Hi everyone,
I am new to working with detection rules and signatures, so I thought this would be the best place to ask for some guidance. I have been experimenting with creating custom rules, but I often get stuck when it comes to balancing accuracy with performance. Sometimes the rules I write trigger too many false positives, and other times they miss important patterns completely.
I want to know how experienced members here approach writing strong detection rules. Do you follow a certain structure or checklist before finalizing? Also, how do you test and validate your rules in real-world scenarios without overwhelming your system with noise?
I have been brushing up on programming skills through different resources including a Golang Online Training which helped me understand performance trade-offs in coding. It made me wonder if similar principles apply when writing efficient signatures.
If anyone has any advice, practical examples or shared experiences, it would be helpful for someone like me who is trying to learn the ropes. Also, I have checked this: Handling False Positive Reports as a Rule Writer! Special Guests: PCREs, Dalton, Dalton’s Flowsynth, but I still need your advice.
Thank you.
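One way to see the accuracy/performance trade-off the post asks about is to score candidate rules against a small labelled corpus before ever loading them into an engine. The harness below is an added example (my own code, not from this thread or from Dalton/Flowsynth): it models a rule as an optional cheap substring prefilter plus an optional regular expression, in the spirit of a content + pcre signature, and counts true/false positives, misses, and how often the expensive regex actually had to run. The HTTP request lines and the "ExampleScanner" User-Agent are constructed for the demo; the real tools in the thread title (Dalton, Flowsynth) do the equivalent by replaying pcaps through the engine itself.

```python
"""Toy scoring harness for candidate detection rules.

Added example, not part of the original post.  Sample traffic and the
'ExampleScanner' User-Agent are constructed for illustration.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Rule:
    name: str
    content: Optional[str] = None   # cheap case-insensitive substring prefilter
    pcre: Optional[str] = None      # expensive regex, only run if prefilter hit
    _re: Optional["re.Pattern"] = field(default=None, init=False, repr=False)

    def __post_init__(self) -> None:
        if self.pcre:
            self._re = re.compile(self.pcre, re.IGNORECASE | re.MULTILINE)

    def matches(self, line: str) -> Tuple[bool, bool]:
        """Return (alerted, regex_was_evaluated)."""
        if self.content is not None and self.content.lower() not in line.lower():
            return False, False          # prefilter rejected it: regex never runs
        if self._re is None:
            return True, False           # content-only rule
        return bool(self._re.search(line)), True


@dataclass
class Score:
    tp: int = 0
    fp: int = 0
    fn: int = 0
    tn: int = 0
    regex_runs: int = 0              # proxy for the rule's evaluation cost

    def precision(self) -> float:
        return self.tp / (self.tp + self.fp) if (self.tp + self.fp) else 0.0

    def recall(self) -> float:
        return self.tp / (self.tp + self.fn) if (self.tp + self.fn) else 0.0


def evaluate(rule: Rule, samples: List[Tuple[str, bool]]) -> Score:
    """Run one rule over labelled samples (text, should_alert)."""
    s = Score()
    for line, malicious in samples:
        alerted, ran_regex = rule.matches(line)
        s.regex_runs += int(ran_regex)
        if alerted and malicious:
            s.tp += 1
        elif alerted:
            s.fp += 1
        elif malicious:
            s.fn += 1
        else:
            s.tn += 1
    return s


# Constructed sample requests; True means the rule should alert on it.
SAMPLES: List[Tuple[str, bool]] = [
    ("GET /docs/scan-results.pdf HTTP/1.1\r\nUser-Agent: Mozilla/5.0\r\n", False),
    ("GET /index.html HTTP/1.1\r\nUser-Agent: Mozilla/5.0\r\n", False),
    ("GET /blog/how-to-scan-documents HTTP/1.1\r\nUser-Agent: curl/8.0\r\n", False),
    ("GET /blog/examplescanner-review HTTP/1.1\r\nUser-Agent: Mozilla/5.0\r\n", False),
    ("GET / HTTP/1.1\r\nUser-Agent: ExampleScanner/2.1\r\n", True),
    ("GET /admin HTTP/1.1\r\nUser-Agent: examplescanner/3.0-beta\r\n", True),
    ("GET /robots.txt HTTP/1.1\r\nUser-Agent: ExampleScanner\r\n", True),
]

# Four candidate rules for the same hypothetical scanner.
RULES = {
    # Too broad: 'scan' appears in ordinary URLs, so it floods with false positives.
    "broad": Rule("broad", content="scan"),
    # Too narrow: pinned to one version string, so it misses other variants.
    "exact": Rule("exact", content="ExampleScanner/2.1"),
    # Anchored to the header, no prefilter: accurate but regex runs on everything.
    "pcre_only": Rule("pcre_only", pcre=r"^User-Agent:\s*ExampleScanner\b"),
    # Prefilter plus anchored regex: accurate, and the regex runs only on candidates.
    "balanced": Rule("balanced", content="examplescanner",
                     pcre=r"^User-Agent:\s*ExampleScanner\b"),
}


def report(rules=RULES, samples=SAMPLES) -> None:
    print(f"{'rule':<10}{'tp':>4}{'fp':>4}{'fn':>4}{'prec':>7}{'recall':>8}{'regex':>7}")
    for name, rule in rules.items():
        s = evaluate(rule, samples)
        print(f"{name:<10}{s.tp:>4}{s.fp:>4}{s.fn:>4}"
              f"{s.precision():>7.2f}{s.recall():>8.2f}{s.regex_runs:>7}")


if __name__ == "__main__":
    report()
```

The `regex_runs` column is the point about performance: the `pcre_only` and `balanced` rules alert on exactly the same samples, but the balanced one only pays for the regex on lines that passed the cheap substring check. When tuning a real signature, grow the labelled corpus with the false positives you actually receive and re-run the scoring, so that every change is checked against both the misses and the noise at once.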