Writing Suricata Rules for Dummies

-
Writing Suricata Rules for Dummies

Introduction

You’ve got Suricata running. Great. But then you open the rules file and see something like this:

alert tcp any any -> any 80 (msg:"Example rule"; sid:1000001; rev:1;)

Looks like gibberish, right? If you’re thinking “How am I ever supposed to write my own rules?” — you’re not alone.

Here’s the truth: Suricata rules aren’t magic, and they’re not as complicated as they first look. They’re just simple “if-then” statements for network traffic.

In this guide, you’ll learn how to read a rule, write your first custom one, and test it without breaking anything. By the end, you’ll go from staring blankly at rule syntax to writing working rules with confidence.

What is a Suricata Rule, Really?

At its core, a Suricata rule is just a simple instruction: “If this happens, then do that.”

Think of it like a security guard at the door. You tell the guard:

  • If someone walks in wearing a red hat, sound the alarm.

  • If someone tries to sneak in after midnight, write it down in the log.

Suricata works the same way — except instead of hats and doors, it’s watching packets on your network.

A rule tells Suricata three things:

  1. What to look for — the traffic pattern or content (e.g. HTTP request, DNS query, suspicious keyword).

  2. Where to look — the protocol, IPs, or ports it applies to.

  3. What to do about it — alert, drop, or log the traffic.

Once you see rules as if-then statements, they stop being intimidating.

Anatomy of a Basic Rule

Let’s take the example again:

alert tcp any any -> any 80 (msg:"Example rule"; sid:1000001; rev:1;)

Here’s what each piece means:

  • Action: alert → what to do when traffic matches (alert, drop, pass).

  • Protocol: tcp → which protocol to inspect (tcp, udp, icmp, etc.).

  • Source & Destination: any any -> any 80 → traffic from any IP/port going to port 80.

  • Options: (msg:"Example rule"; sid:1000001; rev:1;) → the details inside brackets.

Put it all together, and in plain English it says:
👉 “If TCP traffic goes from anywhere to port 80, raise an alert with the message ‘Example rule’ (rule ID 1000001, version 1).”

Writing Your First Custom Rule

Let’s write a simple one to spot HTTP traffic:

alert tcp any any -> any 80 (msg:"HTTP traffic detected"; sid:1000001; rev:1;)

How to test it:

  1. Add it to your local rules file:

    /var/lib/suricata/rules/local.rules

  2. Check the syntax:

    sudo suricata -T -c /etc/suricata/suricata.yaml -v

  3. Restart Suricata:

    sudo systemctl restart suricata

  4. Visit an HTTP site (e.g. http://example.com).

  5. Check the logs:

    tail -f /var/log/suricata/fast.log

If you see your alert message, congrats — you wrote your first rule 🎉.

Common Keywords Explained Simply

Inside the brackets, options define the details of your rule. The most useful ones for beginners are:

  • msg → alert message. Example:

    msg:"Possible SSH brute force";

  • sid → unique rule ID. Use 1,000,000+ for your custom rules. Example:

    sid:1000001;

  • rev → revision number. Start at rev:1; and bump it whenever you edit the rule.

  • content → match specific text. Example:

    content:"/wp-login.php";

  • http_uri → check the URI in HTTP requests. Example:

    content:"/admin"; http_uri;

  • flow → traffic direction. Example:

    flow:to_server,established;

  • classtype → optional category for the alert. Example:

    classtype:web-application-attack;

Example Rule:

alert http any any -> any 80 (msg:"Attempt to access admin page"; content:"/admin"; http_uri; sid:1000002; rev:1; classtype:web-application-attack;)

Plain English: “If HTTP traffic goes to port 80 and the URI contains ‘/admin’, raise an alert with this message.”

SID Ranges (Cheat Sheet)

Keep SIDs organised to avoid clashes:

  • 1–999,999 → Reserved for official/public rulesets (e.g. Emerging Threats).

  • 1,000,000–1,999,999 → Your custom rules.

  • 2,000,000+ → Rarely used, sometimes by vendors or researchers.

