Questions tagged [suricata]

Suricata refers to the multi-threaded Snort implementation.

Suricata is a multi-threaded fork of the open source IDS known as Snort; it is owned and maintained by the OISF (Open Information Security Foundation). Unlike Snort, Suricata supports balancing the analysis load across multiple instances of the tool, allowing better overall utilization of the available processor cores and faster performance.

80 questions
1 vote, 1 answer

Suricata in Docker has an "Operation not permitted" error

I built a Docker image that has Suricata in it, but when I'm trying to run Suricata, there is the error below: 3/9/2018 -- 02:58:12 - - This is Suricata version 4.0.5 RELEASE 3/9/2018 -- 02:58:12 - - [ERRCODE: SC_ERR_SYSCALL(50)] - Failure when…
colin
1 vote, 1 answer

Suricata GUI instead of Snorby

Hello, I am looking for some GUI for the Suricata IDS. I tried Snorby from Snort, but it is impossible to install it nowadays due to Ruby compatibility. Any idea what to use? Thank you
Ian
1 vote, 1 answer

Matching packet Content in a specific order with Suricata?

I'm attempting to create a Suricata rule that will match a packet if and only if all content is found and in a specific order. The problem with my current rule is that it will match even if the packet content is test2 test1. Is there a way to…
H. Ross
1 vote, 1 answer

How to make rule trigger on DNS rdata/IP address?

I currently have the following DNS Query Alert rule set up in Suricata (for test purposes): alert dns any any -> any any (msg:"Test dns_query option"; dns_query; content:"google"; nocase; sid:1;) Which is triggered when it captures DNS events…
Ahad Sheriff
0 votes, 1 answer

Suricata 7 conditional pcap just logs the packet that triggers the specific rule, not all the TCP flow packets?

Everyone: I have some questions about the Suricata 7 conditional pcap: 1). With alerts mode, I found that Suricata just logged the packet that triggered some specific rules, not all the packets that belong to one TCP flow. Here is the problem, I…
0 votes, 0 answers

How to send rotated logfiles with Syslog-ng

Right now I am sending Suricata eve.json raw logs (just the message) through the Syslog-ng TLS transport to a Syslog-ng server which receives them, stores them, and sends them to Elasticsearch and Kibana using the Filebeat Suricata module. And it works…
19mike95
0 votes, 1 answer

Suricata inline mode (netfilterqueue) problem with dropping by http.host

I have Suricata running in inline mode: /usr/bin/suricata -c /etc/suricata/suricata.yaml -q 0 --pidfile /run/suricata.pid Iptables configuration: the 'forward', 'input' and 'output' chains are configured as below: iptables -L | grep NFQUEUE NFQUEUE …
admfotad
0 votes, 0 answers

Problem in Snort/Suricata rule for HTTPS URL path blocking by connection rate limiting in pfSense

I have https://example.com behind my pfSense. In pfSense I configured HAProxy in TCP mode in both backend and frontend on port 443; in front, I can access my site with this configuration. I want to use Snort/Suricata in pfSense too, to have connection…
Morteza
0 votes, 0 answers

AWS Network Firewall with Suricata - alert egress traffic for TLS version older than 1.2

I'm trying to write a Suricata rule that could alert on older versions of TLS. I'd like to detect whether TLS older than 1.2 is used for any egress traffic from my network to the Internet. I'm using AWS Network Firewall with stateful Suricata rules…
0 votes, 2 answers

Suricata unable to find the pcap.h file while compiling in Windows

Documentation for the Suricata Windows compile: https://redmine.openinfosecfoundation.org/attachments/download/1175/SuricataWinInstallationGuide_v1.4.3.pdf I have installed all the dependencies as mentioned in the documentation. Cloned the files. To…
0 votes, 0 answers

Python script add field with sequence values

I have the following Python script that gets values from a txt file and constructs a file with some needed values: f = open("url-threatview.txt") data = f.read().strip().split("\n") f.close() for line in data: protocol,null,hostport,*url =…
Bananas17
0 votes, 0 answers

How to wait for network connectivity before starting a service in Windows?

I'm attempting to use Suricata IDS for monitoring the network events in a specific interface. I have been able to install the service and I am able to execute it. Everything seems to be working fine, except for the fact that the service might fail…
Admin
0 votes, 1 answer

How to get the community id from a Lua script in Suricata

I am using Suricata with community id to correlate Zeek and Suricata logs. I need to get the value of the community id for each tuple in a Lua script. Is there any method to get the community id for Suricata using Lua?
Vignesh
0 votes, 0 answers

Security Onion Suricata is not populating the logs to eve-2022-11-14-10:25.json

I am a beginner and I was trying out a distributed deployment of Security Onion. Everything is working fine, but Suricata is not logging the logs (-rw-r--r-- 1 suricata suricata 0 Nov 14 10:25 eve-2022-11-14-10:25.json ) and also no logs are getting…
kunal h
0 votes, 0 answers

IDSTower init-database failing

When running sudo ./IDSTower --init-database I get an error with the following message: 2022-11-13 21:08:40.937 [Error] An error occurred using the connection to database '""' on server '"localhost"'. [IDSTower] Can't connect to database, please…
Billf