[Oisf-users] Properly testing Suricata for alerts

419telegraph298 at protonmail.com
Wed Feb 13 00:13:55 UTC 2019


Hey - I am not sure if the rule is set for tcpdump. What should I run foo.pcap with? Kismet or Tcpdump?




‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Tuesday, February 12, 2019 4:24 PM, Andreas Herz <andi at geekosphere.org> wrote:

> Hi,
>
> you could use the -r foo.pcap mode to run a pcap that should trigger a
> rule and see if this works. Are you certain the rule necessary for
> checkmyids is active?
>
> On 12/02/19 at 16:44, 419telegraph298 at protonmail.com wrote:
>
> > I was able to get Suricata's autoupdate system to work but am now having issues getting alerts generated - despite going on checkmyids.com, using Tor, and running wget testmyids.com and nmap from my pi w/ Suricata on it, nothing has been added to alerts:
> > drwxr-xr-x 10 root root 4096 Feb 8 04:32 BriarIDS
> > -rw-r----- 1 root root 25209352 Feb 12 16:42 eve.json
> > -rw-r----- 1 root root 140588547 Feb 11 06:25 eve.json.1
> > -rw-r----- 1 root root 315811 Feb 3 06:25 eve.json.2.gz
> > -rw-r----- 1 root root 0 Feb 11 06:25 fast.log
> > -rw-r----- 1 root root 0 Feb 11 06:25 fast.log.1
> > -rw-r----- 1 root root 20 Feb 1 13:17 fast.log.2.gz
> > -rw-r--r-- 1 root root 39 Jan 15 2007 index.html
> > -rw-r----- 1 root root 13408670 Feb 12 16:42 stats.log
> > -rw-r----- 1 root root 74700748 Feb 11 06:25 stats.log.1
> > -rw-r----- 1 root root 212177 Feb 3 06:25 stats.log.2.gz
> > -rw-r--r-- 1 root root 224 Feb 12 06:27 suricata.log
> > -rw-r--r-- 1 root root 1345 Feb 11 06:25 suricata.log.1
> > -rw-r--r-- 1 root root 487 Feb 2 06:26 suricata.log.2.gz
> > Is this a permissions issue? When I had a previous install of Suricata I would be able to see the alerts generated when I ran Tor - should I just start adding rules to the config file to try to create sample alerts?
>
> > Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> > Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> > List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> > Conference: https://suricon.net
> > Trainings: https://suricata-ids.org/training/
>
> --
>
> Andreas Herz
>
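The advice in the quoted reply comes down to one check: run Suricata against a pcap that is known to trigger a rule (for example `suricata -r foo.pcap -l /tmp/suri-test`) and then confirm that an `event_type: "alert"` record actually lands in `eve.json`. The script below is an added example, not code from the thread or from the Suricata project; it parses EVE JSON lines and classifies the result into the three situations the original poster is trying to tell apart: nothing being written at all, traffic events but no alerts (rules not loaded or not matching), or alerts present. The sample lines are constructed for illustration; the sid 2100498 ("GPL ATTACK_RESPONSE id check returned root") is the rule that testmyids-style checks are commonly expected to fire, but if your ruleset differs, pass whatever sid you expect.

```python
import json
from collections import Counter

# Constructed sample of EVE JSON output (not taken from the thread). One JSON
# object per line, as Suricata writes it; the last line is deliberately
# malformed to show that a truncated line must not abort the check.
SAMPLE_EVE = """\
{"timestamp":"2019-02-12T16:40:01.000000+0000","event_type":"flow","src_ip":"192.0.2.10","dest_ip":"198.51.100.5"}
{"timestamp":"2019-02-12T16:40:02.000000+0000","event_type":"alert","src_ip":"192.0.2.10","dest_ip":"198.51.100.5","alert":{"signature_id":2100498,"rev":7,"signature":"GPL ATTACK_RESPONSE id check returned root","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2019-02-12T16:40:03.000000+0000","event_type":"stats","stats":{"uptime":120}}
{"timestamp":"2019-02-12T16:40:04.000000+0000","event_type":"alert","src_ip":"192.0.2.10","dest_ip":"198.51.100.5","alert":{"signature_id":2100498,"rev":7,"signature":"GPL ATTACK_RESPONSE id check returned root","category":"Potentially Bad Traffic","severity":2}}
this line is not json and is skipped
"""


def parse_eve(text):
    """Yield one dict per well-formed EVE JSON line; skip blank or broken lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            # Log rotation or a crash can leave a partial line; keep going.
            continue


def summarize_alerts(text):
    """Return (event_type counts, alert counts keyed by (sid, signature))."""
    by_type = Counter()
    by_sid = Counter()
    for rec in parse_eve(text):
        by_type[rec.get("event_type", "unknown")] += 1
        if rec.get("event_type") == "alert":
            a = rec.get("alert", {})
            by_sid[(a.get("signature_id"), a.get("signature"))] += 1
    return by_type, by_sid


def diagnose(text, expected_sid):
    """Classify an EVE log the way you would when asking 'why no alerts?'."""
    by_type, by_sid = summarize_alerts(text)
    if not by_type:
        # Nothing written: Suricata is not running, not capturing, or cannot
        # write to the log directory (the permissions question in the thread).
        return "no events"
    if by_type["alert"] == 0:
        # Traffic is seen but no rule fired: rules not enabled or not matching.
        return "events but no alerts"
    if any(sid == expected_sid for sid, _ in by_sid):
        return "alerts present"
    # Some rule fired, just not the one the test traffic was meant to trigger.
    return "alerts present, but not sid %d" % expected_sid


def main():
    by_type, by_sid = summarize_alerts(SAMPLE_EVE)
    print("events by type:", dict(by_type))
    for (sid, sig), n in by_sid.items():
        print("sid %s (%s): %d alert(s)" % (sid, sig, n))
    print("verdict:", diagnose(SAMPLE_EVE, 2100498))


if __name__ == "__main__":
    main()
```

To use it against a real run, read the `eve.json` produced by the `-r foo.pcap` invocation into `text` instead of `SAMPLE_EVE`; a verdict of "no events" points at the capture or log-directory side, while "events but no alerts" points at the rule set (check with `suricata -T -c suricata.yaml` that the rules load, and that the sid you expect is not disabled).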



