Question about customizing rules

I put some rules into /vat/lib/suricata/local.rules, but nothing is displayed in the WUI. I’m confused about that. (Core 156.)
Maybe I forgot to configure something?
Kind regards and thanks in advance for the help!

And my local.rules still exists at /var/lib/suricata, but there is nothing in the WUI.

Hi @majiko

Welcome to the IPFire Community.

I just tried creating the local.rules file for Suricata. As long as there was one valid Suricata rule in the file, it showed up in the Intrusion Prevention System WUI page.

If I mangled the rules so none of them were valid, then local.rules did not show up in the WUI page.

It’s likely that you have errors in your local.rules definitions.

Here is a link to the Suricata documentation on the rule format.
https://suricata.readthedocs.io/en/suricata-5.0.0/rules/intro.html

To test that everything is working okay you can just copy one of the other rules files to local.rules and then see if you see it in the WUI.
That is what I did and it worked when I refreshed the WUI page.

Good luck.
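As an added example (not part of the reply above, and not Suricata's or IPFire's own code): a rough structural pre-check for a local.rules file that counts how many lines look like well-formed rules, since the reply observed that the file is only listed when at least one rule is valid. It assumes header fields without spaces and checks only the action, direction, option termination, quoting and presence of a `sid`; the function names and sample rules are constructed for illustration.

```python
import re

# Actions and directions as listed in the Suricata 5.0 rule-format documentation.
ACTIONS = {"alert", "pass", "drop", "reject", "rejectsrc", "rejectdst", "rejectboth"}
DIRECTIONS = {"->", "<>"}
# Simplification: header fields contain no spaces (so no "[a, b]" style lists).
RULE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+\((.*)\)\s*$")
SID = re.compile(r"(?:^|;)\s*sid\s*:\s*\d+\s*(?:;|$)")

def check_rule(line):
    """Return the structural problems found in one rule line (empty list = looks OK)."""
    m = RULE.match(line.strip())
    if not m:
        return ["not of the form: action proto src sport dir dst dport (options)"]
    action, direction, opts = m.group(1), m.group(5), m.group(8).strip()
    problems = []
    if action not in ACTIONS:
        problems.append(f"unknown action {action!r}")
    if direction not in DIRECTIONS:
        problems.append(f"unknown direction {direction!r}")
    if not opts.endswith(";"):
        problems.append("last option not terminated with ';'")
    if opts.replace('\\"', "").count('"') % 2:
        problems.append("unbalanced double quotes")
    if not SID.search(opts):
        problems.append("missing numeric sid")
    return problems

def check_file(text):
    """Return (count of rules that pass, {line number: problems}) for a rules file."""
    ok, bad = 0, {}
    for num, line in enumerate(text.splitlines(), start=1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank lines and comments are not rules
        problems = check_rule(line)
        if problems:
            bad[num] = problems
        else:
            ok += 1
    return ok, bad

# Constructed sample rules, not taken from the thread.
SAMPLE = '''# constructed sample local.rules
alert icmp any any -> any any (msg:"ICMP seen"; sid:1000001; rev:1;)
alert tcp any any -> any 80 (msg:"no sid here"; rev:1;)
alert tcp any any -> any 22 (msg:"missing semicolon"; sid:1000003)
alret udp any any -> any 53 (msg:"typo in action"; sid:1000004;)
'''

if __name__ == "__main__":
    print(check_file(SAMPLE))
```

A line that passes this check can still be rejected by Suricata itself, so treat a clean result as a first filter only.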

Thanks for replying, @bonnietwin!

I just checked my local.rules carefully, but it still doesn’t work. I also tried the example rule from the URL (5.1. Rules Format — Suricata unknown documentation), but the same thing occurred.

That’s weird. I’ll keep trying and find a resolution.

Thanks for the help, Adolf. Have a good day!

I finally found the resolution. I tried copying a rule downloaded from the Emergingthreats.net Community Rules and renamed it to “local.rules”.

The cute “local.rules” emerged in the Intrusion Prevention System WUI page, and I tried creating rules in it; it still works. lol

Your answer gave me inspiration. Thanks!
