So I am new to the variables and rules of Suricata, having recently switched from Snort 2.9 to Suricata 4.1. Previously we just used the Snort ruleset and the ET rulesets, but we are switching to just ET for the time being as I figure out how to build some of my own rules.
I have built out an include file for all the variables that could be used (I wanted to keep it separate from the suricata.yaml so the actual analysts don't touch the main suricata.yaml).
So we have got near 100-200 variables, and now I am trying to figure out some basic rules to build that might not be contained in the normal ET sets and that I should be concerned with. (Offline system, so it's probably sporadic at best when rules get official updates.)
Does anyone have pointers on where to look for something beyond creating a ping rule?
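As an added example that is not part of the original post (the file names, RULEDIR, SURICATA_YAML and every address, port and sid value below are assumptions), here is one way to lay out a separate variable include alongside a handful of local policy rules that use it, plus a check that the rules only reference variables the include actually defines. The rules use keyword forms that Suricata 4.1 accepts (the `http_user_agent` content modifier and the `tls_sni` sticky buffer).

```shell
#!/bin/sh
# Added example, not the poster's files: a separate variable include, a small
# local rule set that uses those variables, and a config test.  RULEDIR, the
# file names and every address/port/sid value below are assumptions.
set -eu

RULEDIR="${RULEDIR:-$(mktemp -d)}"
SURICATA_YAML="${SURICATA_YAML:-/etc/suricata/suricata.yaml}"

# vars.yaml: pulled in by adding `include: vars.yaml` (path relative to
# suricata.yaml) to the main config, so analysts edit only this file.
write_vars() {
  cat > "$RULEDIR/vars.yaml" <<'EOF'
%YAML 1.1
---
vars:
  address-groups:
    HOME_NET: "[10.0.0.0/8,192.168.0.0/16]"
    EXTERNAL_NET: "!$HOME_NET"
    INTERNAL_DNS: "[10.0.0.53,10.0.1.53]"   # the only resolvers hosts may use
    JUMP_HOSTS: "[10.0.5.10,10.0.5.11]"     # the only sources allowed to RDP in
  port-groups:
    DNS_PORTS: "53"
    RDP_PORTS: "3389"
EOF
}

# local.rules: site policy that ET cannot ship because it is local knowledge.
# Local sids live at 1000000+ so they never collide with ET sids.
write_rules() {
  cat > "$RULEDIR/local.rules" <<'EOF'
# DNS to anything other than the approved resolvers: misconfig or exfil channel
alert dns $HOME_NET any -> !$INTERNAL_DNS $DNS_PORTS (msg:"LOCAL DNS query to non-approved resolver"; flow:to_server; classtype:policy-violation; sid:1000001; rev:1;)

# RDP SYNs from anything except the jump hosts; threshold tames a single scanner
alert tcp !$JUMP_HOSTS any -> $HOME_NET $RDP_PORTS (msg:"LOCAL RDP SYN from non-jump-host"; flow:to_server,stateless; flags:S,12; threshold:type both, track by_src, count 5, seconds 60; classtype:policy-violation; sid:1000002; rev:1;)

# Scripted HTTP client leaving the network (content modifier form, valid on 4.1)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"LOCAL python-requests user-agent to external host"; flow:established,to_server; content:"python-requests"; http_user_agent; nocase; classtype:policy-violation; sid:1000003; rev:1;)

# TLS to a paste site, matched on SNI so it needs no decryption; isdataat pins
# the match to the end of the SNI so pastebin.com.example does not fire it
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"LOCAL TLS to pastebin.com"; flow:to_server; tls_sni; content:"pastebin.com"; nocase; isdataat:!1,relative; classtype:policy-violation; sid:1000004; rev:1;)
EOF
}

# Number of active rules, for a wrapper or a test to sanity-check.
rule_count() {
  grep -c '^alert' "$RULEDIR/local.rules"
}

# Every $VAR the rules reference must exist in vars.yaml; an undefined variable
# is the most common reason a local rule set fails to load, so catch it early.
undefined_vars() {
  grep -o '\$[A-Z_]*' "$RULEDIR/local.rules" | sort -u | sed 's/^\$//' |
    while read -r v; do
      grep -q "^    $v:" "$RULEDIR/vars.yaml" || echo "$v"
    done
}

# Full check: suricata -T loads the main config (which must `include:` the
# vars file) and only this rule file, exiting non-zero on any parse error.
validate() {
  if command -v suricata >/dev/null 2>&1; then
    suricata -T -c "$SURICATA_YAML" -S "$RULEDIR/local.rules"
  else
    echo "suricata not on PATH; only the variable check ran" >&2
  fi
}

write_vars
write_rules
echo "wrote $(rule_count) rules to $RULEDIR/local.rules"
missing="$(undefined_vars)"
if [ -n "$missing" ]; then
  echo "rules reference variables missing from vars.yaml: $missing" >&2
  exit 1
fi
validate
```

Address groups and port groups defined this way behave exactly like the built-in HOME_NET and EXTERNAL_NET, including negation with `!$VAR`, so the local policy rules (which resolvers are approved, who may RDP in, which clients may leave the network) stay readable as the variable file grows. Those policy rules are the usual first things to write because no public ruleset can know that local detail.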