[Oisf-users] Properly testing Suricata for alerts
Andreas Herz
andi at geekosphere.org
Tue Feb 12 21:24:03 UTC 2019
Hi,
you could use the -r foo.pcap mode to run a pcap that should trigger a
rule and see if this works. Are you certain the rule necessary for
checkmyids is active?
On 12/02/19 at 16:44, 419telegraph298 at protonmail.com wrote:
> I was able to get Suricata's autoupdate system to work but am now having issues getting alerts generated - despite going on [checkmyids.com](http://checkmyids.com/), using Tor, and running wget [testmyids.com](http://testmyids.com/) and nmap from my pi w/ Suricata on it, nothing has been added to alerts:
>
> drwxr-xr-x 10 root root 4096 Feb 8 04:32 BriarIDS
> -rw-r----- 1 root root 25209352 Feb 12 16:42 eve.json
> -rw-r----- 1 root root 140588547 Feb 11 06:25 eve.json.1
> -rw-r----- 1 root root 315811 Feb 3 06:25 eve.json.2.gz
> -rw-r----- 1 root root 0 Feb 11 06:25 fast.log
> -rw-r----- 1 root root 0 Feb 11 06:25 fast.log.1
> -rw-r----- 1 root root 20 Feb 1 13:17 fast.log.2.gz
> -rw-r--r-- 1 root root 39 Jan 15 2007 index.html
> -rw-r----- 1 root root 13408670 Feb 12 16:42 stats.log
> -rw-r----- 1 root root 74700748 Feb 11 06:25 stats.log.1
> -rw-r----- 1 root root 212177 Feb 3 06:25 stats.log.2.gz
> -rw-r--r-- 1 root root 224 Feb 12 06:27 suricata.log
> -rw-r--r-- 1 root root 1345 Feb 11 06:25 suricata.log.1
> -rw-r--r-- 1 root root 487 Feb 2 06:26 suricata.log.2.gz
>
> Is this a permissions issue? When I had a previous install of Suricata I would be able to see the alerts generated when I ran Tor - should I just start adding rules to the config file to try to create sample alerts?
>
> Sent from [ProtonMail](https://protonmail.ch), encrypted email based in Switzerland.
>
> Sent with [ProtonMail](https://protonmail.com) Secure Email.
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>
> Conference: https://suricon.net
> Trainings: https://suricata-ids.org/training/
--
Andreas Herz
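The -r replay test suggested above, written out as a small POSIX shell harness. This is an added example, not code from the thread or from the Suricata project; the config path, the scratch log directory, the ET SID 2100498 (the "id check returned root" rule that testmyids-style checks exercise) and the eve.json it checks offline are all my assumptions or constructed here.

```shell
#!/bin/sh
# Added example (not from the thread): replay a pcap through Suricata in
# -r mode into a scratch log directory, then confirm the expected signature
# produced an alert event in that directory's eve.json.
# Assumed values: config at /etc/suricata/suricata.yaml, SID 2100498.

SURICATA_CFG=${SURICATA_CFG:-/etc/suricata/suricata.yaml}

# Replay one pcap. -l keeps the test's logs apart from the live sensor's
# eve.json, so a missing alert cannot be blamed on log rotation or ownership.
run_pcap_test() {
    pcap=$1; outdir=$2
    mkdir -p "$outdir"
    suricata -c "$SURICATA_CFG" -r "$pcap" -l "$outdir"
}

# Count alert events for one SID. Key order inside the JSON is not assumed:
# filter on event_type first, then on signature_id (whole number only).
count_alerts_for_sid() {
    eve=$1; sid=$2
    n=$(grep '"event_type":[[:space:]]*"alert"' "$eve" 2>/dev/null \
        | grep -Ec "\"signature_id\":[[:space:]]*${sid}([^0-9]|$)") || true
    echo "${n:-0}"
}

# Verdict: exit 0 if the SID fired at least once, 1 otherwise.
alert_fired() {
    [ "$(count_alerts_for_sid "$1" "$2")" -gt 0 ]
}

# Offline demonstration on a constructed eve.json: one matching alert, one
# alert for a different (local, made-up) SID, one non-alert flow record.
demo_eve=$(mktemp)
cat >"$demo_eve" <<'EOF'
{"timestamp":"2019-02-12T16:42:00.000000+0000","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"10.0.0.9","alert":{"signature_id":2100498,"rev":7,"signature":"GPL ATTACK_RESPONSE id check returned root"}}
{"timestamp":"2019-02-12T16:42:01.000000+0000","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"10.0.0.9","alert":{"signature_id":1000001,"rev":1,"signature":"LOCAL constructed test rule"}}
{"timestamp":"2019-02-12T16:42:02.000000+0000","event_type":"flow","src_ip":"10.0.0.5","dest_ip":"10.0.0.9"}
EOF

if alert_fired "$demo_eve" 2100498; then
    echo "ok: SID 2100498 fired $(count_alerts_for_sid "$demo_eve" 2100498) time(s)"
else
    echo "FAIL: SID 2100498 did not fire" >&2
fi
# Real run: run_pcap_test idcheck.pcap /tmp/suri-test && alert_fired /tmp/suri-test/eve.json 2100498
```

If the replay fires the rule but the live sensor does not, the rule and parsing are fine and the problem is capture (interface, VLAN, traffic not actually passing the sensor) rather than the ruleset.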