Suricata-Update and custom signature sets

If I am using Suricata-Update for ET PRO rules, how do I handle custom signatures?
I listed the custom signature set file name in addition to suricata.rules in suricata.yaml then I put the custom file in /var/lib/suricata/rules/. Do I need to do anything else to get the custom rule set file to work with suricata along with suricata.rules too?

Hi Leonard!

Does your configuration look like the following?

default-rule-path: /var/lib/suricata/rules
 rule-files:
   - suricata.rules
   - myrules.rules # this is the name of the file you put in /var/lib/suricata/rules

Yes.

The second custom rule set should be firing but I see no alerts from it. It works in version 4 of suricata.

Leonard Jacobs, MS, MBA, CISSP, CSSA

President/CEO
Netsecuris LLC
Office (662) 667-7796
http://www.netsecuris.com

Netsecuris is proud to be listed in MSSP Alert’s 2019 Top 200 MSSP List, ChannelE2E’s Top 100 Vertical Market MSPs List for 2019, and The Channel Company’s 2019 list of Top 100 Cyber Security Services Providers.

Alert firing might be due to something else but your rule file should be getting loaded. Could you please confirm if you see

2/7/2020 -- 20:33:55 - <Config> - Loading rule file: /var/lib/suricata/rules/myrules.rules
2/7/2020 -- 20:33:55 - <Config> - No rules loaded from myrules.rules.
2/7/2020 -- 20:33:55 - <Info> - 2 rule files processed. 24761 rules successfully loaded, 0 rules failed

in Suricata logs?

I found something really weird. suricata.log is not updating. This is a relatively new installation with many restarts of Suricata.

Suricata is functioning and giving all kinds of alerts using ET PRO ruleset.

I think I found why suricata.log was not updating. It was not enabled in suricata.yaml in the output section.

Great! Could you access the logs and check if the file is getting loaded properly?

I will have to wait until I can re-start Suricata. Have to wait for maintenance Window for live system but can try on a test system that is identical to live system.