Thanks for the Metasploit rule crafting - just what I was looking for. Regarding 12:15 where you set up your rule file, instead of shifting out of the default /var/lib/suricata/rules, why not just put under rule-files: an entry like: - /etc/suricata/rules/metasploit.rule - I noticed that the pre-existing rules in /etc/suricata/rules fail for me. I just did two new installations of Suricata on different machines last night, and adding a pre-made rule from /etc/suricata/rules (like http-events.rule, in fact any of them other than suricata.rule) will fail on rule testing. I wondered if /etc/suricata was perhaps no longer a supported directory.
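The alternative the comment asks about, as an added configuration example (not from the video or the commenter): keep default-rule-dir unchanged and list the custom file under rule-files by absolute path. The file name metasploit.rules is an assumption.

```yaml
# Added example, not the video's configuration. Fragment of suricata.yaml.
# Relative rule-files entries are resolved against default-rule-dir;
# absolute entries are loaded from the path given, so a custom file can
# live outside the default directory without moving anything.
default-rule-dir: /var/lib/suricata/rules

rule-files:
  # Default ruleset, loaded from /var/lib/suricata/rules/suricata.rules
  - suricata.rules
  # Custom file by absolute path (assumed name), loaded as written
  - /etc/suricata/rules/metasploit.rules
```

Run `suricata -T -c /etc/suricata/suricata.yaml -v` before restarting the service: test mode parses every listed file and reports which one fails and on which line, which is also the quickest way to see why a given pre-made file is rejected.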
Thanks man, really simple and crisp.
Really appreciate this... Tq