Open Mehrdad-hajizadeh opened 6 days ago
Location of Suricata Rules:
The default location is the /etc/suricata/rules/ directory. Rules managed by suricata-update are located in /var/lib/suricata/rules/.
Assessing the Current Situation:
ls -al /etc/suricata/rules/
sudo suricata -T -c /etc/suricata/suricata.yaml -v
Basic Suricata Rule Syntax:
action proto src_ip src_port -> dest_ip dest_port (msg:"Alert message"; content:"string"; sid:12345;)
action (e.g. alert, drop); proto (tcp, udp, etc.).
Adding Custom Rules:
Edit the local.rules file:
sudo nano /etc/suricata/rules/local.rules
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH connection detected"; flow:to_server,established; content:"SSH-2.0-OpenSSH"; sid:100001;)
Apply the New Rules:
sudo suricata-update
sudo systemctl restart suricata.service
Obtaining Third-Party Rule Sets:
List Available Rule Sources:
To see all available rule sources, use:
sudo suricata-update list-sources
This command lists rule sources such as et/open, et/pro, oisf/trafficid, scwx/enhanced, etc., showing their vendors, licenses, and subscription requirements.
Enable and Update Third-Party Rules:
sudo suricata-update enable-source et/open
sudo suricata-update
Test the Suricata Configuration:
sudo suricata -T -c /etc/suricata/suricata.yaml -v
Generate Traffic to Match Rules:
Use curl to generate test traffic:
curl http://example.com
sudo cat /var/log/suricata/fast.log
Clear Logs for Future Tests:
Empty the fast.log file for new testing:
sudo truncate -s 0 /var/log/suricata/fast.log
By following the above steps, we can effectively manage, update, and test Suricata rules.
Suricata requires some pre-defined rules for its detection, hence:
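The procedure in the post, as an added example that is not part of the original issue: a POSIX shell script that lints a local.rules file for the mistakes that most often make suricata -T fail (unknown action, options block not closed with ";)", missing msg, missing sid, a sid used twice) and then counts alerts per sid from fast.log after a test run. The rules file (the post's SSH rule plus three constructed ones) and the fast.log lines are constructed inline; the /tmp paths and the function names lint_rules, lint_count, summarize_fast_log and count_for_sid are this example's own choices, not anything from Suricata.

```shell
#!/bin/sh
# Added example, not code from the original post: sanity-check a local.rules
# file before handing it to `suricata -T`, then summarise fast.log after a
# test run. File paths are assumptions; both sample files are constructed here.

RULES_FILE="${RULES_FILE:-/tmp/local.rules}"
FAST_LOG="${FAST_LOG:-/tmp/fast.log}"

# Constructed rules file: the SSH rule from the post, a second good rule,
# one rule with no sid, and one rule that reuses an existing sid.
cat > "$RULES_FILE" <<'EOF'
# local rules
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH connection detected"; flow:to_server,established; content:"SSH-2.0-OpenSSH"; sid:100001; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"Outbound curl user-agent"; http.user_agent; content:"curl/"; sid:100002; rev:1;)
alert tcp any any -> any 23 (msg:"Telnet without sid"; flow:to_server;)
alert tcp any any -> any 21 (msg:"Duplicate sid"; sid:100001; rev:1;)
EOF

# Constructed fast.log lines in Suricata's fast output format ([gid:sid:rev]).
cat > "$FAST_LOG" <<'EOF'
04/10/2024-12:00:01.123456  [**] [1:100001:1] SSH connection detected [**] [Classification: (null)] [Priority: 3] {TCP} 203.0.113.5:51234 -> 192.168.1.10:22
04/10/2024-12:00:02.654321  [**] [1:100001:1] SSH connection detected [**] [Classification: (null)] [Priority: 3] {TCP} 203.0.113.7:40010 -> 192.168.1.10:22
04/10/2024-12:00:05.000001  [**] [1:100002:1] Outbound curl user-agent [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.1.10:43210 -> 198.51.100.20:80
EOF

# lint_rules FILE: print one line per problem found. Checks the things that
# make `suricata -T` fail most often: unknown action, options block not closed
# with ";)", missing msg, missing sid, and a sid used more than once.
lint_rules() {
    awk '
    /^[[:space:]]*(#|$)/ { next }   # skip blank lines and comments
    {
        if ($1 !~ /^(alert|drop|pass|reject|rejectsrc|rejectdst|rejectboth)$/)
            printf "line %d: unknown action %s\n", NR, $1
        if ($0 !~ /\(.*;\)[[:space:]]*$/)
            printf "line %d: options block must end with ;)\n", NR
        if (index($0, "msg:\"") == 0)
            printf "line %d: missing msg\n", NR
        if (match($0, /sid:[0-9]+;/)) {
            sid = substr($0, RSTART + 4, RLENGTH - 5)   # digits between "sid:" and ";"
            if (sid in seen)
                printf "line %d: duplicate sid %s (first used on line %d)\n", NR, sid, seen[sid]
            else
                seen[sid] = NR
        } else {
            printf "line %d: missing sid\n", NR
        }
    }' "$1"
}

# lint_count FILE: number of problems, for scripting (0 means safe to load).
lint_count() {
    lint_rules "$1" | awk 'END { print NR }'
}

# summarize_fast_log FILE: "count<TAB>sid<TAB>msg", most frequent first.
summarize_fast_log() {
    awk '
    match($0, /\[[0-9]+:[0-9]+:[0-9]+\]/) {
        split(substr($0, RSTART + 1, RLENGTH - 2), id, ":")   # id[2] is the sid
        msg = substr($0, RSTART + RLENGTH + 1)
        sub(/ \[\*\*\].*$/, "", msg)                          # keep text up to the next [**]
        count[id[2] "\t" msg]++
    }
    END { for (k in count) printf "%d\t%s\n", count[k], k }' "$1" | sort -rn
}

# count_for_sid FILE SID: how many alerts a single sid produced (0 if none).
count_for_sid() {
    summarize_fast_log "$1" | awk -F'\t' -v s="$2" '$2 == s { n += $1 } END { print n + 0 }'
}

echo "== problems in $RULES_FILE (fix these before suricata -T) =="
lint_rules "$RULES_FILE"
echo "== alerts per sid in $FAST_LOG =="
summarize_fast_log "$FAST_LOG"
```

Once the lint reports nothing, the authoritative check is Suricata itself: `sudo suricata -T -c /etc/suricata/suricata.yaml -S /etc/suricata/rules/local.rules` loads only that file, so errors are not buried among thousands of third-party rules. Note also that suricata-update only writes the sources it knows about into /var/lib/suricata/rules/suricata.rules; a file under /etc/suricata/rules/ is picked up by it when registered with `sudo suricata-update --local /etc/suricata/rules/local.rules` (or listed under local in /etc/suricata/update.yaml).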