Netgate Discussion Forum
    Suricata custom rules

    danjor404

      I’m attempting to add a custom rules file to Suricata but can’t seem to find any guides specific to pfSense.  I’ve followed the instructions found on Suricata's wiki https://suricata.readthedocs.io/en/latest/rule-management/adding-your-own-rules.html and added my local.rules file to suricata.yaml but it’s not showing up under the “Available Rules Categories”.  Can anyone tell me what I’m doing wrong?  Any help would be appreciated.  Here’s what I’ve done so far:

      Created custom rules file:  /usr/local/etc/suricata/rules/local.rules

      Added a single signature to the file:

      drop udp $HOME_NET any -> any 53 (msg:"Custom DNS Query to a international unicode domain name"; content:"|0c|xn|2d|2d|"; nocase; fast_pattern:only; threshold: type limit, track by_src, count 1, seconds 30; reference:url,www.unicode.org/faq/idn.html; classtype:bad-unknown; sid:10000001; rev:1; metadata:created_at 2018_02_24, updated_at 2018_02_24;)
      

      Added “ - local.rules” to rule-files: section of /usr/local/etc/suricata/suricata.yaml

      And finally appended “local” to my dropsid.conf file

      Running pfSense 2.4.2_p1 and Suricata 4.0.3_1 (Inline IPS mode on both WAN and LAN)

      Thanks!

      bmeeks
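      Added example (not from the thread above): the rule posted above keys on the bytes |0c|xn|2d|2d|, i.e. the DNS label-length byte 12 followed by the punycode prefix "xn--". This script encodes constructed query names into DNS wire format and runs that content match against them, showing that the rule only fires when the punycode label is exactly 12 characters long and misses IDN labels of any other length; the domain names are constructed samples and `has_punycode_label` is a hypothetical length-independent check for comparison.

```python
# Added example, not code from the forum thread. Emulates the content match
# |0c|xn|2d|2d| (nocase) from the posted Suricata rule against DNS QNAMEs.
# 0x0c is a label-length byte (12), so the rule only matches a punycode label
# that is exactly 12 characters long. All domain names below are constructed.

RULE_CONTENT = bytes.fromhex("0c") + b"xn--"   # |0c|xn|2d|2d|, 0x2d is '-'


def encode_qname(name: str) -> bytes:
    """Encode a domain name as a DNS wire-format QNAME (length-prefixed labels)."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:          # RFC 1035: 1..63 octets per label
            raise ValueError(f"bad label length: {label!r}")
        out.append(len(raw))
        out += raw
    out.append(0)                          # root label terminates the name
    return bytes(out)


def rule_matches(qname_wire: bytes) -> bool:
    """Emulate the rule's content match with nocase (ASCII case-folded)."""
    # bytes.lower() only touches ASCII letters; length bytes (< 64) are untouched.
    return RULE_CONTENT.lower() in qname_wire.lower()


def has_punycode_label(name: str) -> bool:
    """Hypothetical length-independent check: any label starting with 'xn--'."""
    return any(lbl.lower().startswith("xn--") for lbl in name.rstrip(".").split("."))


def evaluate(names):
    """Return {name: (rule_would_match, has_punycode_label)} for each name."""
    return {n: (rule_matches(encode_qname(n)), has_punycode_label(n)) for n in names}


if __name__ == "__main__":
    samples = [
        "xn--80ak6aa92e.com",     # 14-char label: punycode, but length byte is 0x0e
        "xn--j1ail.ru",           # 9-char label: also missed by the rule
        "xn--e1afmkfd.xn--p1ai",  # 12-char label 'xn--e1afmkfd': rule matches
        "example.com",            # no punycode at all
    ]
    for name, (hit, idn) in evaluate(samples).items():
        print(f"{name:26} rule_match={hit!s:5} punycode_label={idn}")
```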

        You must add custom rules within the GUI on pfSense.  Never edit any of the Suricata files directly!  The whole point of having the GUI on pfSense is to eliminate the need to edit the actual configuration files for Suricata.  The GUI recreates them each time you click SAVE or when you START/RESTART Suricata on an interface.  So any manual edits you make are immediately overwritten the next time you do something in the GUI.

        Add custom rules by editing the Suricata interface in question from the INTERFACES tab in Suricata.  Click the pencil icon to edit the interface, then click the RULES tab.  On the RULES tab choose "Custom" in the drop-down selector for which rules to view and a text window will open where you can type in your custom rules (one rule per line).  When done, click SAVE.  Go back to the INTERFACES tab and restart Suricata so it will pick up your new custom rule (or rules if you added several).

        With Custom rules you don't need to do anything with the dropsid.conf file.  If your custom rule is DROP, then your rule will drop traffic.  The purpose of dropsid.conf and the SID MGMT tab is to automate changing rule actions from ALERT to DROP.  Your custom rule already has the action of DROP, so you don't need to put it in the dropsid.conf.

        Bill

        danjor404

          Oh good grief, I didn't realize there was already a custom rules section.  Nothing like reinventing the wheel.  :-[  Thanks Bill

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.