so-suricata-testrule not triggering

[stummasino-matc]

Hi All
Anyone have tips on how to get the so-suricata-testrule script to work? It is successfully loading the rule but it does not alert on anything when run on the .pcap file.
The test set up:

1. Sent a simple text string with NetCat between two machines and captured it to a .pcap file with tcpdump
2. I have the same test rule loaded into the local.rules file and the rule is altering in the Security Onion Console (so I know the rule works on the sample data)
3. I run the same rule on the .pcap of that transaction and it does not alert. I did check the capture in Wireshark to make sure the test string was where it should be, and it is)

Here is the syntax I am using to run it:
sudo so-suricatata-testrule local.rules /home/student/test3.pcap

Anyone having problems getting this to work?

[andre-dessert]

Are you running a standalone or a distributed setup? In a distributed setup the so-suricata-testrule would need to be run on the Forward node. Are you running so-suricata-testrule in the folder where local.rules is located? It does not automatically no where to find this rule, so use the path to the file, not just the file name.