Support #5042 (closed)
Suricata doesn't take local.rules into account
Added by mostafa mhb almost 3 years ago. Updated almost 3 years ago.
Description
Hi,
I'm running Suricata version 6.0.4. I created a file named local.rules for my custom rules, and I edited suricata.yaml to add my local.rules:
default-rule-path: /var/lib/suricata/rules
rule-files:
  - suricata.rules
Files
local.rules (423 Bytes) - mostafa mhb, 02/07/2022 09:45 AM
suricata.yaml (70.9 KB) - mostafa mhb, 02/07/2022 09:45 AM
Updated by mostafa mhb almost 3 years ago
Hi,
I'm running Suricata version 6.0.4. I created a file named local.rules for my custom rules, and I edited suricata.yaml to add my local.rules:
default-rule-path: /var/lib/suricata/rules
rule-files:
  - suricata.rules
  - local.rules
Then I checked my configuration with: suricata -T -c /etc/suricata/suricata.yaml -v:
4/2/2022 -- 13:31:37 - <Info> - 2 rule files processed. 24042 rules successfully loaded, 0 rules failed
4/2/2022 -- 13:31:37 - <Info> - Threshold config parsed: 0 rule(s) found
4/2/2022 -- 13:31:37 - <Info> - 24045 signatures processed. 1242 are IP-only rules, 3897 are inspecting packet payload, 18878 inspect application layer, 0 are decoder event only
4/2/2022 -- 13:32:12 - <Notice> - Configuration provided was successfully loaded. Exiting.
But Suricata doesn't alert on my local.rules, as if it doesn't take it into account!
Can you please help?
Updated by Andreas Herz almost 3 years ago
- Status changed from New to In Progress
Well, based on the output, 2 rule files are processed, so that is correctly loaded.
Maybe you had no traffic that would match the signatures that you added; for testing purposes you could add a rather small signature that should match on all traffic.
Updated by Andreas Herz almost 3 years ago
- Status changed from In Progress to Feedback
- Assignee set to mostafa mhb
Updated by mostafa mhb almost 3 years ago
Thank you Andreas for your response.
I'm sure that I have traffic that matches my rule:
alert tcp $HOME_NET any -> $HOME_SERVER 22 (msg:" SSH Access Attempt To Server 1"; classtype:attempted-admin; sid:1000001;)
When I copy my rules from local.rules to suricata.rules it works; I can see alerts in the log file!!
Updated by Andreas Herz almost 3 years ago
Can you upload your config file and local rule file?
Must be something strange within the file I guess.
Updated by mostafa mhb almost 3 years ago
- File local.rules local.rules added
- File suricata.yaml suricata.yaml added
Here is the result that shows that my config takes local.rules into account: suricata -c suricata.yaml --dump-config:
napatech = (null)
napatech.streams = (null)
napatech.streams.0 = 0-3
napatech.enable-stream-stats = no
napatech.auto-config = yes
napatech.hardware-bypass = yes
napatech.inline = no
napatech.ports = (null)
napatech.ports.0 = 0-1
napatech.ports.1 = 2-3
napatech.hashmode = hash5tuplesorted
default-rule-path = /var/lib/suricata/rules
rule-files = (null)
rule-files.0 = suricata.rules
rule-files.1 = local.rules
classification-file = /etc/suricata/classification.config
reference-config-file = /etc/suricata/reference.config
I attached local.rules and suricata.yaml.
Thanks in advance for your help
Updated by Andreas Herz almost 3 years ago
In your suricata.yaml the HOME_SERVER is missing the " char at the end.
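The checks this thread walks through by hand (is local.rules listed under rule-files, does the file contain active rules, are the $VARIABLES the rules use defined, is an address-group value left with an unterminated quote) can be scripted. The following is an added example, not Suricata's own code or anything from this ticket's attachments: it reads only the keys the rule loader depends on with a small line-based reader (so it needs no PyYAML), and the suricata.yaml excerpt and local.rules content are constructed for the example, including the "match all traffic" smoke-test rule suggested earlier in the thread.

```python
"""Added example: sanity-check the rule-loading parts of a suricata.yaml.
Not Suricata's own code; the config and rule samples are constructed."""
import re

# Constructed suricata.yaml excerpt.  HOME_SERVER is missing its closing
# quote, the kind of defect the thread above ends up pointing at.
SAMPLE_YAML = """\
%YAML 1.1
---
vars:
  address-groups:
    HOME_NET: "[192.168.0.0/16,10.0.0.0/8]"
    EXTERNAL_NET: "!$HOME_NET"
    HOME_SERVER: "[10.0.0.5]

default-rule-path: /var/lib/suricata/rules

rule-files:
  - suricata.rules
  - local.rules
"""

# Constructed local.rules: an SSH rule like the one in the thread plus a
# catch-all smoke-test rule that confirms the file is really being loaded.
SAMPLE_LOCAL_RULES = """\
# custom rules
alert tcp $HOME_NET any -> $HOME_SERVER 22 (msg:"SSH Access Attempt To Server 1"; classtype:attempted-admin; sid:1000001; rev:1;)
alert ip any any -> any any (msg:"LOCAL smoke test - matches all traffic"; sid:1000099; rev:1;)
"""

_KEY_RE = re.compile(r'^(\s*)([A-Za-z0-9_.-]+):\s*(.*?)\s*$')
_LIST_RE = re.compile(r'^\s*-\s+(\S+)\s*$')


def parse_rule_config(yaml_text):
    """Return (default_rule_path, rule_files, variables) from the subset of
    suricata.yaml the rule loader depends on.  Variables are the upper-case
    entries under vars (address-groups and port-groups)."""
    rule_path, rule_files, variables = None, [], {}
    section = None  # top-level key we are currently inside
    for line in yaml_text.splitlines():
        if not line.strip() or line.lstrip().startswith('#'):
            continue
        m = _KEY_RE.match(line)
        if m and m.group(1) == '':  # unindented: a top-level key
            section = m.group(2)
            if section == 'default-rule-path':
                rule_path = m.group(3)
            continue
        if section == 'rule-files':
            lm = _LIST_RE.match(line)
            if lm:
                rule_files.append(lm.group(1))
        elif section == 'vars' and m and m.group(2).isupper():
            variables[m.group(2)] = m.group(3)
    return rule_path, rule_files, variables


def check_var_quoting(variables):
    """Names whose value has an odd number of double quotes.  A missing
    closing quote makes the YAML unparsable, so no rules load at all."""
    return [name for name, value in variables.items() if value.count('"') % 2]


def rule_vars_referenced(rules_text):
    """$VARIABLE names used by the non-comment lines of a rule file."""
    names = set()
    for line in rules_text.splitlines():
        if line.strip() and not line.lstrip().startswith('#'):
            names.update(re.findall(r'\$([A-Z][A-Z0-9_]*)', line))
    return names


def count_active_rules(rules_text):
    """Number of non-blank, non-comment lines (one rule per line)."""
    return sum(1 for l in rules_text.splitlines()
               if l.strip() and not l.lstrip().startswith('#'))


def diagnose(yaml_text, rule_texts):
    """rule_texts maps each rule file name to its contents (None when the
    file could not be read).  Returns a list of human-readable findings;
    an empty list means nothing obvious stops local.rules from loading."""
    rule_path, rule_files, variables = parse_rule_config(yaml_text)
    findings = []
    if 'local.rules' not in rule_files:
        findings.append('local.rules is not listed under rule-files')
    for bad in check_var_quoting(variables):
        findings.append(f'vars.address-groups.{bad} has an unterminated quote')
    for name in rule_files:
        text = rule_texts.get(name)
        if text is None:
            findings.append(f'{rule_path}/{name} is listed but unreadable')
            continue
        if count_active_rules(text) == 0:
            findings.append(f'{name} contains no active rules')
        for var in sorted(rule_vars_referenced(text) - set(variables)):
            findings.append(f'{name} references ${var}, which is not defined in vars')
    return findings


if __name__ == '__main__':
    sample_files = {'suricata.rules': 'alert ip any any -> any any (sid:1;)\n',
                    'local.rules': SAMPLE_LOCAL_RULES}
    for finding in diagnose(SAMPLE_YAML, sample_files) or ['no findings']:
        print(finding)
```

On a real host you would read suricata.yaml and each file under default-rule-path instead of the constructed strings; the findings list is meant to be checked before reaching for `suricata -T`, which on this thread reported a successful load even though the rules never fired.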
Updated by mostafa mhb almost 3 years ago
Thanks, it's just from when I wanted to edit the conf before sending it.
Updated by Andreas Herz almost 3 years ago
- Status changed from Feedback to Closed