[Oisf-users] Properly testing Suricata for alerts
Bjørn Ruberg
bjorn at ruberg.no
Wed Feb 13 06:37:41 UTC 2019
On 13.02.2019 06:00, 419telegraph298 at protonmail.com wrote:
> according to my suricata.yaml, tor rules are active :
>
> # - emerging-web_specific_apps.rules
> - emerging-worm.rules
> - tor.rules
This tells you that Suricata loads the rules *file*. It does not say
anything about which rule(s) in a file are active.
As a side note, I thought you had switched to suricata-update, which
AFAIK concatenates all single rule files into one common file?
> and the alerts should be turned on :
>
> # Configure the type of alert (and other) logging you would like.
> outputs:
>   # a line based alerts log similar to Snort's fast.log
>   - fast:
>       enabled: yes
>       filename: fast.log
>       append: yes
>       #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
Check eve.json as well, to be sure.
Then the next thing to check is the other condition I mentioned: whether
the rule is correctly configured to register the traffic, paying
particular attention to the HOME_NET and EXTERNAL_NET configuration of
your Suricata. When attempting to trigger alerts, verify the source and
destination addresses with tcpdump or similar.
--
Bjørn
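As an added example that is not part of the thread, here is a small Python check for the two things raised above: whether a given SID is actually active in a rules file (rather than the file merely being loaded), and whether the source/destination addresses seen with tcpdump satisfy a rule header under your HOME_NET/EXTERNAL_NET definitions. The rule lines and address variables are constructed; the variable values mirror the common suricata.yaml default where EXTERNAL_NET is !$HOME_NET.

```python
import ipaddress
import re

# Constructed address variables (assumption: your suricata.yaml may differ).
VARS = {"HOME_NET": "[10.0.0.0/8,192.168.0.0/16]", "EXTERNAL_NET": "!$HOME_NET"}

# Constructed rules, one disabled with a leading '#', one active.
RULES = """\
# alert tcp $HOME_NET any -> $EXTERNAL_NET 9001 (msg:"EXAMPLE disabled"; sid:9000001; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 9030 (msg:"EXAMPLE active"; sid:9000002; rev:1;)
"""

SID_RE = re.compile(r"sid\s*:\s*(\d+)\s*;")

def rule_states(rules_text):
    """Map each SID in a rules file to 'active' or 'disabled'.
    A loaded rules *file* says nothing about this; a leading '#' disables the rule."""
    states = {}
    for line in rules_text.splitlines():
        m = SID_RE.search(line)
        if m:
            states[int(m.group(1))] = "disabled" if line.lstrip().startswith("#") else "active"
    return states

def addr_matches(spec, ip, variables):
    """Does ip satisfy a rule address spec: 'any', '$VAR', '!X', a flat '[a,b]' list, or a CIDR?"""
    spec = spec.strip()
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not addr_matches(spec[1:], ip, variables)
    if spec.startswith("$"):
        return addr_matches(variables[spec[1:]], ip, variables)
    if spec.startswith("["):
        return any(addr_matches(part, ip, variables) for part in spec[1:-1].split(","))
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def header_matches(rule, src_ip, dst_ip, variables=VARS):
    """Check the rule header (action proto src sport dir dst dport) against the
    source/destination addresses observed with tcpdump; '<>' is bidirectional."""
    header = rule.lstrip("# ").split("(", 1)[0].split()
    _, _, src, _, direction, dst, _ = header
    forward = addr_matches(src, src_ip, variables) and addr_matches(dst, dst_ip, variables)
    if direction == "<>":
        return forward or (addr_matches(src, dst_ip, variables) and addr_matches(dst, src_ip, variables))
    return forward
```

Test traffic between two HOME_NET hosts will never satisfy a $HOME_NET -> $EXTERNAL_NET header when EXTERNAL_NET is !$HOME_NET, which is a common reason a rule that is loaded and active still produces no alert.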