Edit Zeek (Bro) or Suricata Rules

I want to see syslog traffic on TCP 1514. Where’s the Bro and/or Suricata rule housed in RockNSM so I can edit to alert on this?

Bro scripts are stored under /usr/share/bro/site/. You can edit local.bro or create your own local directory of scripts similar to the default RockNSM scripts and then include them into local.bro.

Suricata rules are loaded with suricata-update using the default config. This will load any files located in /etc/suricata/rules ending with .rules, so this is a good place to put custom rules. When complete, manually run sudo -u suricata -g suricata suricata-update, which merges your rules with the default ET Open Source ruleset into a single file at /var/lib/suricata/rules/suricata.rules. By default, this is run daily at 1200 UTC.
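As an added, worked example (not RockNSM's own code and not part of the answer above), the following POSIX shell script stages a custom Suricata rule for syslog over TCP/1514 in /etc/suricata/rules, runs a light syntax check on the local rule file, and then refreshes the merged ruleset with the suricata-update command the answer gives. The rule text, the local-range sid 1000001, the file name local.rules and the RULES_DIR/SYSLOG_SID overrides are assumptions made for this example; only the rules directory and the suricata-update invocation come from the page.

```shell
#!/bin/sh
# Added example (not RockNSM's code): stage a custom Suricata rule for
# syslog over TCP/1514, sanity-check it, then let suricata-update merge it.
# RULES_DIR defaults to the directory the answer names but can be overridden
# so the script can be exercised outside a sensor. The sid is a constructed
# value from the local (1000000+) range so it cannot collide with ET Open.
RULES_DIR="${RULES_DIR:-/etc/suricata/rules}"
RULE_FILE="$RULES_DIR/local.rules"
SYSLOG_SID="${SYSLOG_SID:-1000001}"

# Print the rule text. flow:to_server,established keeps the alert to the
# client side of a completed TCP handshake, so one session fires once.
syslog_tcp1514_rule() {
  printf 'alert tcp any any -> any 1514 (msg:"LOCAL syslog over TCP/1514"; flow:to_server,established; classtype:policy-violation; sid:%s; rev:1;)\n' "$SYSLOG_SID"
}

# Append the rule unless that sid is already present, so reruns are idempotent.
write_rule() {
  mkdir -p "$RULES_DIR"
  if [ -f "$RULE_FILE" ] && grep -q "sid:$SYSLOG_SID;" "$RULE_FILE"; then
    echo "sid $SYSLOG_SID already present in $RULE_FILE"
    return 0
  fi
  syslog_tcp1514_rule >> "$RULE_FILE"
}

# Minimal check of every enabled line in the local rule file: a seven-field
# header (action proto src sport dir dst dport) followed by options, with the
# direction operator in place and msg/sid/rev present. Returns 1 on any fault.
check_rules() {
  status=0
  while IFS= read -r line; do
    case "$line" in ''|\#*) continue ;; esac   # skip blanks and comments
    set -- $line
    if [ "$#" -lt 8 ] || { [ "$5" != "->" ] && [ "$5" != "<>" ]; }; then
      echo "bad header: $line" >&2
      status=1
      continue
    fi
    for opt in msg: sid: rev:; do
      case "$line" in
        *"$opt"*) ;;
        *) echo "missing $opt in: $line" >&2; status=1 ;;
      esac
    done
  done < "$RULE_FILE"
  return $status
}

# Rebuild /var/lib/suricata/rules/suricata.rules from ET Open plus the local
# file, exactly the command the answer gives (needs the sensor's sudo rights).
refresh_rules() {
  sudo -u suricata -g suricata suricata-update
}

# Only act when invoked with "run"; sourcing the file just defines functions.
if [ "${1:-}" = "run" ]; then
  write_rule && check_rules && refresh_rules
fi
```

Run it as `sh stage_syslog_rule.sh run` on the sensor; afterwards the merged file should contain the sid, and a test connection to TCP/1514 should produce the alert in Suricata's eve.json. The check is deliberately shallow (it catches a dropped direction arrow or a forgotten sid, not every option typo); suricata-update and Suricata itself remain the authority on rule validity.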