Suricata rules are written in a custom rule language. Each rule consists of different fields, including the action, protocol, source and destination IP addresses, ports, and optional rule options
The basic format of a Suricata rule is as follows:
action proto source_ip source_port -> dest_ip dest_port (rule options)
action: The action to take when the rule matches, such as alert to generate an alert.
proto: The protocol (e.g., tcp, udp) to match.
source_ip/source_port: The source IP address and port.
dest_ip/dest_port: The destination IP address and port.
rule options: Optional parameters that provide additional context to the rule.
Simple Suricata Rules
Rule 1: Alert on Telnet Traffic:
alert tcp $HOME_NET any -> $EXTERNAL_NET 23 (msg:"Telnet Connection Detected"; sid:1000001;)
This rule generates an alert for any Telnet connection from the local network to external servers.
Rule 2: Block Outbound SMB Traffic:
drop ip $HOME_NET any -> $EXTERNAL_NET any (msg:"Block Outbound SMB Traffic"; flow:to_server,established; content:"|FF|SMB"; sid:1000002;)
This rule blocks outbound SMB traffic from the local network to external servers.
Running Suricata
Open a command prompt with administrative privileges.
Navigate to the Suricata installation directory.
Start Suricata with the following command.
suricata.exe -c suricata.yaml -k none -S custom_rules.rules
Replace custom_rules.rules with the actual filename containing your rules.
suricata will start monitoring network traffic based on the specified rules.
Note: Make sure to test rules in a controlled environment before deploying them in a production environment. This artilce differs from my setup article were I share how to install and configure suricatas config_yaml file. In this example when we start suricata we use the following varibles -k and -S options in the Suricata command line have which have specific purposes related to configuration and rule management.
The -k option is used to set a Suricata keyword, which influences certain aspects of the Suricata engine’s behavior.
The -S option is used to specify a rule file or directory containing Suricata rules.
In my example, -k none is used to set the keyword to “none,” which means that Suricata will not load any default configuration files. Instead, it relies solely on the specified configuration file (in our case, suricata.yaml). This can be useful when you want to have full control over the configuration and avoid potential conflicts with default settings.
The -S specifies a rule file. This file contains the custom Suricata rules that you want Suricata to use for traffic analysis.(in our case, custom_rules.rules)
These are basic examples, and you should tailor them to your specific network environment and security requirements.