[Oisf-users] Suricata Heartbeat Alert

Cloherty, Sean E scloherty at mitre.org
Thu Aug 3 19:41:23 UTC 2017


We do something similar to that – we created a pcap and then a rule to match the content of the pcap.  Hourly, a cron job uses tcpreplay to send the pcap out the listening interface of our Suricata hosts.  If we don’t see one alert for that SID every hour on each box, then we alert and investigate.

From: Oisf-users [mailto:oisf-users-bounces at lists.openinfosecfoundation.org] On Behalf Of secres at linuxmail.org
Sent: Monday, July 31, 2017 09:10 AM
To: Jason Ish <ish at unx.ca>
Cc: oisf-users at lists.openinfosecfoundation.org
Subject: Re: [Oisf-users] Suricata Heartbeat Alert

You could also write a small script that would ping a target with a specific payload.  Then you could have a signature that looks for that specific string of characters and alerts you.  Just have it run as a cron job at whatever interval you need.

Example (Linux iputils ping; -p fills the ICMP echo payload with the repeated hex pattern deadbeef):
ping -p deadbeef 123.12.3.1


Sent: Friday, July 28, 2017 at 8:38 AM
From: "Jason Ish" <ish at unx.ca<mailto:ish at unx.ca>>
To: oisf-users at lists.openinfosecfoundation.org<mailto:oisf-users at lists.openinfosecfoundation.org>
Subject: Re: [Oisf-users] Suricata Heartbeat Alert
On 2017-07-28 07:37 AM, Charles Devoe wrote:
> Is there a way to have Suricata create a heartbeat alert? This alert
> would be a dummy alert and would be used to let us know that the
> Suricata system is up and working and all of our ancillary functions are
> also working.

No, Suricata does not support this. I know others have accomplished this
by using a custom rule and periodically injecting a special packet into
their network as a heartbeat. This is a more complete test, as it tests
the actual packet reception by the monitoring system as well.

Jason

_______________________________________________
Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org<mailto:oisf-users at openinfosecfoundation.org>
Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users

Conference: https://suricon.net
Trainings: https://suricata-ids.org/training/
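The approach the thread converges on (a custom rule that fires on an injected heartbeat packet, plus a periodic check that the alert for that SID is still appearing) put together as an added example. This is not code from the thread or from the Suricata project: the SID 9000001, the rule text, the `deadbeef` payload taken from the ping suggestion above, the ping target and the sample eve.json lines are all assumptions constructed for illustration.

```python
"""Suricata heartbeat check: inject a known packet, match it with a dedicated
rule, and fail the check when the alert for that SID stops appearing.

Everything here is an assumption for illustration: the SID, the rule, the
ping target and the sample eve.json records are constructed, not real data.
"""
import json
import subprocess
import sys
from datetime import datetime, timezone

HEARTBEAT_SID = 9000001            # assumed local SID (pick one in your local range)
HEARTBEAT_PAYLOAD = "deadbeef"     # hex pattern given to `ping -p`
EVE_PATH = "/var/log/suricata/eve.json"   # assumed default eve.json location

# Rule that fires on the heartbeat echo request; the pattern appears as raw
# bytes in the ICMP payload, so it is matched with a hex content string.
HEARTBEAT_RULE = (
    'alert icmp any any -> any any (msg:"LOCAL Suricata heartbeat"; '
    'itype:8; content:"|de ad be ef|"; sid:%d; rev:1;)' % HEARTBEAT_SID
)


def heartbeat_command(target):
    """Command a cron job runs to inject the heartbeat (Linux iputils ping)."""
    return ["ping", "-c", "1", "-p", HEARTBEAT_PAYLOAD, target]


def parse_eve_ts(ts):
    """Parse a Suricata eve.json timestamp, e.g. 2017-08-03T19:41:23.123456+0000."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z")


def last_heartbeat(eve_lines, sid=HEARTBEAT_SID):
    """Return the newest alert timestamp for `sid` among eve.json lines, or None."""
    newest = None
    for line in eve_lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # partially written last line while Suricata is logging; skip it
        if ev.get("event_type") != "alert":
            continue
        if ev.get("alert", {}).get("signature_id") != sid:
            continue
        ts = parse_eve_ts(ev["timestamp"])
        if newest is None or ts > newest:
            newest = ts
    return newest


def heartbeat_ok(eve_lines, now, max_age_s=3600, sid=HEARTBEAT_SID):
    """True if the heartbeat SID alerted within the last `max_age_s` seconds."""
    seen = last_heartbeat(eve_lines, sid)
    return seen is not None and (now - seen).total_seconds() <= max_age_s


# Constructed sample eve.json records (not captured from a real sensor): one
# heartbeat alert, one unrelated alert, one non-alert event, one truncated line.
SAMPLE_EVE = [
    '{"timestamp":"2017-08-03T19:02:11.000123+0000","event_type":"alert",'
    '"src_ip":"192.0.2.10","dest_ip":"192.0.2.20","proto":"ICMP",'
    '"alert":{"signature_id":9000001,"rev":1,"signature":"LOCAL Suricata heartbeat"}}',
    '{"timestamp":"2017-08-03T19:30:00.000000+0000","event_type":"alert",'
    '"src_ip":"192.0.2.30","dest_ip":"192.0.2.20","proto":"ICMP",'
    '"alert":{"signature_id":2100498,"rev":7,"signature":"GPL ATTACK_RESPONSE id check returned root"}}',
    '{"timestamp":"2017-08-03T19:35:00.000000+0000","event_type":"flow","proto":"TCP"}',
    '{"timestamp":"2017-08-03T19:40:00.000000+0000","event_type":"al',
]
SAMPLE_NOW = datetime(2017, 8, 3, 19, 41, 23, tzinfo=timezone.utc)


if __name__ == "__main__":
    # Cron usage: inject the heartbeat, then confirm the sensor alerted on it.
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.20"  # assumed target
    subprocess.run(heartbeat_command(target), check=False)
    with open(EVE_PATH) as fh:
        ok = heartbeat_ok(fh, datetime.now(timezone.utc))
    print("heartbeat", "OK" if ok else "MISSING")
    sys.exit(0 if ok else 1)
```

Run the script from cron at the same interval as the `max_age_s` window; a non-zero exit means the rule did not fire within the window, which covers the sensor process, packet reception on the monitored interface, rule loading and eve.json output in one check. Checking only the heartbeat SID keeps the check independent of whatever other alerts the sensor happens to emit.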