Questions tagged [suricata]

Suricata is an open-source, multi-threaded network IDS/IPS and network security monitoring engine developed by the OISF.

Suricata is a multi-threaded, open-source network IDS/IPS and network security monitoring engine owned and maintained by the OISF (Open Information Security Foundation). It is not a fork of Snort, although it understands Snort-compatible rule syntax and is commonly run with the same rule sets (for example Emerging Threats). Unlike the single-threaded Snort 2.x design, Suricata spreads packet processing across multiple worker threads inside one process, so a single instance can make use of all available processor cores.

80 questions
0
votes
1 answer

Suricata DHCP Parsing

I am working on a capability using Suricata that would alert me to specific vendor identifiers from DHCP Inform packets. I have Suricata configured with the DHCP logging enabled and the extended option set to 'yes'. This ensures all DHCP packets are…
Jason
  • 31
  • 6
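The question above is about the Vendor Class Identifier (DHCP option 60) carried in DHCP Inform messages (option 53 with value 8). The Python below is an added example, not code from the asker or from Suricata: it walks the BOOTP fixed header and the option TLVs of a raw DHCP payload and matches option 60 against a prefix watchlist only when the message type is Inform, which is exactly the pair of conditions a rule or an eve-log consumer has to test. The watchlist prefix "MSFT" and the packets produced by build_dhcp() are constructed test data, not captures.

```python
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"          # RFC 2132 magic cookie after the 236-byte BOOTP header
OPT_PAD, OPT_MSG_TYPE, OPT_VENDOR_CLASS, OPT_END = 0, 53, 60, 255
DHCP_INFORM = 8                           # option 53 value for DHCPINFORM
MSG_TYPE_NAMES = {1: "discover", 2: "offer", 3: "request", 4: "decline",
                  5: "ack", 6: "nak", 7: "release", 8: "inform"}


def parse_dhcp_options(payload):
    """Return {option_code: bytes} from a raw DHCP UDP payload.

    Walks the option TLVs after the magic cookie; repeated codes are
    concatenated as RFC 3396 requires. Raises ValueError on non-DHCP
    or truncated input instead of guessing.
    """
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message (magic cookie missing)")
    opts = {}
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 2 > len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        opts[code] = opts.get(code, b"") + value
        i += 2 + length
    return opts


def check_inform_vendor(payload, watchlist):
    """Return the Vendor Class Identifier if this is a DHCPINFORM whose
    option 60 starts with one of the watchlist prefixes, else None."""
    opts = parse_dhcp_options(payload)
    if opts.get(OPT_MSG_TYPE) != bytes([DHCP_INFORM]):
        return None
    vci = opts.get(OPT_VENDOR_CLASS)
    if vci is None:
        return None
    vci_text = vci.decode("ascii", errors="replace")
    return vci_text if any(vci_text.startswith(p) for p in watchlist) else None


def build_dhcp(msg_type, vendor_class=None, xid=0x3903F326):
    """Construct a minimal BOOTREQUEST for testing (constructed data, not a capture)."""
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                        1, 1, 6, 0, xid, 0, 0,             # op, htype, hlen, hops, xid, secs, flags
                        b"", b"", b"", b"",                # ciaddr, yiaddr, siaddr, giaddr (zero)
                        b"\x00\x11\x22\x33\x44\x55",       # chaddr, padded to 16 bytes by struct
                        b"", b"")                          # sname, file
    options = bytes([OPT_MSG_TYPE, 1, msg_type])
    if vendor_class is not None:
        options += bytes([OPT_VENDOR_CLASS, len(vendor_class)]) + vendor_class
    options += bytes([OPT_PAD]) * 3 + bytes([OPT_END])    # pad bytes exercise the parser
    return fixed + DHCP_MAGIC + options


if __name__ == "__main__":
    WATCHLIST = ["MSFT"]   # hypothetical prefix list; "MSFT 5.0" is what Windows clients send
    for mtype, vci in [(DHCP_INFORM, b"MSFT 5.0"), (3, b"MSFT 5.0"), (DHCP_INFORM, b"udhcp 1.30")]:
        hit = check_inform_vendor(build_dhcp(mtype, vci), WATCHLIST)
        print(MSG_TYPE_NAMES[mtype], vci.decode(), "->", hit)
```

Only the Inform carrying a watchlisted prefix returns a value; a Request with the same vendor class and an Inform from another vendor both return None. The same two-condition check translates directly into a rule that must constrain the message type, not just the vendor string, or it will fire on every Discover and Request from the same clients.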
0
votes
1 answer

how to add bytes, session and source parameter in kibana to visualise suricata logs?

I redirected all the logs(suricata logs here) to logstash using rsyslog. I used template for rsyslog as below: template(name="json-template" type="list") { constant(value="{") constant(value="\"@timestamp\":\"") …
0
votes
1 answer

How should I add my rule file to Suricata?

I was looking into suricata and I could not understand something about configuration file. As in the documentation we need to add our rule file to the suricata.yaml like this: default-rule-path: /usr/local/etc/suricata/rules rule-files: -…
0
votes
1 answer

Adding automatic firewall rules pfsense

We want to add firewall block rules automatically after detecting malicious IPs on pfsense. The time spent manually on this issue is going to waste in most cases. We're looking for ways to automate this and looking for custom packages on pfsense.…
Nyquillus
  • 179
  • 1
  • 5
  • 23
0
votes
1 answer

Suricata rule for SQLI

I need some help, I am still new to Suricata. I am learning and my Splunk event shows there's an automated SQLI attack. 10.157.31.87 - - [02/Jan/2021:17:30:50 +0000] "GET /images.php?id=bXlzcWwgLS11c2VyPXJvb3QgLS1wYXNzd29yZD1yb290Cg== HTTP/1.1" 200 31…
joel
  • 1
  • 2
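The log line in the question above carries a base64-encoded value in the id parameter, which is the same layered-encoding problem that the url_decode and base64_decode questions further down this page are about: the indicator is only visible after the parameter has been URL-decoded and then base64-decoded. As an added example, not code from the asker or from Suricata, the Python below parses a Common Log Format line, URL-decodes each query parameter (including double encoding), attempts a strict base64 decode, and runs a small keyword match over every decoded layer. SAMPLE_LOG is the question's line; the keyword list and the second test line in the test are constructed for illustration.

```python
import base64
import binascii
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# The access-log line quoted in the question (id carries a base64 value).
SAMPLE_LOG = ('10.157.31.87 - - [02/Jan/2021:17:30:50 +0000] '
              '"GET /images.php?id=bXlzcWwgLS11c2VyPXJvb3QgLS1wYXNzd29yZD1yb290Cg== HTTP/1.1" 200 31')

# Common Log Format: src ident user [time] "method uri proto" status size
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) (?P<proto>\S+)" (?P<status>\d{3}) (?P<size>\S+)')

# Illustrative indicators only (constructed); a real rule set is far larger.
SUSPICIOUS = re.compile(
    r"(?i)(\bmysql\b|\bunion\s+select\b|\bsleep\s*\(|'\s*or\s+1\s*=\s*1|--password=)")


def try_base64(text):
    """Strictly decode base64; return the decoded text, or None when the
    input is not well-formed base64 that yields mostly printable output."""
    candidate = text.strip()
    if len(candidate) < 8 or len(candidate) % 4:
        return None
    try:
        raw = base64.b64decode(candidate, validate=True)
    except (binascii.Error, ValueError):
        return None
    decoded = raw.decode("utf-8", errors="replace")
    printable = sum(ch.isprintable() or ch in "\r\n\t" for ch in decoded)
    if not decoded or printable / len(decoded) < 0.9:
        return None
    return decoded


def decode_layers(value, max_depth=4):
    """Peel URL-encoding and base64 off a parameter value.

    Returns [(layer, text), ...] starting with the raw value; stops when a
    pass changes nothing or max_depth is hit, so double encoding is covered
    without looping on a value that happens to look like base64 forever.
    """
    layers = [("raw", value)]
    current = value
    for _ in range(max_depth):
        url = unquote(current)
        if url != current:
            layers.append(("url_decode", url))
            current = url
            continue
        b64 = try_base64(current)
        if b64 is not None:
            layers.append(("base64_decode", b64))
            current = b64
            continue
        break
    return layers


def scan_log_line(line):
    """Return one finding per parameter layer that matches SUSPICIOUS."""
    m = LOG_RE.match(line)
    if not m:
        return []
    findings = []
    query = urlsplit(m.group("uri")).query
    for name, value in parse_qsl(query, keep_blank_values=True):  # parse_qsl already unquotes once
        for layer, text in decode_layers(value):
            hit = SUSPICIOUS.search(text)
            if hit:
                findings.append({"src": m.group("src"), "param": name, "layer": layer,
                                 "decoded": text.strip(), "token": hit.group(0)})
    return findings


if __name__ == "__main__":
    for finding in scan_log_line(SAMPLE_LOG):
        print(finding)
```

For the question's line the only hit is on the base64_decode layer of id, where the decoded value is a mysql command line rather than SQL; the raw layer matches nothing, which is why a content match on the undecoded URI misses it. The strict decode (validate=True, length a multiple of four, printable result) keeps random alphanumeric tokens from being treated as base64.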
0
votes
1 answer

suricata url_decode and base64_decode

In Suricata 6.0.0 beta 1, I noticed that the url_decode rule keyword is added. And why is url_decode supported as a transformation while base64_decode is implemented in another way? For example, it needs base64_decode combined with base64_data to alert? It…
0
votes
2 answers

The ports always return 0 when I run Suricata based on DPDK

I have installed DPDK-19.11.1 LTS successfully as follows: And the NIC I have bound as follows: If I run an example (dpdk/dpdk-stable-19.11.3/examples/skeleton/build/basicfwd), the function rte_eth_dev_count_avail() returns the ports I bound with…
startkz
  • 3
  • 1
0
votes
1 answer

Send Pcap from Suricata to Kafka

I configured suricata.yaml to obtain the pcap output, and I need to send it to Kafka. In the Suricata documentation, there is nothing about the configuration to send to Kafka. How can I send the pcap output directly to Kafka? Could Kafka listen to Suricata…
0
votes
1 answer

Suricata to Filebeat to Kafka, routing to topics by event-type

I discovered Filebeat a couple days ago. I have it sending data to Kafka directly if I hard code the topic name in filebeat.yml. But I can't seem to figure out how to dynamically compute the topic name based on suricata event type. I've enabled…
medloh
  • 941
  • 12
  • 33
0
votes
1 answer

Snort / Suricata Network Topology - Is this acceptable?

I run a small business network with around a 500mbit Internet connection and want to introduce an NIPS (network intrusion prevention system). I have identified SNORT or SURICATA as the software of choice (and maybe Zeek which I know less about).…
Chooka
  • 35
  • 1
  • 5
0
votes
1 answer

Is there any site for searching Suricata rule descriptions?

I want to find some descriptions of Suricata rules. For example, Rule name: ET ATTACK_RESPONSE Cisco TclShell TFTP Read Request Rule info: content:"|00 01 74 63 6C 73 68 2E 74 63 6C|"; SID: 2009244, ... and so on. I would like to know the…
chung
  • 1
  • 1
0
votes
1 answer

Suricata HOME_NET config question (SPAN port)

As a project I have a physical firewall (IP: 10.0.0.2) with a SPAN port configured to a physical linux (CentOS 6) (IP: 10.0.0.3) on which I am running Suricata IDS. Theoretically I should receive all the traffic to the box through an interface I…
Jan Novak
  • 1
  • 1
0
votes
1 answer

Suricata - base64_decode and base64_data

The latest Suricata added support for base64_decode and base64_data (https://suricata.readthedocs.io/en/latest/rules/base64-keywords.html). On the other hand, there is no way to apply the rule to the HTTP client body only. For example, something like:…
0
votes
2 answers

Only Output Rule Alerts to Suricata EVE

I have Suricata setup as HIDS on a couple of lab instances, and wrote some sample rules to alert on custom User-Headers and internal IPs I can easily trigger for purpose of teaching someone how to use Suricata. For an advanced use case, I want to…
0
votes
1 answer

Error while compiling suricata on amazon linux

I am trying to install Suricata in an Amazon Linux EC2 instance. I got the following error while compiling: error: process didn't exit successfully: rustc -vV (exit code: 1) --- stdout rustc 1.35.0 binary: rustc commit-hash: unknown commit-date:…
sarah_91
  • 21
  • 1
  • 3