[Oisf-users] Sguil & Suricata Help

Darius Fattahipour fattahipour at yahoo.com
Mon Apr 17 03:08:47 UTC 2017


Thank you -- that was very helpful!

From: Jason Ish <lists at ish.cx>
To: oisf-users at lists.openinfosecfoundation.org
Sent: Sunday, April 16, 2017 7:50 PM
Subject: Re: [Oisf-users] Sguil & Suricata Help

On 16/04/17 12:22 PM, Darius Fattahipour wrote:
> Hi,
> 
> I've been struggling to get Suricata alerts to appear in Sguil.  I've tried 
> many different types of configurations to no avail.  Here's the
> command I utilize:
> 
> suricata -c /etc/nsm/pching-VM-eth1/suricata.yaml -r inside.tcpdump -F 
> /etc/nsm/pching-VM-eth1/bpf-ids.conf
> 
> The inside.tcpdump is a pcap file.  I've also attached my suricata.yaml.

This is probably more of a Sguil issue than a Suricata issue, but I 
believe that Sguil requires the unified2 log file, which you don't appear 
to have enabled. Suricata won't get those events into Sguil for you 
though; that is a function of Sguil.

Jason
_______________________________________________
Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
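For reference, here is the shape of the unified2 output section in a Suricata 3.x/4.0-era suricata.yaml with the output switched on. This is an added illustration, not the poster's attached configuration or anything from the thread; the filename, 32mb limit and sensor-id are example values, and which Sguil-side component reads the file is outside what the thread covers.

```yaml
# Added example: unified2 output as it needs to look for a Sguil-side
# consumer to have anything to read. Most shipped suricata.yaml files carry
# this block with "enabled: no", which matches the symptom in the thread.
outputs:
  - unified2-alert:
      enabled: yes                 # default in shipped configs is "no"
      filename: unified2.alert     # written under default-log-dir as
                                   # unified2.alert.<unix-timestamp>
      limit: 32mb                  # rotate when a file reaches this size
                                   # (kb, mb, gb or a bare byte count)
      sensor-id: 0                 # carried in every record; example value
      payload: yes                 # include the packet that triggered the alert
```

The same block applies when Suricata is run against a pcap with `-r`, as in the poster's command; the records still land in the log directory and can be verified there before troubleshooting the Sguil side.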

