Adding Local Rules
You can add rules in /opt/so/saltstack/local/salt/idstools/localrules/local.rules on your manager. Within 15 minutes, Salt should then merge them into /opt/so/rules/nids/local.rules and restart processes as necessary. You can force this to happen immediately:
From the manager:
salt $SENSORNAME_$ROLE state.apply suricata
From the node:
salt-call state.apply suricata
Let’s add a simple rule that’s really just a copy of the traditional “id check returned root” rule:
alert ip any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root 2"; content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:7000000; rev:1;)
From the manager, tell Salt to update:
sudo salt $SENSORNAME_$ROLE state.highstate
If you built the rule correctly, then Suricata should be back up and running.
You can then run curl testmyids.com on the node to generate traffic, which should cause this rule to alert (and the original rule that it was copied from, if it is enabled).
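Before pushing a highstate, it helps to know that every line in local.rules is a rule Suricata can actually load. The following linter is an added example, not Security Onion code and not from the original page: it parses the header and option body of each rule and flags lines that are unparsable, lack msg/sid/rev, or reuse a sid already taken by an earlier rule in the file. The sample file it checks is constructed here and starts with the rule shown above.

```python
import re

# Suricata rule header: action proto src sport direction dst dport (options)
RULE_RE = re.compile(
    r'^(?P<action>alert|drop|pass|reject)\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+'
    r'(?P<sport>\S+)\s+(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*'
    r'\((?P<opts>.*)\)\s*$')
# One option (keyword or keyword:value) up to a ';' outside double quotes;
# escaped quotes (\") inside values are not handled by this simplified scanner.
OPT_RE = re.compile(r'\s*((?:[^;"]|"[^"]*")+);')

def parse_rule(line):
    """Return header fields plus an options dict, or None if the line is not a rule."""
    m = RULE_RE.match(line)
    if not m:
        return None
    rule = {k: v for k, v in m.groupdict().items() if k != 'opts'}
    opts = {}
    for part in OPT_RE.findall(m.group('opts')):
        key, _, val = part.partition(':')
        opts.setdefault(key.strip(), []).append(val.strip().strip('"'))
    rule['options'] = opts
    return rule

def lint_rules(text):
    """Return (line_no, problem) pairs: unparsable lines, missing msg/sid/rev,
    non-numeric sids, and sids that repeat an earlier rule in the same file."""
    problems, seen = [], {}
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        rule = parse_rule(line)
        if rule is None:
            problems.append((n, 'unparsable rule'))
            continue
        opts = rule['options']
        problems += [(n, f'missing {k}') for k in ('msg', 'sid', 'rev') if k not in opts]
        sid = opts.get('sid', [''])[0]
        if sid and not sid.isdigit():
            problems.append((n, f'non-numeric sid {sid!r}'))
        elif sid in seen:
            problems.append((n, f'duplicate sid {sid} (first on line {seen[sid]})'))
        elif sid:
            seen[sid] = n
    return problems

# Constructed sample local.rules: the page's rule followed by three defective lines.
SAMPLE = """# local rules
alert ip any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root 2"; content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:7000000; rev:1;)
alert ip any any -> any any (msg:"duplicate sid"; content:"uid=0|28|root|29|"; sid:7000000; rev:1;)
alert ip any any -> any any (msg:"no rev"; content:"uid=0|28|root|29|"; sid:7000001;)
alert ip any any -> any any msg:"missing parentheses"; sid:7000002; rev:1;
"""
```

Run lint_rules over the contents of your local.rules on the manager; an empty list means every line parsed and no sid is reused within the file.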