How to add custom rules to Suricata
-
I've found quite a few posts regarding syntax for custom rules but no discussion of how to actually add the rules. Is it as simple as pasting them into the Defined Custom Rules?
-
Yep! That's just a plain vanilla text area web control. You can copy, paste and edit content in there; then click SAVE when finished. The custom rule (or rules) will be added to any other rules you have selected from the regular sources. Each rule should begin on a line by itself.
Bill
-
Thanks.
Is there a way to pass an FQDN or do I need to just list all their IP’s?
-
Thanks.
Is there a way to pass an FQDN or do I need to just list all their IP’s?
You will need to list the IPs separately. Snort (the binary part) has no concept of a FQDN. It does not perform any kind of DNS lookup when analyzing traffic. Doing that would slow the network down to a crawl.
Bill
-
Thanks. Wonder how many IP’s this hosting server has?
