How to only use local.rules #2469
How would I disable all security onion rules except for local.rules? This is for a lab environment on writing suri rules and I do not want to load all the other rules and waste time. I just want to load/update local.rules to test them.
We have a new tool that was released with 2.3.21 that might be of help. Point it to your custom rule and a pcap (full path) and it will run Suricata with that custom rule + all.rules against the target PCAP. Make sure to run it on a node that has the sensor role:

```shell
so-suricata-testrule $RuleFile $FullPathToPCAP
```