suricata all.rules file is not reading or merging rules from /nids/local.rules/ #9222
Please note that the documentation says that Salt should copy rules from
You shouldn't directly modify all.rules. Please follow the instructions at https://docs.securityonion.net/en/2.3/local-rules.html.
QUERY 1:
I went through the paragraph of tuning rules which goes like this:
You can add NIDS rules in /opt/so/saltstack/local/salt/idstools/local.rules on your manager. Within 15 minutes, Salt should then copy those rules into /opt/so/rules/nids/local.rules. The next run of idstools should then merge /opt/so/rules/nids/local.rules into /opt/so/rules/nids/all.rules which is what Suricata reads from.
I followed each line and added a custom rule in /opt/so/saltstack/local/salt/idstools/local.rules on the manager.
But the same was not reflected in all.rules file (I waited for 15 mins).
What might be the reason? Am I doing anything wrong?
QUERY 2:
Also, when I append a rule to the all.rules file on the manager, it gets reflected in the all.rules file on the forward node, but after 01:00 PM it gets restored to default.
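The local.rules to all.rules merge described in the question can be checked objectively rather than by eye. The script below is an added example (not Security Onion's own tooling and not from anyone in this thread); it assumes the two /opt/so/rules/nids paths quoted in the question and that rules carry the standard `sid:` keyword.

```shell
#!/bin/sh
# Added example: report which SIDs from the Salt-managed local.rules are absent
# from the all.rules that Suricata reads, and whether all.rules has been
# rewritten since local.rules was last edited. Paths are assumptions taken from
# the question; pass other paths as arguments.

# Print the SID of every active (non-commented) rule in a file, sorted, unique.
rule_sids() {
  awk '!/^[ \t]*#/ && match($0, /sid:[ \t]*[0-9]+/) {
         s = substr($0, RSTART, RLENGTH); sub(/sid:[ \t]*/, "", s); print s
       }' "$1" | sort -u
}

# Print SIDs present in local.rules ($1) but absent from all.rules ($2).
missing_sids() {
  { rule_sids "$2" | sed 's/^/all /'; rule_sids "$1" | sed 's/^/local /'; } |
    awk '$1 == "all" { seen[$2] = 1 }
         $1 == "local" && !($2 in seen) { print $2 }'
}

# 0 if all.rules ($2) was written after local.rules ($1), i.e. a merge has run
# since the last local edit; 1 otherwise (the "waited 15 minutes" situation).
merged_after_edit() {
  [ -n "$(find "$2" -prune -newer "$1" 2>/dev/null)" ]
}

check_merge() {
  local_rules="${1:-/opt/so/rules/nids/local.rules}"
  all_rules="${2:-/opt/so/rules/nids/all.rules}"
  missing=$(missing_sids "$local_rules" "$all_rules")
  merged_after_edit "$local_rules" "$all_rules" ||
    echo "WARN: $all_rules is older than $local_rules; no merge since the edit"
  if [ -z "$missing" ]; then
    echo "OK: every SID in $local_rules is present in $all_rules"
    return 0
  fi
  printf 'MISSING from %s:\n%s\n' "$all_rules" "$missing"
  return 1
}

# Constructed sample files standing in for the real ones (for a dry run).
make_sample() {
  d=$(mktemp -d)
  cat > "$d/local.rules" <<'EOF'
alert tcp any any -> any 80 (msg:"constructed local rule"; sid:9000001; rev:1;)
# alert tcp any any -> any 443 (msg:"disabled rule"; sid:9000002; rev:1;)
EOF
  touch -t 202001010000 "$d/local.rules"   # local edit dated in the past
  printf 'alert tcp any any -> any 22 (msg:"constructed upstream"; sid:2000001; rev:1;)\n' > "$d/all.rules"
  echo "$d"
}
```

Run `check_merge` with no arguments on the manager after the 15-minute Salt window; a non-zero exit with a SID listed means idstools has not merged that rule yet.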