👉 Tip: Create your own numbering scheme. Example:

  • 1000000–1000099 → HTTP rules

  • 1000100–1000199 → DNS rules

  • 1000200–1000299 → SSH rules

Testing Your Rule Safely

  1. Add rule to local.rules:

    /var/lib/suricata/rules/local.rules

  2. Test syntax before restarting:

    sudo suricata -T -c /etc/suricata/suricata.yaml -v

  3. Restart Suricata:

    sudo systemctl restart suricata

  4. Generate test traffic (visit site, run curl, or replay a PCAP).

  5. Check alerts in:

    /var/log/suricata/fast.log

✅ Always test in a lab or with PCAPs before putting rules into production.

Avoiding Common Mistakes

  • Reusing SIDs → Always pick unique IDs.

  • Not updating rev → Increment when you edit a rule.

  • Rules that are too broad → Avoid any any -> any any.

  • Overusing any → Be specific with ports/protocols.

  • Testing on live systems → Use a lab or PCAPs first.

  • Performance issues → Keep rules simple and targeted.

  • Vague msg values → Be descriptive so alerts are meaningful.

Next Steps

Now that you’ve written and tested your first rules, here’s how to keep going:

  1. Stay organised

    • Keep all custom rules in:

      /var/lib/suricata/rules/local.rules

    • Track your SIDs to avoid duplicates.

  2. Learn from existing rules

    • Check the Emerging Threats Open ruleset.

    • Study how experienced rule writers use keywords.

  3. Experiment

    • Try new keywords like dns_queryhttp_host, or pcre (regex).

    • Build rules step by step, testing as you go.

  4. Use PCAPs for safe testing

    • Replay packet captures to check if your rules trigger.

  5. Keep learning

👉 Bottom line: Suricata rules are just structured “if-then” statements for network traffic. Start simple, be specific, and test carefully. With practice, you’ll go from “dummy” rules to powerful detections tailored to your network.


Comments

Post a Comment

Popular posts from this blog

Suricata on Mikrotik(IDS+IPS) = Part 4 - Configuration of the IPS Part

-
Image
  Configuration Disclaimer:  this one again is only for  ubuntu 18.04  and login as  root  user to be sure Make sure you have a good understanding of the suricata rules before doing this This might cause some disconnection from the site or services you are visiting and even the internet if not properly configured. In the real environment it is best not to run as root user but for the sake of just testing it I opted to run as root configure the following rules on your mikrotik router: /ip firewall filter add action=drop chain=input comment="Block bad actors" src-address-list=Blocked /ip firewall filter add action=drop chain=forward comment="Drop any traffic going to bad actors" dst-address-list=Blocked create a user group with all policies checked except telnet create a user allowing your local addresses with the group you created earlier Lets Start ... 1.      Install PHP         apt install php -y 2.   Navigate...
Read more

Why upload comes first before download

-
Image
Before we dive into why upload comes first, let’s quickly define upload and download in data communication. Upload refers to sending data from your device to a remote server or another device. This happens when you send an email, upload a file to the cloud, or even just request a webpage. Download is the process of receiving data from a remote source to your device. This includes streaming videos, loading webpages, or saving files from the internet. Think of it like a conversation: when you ask someone a question (upload), they respond with an answer (download). The same applies to internet communication—before you can receive data, you must first send a request. Why Upload Comes First in Data Communication Now that we understand uploads and downloads, let’s put it in simple human terms. Imagine you’re having a conversation with a friend: You ask a question (Upload): Before your friend can give you an answer, you first need to say something—whether it’s a question, a request, or a ...
Read more

Suricata on Mikrotik(IDS+IPS) = Part 3 - Configuration of the IDS Part

-
Image
Configuration Disclaimer:  this one is only for ubuntu 18.04 and login as root user to be sure In the real environment it is best not to run as root user but for the sake of just testing it I opted to run as root configure the following rules on your mikrotik router: /tool sniffer set streaming-enabled=yes streaming-server=<ip_of_the_server> /tool sniffer set filter-ip-address=<an_example_filter_ip> tool sniffer print ; tool sniffer start ; tool snifer stop Lets Start ... 1.     Configure the correct time zone and NTP synchronization         systemctl start systemd-timesync           systemctl status systemd-timesyncd         dpkg-reconfigure tzdat a 2.     Add the suricata in the repository    add-apt-repository ppa:oisf/suricata-stable 3.     Update the package database:         ...
Read more