[Oisf-users] Suricata not matching packets

Andreas Herz andi at geekosphere.org
Sat May 26 22:16:37 UTC 2018


Hi Bill,

can you tell us more about how you configured Suricata itself (config
file), how you run it, and how you configured iptables?

If you want to drop something, btw, you first need to convert those alert
rules to drop rules.

On 21/05/18 at 11:11, Bill Uhl wrote:
> Hi,
> 
> I am setting up Suricata in IPS mode on CentOS 7.4. I have worked through
> the installation and configuration such that the packets are getting through
> iptables to Suricata. I have turned on DNS and HTTP logging and the packets
> are showing up in the logs. I have tried testing the system but it does not
> seem to generate any alerts or drop any packets. The drop.log and fast.log
> files remain empty.
> 
> I tried running the 'wget http://www.testmyips.com' test from the old
> documentation but only the request is logged in http.log. I grep'd for
> testmyips in the rules file but there is no match so I don't know if this
> test is still valid.
> 
> I also tried the test from here
> <https://web.nsrc.org/workshops/2015/pacnog17-ws/raw-attachment/wiki/Track2Agenda/ex-suricata-config-test.htm>,
> using curl to send an outbound http request with user-agent BlackSun. I was
> able to find a rule that looks like it should match but again, nothing shows
> up in the fast.log or drop.log. The request does show up in the http.log file.
> 
> I am using the rules from Emerging Threats. PulledPork is updating them into
> a single large rule file which Suricata seems to be loading without errors.
> 
> At this point, I don't know what else to look at or how else to test
> Suricata. Any help would be appreciated.
> 
> Bill


-- 
Andreas Herz
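The alert-to-drop conversion Andreas refers to, as an added example that is not part of the original thread and not Suricata's own tooling. It assumes a ruleset in the usual one-rule-per-line format; the sample rules and their sids (local 1000000+ range) are constructed for the demonstration, and `suricata -T` is only shown in a comment as the validation step to run afterwards.

```shell
#!/bin/sh
# Rewrite active "alert" rules as "drop" rules so that Suricata in IPS
# (NFQUEUE) mode blocks matching traffic instead of only alerting on it.
# Commented-out rules and rules with other actions (pass, reject, drop)
# are left untouched.  Hypothetical helper written for this thread.

# convert_alert_to_drop IN OUT [SID ...]
# Without SIDs every active alert rule in IN becomes a drop rule in OUT;
# with SIDs only the rules whose sid: matches one of them are converted.
convert_alert_to_drop() {
    in="$1"; out="$2"; shift 2
    awk -v sids="$*" '
        BEGIN { n = split(sids, list, " "); for (i = 1; i <= n; i++) wanted[list[i]] = 1 }
        /^[ \t]*alert[ \t]/ {
            if (n == 0) { sub(/^[ \t]*alert[ \t]+/, "drop "); print; next }
            if (match($0, /sid:[ \t]*[0-9]+/)) {
                sid = substr($0, RSTART + 4, RLENGTH - 4); gsub(/[ \t]/, "", sid)
                if (sid in wanted) sub(/^[ \t]*alert[ \t]+/, "drop ")
            }
        }
        { print }
    ' "$in" > "$out"
}

# count_action FILE ACTION -> number of active rules that start with ACTION
count_action() {
    grep -c -E "^[[:space:]]*$2[[:space:]]" "$1" || true
}

# Constructed sample rule file (not Emerging Threats rules).
SAMPLE_RULES="${TMPDIR:-/tmp}/sample-alert.rules"
DROP_RULES="${TMPDIR:-/tmp}/sample-drop.rules"
cat > "$SAMPLE_RULES" <<'EOF'
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"SAMPLE suspicious User-Agent (BlackSun)"; flow:established,to_server; http_user_agent; content:"BlackSun"; sid:1000001; rev:1;)
alert dns $HOME_NET any -> any 53 (msg:"SAMPLE DNS query for test domain"; dns_query; content:"testmyips.com"; sid:1000002; rev:1;)
# alert tcp any any -> any any (msg:"SAMPLE disabled rule stays disabled"; sid:1000003; rev:1;)
pass ip $HOME_NET any -> any any (msg:"SAMPLE pass rule is not touched"; sid:1000004; rev:1;)
EOF

convert_alert_to_drop "$SAMPLE_RULES" "$DROP_RULES"
echo "alert rules left: $(count_action "$DROP_RULES" alert), drop rules: $(count_action "$DROP_RULES" drop)"
# Validate the rewritten file before pointing suricata.yaml at it:
#   suricata -T -c /etc/suricata/suricata.yaml -S "$DROP_RULES"
```

Rules that still show `alert` after the conversion are the ones that were commented out or carried another action, so a non-zero `alert` count is a useful sanity check on the input file.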

