Identify the rule(s) you want to enable.
Connect to the Sheriff Console through SSH and use your credentials to log in. The Sheriff Setup menu displays.
Place the rule(s) you want to enable into /etc/suricata/rules/local.rules and save your changes. One way to do this is to copy each rule from its original rule file, paste it into local.rules, and remove the "#" at the beginning of the line (the leading "#" is what marks the rule as disabled).
The following example performs these tasks in a Linux one-liner:
# grep 'sid:2009294;' /etc/suricata/rules/emerging_pro-policy.rules | cut -d'#' -f2 >> /etc/suricata/rules/local.rules
In this command, grep selects the line whose sid option is exactly 2009294 (a disabled Credit Card Policy Rule) from /etc/suricata/rules/emerging_pro-policy.rules; matching on "sid:2009294;" rather than on the bare number avoids also matching other rules that merely mention that number, for example in a reference URL. cut then drops everything up to and including the leading "#", and the result is appended to /etc/suricata/rules/local.rules. Note that cut splits on every "#" in the line, so this one-liner truncates a rule whose body itself contains a "#" character; check the appended line before relying on it.
Open local.rules to confirm that the rule was copied correctly:
# cat /etc/suricata/rules/local.rules
alert ip any any -> any any (msg:"ET POLICY Credit Card Number Detected in Clear (15 digit dashed 2)"; pcre:"/ (3[4|7]\d{2}|2014|2149|2131|1800)-\d{6}-\d{5} /"; reference:url,www.beachnet.com/~hstiles/cardtype.html; reference:url,doc.emergingthreats.net/2009294; classtype:policy-violation; sid:2009294; rev:1;)
Note: A rule copied from the Emerging Threats files keeps its original SID; because the original copy stays commented out, the two do not conflict. If a later rule update re-enables the original, remove your copy from local.rules so the SID is not defined twice. If you write your own rules in local.rules, give them a SID between 5,000,000 and 5,999,999 so they cannot collide with the SIDs used by the vendor rule sets. Suricata flags duplicate SIDs when it loads the rules, so check its log after restarting.
Repeat the command for all the rules you want to enable.
Using a command line text editor of your choice, add a reference to local.rules at the bottom of the rule-files list in /etc/suricata/rule-files.yaml:
%YAML 1.1
---
default-rule-path: /etc/suricata/rules
rule-files:
  - emerging_pro-activex.rules
  - emerging_pro-attack_response.rules
  - emerging_pro-chat.rules
  [...]
  - suricata-smtp-events.rules
  - suricata-stream-events.rules
  - local.rules
Regenerate the SID map from the rules directory so that the SID of each newly enabled rule can be resolved to its message:
# perl /usr/share/vigilante/scripts/create_sidmap.pl /etc/suricata/rules
Restart the Sheriff NIDS service for your changes to take effect, then check Suricata's log for rule-loading errors:
# service suricata restart
Restart the Sheriff Agent service so that it picks up the changes:
# service vigilante-agent restart