Suricata

Hi,

I'm running suricata version 6.0.4, i created a file named local.rules for my custom rules, and i edited suricata.yaml to add my local.rules :

default-rule-path: /var/lib/suricata/rules
- suricata.rules
- local.rules

then i checked my configuration with : suricata -T -c /etc/suricata/suricata.yaml -v:

4/2/2022 -- 13:31:37 - <Info> - 2 rule files processed. 24042 rules successfully loaded, 0 rules failed
4/2/2022 -- 13:31:37 - <Info> - Threshold config parsed: 0 rule(s) found
4/2/2022 -- 13:31:37 - <Info> - 24045 signatures processed. 1242 are IP-only rules, 3897 are inspecting packet payload, 18878 inspect application layer, 0 are decoder event only
4/2/2022 -- 13:32:12 - <Notice> - Configuration provided was successfully loaded. Exiting.

But suricata dont alert on my local.rules, like it dont take it into account !

can you pease help ?

Thank you Andreas for your response.

I'm sure that i have traffic that match my rule :

alert tcp $HOME_NET any -> $HOME_SERVER 22 (msg:" SSH Access Attempt To Server 1"; classtype:attempted-admin; sid:1000001;)

When i copy my rules from local.rules to suricata.rules it works, i can see alerts in the logs file !!

Can you upload your config file and local rule file?
Must be something strange within the file I guess.

In your suricata.yaml the HOME_SERVER is missing the " char in the end.

Thanks, it's just when i want to edit the conf before send it .