Custom Suricata Rules

Hi there,

I can see we have a few sets of Suricata rules to choose from.

Is it possible for us to make our own rules in addition to selecting say the ET set?

Or do our rules get blasted away anytime the ET set is updated?

I think this is not easy, I think only 1 person here knows how to do it.
you have to add it as a ruleset provider in

ruleset-sources’

unfortunately I am no expert

Given we can only have 1.ruleset at a time I assume you can only have either your custom rules OR a set like Emerging threats not both at the same timer I gather?

That is a very good point. but I would think once you make a custom ruleset, you would include all prefered ones. I wish I could remember who wrote all this. Will try to come back if I remmember

Okies thanks :slight_smile:

Hello knightian,

you simple can put your custom suricata rules into the following file:

/var/lib/suricata/local.rules

If this file does not exist, just create it and put your rules into it.

In the WUI on the IDS page the “local.rules” will be displayed and can be enabled like the usual way.

Best regards,

-Stefan

That was easy, thank you @stevee. :heart_eyes:

I loaded 25MB of suricata rules into local.rules

RAM usage went from 500MB to 1.6 GB.

Now I am waiting for IPfire to start smoking :smile:

Legend thanks mate!

Updated to core 154 and local.rules persisted as well so that’s brilliant, thanks again!

Is there a way to download updated rules into local.rules?
i.e. from
https://sslbl.abuse.ch/blacklist/sslblacklist_tls_cert.rules

You could just set a cronjob to run a script that does it I reckon might be best way. Although caution as I found entries in fcrontab -e get reset when you update.