfully loaded. Exiting.

But Suricata doesn't alert on my local.rules, as if it doesn't take it into account!

Can you please help?

I see 2 rule files being processed … can you run suricata -c /path/to/suricata.yaml --dump-config | grep rules?

This will show the actual rule path and rule file(s) that are loaded.

Thank you for your response, here is the result of the command:

outputs.5.pcap-log.honor-pass-rules = no
app-layer.protocols.http2.http1-rules = no
engine-analysis.rules-fast-pattern = yes
engine-analysis.rules = yes
detect.profiling.grouping.include-rules = false
profiling.rules = (null)
profiling.rules.enabled = yes
profiling.rules.filename = rule_perf.log
profiling.rules.append = yes
profiling.rules.limit = 10
profiling.rules.json = yes
default-rule-path = /var/lib/suricata/rules
rule-files.0 = suricata.rules
rule-files.1 = local.rules

This confirms that Suricata is using the rule files that you’ve configured and installed.

When I copy the same rules from local.rules to suricata.rules and do my test, it works fine; I can see the alerts in the log file!

But with local.rules it does not work!

Can you DM your (1) rule file(s), (2) suricata configuration and (3) a pcap that will trigger the alerts?

Done, I sent you a DM.

Can you send me the actual rule files and configuration file as well as the test you perform to validate them?

This is the same as Support #5042: Suricata dont take local.rules into account - Suricata - Open Information Security Foundation. Please stick to either Redmine or the forum, Mostafa.

I will close the ticket in Redmine, thanks.

Done, I sent you a message with the files and the test I perform, thank you.

Hi,

I can confirm that both rulesets are being loaded using your suricata.yaml and local.rules.

You can run suricata -c /path/to/suricata.yaml --engine-analysis to confirm that the rules you’re providing are being used. --engine-analysis will create a couple of files with analysis of the rules you provide.

I think the problem is more likely in the local rules — try adding flow:established,to_server; (or to_client as appropriate for the rule).
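The two checks suggested in this thread (confirming which rule files Suricata actually resolves from --dump-config, and then looking at the local rules themselves for a missing flow keyword) can be scripted so they are repeatable. The script below is an added example written for this page; it is not code from the thread or from the Suricata project. It parses a constructed excerpt of the --dump-config output quoted above and a constructed local.rules file with hypothetical sids in the local 1000000+ range, resolves relative rule-files entries against default-rule-path the way the engine does, and reports which enabled rules have no flow: option. The flow check is only a hint for review, as in the thread, not a judgement that such a rule is wrong.

```python
import re
from pathlib import PurePosixPath

# Constructed sample: the relevant lines from the thread's
# `suricata --dump-config | grep rules` output.
DUMP_CONFIG = """\
outputs.5.pcap-log.honor-pass-rules = no
profiling.rules.filename = rule_perf.log
default-rule-path = /var/lib/suricata/rules
rule-files.0 = suricata.rules
rule-files.1 = local.rules
"""

# Constructed sample local.rules; sids are hypothetical values in the
# 1000000+ range reserved for local rules.
LOCAL_RULES = """\
# plain comment, not a rule
alert tcp any any -> any 80 (msg:"LOCAL no flow keyword"; content:"GET"; sid:1000001; rev:1;)
alert http any any -> any any (msg:"LOCAL with flow"; flow:established,to_server; http.uri; content:"/test"; sid:1000002; rev:1;)
#alert icmp any any -> any any (msg:"LOCAL disabled rule"; sid:1000003; rev:1;)
"""

ACTIONS = ("alert", "drop", "pass", "reject", "rejectsrc", "rejectdst", "rejectboth")


def resolve_rule_files(dump_config):
    """Return the ordered list of rule file paths Suricata will load.

    Relative rule-files entries are joined to default-rule-path; absolute
    entries are used unchanged.
    """
    base = None
    indexed = {}
    for line in dump_config.splitlines():
        key, sep, value = line.partition(" = ")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "default-rule-path":
            base = value
        m = re.fullmatch(r"rule-files\.(\d+)", key)
        if m:
            indexed[int(m.group(1))] = value
    resolved = []
    for idx in sorted(indexed):
        name = indexed[idx]
        if not name.startswith("/") and base is not None:
            name = str(PurePosixPath(base) / name)
        resolved.append(name)
    return resolved


def summarize_rules(rule_text):
    """Classify each line of a rule file.

    Returns the number of enabled rules, the number of commented-out
    (disabled) rules, and the sids of enabled rules that carry no flow:
    option, which is the first thing the thread suggests reviewing.
    """
    enabled = 0
    disabled = 0
    no_flow = []
    for raw in rule_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        is_disabled = False
        if line.startswith("#"):
            body = line.lstrip("#").strip()
            if not body.startswith(ACTIONS):
                continue  # ordinary comment, not a disabled rule
            is_disabled = True
            line = body
        elif not line.startswith(ACTIONS):
            continue  # not a rule line
        if is_disabled:
            disabled += 1
            continue
        enabled += 1
        # Rule options sit between the first "(" and the last ")".
        start, end = line.find("("), line.rfind(")")
        options = line[start + 1:end] if 0 <= start < end else ""
        sid_match = re.search(r"\bsid\s*:\s*(\d+)", options)
        sid = int(sid_match.group(1)) if sid_match else None
        if not re.search(r"\bflow\s*:", options):
            no_flow.append(sid)
    return {"enabled": enabled, "disabled": disabled, "no_flow_sids": no_flow}


if __name__ == "__main__":
    for path in resolve_rule_files(DUMP_CONFIG):
        print("will load:", path)
    print(summarize_rules(LOCAL_RULES))
```

On a real host, feed resolve_rule_files the output of suricata -c /path/to/suricata.yaml --dump-config and summarize_rules the contents of each resolved file; a rule file that resolves to a path that does not exist, or whose enabled count is zero, explains a "rules loaded" total that never includes your local signatures.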