Suricata is a free and open source, mature, fast and robust network threat detection engine.
Questions tagged [suricata]
15 questions
4
votes
0 answers
How can I get Suricata to alert on 1 packet every time
I am trying to write a Suricata signature for testing purposes to alert every time it is triggered with a single PCAP file containing a single packet, but this is proving to be harder than I thought.
For instance, I have the following rule.
alert…
MikeSchem
- 2,266
- 1
- 13
- 33
2
votes
1 answer
What is the best way to create a PCAP file containing malicious traffic?
I'm in my last year of university and for my honour's project I am tasked with comparing two intrusion detection systems, snort and suricata, hosted on a virtual machine on my PC.
As I have no access to networking devices such as switches etc, I was…
Conor
- 21
- 2
1
vote
0 answers
Can I write a suricata rule based on the timestamp the packet arrives on the host?
We have a need to check the arrival time of two relative packets, like packet1 and packet2, if packet2 arrives too late after packet1, we want an alert for it.
Is it possible to write a rule for this? I go through the suricata's doc and feel like…
cifer
- 111
- 2
1
vote
1 answer
Suricata and rules based on MAC address
I'm working on a project to implement SDN in a network. One of my flows is redirecting to the Suricata IDS and the flow works in layer 2 with MAC address.
Since I've read that Snort only works in layer 3, I would like to know if it's possible to…
loi219
- 113
- 5
1
vote
1 answer
Suricata bypass keyword
I have not found any examples on using the 'bypass' keyword.
Does it work in any rule? Are there performance implications using 'bypass'.
For example, would this bypass all tcp traffic?
alert tcp any any <> any any (msg:"Allow all TCP"; bypass;…
dcol
- 11
- 1
1
vote
1 answer
Custom Suricata's HTTP alert isn't triggered when using ".." as part of the scanned uri. Why?
I have a doubt with a Suricata custom rule.
If I do: alert http any any -> any 80 (msg:"blabla"; content:"abc"; http_uri; sid:1000000;) I can get requests to http://x.x.x.x/abc uri in fast.log file
But if I do: alert http any any -> any 80…
Osqui
- 113
- 4
0
votes
1 answer
I am noticing a malicious DNS query in Thunderbird
My Suricata IDS is generating this alert when starting Thunderbird:
ET INFO Observed DNS Query to .cloud TLD
You can analyze a json log:
{
"_index": "suricata-1.1.0-2022.02.11",
"_type": "_doc",
"_id": "Uvxd6X4Bz6KASDsJzj8a",
"_score": 1,
…
Ecofintech
- 1
- 1
0
votes
1 answer
suricata http rule to identify POST requests
I can’t figure it out / understand. Need to write a rule that catches an HTTP POST request from one ip address more than three times in 10 seconds and logs it.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"HTTP post packet flood ";…
Norfo4ik
- 1
- 2
0
votes
1 answer
Suricata - How to use TCP Flags?
I wrote the following rules:
alert tcp any any -> 192.168.6.4 any (msg:"SYN"; flags: S;)
alert tcp any any -> 192.168.6.4 any (msg:"FIN"; flags: F;)
The SYN rule is matching. The FIN isn't. I can't find a part in their documentation for TCP…
flippie
- 3
- 2
0
votes
1 answer
Help in Suricata rule bitmask syntax problem
I have written the following rule in my Suricata rules file:
alert tcp any any <> any any (flow:established; content:"|65|"; offset:0; depth:1; byte_test:1, =, 3, 2, bitmask 0x03; msg:"detected"; classtype:bad-unknown; sid:222; rev:1;…
Khalid
- 140
- 6
0
votes
1 answer
Suricata Ripple20 rule for IP-in-IP resulting in 100M alerts
I found too many events in Suricata after recent update regarding this rule:
alert ip any any -> any any (msg:"ET EXPLOIT Possible CVE-2020-11900 IP-in-IP tunnel Double-Free"; ip_proto:4; metadata: former_category EXPLOIT;…
Giac
- 175
- 1
- 6
0
votes
1 answer
Suricata not matching a packet
What happens to a packet that has no matching rule in Suricata. I assume it is ignored, but haven't found any definitive info on this.
So, if my assumption is correct and the packet is ignored, would it be better to capture all non pass matched…
dcol
- 11
- 1
0
votes
1 answer
Loopback with Suricata
Is there any way of analyzing loopback traffic with Suricata?
I am trying it this way without success:
root@security-onion:/home/sar/TFM/alerts/suricata# suricata -c /etc/suricata/suricata.yaml -i lo -l . -k none
7/9/2018 -- 19:32:25 - -…
Neveralways
- 5
- 3
0
votes
1 answer
Analyzing Apache log with Snort
I need to analyze an Apache log with Snort and others IDS/WAFs (Suricata, mod_security and Shadow Daemon). In order to do so, I was thinking about create TCP packets with the GET and POST requests stored in the Apache log with Scapy in Python.…
Neveralways
- 5
- 3
0
votes
1 answer
Virustotal detecting threats in Suricata rule set
Virustotal scans are detecting threats from the Suricata default rule pack located https://rules.emergingthreats.net/open/suricata-4.0/
Is this a false…
calk93
- 1
- 1