[Oisf-users] Suricata not matching packets

Bill Uhl bill at greenlightnet.com
Mon May 21 15:11:14 UTC 2018


Hi,

I am setting up Suricata in IPS mode on CentOS 7.4. I have worked through
the installation and configuration such that the packets are getting through
iptables to Suricata. I have turned on DNS and HTTP logging and the packets
are showing up in the logs. I have tried testing the system but it does not
seem to generate any alerts or drop any packets. The drop.log and fast.log
files remain empty.

I tried running the 'wget http://www.testmyips.com' test from the old
documentation but only the request is logged in http.log. I grep'd for
testmyips in the rules file but there is no match so I don't know if this
test is still valid.

I also tried the test from here
<https://web.nsrc.org/workshops/2015/pacnog17-ws/raw-attachment/wiki/Track2Agenda/ex-suricata-config-test.htm>,
using curl to send an outbound http request with user-agent BlackSun. I was
able to find a rule that looks like it should match but again, nothing shows
up in the fast.log or drop.log. The request does show up in the http.log file.

I am using the rules from Emerging Threats. PulledPork is updating them into
a single large rule file which Suricata seems to be loading without errors.

At this point, I don't know what else to look at or how else to test
Suricata. Any help would be appreciated.

Bill
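A small diagnostic for the situation described in this post, added here as an example; it is not part of the original thread, of Suricata, or of the Emerging Threats ruleset. It parses a Suricata rule file, finds every rule that mentions a test keyword (such as the BlackSun User-Agent or the testmyips host), and reports the facts that decide whether a hit can ever reach fast.log or drop.log: whether the rule is commented out, whether its action is alert or drop, which protocol, direction and flow state it requires, and which content it has to see. The rule lines embedded in SAMPLE_RULES are constructed for this example and use placeholder sids in the local 1000000+ range; the keyword syntax follows the Suricata 4.x style (content followed by the http_user_agent modifier) that was current for the CentOS 7.4 setup in the post.

```python
"""Explain why a Suricata rule that 'looks like it should match' produced no alert.

Added example, not from the original mailing-list thread. Run with a rule file
as the first argument, or with no arguments to use the constructed sample below.
"""
import re
import sys
from typing import Dict, List

# Constructed sample rule file (NOT the Emerging Threats ruleset). Sids are
# placeholders in the local 1000000+ range; sid 1000002 is disabled with '#'.
SAMPLE_RULES = """\
# constructed local rules for the diagnostic example
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"LOCAL BlackSun User-Agent"; flow:established,to_server; content:"BlackSun"; http_user_agent; nocase; classtype:trojan-activity; sid:1000001; rev:1;)
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"LOCAL disabled BlackSun rule"; flow:established,to_server; content:"BlackSun"; http_user_agent; sid:1000002; rev:1;)
drop dns $HOME_NET any -> any 53 (msg:"LOCAL DNS query for constructed test domain"; content:"|07|example|07|invalid"; sid:1000003; rev:1;)
"""

# Rule header: [#]action proto src sport dir dst dport (options)
RULE_RE = re.compile(
    r"^(?P<disabled>#\s*)?"
    r"(?P<action>alert|drop|reject|pass)\s+(?P<proto>\S+)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$"
)


def split_options(opts: str) -> List[str]:
    """Split the option body on ';' while honouring quoted strings and escapes."""
    parts, cur, in_quote, escaped = [], [], False, False
    for ch in opts:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == '"':
            in_quote = not in_quote
            cur.append(ch)
        elif ch == ";" and not in_quote:
            token = "".join(cur).strip()
            if token:
                parts.append(token)
            cur = []
        else:
            cur.append(ch)
    tail = "".join(cur).strip()
    if tail:
        parts.append(tail)
    return parts


def parse_rule(line: str) -> Dict:
    """Return the header fields and the options that matter for diagnosis, or {}."""
    m = RULE_RE.match(line.strip())
    if not m:
        return {}
    rule = {
        "disabled": bool(m.group("disabled")), "action": m.group("action"),
        "proto": m.group("proto"), "src": m.group("src"), "dst": m.group("dst"),
        "direction": m.group("dir"), "sid": None, "msg": None, "flow": None,
        "contents": [], "raw": line.strip(),
    }
    for opt in split_options(m.group("opts")):
        key, _, val = opt.partition(":")
        key, val = key.strip(), val.strip()
        if key == "sid":
            rule["sid"] = int(val)
        elif key == "msg":
            rule["msg"] = val.strip('"')
        elif key == "flow":
            rule["flow"] = val
        elif key == "content":
            rule["contents"].append(val.strip('"'))
    return rule


def find_rules(rules_text: str, keyword: str) -> List[Dict]:
    """All parseable rules (enabled or commented out) whose text mentions keyword."""
    return [r for r in (parse_rule(l) for l in rules_text.splitlines()
                        if keyword.lower() in l.lower()) if r]


def diagnose(rule: Dict) -> List[str]:
    """Facts about the rule that explain an empty fast.log or drop.log."""
    notes = []
    if rule["disabled"]:
        notes.append("rule is commented out: it is never loaded, so it cannot fire")
    if rule["action"] == "alert":
        notes.append("action is alert: a hit is written to fast.log, never to drop.log")
    elif rule["action"] == "drop":
        notes.append("action is drop: only blocks in IPS mode; a hit is written to drop.log")
    if rule["flow"] and "to_server" in rule["flow"]:
        notes.append("flow:to_server: only client-to-server traffic on an established session is inspected")
    if rule["src"] == "$HOME_NET":
        notes.append("source must be in HOME_NET: confirm vars.address-groups in suricata.yaml covers the test client")
    if not rule["contents"]:
        notes.append("no content match: the rule relies on other keywords only")
    return notes


def report(rules_text: str, keyword: str) -> List[str]:
    """Human-readable findings for one test keyword."""
    hits = find_rules(rules_text, keyword)
    lines = [] if hits else [f"no rule mentions '{keyword}': that test cannot alert with this ruleset"]
    for r in hits:
        state = "DISABLED" if r["disabled"] else "enabled"
        lines.append(f"sid {r['sid']} [{state}] {r['action']} {r['proto']} "
                     f"{r['src']} {r['direction']} {r['dst']}: {r['msg']}")
        lines.extend("  - " + n for n in diagnose(r))
    return lines


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RULES
    for kw in ("BlackSun", "testmyips"):
        print("\n".join(report(text, kw)))
```

Against the sample, the BlackSun keyword turns up one enabled alert rule (so a hit would land in fast.log, not drop.log, and only for a client inside HOME_NET sending to the server) and one disabled copy; testmyips matches nothing, which is exactly the "grep found no match" outcome from the post. Pointing the script at the PulledPork output file gives the same report for the real ruleset.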
