Rule Testing

So, you have already captured some network traffic to PCAPs and want to test the rules you wrote against them? Fine.

rm eve.json
suricata -S my-rules.rules -c /etc/suricata/suricata.yaml -l . -v -k none -r sample.pcap
cat eve.json | jq

Or as one-liner:

rm eve.json ; suricata -S my-rules.rules -c /etc/suricata/suricata.yaml -l . -v -k none -r sample.pcap ; cat eve.json | jq

What does that mean?

  • rm eve.json will remove the eve.json file from your current working directory, so the output only contains alerts from this run
  • suricata <...>
    • -S <your rules file> loads only this rule file and ignores the rule files listed in the config (lowercase -s would load it in addition to them)
    • -c <path to your normal suricata config>
    • -l <path to your logging directory> here the working directory, so eve.json is written next to you
    • -v use verbose cli output (add more v's, e.g. -vv, for even more)
    • -k none disables checksum verification, so packets captured with checksum offloading are not silently dropped
    • -r <your PCAP file> reads the packets from the file instead of a live interface
  • cat eve.json | jq pretty-prints the EVE JSON log so you can check which alerts fired
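To make the check repeatable, the run and the evaluation of eve.json can be wrapped in a small script. The following is an added example, not part of the original page: it assumes suricata and jq are installed for the live run, uses the config path /etc/suricata/suricata.yaml from the commands above, and ships a constructed eve.json sample (invented signature ids 1000001 and 1000002) so the summary functions can be tried without a PCAP at hand.

```shell
#!/bin/sh
# Added example: run a rule test against a PCAP and summarise the alerts in eve.json.
# Live run needs suricata (and jq for the pretty-print); the summary functions only
# need grep/sort/uniq, so they also work on the constructed sample below.

# Run Suricata with one rule file against a PCAP, logging into $3 (default: cwd).
run_rule_test() {
  rules="$1"; pcap="$2"; logdir="${3:-.}"
  rm -f "$logdir/eve.json"   # start from an empty log, as on the page
  suricata -S "$rules" -c /etc/suricata/suricata.yaml -l "$logdir" -v -k none -r "$pcap"
}

# Print the number of alert records in an eve.json file (0 if none).
alert_count() {
  grep -c '"event_type": *"alert"' "$1" || true
}

# Print "count sid" lines, one per signature that fired, most frequent first.
alerts_by_sid() {
  grep '"event_type": *"alert"' "$1" \
    | grep -o '"signature_id": *[0-9]*' \
    | grep -o '[0-9]*$' \
    | sort | uniq -c | sort -rn
}

# Compact per-alert view with jq (only used in the live path).
show_alerts() {
  jq -c 'select(.event_type == "alert")
         | {sid: .alert.signature_id, sig: .alert.signature, src: .src_ip, dest: .dest_ip}' "$1"
}

# Constructed sample eve.json: three alerts (two for sid 1000001, one for 1000002)
# plus one flow record that must not be counted.
write_sample_eve() {
  cat > "$1" <<'EOF'
{"timestamp":"2024-01-01T00:00:00.000000+0000","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"10.0.0.9","alert":{"signature_id":1000001,"signature":"TEST rule one"}}
{"timestamp":"2024-01-01T00:00:01.000000+0000","event_type":"flow","src_ip":"10.0.0.5","dest_ip":"10.0.0.9"}
{"timestamp":"2024-01-01T00:00:02.000000+0000","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"10.0.0.9","alert":{"signature_id":1000002,"signature":"TEST rule two"}}
{"timestamp":"2024-01-01T00:00:03.000000+0000","event_type":"alert","src_ip":"10.0.0.7","dest_ip":"10.0.0.9","alert":{"signature_id":1000001,"signature":"TEST rule one"}}
EOF
}

# Usage: ./rule-test.sh my-rules.rules sample.pcap  (falls back to the sample file)
if [ $# -ge 2 ] && command -v suricata >/dev/null 2>&1; then
  run_rule_test "$1" "$2" . && alerts_by_sid ./eve.json
  command -v jq >/dev/null 2>&1 && show_alerts ./eve.json
else
  tmp="${TMPDIR:-/tmp}/eve-sample.$$.json"
  write_sample_eve "$tmp"
  echo "alerts: $(alert_count "$tmp")"
  alerts_by_sid "$tmp"
  rm -f "$tmp"
fi
```

The sid summary is the quick sanity check after a run: a rule that never appears in it did not match the PCAP at all, and a rule that fires on every packet needs tightening before it goes anywhere near production traffic.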
