Suricata custom rules

  • I’m attempting to add a custom rules file to Suricata but can’t seem to find any guides specific to pfSense.  I’ve followed the instructions found on Suricata's wiki and added my local.rules file to suricata.yaml but it’s not showing up under the “Available Rules Categories”.  Can anyone tell me what I’m doing wrong?  Any help would be appreciated.  Here’s what I’ve done so far:

    Created custom rules file:  /usr/local/etc/suricata/rules/local.rules

    Added a single signature to the file:

    drop udp $HOME_NET any -> any 53 (msg:"Custom DNS Query to a international unicode domain name"; content:"|0c|xn|2d|2d|"; nocase; fast_pattern:only; threshold: type limit, track by_src, count 1, seconds 30; reference:url,; classtype:bad-unknown; sid:10000001; rev:1; metadata:created_at 2018_02_24, updated_at 2018_02_24;)

    Added “ - local.rules” to rule-files: section of /usr/local/etc/suricata/suricata.yaml

    And finally appended “local” to my dropsid.conf file

    Running pfSense 2.4.2_p1 and Suricata 4.0.3_1 (Inline IPS mode on both WAN and LAN)


  • You must add custom rules within the GUI on pfSense.  Never edit any of the Suricata files directly!  The whole point of having the GUI on pfSense is to eliminate the need to edit the actual configuration files for Suricata.  The GUI recreates them each time you click SAVE or when you START/RESTART Suricata on an interface.  So any manual edits you make are immediately overwritten the next time you do something in the GUI.

    Add custom rules by editing the Suricata interface in question from the INTERFACES tab in Suricata.  Click the pencil icon to edit the interface, then click the RULES tab.  On the RULES tab choose "Custom" in the drop-down selector for which rules to view and a text window will open where you can type in your custom rules (one rule per line).  When done, click SAVE.  Go back to the INTERFACES tab and restart Suricata so it will pick up your new custom rule (or rules if you added several).

    With Custom rules you don't need to do anything with the dropsid.conf file.  If your custom rule is DROP, then your rule will drop traffic.  The purpose of dropsid.conf and the SID MGMT tab is to automate changing rule actions from ALERT to DROP.  Your custom rule already has the action of DROP, so you don't need to put it in the dropsid.conf.
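A pre-check for rule text before it is pasted into the Custom rules window described above (one rule per line), as an added example that is not part of this thread or of the pfSense package. The function names and sample rules are constructed, and the parsing is a simplified approximation of Suricata rule syntax, not Suricata's own parser.

```python
import re

# Actions Suricata accepts as the first word of a rule.
ACTIONS = {"alert", "pass", "drop", "reject", "rejectsrc", "rejectdst", "rejectboth"}
# action proto src sport direction dst dport (options) -- all on ONE line.
RULE_RE = re.compile(
    r"^(\w+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s+\((.*)\)\s*$")
SID_RE = re.compile(r"(?:^|;)\s*sid\s*:\s*(\d+)\s*;")

def check_custom_rules(text):
    """Return (rules, problems) for text meant for the Custom rules box."""
    rules, problems, seen = [], [], {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments are not rules
        m = RULE_RE.match(line)
        if not m:
            problems.append((lineno, "not a complete rule on one line"))
            continue
        action, options = m.group(1), m.group(8)
        if action not in ACTIONS:
            problems.append((lineno, f"unknown action {action!r}"))
            continue
        sid_match = SID_RE.search(options)
        if not sid_match:
            problems.append((lineno, "missing sid"))
            continue
        sid = int(sid_match.group(1))
        if sid in seen:
            problems.append((lineno, f"duplicate sid {sid}, first on line {seen[sid]}"))
            continue
        seen[sid] = lineno
        rules.append({"line": lineno, "action": action, "sid": sid})
    return rules, problems

def blocking_sids(rules):
    """SIDs that block traffic through their own action, so need no dropsid.conf entry."""
    return [r["sid"] for r in rules if r["action"] != "alert" and r["action"] != "pass"]

# Constructed sample: one good DROP rule, one rule split over two lines, one reused sid.
SAMPLE = '''# constructed sample rules
drop udp $HOME_NET any -> any 53 (msg:"Example DNS drop"; content:"example"; nocase; sid:10000001; rev:1;)
alert tcp $HOME_NET any -> any 23 (msg:"Example telnet alert";
    flow:to_server; sid:10000002; rev:1;)
alert icmp any any -> $HOME_NET any (msg:"Example ICMP"; sid:10000001; rev:1;)
'''

if __name__ == "__main__":
    ok, bad = check_custom_rules(SAMPLE)
    print("rules:", ok, "\nblocking:", blocking_sids(ok), "\nproblems:", bad)
```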


  • Oh good grief, I didn't realize there was already a custom rules section.  Nothing like reinventing the wheel.  :-[  Thanks Bill
