path: root/doc/userguide/rule-management/adding-your-own-rules.rst
Adding Your Own Rules
=====================

If you would like to create a rule yourself and use it with Suricata,
this guide might be helpful.

Start creating a file for your rule. Use one of the following examples in
your console/terminal window:

::

  sudo nano local.rules
  sudo vim local.rules

Write your rule (see :doc:`../rules/intro`) and save it.

Update the Suricata configuration file so your rule is included. Use
one of the following examples:

::

  sudo nano /etc/suricata/suricata.yaml
  sudo vim /etc/suricata/suricata.yaml

and make sure your local.rules file is added to the list of rules: ::

    default-rule-path: /usr/local/etc/suricata/rules

    rule-files:
      - suricata.rules
      - /path/to/local.rules

Now, run Suricata and see if your rule is being loaded.

::

  suricata -c /etc/suricata/suricata.yaml -i wlan0

If the rule fails to load, Suricata prints all the information it has about
why it deemed the rule unloadable. Read those details carefully: the usual
causes are mistakes in special characters, spacing, capitalisation and the
like.

Next, check if your log-files are enabled in the Suricata configuration file
``suricata.yaml``.

If you had to correct your rule and/or modify Suricata's YAML configuration
file, you'll have to restart Suricata.

Once you see that your rule has loaded successfully, verify it by doing
something that should trigger it.

By default, Suricata will log alerts to two places:

- ``eve.json``
- ``fast.log``

These files will be located in the log output directory which is set by
one of two methods:

1. Suricata configuration file: see ``default-log-dir`` for the name of the directory
2. Suricata command line: Using ``-l /path/to/log-dir`` creates log files in the named
   directory.

The following example assumes that the log directory is named ``/var/log/suricata`` ::

  tail -f /var/log/suricata/fast.log

If you make a rule like this: ::

  alert http any any -> any any (msg:"Do not read gossip during work"; \
  content:"Scarlett"; nocase; classtype:policy-violation; sid:1; rev:1;)

Your alert should look like this: ::

  09/15/2011-16:50:27.725288  [**] [1:1:1] Do not read gossip during work [**]
  [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.168.0.32:55604 -> 68.67.185.210:80
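Watching ``tail -f`` is fine for one rule, but when checking that a new rule fires (and does not fire too often) it helps to parse ``fast.log`` into fields. The following Python script is an added example, not code from the Suricata project: it parses records of the format shown above into dictionaries, counts alerts per ``sid``, and filters for one rule. The first sample line is the alert from the text; the other lines are constructed for this example, the last one deliberately truncated to show how malformed lines are reported. The pattern assumes IPv4 addresses with ports, as in the example.

```python
import re
from collections import Counter
from datetime import datetime

# Sample fast.log contents. The first line is the alert shown in the text;
# the remaining lines are constructed for this example, the last one
# deliberately truncated so that it is reported as malformed.
SAMPLE_FAST_LOG = """\
09/15/2011-16:50:27.725288  [**] [1:1:1] Do not read gossip during work [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.168.0.32:55604 -> 68.67.185.210:80
09/15/2011-16:51:02.100000  [**] [1:1:1] Do not read gossip during work [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.168.0.32:55610 -> 68.67.185.210:80
09/15/2011-16:52:30.000000  [**] [1:2:1] Telnet connection attempt [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.0.32:40000 -> 192.168.0.5:23
09/15/2011-16:53:00.000000  [**] [1:2:1] Telnet connection attempt [**]
"""

# One fast.log record: timestamp, [gid:sid:rev], message, optional
# classification, priority, protocol and IPv4 endpoints with ports
# (assumption for this example; IPv6 records are not handled).
FAST_LOG_LINE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4}-\d{2}:\d{2}:\d{2}\.\d{6})\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<classification>[^\]]*)\]\s+)?"
    r"\[Priority:\s+(?P<priority>\d+)\]\s+\{(?P<proto>[^}]+)\}\s+"
    r"(?P<src_ip>[\d.]+):(?P<src_port>\d+)\s+->\s+(?P<dst_ip>[\d.]+):(?P<dst_port>\d+)\s*$"
)


def parse_fast_log(text):
    """Parse fast.log text into (alerts, malformed_lines)."""
    alerts, malformed = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        match = FAST_LOG_LINE.match(line)
        if match is None:
            malformed.append(line)
            continue
        f = match.groupdict()
        alerts.append({
            "timestamp": datetime.strptime(f["ts"], "%m/%d/%Y-%H:%M:%S.%f"),
            "gid": int(f["gid"]), "sid": int(f["sid"]), "rev": int(f["rev"]),
            "msg": f["msg"],
            "classification": f["classification"],
            "priority": int(f["priority"]),
            "proto": f["proto"],
            "src_ip": f["src_ip"], "src_port": int(f["src_port"]),
            "dst_ip": f["dst_ip"], "dst_port": int(f["dst_port"]),
        })
    return alerts, malformed


def alerts_per_sid(alerts):
    """Count alerts per signature id, e.g. to spot a rule that fires far too often."""
    return Counter(alert["sid"] for alert in alerts)


def alerts_for_sid(alerts, sid):
    """Return only the alerts raised by one rule, e.g. the rule you just added."""
    return [alert for alert in alerts if alert["sid"] == sid]


if __name__ == "__main__":
    parsed, bad = parse_fast_log(SAMPLE_FAST_LOG)
    for sid, count in alerts_per_sid(parsed).most_common():
        print(f"sid {sid}: {count} alert(s)")
    for line in bad:
        print(f"could not parse: {line}")
```

The same fields are available directly as JSON in ``eve.json``, so for anything beyond a quick check the EVE output is the better source; parsing ``fast.log`` is mainly useful when that is the only log you have enabled.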