From 107c12afd6ed180e529f8be5c164559d4f5fcf2d Mon Sep 17 00:00:00 2001 From: Jason Ish Date: Fri, 4 Dec 2015 09:38:16 -0600 Subject: [PATCH] doc: adding your own rules --- doc/sphinx/adding-your-own-rules.rst | 60 ++++++++++++++++++++++++++++ doc/sphinx/rules.rst | 1 + 2 files changed, 61 insertions(+) create mode 100644 doc/sphinx/adding-your-own-rules.rst diff --git a/doc/sphinx/adding-your-own-rules.rst b/doc/sphinx/adding-your-own-rules.rst new file mode 100644 index 0000000000..303566fadc --- /dev/null +++ b/doc/sphinx/adding-your-own-rules.rst 
@@ -0,0 +1,60 @@ +Adding Your Own Rules +===================== + +If you would like to create a rule yourself and use it with Suricata, +this guide might be helpful. + +Start creating a file for your rule. Type for example the following in +your console: + +:: + + sudo nano local.rules + +Write your rule, see [[Suricata Rules]] and save it. + +Open yaml + +:: + + sudo nano /etc/suricata/suricata.yaml + +and make sure your local.rules file is added to the list of rules. + +Now, run Suricata and see if your rule is being loaded. + +:: + + suricata -c /etc/suricata/suricata.yaml -i wlan0 + +If your rule failed to load, check if you have made a mistake anywhere +in the rule. Mind the details; look for mistakes in special +characters, spaces, capital characters etc. + +Next, check if your log-files are enabled in suricata.yaml. + +If you had to correct your rule and/or modify yaml, you have to +restart Suricata. + +If you see your rule is successfully loaded, you can double check your +rule by doing something that should trigger it. + +Enter: + +:: + + tail -f /var/log/suricata/fast.log + +If you would make a rule like this: + +:: + + alert http any any -> any any (msg:"Do not read gossip during work"; + content:"Scarlett"; nocase; classtype:policy-violation; sid:1; rev:1;) + +Your alert should look like this: + +:: + + 09/15/2011-16:50:27.725288 [**] [1:1:1] Do not read gossip during work [**] + [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.168.0.32:55604 -> 68.67.185.210:80 diff --git a/doc/sphinx/rules.rst b/doc/sphinx/rules.rst index 67dcabd6c1..e0083392fc 100644 --- a/doc/sphinx/rules.rst +++ b/doc/sphinx/rules.rst @@ -14,3 +14,4 @@ Rules file-keywords thresholding rule-lua-scripting + adding-your-own-rules -- 2.47.2
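Review bot: in the new adding-your-own-rules.rst, "Write your rule, see [[Suricata Rules]] and save it." uses wiki-link syntax that reStructuredText will render literally; replace it with a Sphinx cross-reference (a :doc: link to the rules page in this doc/sphinx tree) so the link actually resolves. Two smaller points in the same hunk: "sudo nano local.rules" creates the file in whatever directory the reader is in, while the rule-files list in suricata.yaml is resolved against the configured rule path, so the text should name the location (for example under /etc/suricata/rules/ or as an absolute path) before telling the reader to "make sure your local.rules file is added to the list of rules"; and the example rule uses sid:1, which collides with the low sid range used by distributed rulesets, so the example (and a sentence of advice) should use a sid from the conventional local range (1000000 and above). "Open yaml" would also read better as "Open suricata.yaml", and "check if your log-files are enabled" should say which output is meant, since the next step tails fast.log.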
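Review bot: in the rules.rst hunk, the new page is appended after rule-lua-scripting at the end of the toctree, so an introductory "how do I load my own rule" guide ends up after the keyword and Lua-scripting reference chapters; consider placing adding-your-own-rules near the start of the Rules toctree so readers meet it before the keyword reference.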