Custom rule for Suricata (SELKS6)

[nyukers]

Is there an existing issue for this?

• [X] I have searched the existing issues

Current Behavior

Ruleset has errors Unable to check ruleset validityInternal Server Error

Expected Behavior

Source is valid Source activated in "MyRuleSet"

Steps To Reproduce

1) I try to apply my custom rule to Suricata (SELKS6) from file. Name: My Test Rules Method: Upload Datatype: Other content Use IP reputation for group signatures: check Add source to the following ruleset(s): MyRuleSet File: my.rules

2) Result: 'My Test Rules' source initialisation Source fully activated. Source updated Source is valid Source activated in "MyRuleSet" See details of My Test Rules source.

3)However look to Sources: My Test Rules Last update: Feb. 4, 2022, 1 p.m. 0 Categories 0 Rules

Source: My Test Rules@HEAD Source fetched from None Ruleset has errors Unable to check ruleset validityInternal Server Error

I can't understand it. Where I made failed step?

Anything else?

No response

[pevma]

Is it possible to share the rule or the error it produces ?

[nyukers]

alert http any any -> any any (msg:"SURICATA TRAFFIC-ID: nyukers"; content:"nyukers.blogspot.com"; isdataat:!1,relative; noalert; sid:400000001; rev:1;)

[pevma]

It seems it loads fine here

[pevma]

Do you use the docker version or the ISO ?

[nyukers]

ISO, no desktop. Why your Suricata status is brown?

[pevma]

Status became green after a few seconds, but what is important is that the rules says it is valid and active as on the screenshot - if you have the same you should be good.

[nyukers]

Ok, I have got it. Maybe problem is placed on my side.)

[nyukers]