doc: adding your own rules

9 years ago · 107c12afd6
parent 3366571eeb
commit 107c12afd6
2 changed files with 61 additions and 0 deletions
--- a/doc/sphinx/adding-your-own-rules.rst
+++ b/doc/sphinx/adding-your-own-rules.rst
@ -0,0 +1,60 @@
+Adding Your Own Rules
+=====================
+
+If you would like to create a rule yourself and use it with Suricata,
+this guide might be helpful.
+
+Start creating a file for your rule. Type for example the following in
+your console:
+
+::
+
+  sudo nano local.rules
+
+Write your rule, see [[Suricata Rules]] and save it.
+
+Open yaml
+
+::
+
+  sudo nano /etc/suricata/suricata.yaml
+
+and make sure your local.rules file is added to the list of rules.
+
+Now, run Suricata and see if your rule is being loaded.
+
+::
+
+  suricata -c /etc/suricata/suricata.yaml -i wlan0
+
+If your rule failed to load, check if you have made a mistake anywhere
+in the rule. Mind the details; look for mistakes in special
+characters, spaces, capital characters etc.
+
+Next, check if your log-files are enabled in suricata.yaml.
+
+If you had to correct your rule and/or modify yaml, you have to
+restart Suricata.
+
+If you see your rule is successfully loaded, you can double check your
+rule by doing something that should trigger it.
+
+Enter:
+
+::
+
+  tail -f /var/log/suricata/fast.log
+
+If you would make a rule like this:
+
+::
+
+  alert http any any -> any any (msg:"Do not read gossip during work";
+  content:"Scarlett"; nocase; classtype:policy-violation; sid:1; rev:1;)
+
+Your alert should look like this:
+
+::
+
+  09/15/2011-16:50:27.725288  [**] [1:1:1] Do not read gossip during work [**]
+  [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.168.0.32:55604 -> 68.67.185.210:80
--- a/doc/sphinx/rules.rst
+++ b/doc/sphinx/rules.rst
@ -14,3 +14,4 @@ Rules
   file-keywords
   thresholding
   rule-lua-scripting
+   adding-your-own-rules