I’m running Suricata version 6.0.4. I created a file named local.rules for my custom rules in /var/lib/suricata/rules, and I edited suricata.yaml to add my local.rules:
default-rule-path: /var/lib/suricata/rules
suricata.rules
local.rules
Then I checked my configuration with: suricata -T -c /etc/suricata/suricata.yaml -v:
I can confirm that both rulesets are being loaded using your suricata.yaml and local.rules.
You can run suricata -c /path/to/suricata.yaml --engine-analysis to confirm that the rules you’re providing are being used. --engine-analysis will create a couple of files with analysis of the rules you provide.
I think the problem is more likely in the local rules — try adding flow:established,to_server; (or to_client as appropriate for the rule).
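One way to find which rules in a local.rules file the flow suggestion above applies to, as an added example (not code from the thread or from the Suricata project). The sample rules, the protocol list and the names `parse_rule` and `audit_flow` are assumptions made for illustration, and the parser expects one rule per line.

```python
import re

# Constructed sample rules standing in for local.rules (not from the thread).
SAMPLE_RULES = r'''
alert http any any -> any any (msg:"semi \; in msg"; content:"/admin"; http_uri; sid:1000001; rev:1;)
alert tcp any any -> any 22 (msg:"ssh banner"; flow:established,to_server; content:"SSH-"; sid:1000002; rev:1;)
alert tcp any any -> any 80 (msg:"only to_server"; flow:to_server; content:"GET"; sid:1000003; rev:1;)
alert icmp any any -> any any (msg:"ping"; itype:8; sid:1000004; rev:1;)
'''

# Assumption: protocols for which a flow state/direction is worth checking.
FLOW_PROTOS = {"tcp", "http", "tls", "ssh", "smtp", "ftp", "smb"}
DIRECTIONS = {"to_server", "to_client", "from_client", "from_server"}
# action, protocol, rest of header, then the option body between the outer parentheses
RULE_RE = re.compile(r"\s*\w+\s+([\w-]+)\s[^(]*\((.*)\)\s*$")

def parse_rule(line):
    """Return (protocol, [(keyword, value), ...]), or None for blanks and comments."""
    m = RULE_RE.match(line)
    if not m:
        return None
    opts = []
    # Suricata requires ';' inside option values to be escaped as '\;'.
    for raw in re.split(r"(?<!\\);", m.group(2)):
        name, _, value = raw.strip().partition(":")
        if name:
            opts.append((name.strip(), value.strip()))
    return m.group(1).lower(), opts

def audit_flow(text):
    """Return {sid: finding} for rules whose flow option is absent or partial."""
    findings = {}
    for line in text.splitlines():
        parsed = parse_rule(line)
        if parsed is None or parsed[0] not in FLOW_PROTOS:
            continue
        opts = parsed[1]
        sid = dict(opts).get("sid", "?")
        flow = [v for k, v in opts if k == "flow"]
        flags = {f.strip() for f in flow[0].split(",")} if flow else set()
        if not flow:
            findings[sid] = "no flow keyword"
        elif "established" not in flags:
            findings[sid] = "flow lacks established"
        elif not flags & DIRECTIONS:
            findings[sid] = "flow lacks direction"
    return findings

if __name__ == "__main__":
    for sid, why in audit_flow(SAMPLE_RULES).items():
        print(f"sid {sid}: {why}")
```

A finding is a candidate for review rather than an error: whether a rule needs a flow option depends on what it is meant to match.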