[Oisf-users] Properly testing Suricata for alerts

Bjørn Ruberg bjorn at ruberg.no
Tue Feb 12 19:16:58 UTC 2019


On 12.02.2019 17:44, 419telegraph298 at protonmail.com wrote:
> I was able to get Suricata's autoupdate system to work but am now having
> issues getting alerts generated - despite going on checkmyids.com
> <http://checkmyids.com/>, using Tor, and running wget testmyids.com
> <http://testmyids.com/> and nmap from my pi w/ Suricata on it, nothing
> has been added to alerts:

By "added to alerts", what do you mean? If you think of Snort's alert
log, the equivalent is fast.log. However, depending on your logging
config, you might not see it there, but you should see the alerts in
eve.json.

[...]

> Is this a permissions issue? When I had a previous install of Suricata I
> would be able to see the alerts generated when I ran Tor - should I just
> start adding rules to the config file to try to create sample alerts?

Whether a rule triggers or not depends on several factors, including but
not limited to
* whether a corresponding rule is indeed active, and
* whether the rule's source and/or destination matches the traffic.

Note that I'm not asking you to show us any and all rules you may have
activated, nor how they look; you should be able to find that out.

There are plenty of tutorials on how to create simple rules and how to
test them. Start out simple - for instance, start Suricata with only one
test rule triggering on ICMP traffic - and make sure the basic setup
works. Then move on to complex and automated rulesets.

-- 
Bjørn
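A concrete version of the "one ICMP test rule" approach described above, added here as an example; it is not code from the post or from the Suricata project. The rule file path, log directory and sid are placeholders, and the eve.json lines used to exercise the counter are constructed, but carry the fields a real Suricata alert record has.

```shell
#!/bin/sh
# Added example: build a single-rule ICMP test set for Suricata and
# count the alerts it produced in eve.json (the log the reply points to
# when fast.log is not enabled). Paths and the sid are placeholders.

TEST_SID=9000001   # constructed sid in the local (non-ET) range

# Write one rule that alerts on any ICMP packet in either direction.
# Start Suricata with only this file:
#   suricata -S /tmp/icmp-test.rules -l /tmp/suri-test -i eth0
# (-S loads the file exclusively; -r <pcap> works instead of -i).
write_test_rule() {
    cat > "$1" <<EOF
alert icmp any any -> any any (msg:"ICMP test rule"; sid:${TEST_SID}; rev:1;)
EOF
}

# Count eve.json records that are alerts for a given signature id.
# $1 = path to eve.json, $2 = sid. Each record is one JSON line and
# "event_type":"alert" precedes the alert object's "signature_id", so a
# single grep is enough; prints 0 (not an error) when nothing matched.
count_alerts_for_sid() {
    grep -c "\"event_type\":\"alert\".*\"signature_id\":$2[,}]" "$1" 2>/dev/null || true
}

# Return 0 if at least one alert for the sid is present, 1 otherwise.
# $1 = Suricata log directory (the -l argument), $2 = sid.
verify_alerts() {
    n=$(count_alerts_for_sid "$1/eve.json" "$2")
    echo "alerts for sid $2 in $1/eve.json: ${n:-0}"
    [ "${n:-0}" -gt 0 ]
}

# Constructed eve.json sample (two ICMP alerts, one flow record) so the
# counter can be checked without running Suricata. $1 = output path.
write_sample_eve() {
    cat > "$1" <<'EOF'
{"timestamp":"2019-02-12T19:00:00.000000+0000","event_type":"alert","src_ip":"192.0.2.10","dest_ip":"192.0.2.1","proto":"ICMP","alert":{"action":"allowed","gid":1,"signature_id":9000001,"rev":1,"signature":"ICMP test rule","category":"","severity":3}}
{"timestamp":"2019-02-12T19:00:00.100000+0000","event_type":"flow","src_ip":"192.0.2.10","dest_ip":"192.0.2.1","proto":"ICMP"}
{"timestamp":"2019-02-12T19:00:01.000000+0000","event_type":"alert","src_ip":"192.0.2.1","dest_ip":"192.0.2.10","proto":"ICMP","alert":{"action":"allowed","gid":1,"signature_id":9000001,"rev":1,"signature":"ICMP test rule","category":"","severity":3}}
EOF
}
```

Once `verify_alerts` passes with the single rule against a ping, the basic pipeline (capture, rule load, eve output) is known to work before a full ruleset is enabled.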

