[Oisf-users] Properly testing Suricata for alerts

419telegraph298 at protonmail.com 419telegraph298 at protonmail.com
Wed Feb 13 05:00:36 UTC 2019


According to my suricata.yaml, tor rules are active:

# - emerging-web_specific_apps.rules
 - emerging-worm.rules
 - tor.rules

and the alerts should be turned on:

# Configure the type of alert (and other) logging you would like.
outputs:
  # a line based alerts log similar to Snort's fast.log
  - fast:
      enabled: yes
      filename: fast.log
      append: yes
      #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'

Sent from ProtonMail, encrypted email based in Switzerland.

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Tuesday, February 12, 2019 7:13 PM, <419telegraph298 at protonmail.com> wrote:

> Hey - I am not sure if the rule is set for tcpdump. What should I run foo.pcap with? Kismet or Tcpdump?
>
> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> On Tuesday, February 12, 2019 4:24 PM, Andreas Herz andi at geekosphere.org wrote:
>
> > Hi,
> > you could use the -r foo.pcap mode to run a pcap that should trigger a
> > rule and see if this works. Are you certain the rule necessary for
> > checkmyids is active?
> > On 12/02/19 at 16:44, 419telegraph298 at protonmail.com wrote:
> >
> > > I was able to get Suricata's autoupdate system to work but am now having issues getting alerts generated - despite going on checkmyids.com, using Tor, and running wget testmyids.com and nmap from my pi w/ Suricata on it, nothing has been added to alerts:
> > > drwxr-xr-x 10 root root 4096 Feb 8 04:32 BriarIDS
> > > -rw-r----- 1 root root 25209352 Feb 12 16:42 eve.json
> > > -rw-r----- 1 root root 140588547 Feb 11 06:25 eve.json.1
> > > -rw-r----- 1 root root 315811 Feb 3 06:25 eve.json.2.gz
> > > -rw-r----- 1 root root 0 Feb 11 06:25 fast.log
> > > -rw-r----- 1 root root 0 Feb 11 06:25 fast.log.1
> > > -rw-r----- 1 root root 20 Feb 1 13:17 fast.log.2.gz
> > > -rw-r--r-- 1 root root 39 Jan 15 2007 index.html
> > > -rw-r----- 1 root root 13408670 Feb 12 16:42 stats.log
> > > -rw-r----- 1 root root 74700748 Feb 11 06:25 stats.log.1
> > > -rw-r----- 1 root root 212177 Feb 3 06:25 stats.log.2.gz
> > > -rw-r--r-- 1 root root 224 Feb 12 06:27 suricata.log
> > > -rw-r--r-- 1 root root 1345 Feb 11 06:25 suricata.log.1
> > > -rw-r--r-- 1 root root 487 Feb 2 06:26 suricata.log.2.gz
> > > Is this a permissions issue? When I had a previous install of Suricata I would be able to see the alerts generated when I ran Tor - should I just start adding rules to the config file to try to create sample alerts?
> >
> > > Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> > > Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> > > List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> > > Conference: https://suricon.net
> > > Trainings: https://suricata-ids.org/training/
> >
> > --
> > Andreas Herz
>
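The thread's suggestion is to replay a known-good pcap with `suricata -r foo.pcap` and then look at what landed in fast.log and eve.json. The script below is an added example, not code from the thread or from the Suricata project: it builds that offline replay command, and parses both output files so you can tell "the fast output is disabled" (alerts in eve.json, empty fast.log, as in the listing above) apart from "the rule never fired" (no alert in either). The config path, the `foo.pcap` name and the sample log lines are constructed assumptions; the command-line flags (`-c`, `-r`, `-l`) are Suricata's real ones.

```python
"""Offline check that a pcap produces the alert you expect.

Added example, not from the mailing-list thread or the Suricata project.
Assumes Suricata is installed and that `foo.pcap` (the name used in the thread)
carries traffic matching the rule under test. The eve.json and fast.log lines
below are constructed samples, not output of a real run.
"""
import json
import re
import subprocess
from collections import Counter
from pathlib import Path


def suricata_replay_cmd(pcap, log_dir, config="/etc/suricata/suricata.yaml"):
    """Build the command that replays a pcap through Suricata's offline mode.

    -r reads packets from the pcap instead of a live interface, -c selects the
    configuration file and -l the directory fast.log / eve.json are written to.
    The config path default is an assumption; adjust it to your install.
    """
    return ["suricata", "-c", config, "-r", str(pcap), "-l", str(log_dir)]


def run_replay(pcap, log_dir):
    """Run the replay and return the path of the fast.log it should have produced."""
    log_dir = Path(log_dir)
    log_dir.mkdir(parents=True, exist_ok=True)
    subprocess.run(suricata_replay_cmd(pcap, log_dir), check=True)
    return log_dir / "fast.log"


# Shape of one line of the Snort-style "fast" output:
# <ts>  [**] [gid:sid:rev] <msg> [**] [Classification: ...] [Priority: n] {proto} src -> dst
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]"
)


def alerts_from_fast(lines):
    """Yield (sid, msg) for each alert line in fast.log; non-matching lines are skipped."""
    for line in lines:
        m = FAST_RE.match(line)
        if m:
            yield int(m.group("sid")), m.group("msg")


def alerts_from_eve(lines):
    """Yield (sid, msg) for each event_type=alert record in eve.json (one JSON object per line).

    An empty fast.log next to a growing eve.json usually means the eve output is
    enabled while the fast output is not, or that no alert fired at all; reading
    both files separates the two cases.
    """
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if rec.get("event_type") == "alert":
            alert = rec["alert"]
            yield int(alert["signature_id"]), alert["signature"]


def count_by_sid(alerts):
    """Count alerts per (sid, msg) so a missing signature stands out immediately."""
    return Counter(alerts)


# Constructed sample output so the parsers can be exercised without running Suricata.
SAMPLE_FAST = [
    "02/12/2019-16:42:00.000001  [**] [1:2000000:1] EXAMPLE test signature [**] "
    "[Classification: Misc activity] [Priority: 3] {TCP} 192.0.2.10:43210 -> 198.51.100.5:80",
    "02/12/2019-16:42:00.000002  [**] [1:2000000:1] EXAMPLE test signature [**] "
    "[Classification: Misc activity] [Priority: 3] {TCP} 192.0.2.10:43211 -> 198.51.100.5:80",
]
SAMPLE_EVE = [
    json.dumps({"timestamp": "2019-02-12T16:42:00.000001+0000", "event_type": "alert",
                "alert": {"signature_id": 2000000, "rev": 1,
                          "signature": "EXAMPLE test signature"}}),
    json.dumps({"timestamp": "2019-02-12T16:42:00.000003+0000", "event_type": "flow"}),
]

if __name__ == "__main__":
    # Replace the samples with open(...) on the files under the -l directory after run_replay().
    print("fast.log:", count_by_sid(alerts_from_fast(SAMPLE_FAST)))
    print("eve.json:", count_by_sid(alerts_from_eve(SAMPLE_EVE)))
```

After `run_replay("foo.pcap", "/tmp/suri-test")`, feed `open("/tmp/suri-test/fast.log")` and `open("/tmp/suri-test/eve.json")` to the two parsers; if the expected sid shows up in eve.json but not fast.log, the problem is the `fast:` output block in suricata.yaml, not the rule.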