Tuesday, June 13, 2006

Q: How do I test a new custom rule?

A:
You can and will write your own custom rules and "import" them into the DC. Once imported, the rules are stored in a database format and you won't be able to export them again, so it pays to write and test them ahead of time. Fortunately, each IDS has all the tools you'll need to formulate and test rules: Snort, vi, and tcpdump.
  1. Log into the IDS as root and change to a subdirectory you will use for creating and testing rules.
  2. Use tcpdump (or Snort) to create a pcap file for testing your rule. It must contain at least one packet of the type your rule is intended to detect, and should also contain some similar packets that you don't want your rule to detect, so you can check for false positives. We'll call this file test.pcap.
  3. Use vi to create a rules file containing only the one rule you are working on. We'll call this file test.rule. Start the rule with "alert" so that matches are printed to the console.
  4. Make a log directory ./logs
  5. Run Snort using the following command lines to test your rule against the pcap file. (It does not seem to run properly unless you tell it where to log with -l or -b.)
     snort -T -c test.rule                                  (tests the rule syntax only)
     snort -vd -c test.rule -r test.pcap -A console -l logs  (replays the pcap through the rule)
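The five steps above, wrapped into a small POSIX shell scaffold as an added example (this is not part of the original post). It assumes snort and tcpdump are on PATH; the rule body, the SID 1000001, the interface name and the file names are constructed placeholders, not values from the post. The one check it adds beyond the steps is a pre-flight test that the rule really begins with "alert", because a rule that starts with another action runs cleanly but prints nothing to the console, which is easy to mistake for "no matching traffic".

```shell
#!/bin/sh
# Added example (not from the original post): scaffold for testing one
# custom Snort rule against a pcap. Assumes snort and tcpdump are on PATH.
# The rule text, SID and interface below are constructed placeholders.

# Step 2: capture a small pcap holding the traffic the rule should match
# (and, ideally, some similar traffic it should not match).
#   capture_pcap <interface> <output.pcap> [tcpdump filter words...]
capture_pcap() {
  iface=$1; out=$2; shift 2
  tcpdump -i "$iface" -c 50 -w "$out" "$@"
}

# Step 3: write a rules file holding exactly one rule. SIDs of 1000000 and
# above are reserved for local rules, so the constructed rule uses 1000001.
write_test_rule() {
  cat > "$1" <<'EOF'
alert tcp any any -> any 80 (msg:"TEST custom rule - HTTP GET"; content:"GET "; depth:4; sid:1000001; rev:1;)
EOF
}

# Pre-flight check: the first non-blank, non-comment line must start with
# "alert"; other actions (log, pass) produce no console output with -A console.
rule_starts_with_alert() {
  first=$(sed 's/^[[:space:]]*//' "$1" | grep -v '^#' | grep -v '^$' | head -n 1)
  case "$first" in
    alert*) return 0 ;;
    *)      return 1 ;;
  esac
}

# Steps 4 and 5: create the log directory, check syntax with -T, then replay
# the pcap. A failed syntax check returns 1 so it is not confused with a
# rule that simply did not fire.
run_rule_test() {
  rule=$1; pcap=$2; logdir=${3:-logs}
  rule_starts_with_alert "$rule" || { echo "rule does not start with alert: $rule" >&2; return 2; }
  mkdir -p "$logdir"
  snort -T -c "$rule" || return 1
  snort -vd -c "$rule" -r "$pcap" -A console -l "$logdir"
}

# Usage: RUN_RULE_TEST=1 sh thisfile.sh
# (capture_pcap eth0 test.pcap port 80 would be run first, as root, on the IDS)
if [ "${RUN_RULE_TEST:-0}" = 1 ]; then
  write_test_rule test.rule
  run_rule_test test.rule test.pcap logs
fi
```

Every alert printed by the second snort invocation should correspond to a packet you intended to match; an alert on one of the "similar but innocent" packets in test.pcap is the false positive you are looking for, and a silent run after a passing -T check means the rule's content or port matching is too narrow for the captured traffic.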
