I want to see syslog traffic on TCP 1514. Where’s the Bro and/or Suricata rule housed in RockNSM so I can edit to alert on this?
Bro scripts are stored under /usr/share/bro/site/. You can edit local.bro or create your own local directory of scripts similar to the default RockNSM scripts and then include them into
Suricata rules are managed by suricata-update using the default config. This will load any files located in /etc/suricata/rules ending with .rules, so this is a good place to put custom rules. When complete, manually run sudo -u suricata -g suricata suricata-update to merge your rules with the default ET Open Source ruleset into a single file at /var/lib/suricata/rules/suricata.rules. By default, this is run daily at 1200 UTC.
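A custom rule file for the TCP/1514 syslog case in the question, written into the rules directory the answer names and then merged with suricata-update (an added example, not from the original thread or from RockNSM). The local.rules filename, the sid 1000001 and the RULES_DIR override are assumptions; the pcre match on a leading syslog <PRI> field keeps other traffic on that port from alerting.

```shell
#!/bin/sh
# Added example: a local Suricata rule that alerts on syslog over TCP/1514.
# Assumption: rules live in /etc/suricata/rules as the answer states; RULES_DIR
# can be overridden (e.g. to a temp directory) to try this without root.
set -eu

RULES_DIR="${RULES_DIR:-/etc/suricata/rules}"
LOCAL_RULES="$RULES_DIR/local.rules"

# Emit the rule text. sid 1000001 is a placeholder in the local (>= 1000000)
# range; "any" as destination can be narrowed to $HOME_NET or a collector IP.
# Syslog messages start with "<PRI>", so content/pcre anchor on that.
syslog_tcp_rule() {
    printf '%s\n' \
      'alert tcp any any -> any 1514 (msg:"LOCAL syslog over TCP 1514"; flow:to_server,established; content:"<"; depth:1; pcre:"/^<\d{1,3}>/"; classtype:policy-violation; sid:1000001; rev:1;)'
}

# Write (or replace) local.rules; suricata-update picks up any *.rules here.
write_local_rules() {
    mkdir -p "$RULES_DIR"
    syslog_tcp_rule > "$LOCAL_RULES"
    echo "$LOCAL_RULES"
}

# Sanity-check the file before merging: non-empty, carries the port, a sid
# and a rev. "suricata -T -S $LOCAL_RULES" parses it against the live config.
check_local_rules() {
    [ -s "$LOCAL_RULES" ] || return 1
    grep -q ' -> any 1514 ' "$LOCAL_RULES" || return 1
    grep -q 'sid:1000001;' "$LOCAL_RULES" || return 1
    grep -q 'rev:1;' "$LOCAL_RULES" || return 1
    return 0
}

# Merge into /var/lib/suricata/rules/suricata.rules, as the answer describes.
update_rules() {
    sudo -u suricata -g suricata suricata-update
}
```

Run write_local_rules, check_local_rules and then update_rules on the sensor; bump rev each time you change the rule so the merged ruleset reflects the edit.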