Hi there,
I can see we have a few sets of Suricata rules to choose from.
Is it possible for us to make our own rules in addition to selecting say the ET set?
Or do our rules get blasted away anytime the ET set is updated?
I think this is not easy, I think only 1 person here knows how to do it.
You have to add it as a ruleset provider in 'ruleset-sources'.
Unfortunately I am no expert.
Given we can only have 1 ruleset at a time, I assume you can only have either your custom rules OR a set like Emerging Threats, not both at the same time, I gather?
That is a very good point, but I would think once you make a custom ruleset, you would include all preferred ones. I wish I could remember who wrote all this. Will try to come back if I remember.
Okies thanks
Hello knightian,
you can simply put your custom Suricata rules into the following file:
/var/lib/suricata/local.rules
If this file does not exist, just create it and put your rules into it.
In the WUI on the IDS page the “local.rules” will be displayed and can be enabled like the usual way.
Best regards,
-Stefan
That was easy, thank you @stevee.
I loaded 25MB of suricata rules into local.rules
RAM usage went from 500MB to 1.6 GB.
Now I am waiting for IPfire to start smoking
Legend thanks mate!
Updated to core 154 and local.rules persisted as well so that’s brilliant, thanks again!
Is there a way to download updated rules into local.rules?
i.e. from
https://sslbl.abuse.ch/blacklist/sslblacklist_tls_cert.rules
You could just set a cronjob to run a script that does it; I reckon that might be the best way. Although caution, as I found entries in fcrontab -e get reset when you update.
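One way to script the download suggested above, as an added example that is not from this thread and not IPFire's own tooling. It assumes hand-written rules are kept in a separate file (custom.rules, an assumed name) and regenerates local.rules from that file plus the fetched feed, but only after checking that the download actually looks like Suricata rules, so a captive-portal or HTML error page can never replace a working ruleset.

```shell
#!/bin/sh
# Assumed layout (not from the thread): manual rules in custom.rules,
# local.rules regenerated from custom.rules + the abuse.ch feed.
set -eu

FEED_URL="https://sslbl.abuse.ch/blacklist/sslblacklist_tls_cert.rules"
RULES_DIR="${RULES_DIR:-/var/lib/suricata}"
CUSTOM="$RULES_DIR/custom.rules"
LOCAL="$RULES_DIR/local.rules"

# Succeeds only if the file holds at least one rule line and nothing
# other than rules, comments or blank lines (rejects HTML error pages).
validate_rules() {
    f="$1"
    rules=$(grep -cE '^[[:space:]]*(alert|drop|reject|pass)[[:space:]]' "$f" || true)
    bad=$(grep -vcE '^[[:space:]]*(#|$|(alert|drop|reject|pass)[[:space:]])' "$f" || true)
    [ "$rules" -gt 0 ] && [ "$bad" -eq 0 ]
}

# Write custom rules + validated feed to the output path atomically,
# so Suricata never reloads a half-written file. Leaves the old file
# untouched when the feed fails validation.
merge_rules() {
    custom="$1"; feed="$2"; out="$3"
    validate_rules "$feed" || { echo "feed failed validation, keeping $out" >&2; return 1; }
    tmp="$out.tmp.$$"
    {
        echo "# generated $(date -u +%FT%TZ); edit $custom, not this file"
        [ -f "$custom" ] && cat "$custom"
        echo "# --- feed: $FEED_URL ---"
        cat "$feed"
    } > "$tmp"
    mv "$tmp" "$out"
}

# Fetch the feed to a temp file, then merge. Example cron line:
#   0 3 * * * /usr/local/bin/update-local-rules.sh run
# Keep the script on disk: the thread reports fcrontab entries being
# reset by an update, so the cron line may need re-adding afterwards.
update_local_rules() {
    feed=$(mktemp)
    curl -fsSL --max-time 60 "$FEED_URL" -o "$feed"
    merge_rules "$CUSTOM" "$feed" "$LOCAL"
    rm -f "$feed"
}

case "${1:-}" in run) update_local_rules ;; esac
```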