Questions tagged [suricata]

Suricata refers to the multi-threaded Snort implementation.

Suricata is is a multi-threaded fork of the open source IDS known as Snort that is owned and maintained by the OISF (Open Information Security Foundation). Unlike Snort, Suricata supports balancing the analysis load across multiple instances of the tool, allowing better overall utilization of the available processor cores and faster performance.

80 questions

votes

1 answer

Suricata Error on running SC_ERR_NO_MD5_SUPPORT

I’m using Suricata 4.0.4, I want to check md5 of files with this rule: alert http any any -> any any (msg:"FILE MD5 Check against Malware Patrol blacklist"; filemd5: /root/2018.md5.txt; sid:10203040; rev:1;) but after running suricata, it…

rules snort suricata

asked Nov 22 '18 at 10:35

Giac

votes

2 answers

IDS Signature - Understanding Content

I am new to IDS signature tuning. So while studying signatures ; in the signatures I come across the section 'CONTENT' based on which the signature triggers alert. Now when I see something in content (example below); how to decipher the same…

snort intrusion-detection network-security suricata

asked Nov 19 '18 at 07:28

Avik Chowdhury

votes

1 answer

Can i get suricata to listen to localhost

I'm trying to get suricata to listen to the localhost interface, but it says that there is ERRCODE: SC_ERR_SYSCALL(50) failure to get feature via ioctl for 'lo' Is there anyway to achieve this?

intrusion-detection suricata libnids

asked Nov 13 '18 at 07:30

placid chat

votes

1 answer

suricata rule with FTP header

Why this simple rule is not working alert ftp any any -> any any (msg:"FILE PDF file claimed"; fileext:"pdf"; filestore; sid:2; rev:1;) It could not detect any pdf file transported by filezela as example

suricata

asked Sep 16 '18 at 01:44

Bakil Almuntaser

votes

1 answer

suricata custom rule to store and alert all pdf files

I am trying to add a new rule to Suricata to store any PDF file transfer in network. I try to achieve that by two rules alert http any any -> any any (msg:"FILE pdf detected"; filemagic:"PDF document"; filestore; sid:3; rev:1;) and alert…

suricata

asked Sep 12 '18 at 14:15

Bakil Almuntaser

votes

1 answer

Regex PCRE matching on an URL with multiple parameters random values

Sample GET request I want to match on with regex PCRE: random.php?blue=value1&green=value2&red=value3&orange=value4&grey=value5&black=value6 Facts: random.php - The filename is random, only the ".php?" is fixed I have about 10 colors defined as…

regex pcre snort suricata

asked Dec 04 '17 at 12:16

Syntyche Ackerley

votes

1 answer

Feedback Request - Restarting Docker container on file change

I have this working but was wondering if there is any potential side effects or even a better way to do this. The example below is generic. I have a docker-compose file with two containers (container_1 and container_2). container_1 exposes a volume…

docker docker-compose suricata

asked Oct 10 '17 at 17:20

Patrick Neise

votes

1 answer

stopping suricata in nfqueue mode, with FW rules enabled, kills all connections

I have installed suricata 4.0 in IPS mode per the docs here: I can start it with /etc/init.d/suricata start, but as soon as i stop it with /etc/init.d/suricata stop it will drop all connections to the box and not allow further connections. I have…

suricata

asked Aug 29 '17 at 20:44

ekydfejj

votes

1 answer

Snort or Suricata whilst using Docker?

Guess I am going to use multiple docker files for my IDS/IPS - using microservice. Say more than 50 docker containers for it. Would you use Suricata or Snort? Is it really important that Snort is not multithread, and does it snort weaker than…

security containers microservices snort suricata

asked May 21 '17 at 13:02

Parsa Samet

votes

1 answer

what does this mean in suricata rule alert?

I installed and configured suricata to give errors. It gave me error like Jan 13 11:22:18 201612317 01/13/2017-11:22:18.308560 [] [1:2001219:20] ET SCAN Potential SSH Scan [] [Classification: Attempted Information Leak] [Priority: 2] {TCP} I wanted…

snort suricata

asked Feb 06 '17 at 14:17

Galpear Tech

votes

1 answer

By using sed change IP Address what ever it is in brackets and quotes as in Suricata.yaml

I need to change IP address using sed in suricata.yaml file infront of HOME_NET. HOME_NET: "[172.20.16.25]" I can manage what ever IP address by using the following regex. sed -i…

sed ubuntu-14.04 suricata

asked Dec 28 '16 at 14:44

Goforseeking

votes

0 answers

Error while rebuilding tcl 8.5 to disabling threadings

Im on installation of Squert Dashboard for suricata on Ubuntu Xenial 16.04 LTS Before install Squert I need to install Sguil (sgweel), sguil need tcl 8.3 (or better) and I found in source the current version of tcl is 8.5 so I installed it and run…

ubuntu package tcl rebuild suricata

asked Dec 22 '16 at 13:06

Ilies

votes

1 answer

Suricata gateway not decode http protocol

I have a test like this: My env: os:debian 8 A:172.20.0.1 (gateway suricata v3.2 ) B:172.20.0.2 (App Server) C:172.20.0.3 (Client) My network: client(C) ----> gateway suricata A (ids) -----> AppServer B My suricata build info: wget…

suricata

asked Dec 09 '16 at 06:57

lines

votes

1 answer

Suricata cygwin configuration libnet

I am trying to install Suricata on Cygwin for Windows but when I run the ./configure I get the Warning libnet version 1.1.x could not be found. Does anyone know how to fix this because I cannot find any solution.

cygwin libnet suricata

asked May 31 '16 at 11:26

laurensp

votes

1 answer

Suricata Windows inline mode

I'm setting up Suricata on Windows. I can test the inline mode but when I try to put it in inline mode so I can drop instead of alert. The problem is I get the error, cannot find the NF Queue. I first tried the automatic installation, but this way…

windows inline intrusion-detection suricata

asked May 23 '16 at 13:10

laurensp

Prev 1 2 3 4

6 Next