How should I add my rule file to Suricata?

Question

How should I add my rule file to Suricata?

1.3k views Asked by cyber-researcher At 23 November 2024 at 21:38

I was looking into suricata and I could not understand something about configuration file. As in the documentation we need to add our rule file to the suricata.yaml like this:

default-rule-path: /usr/local/etc/suricata/rules
rule-files:
         - suricata.rules
         - /path/to/local.rules

Should we need write the directory of the local.rules(sample file) ? Or we just keep it as /path/...

Which one is the correct usage? Thanks in advance

Original Q&A

There are 1 answers

**Jason** · Answer 1 · 2021-04-25 16:55:36

Both are fine. A rule file without a leading / will be loaded relative to the default-rule-path. I will often have a section that looks like:

default-rule-path: /var/lib/suricata/rules
rules-files:
  - suricata.rules
  - /etc/suricata/rules/local.rules

Where suricata.rules is the output of suricata-update. And local.rules is just a rule file I manually update.

TechQA.

How should I add my rule file to Suricata?

There are 1 answers

Related Questions in SECURITY

Related Questions in SURICATA

Related Questions in IDS

Popular Questions

Popular Tags

Trending Questions