Custom rules in Suricata – best practices?

Started by elenagilbert, September 24, 2025, 04:25:47 AM

Hi everyone, I've been experimenting with Suricata on OPNsense and am considering adding custom rules to detect specific traffic patterns in my network. Before I dive in, I'd like to know:

What's the best practice for managing custom rules without breaking updates?

Do you keep them in a separate file, or is there a recommended method within OPNsense to make sure they persist?

Are there any performance concerns when mixing official rule sets (ET/OpenAppID) with custom rules?

Would love to hear how others handle this.

I put all my custom rules and blocklists in opnsense.test.rules; it's persistent except on rule update.
Keep a copy and send it back to the router via SFTP.
SFTP to get the rules and replace them.
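A helper for the copy-and-restore workflow described in the reply above, as an added example (not code from the thread or from OPNsense): it checks that the custom rule file carries unique sids in the conventional local range before the file is pushed back over SFTP, so a typo never collides with the ET/OpenAppID sid space. The router address, the remote rules directory and the sample rule are assumptions.

```shell
#!/bin/sh
# Added helper for the workflow in the reply above (not from the thread or OPNsense):
# keep a local copy of the custom rule file, sanity-check it, and push it back
# over SFTP after a rule update has replaced it. Router, user and remote path
# are placeholder assumptions; the rules directory is an assumption about OPNsense.
ROUTER="${ROUTER:-root@opnsense.example.lan}"
REMOTE_DIR="${REMOTE_DIR:-/usr/local/etc/suricata/rules}"
CUSTOM_FILE="opnsense.test.rules"

# Constructed example rule (sid in the conventional local range 1000000-1999999,
# which keeps custom rules clear of the sids used by the official rule sets).
SAMPLE_RULE='alert dns $HOME_NET any -> any any (msg:"LOCAL constructed test query"; dns.query; content:"test.invalid"; sid:1000001; rev:1;)'

# Validate a custom rule file before it goes to the router: each active line
# needs a sid, the sid must sit in the local range, and no sid may repeat.
# Reports problems on stderr and returns 1 if any were found.
check_custom_rules() {
    file="$1"; status=0; seen=""
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        sid=$(printf '%s\n' "$line" | sed -n 's/.*sid:[[:space:]]*\([0-9][0-9]*\).*/\1/p')
        if [ -z "$sid" ]; then
            echo "missing sid: $line" >&2; status=1; continue
        fi
        if [ "$sid" -lt 1000000 ] || [ "$sid" -gt 1999999 ]; then
            echo "sid $sid outside local range 1000000-1999999" >&2; status=1
        fi
        case " $seen " in *" $sid "*) echo "duplicate sid $sid" >&2; status=1 ;; esac
        seen="$seen $sid"
    done < "$file"
    return "$status"
}

# Fetch the live copy from the router before an update so nothing is lost.
backup_custom_rules() {
    printf 'get %s/%s %s.bak\n' "$REMOTE_DIR" "$CUSTOM_FILE" "$CUSTOM_FILE" | sftp -b - "$ROUTER"
}

# Push the checked local copy back after an update has wiped the file.
restore_custom_rules() {
    check_custom_rules "$CUSTOM_FILE" || return 1
    printf 'put %s %s/%s\n' "$CUSTOM_FILE" "$REMOTE_DIR" "$CUSTOM_FILE" | sftp -b - "$ROUTER"
}
```

Run `backup_custom_rules` before triggering a rule download in the UI and `restore_custom_rules` afterwards; a non-zero exit from the check means the file was not uploaded.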

I'm in the process of modifying the Suricata config and adding custom rules. For the latter, I took the approach outlined in https://forum.opnsense.org/index.php?topic=7209.0, which seems to work for OPNsense 25.7, surviving rule downloads and saving the config via the UI.