Questions tagged [suricata]

Suricata refers to the multi-threaded Snort implementation.

Suricata is a multi-threaded fork of the open-source IDS known as Snort that is owned and maintained by the OISF (Open Information Security Foundation). Unlike Snort, Suricata supports balancing the analysis load across multiple instances of the tool, allowing better overall utilization of the available processor cores and faster performance.

80 questions
0 votes, 1 answer

Suricata Custom Ruleset will not Load into `suricata.rules`

I am running Suricata in IDS (af-packet) mode on Ubuntu 20.04.5 LTS (Focal Fossa) and deployed as the root user: NAME="Ubuntu" VERSION="20.04.5 LTS (Focal Fossa)" ID=ubuntu ID_LIKE=debian PRETTY_NAME="Ubuntu 20.04.5…
0 votes, 1 answer

Is there any way to write a UDP header rule based on a sticky buffer for Suricata?

Sticky buffer to match on the whole UDP header. Example rule: alert udp any any -> any any (udp.hdr; content:"|00 08|"; offset:4; depth:2; sid:1234; rev:5;) The above is the only information given in the Suricata documentation. I am using pyshark to…
0 votes, 0 answers

Suricata IPS rules in AWS Network Firewall are not working

I have created the AWS Network Firewall lab, but I found my rules are not effective. I want to allow EC2 to access only ubuntu.com and github.com, via HTTPS and SSH only, and drop other outbound connections. Here are the rules: I can access any…
0 votes, 0 answers

Problem Executing Python in cron to email IDS logs (No MTA installed, discarding output)

I am a novice Python/Linux enthusiast running Suricata on a Linux VM and am trying to execute a Python script to email myself the fast.log logs every morning. What I first want to happen is a list of the latest 15 alerts to be created via tails…
robreiner
0 votes, 0 answers

Can't start the Suricata service

I installed Suricata but can't actually start it. How can I do it? When I try to start it, an error shows up saying: The Suricata service on local computer was started and stopped. Some services are stopped automatically if they are not being used by…
0 votes, 1 answer

Custom Suricata Rules with Datasets of URL Domains in Base64

Any help appreciated on where I am being dumb here. Trying to configure a custom IDS rule in Suricata using a Dataset (which is an .lst file of base64-encoded domains). Following this article by IDS Tower: Additional Suricata…
0 votes, 3 answers

Suricata IDS/Telegraf error: Client message is too long, disconnect him

I have a problem connecting Suricata with Telegraf, using a unix_stream socket: Host: Ubuntu 20.04 Docker: SURICATA_VERSION=6.0.6 Docker: INFLUXDB_VERSION=2.1.1 Docker: TELEGRAF_VERSION=1.21 Suricata config: - eve-log: enabled: yes filetype:…
0 votes, 1 answer

Not receiving traffic in Suricata on Proxmox host machine from other hosts

I am running Proxmox on my server machine. I have attached a bridge adapter to it, and 2 containers (A and B) are installed on Proxmox. I have also installed Suricata on the Proxmox machine for it to act as an IDS. I have set up promiscuous mode on my…
0 votes, 0 answers

How to parse the eve.json output file from Logstash using Laravel

I want to parse the eve.json output file of Logstash using Laravel. I have tried the JsonMachine package, but I'm getting Unexpected symbol '{' At position 0. Here is a sample output of the…
0 votes, 1 answer

Suricata doesn't drop packets

I have a server with Suricata (169.69.1.11) installed and a specific rule: drop ICMP any any -> 169.69.1.11 any (msg: "ping dropped";sid:10001;) In another VM I execute: ping 169.69.1.11 -c 5, so at this point everything is bad because the pings…
user13643470
0 votes, 1 answer

SURICATA - - [ERRCODE: SC_ERR_DUPLICATE_SIG(176)]

When I execute sudo suricata -i enp0s8 -c suricata.yaml -s rules/misreglas.rules I get the output: - [ERRCODE: SC_ERR_DUPLICATE_SIG(176)] - Duplicate signature "drop http $HOME_NET any -> any any (msg: "HTTP DROP";)" - [ERRCODE:…
user13643470
0 votes, 1 answer

How can Python subprocess detect a negative exit code? How to force it to return 0 instead?

I'm using pkill to send the USR2 signal to Suricata via Python subprocess as below: #!/usr/bin/python3 script_command='pkill -SIGUSR2 -f /usr/bin/suricata' exit_status = subprocess.call(script_command, env=self.config_environment, shell=True) the…
0 votes, 1 answer

AWS Network Firewall Suricata rule specific TLS domain for SMTP over TLS

I am working on AWS Network Firewall with a Suricata rule to filter a specific source IP address to different destinations by FQDN, mainly for HTTP and HTTPS. As I see HTTPS uses TLS SNI to filter, is it also possible to apply this to SMTP over TLS? Sample…
WesKerT
0 votes, 1 answer

Lua script in Suricata to detect a change in a file

I am new to Lua programming. I was looking for a Lua script that can read a file being downloaded through Suricata from the internet and detect if the file is changed. Any help would be appreciated. Thanks in advance. Something like this: function…
hamid
0 votes, 1 answer

Suricata rule for accessing SMB share?

I've started to work with Suricata around a week ago and so far everything has been going surprisingly well. However, I am now trying to write my own rules and I tried to come up with a simple rule that throws an alert whenever any IP address tries…
cybel