Questions tagged [suricata]

Suricata is a free and open source, mature, fast and robust network threat detection engine.

15 questions
4 votes, 0 answers

How can I get Suricata to alert on 1 packet every time

I am trying to write a Suricata signature for testing purposes to alert every time it is triggered with a single PCAP file containing a single packet, but this is proving to be harder than I thought. For instance, I have the following rule. alert…
MikeSchem
2 votes, 1 answer

What is the best way to create a PCAP file containing malicious traffic?

I'm in my last year of university and for my honours project I am tasked with comparing two intrusion detection systems, Snort and Suricata, hosted on a virtual machine on my PC. As I have no access to networking devices such as switches etc., I was…
Conor
1 vote, 0 answers

Can I write a suricata rule based on the timestamp the packet arrives on the host?

We need to check the arrival time of two related packets, say packet1 and packet2: if packet2 arrives too late after packet1, we want an alert for it. Is it possible to write a rule for this? I have gone through Suricata's docs and feel like…
cifer
1 vote, 1 answer

Suricata and rules based on MAC address

I'm working on a project to implement SDN in a network. One of my flows is redirecting to the Suricata IDS and the flow works in layer 2 with MAC address. Since I've read that Snort only works in layer 3, I would like to know if it's possible to…
loi219
1 vote, 1 answer

Suricata bypass keyword

I have not found any examples of using the 'bypass' keyword. Does it work in any rule? Are there performance implications to using 'bypass'? For example, would this bypass all TCP traffic? alert tcp any any <> any any (msg:"Allow all TCP"; bypass;…
dcol
1 vote, 1 answer

Custom Suricata HTTP alert isn't triggered when using ".." as part of the scanned URI. Why?

I have a question about a Suricata custom rule. If I do: alert http any any -> any 80 (msg:"blabla"; content:"abc"; http_uri; sid:1000000;) I see requests to the http://x.x.x.x/abc URI in the fast.log file. But if I do: alert http any any -> any 80…
Osqui
0 votes, 1 answer

I am noticing a malicious DNS query in Thunderbird

My Suricata IDS is generating this alert when starting Thunderbird: ET INFO Observed DNS Query to .cloud TLD. You can analyze the JSON log: { "_index": "suricata-1.1.0-2022.02.11", "_type": "_doc", "_id": "Uvxd6X4Bz6KASDsJzj8a", "_score": 1, …
0 votes, 1 answer

suricata http rule to identify POST requests

I can't figure it out / understand. I need to write a rule that catches an HTTP POST request from one IP address more than three times in 10 seconds and logs it. alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"HTTP post packet flood ";…
Norfo4ik
0 votes, 1 answer

Suricata - How to use TCP Flags?

I wrote the following rules: alert tcp any any -> 192.168.6.4 any (msg:"SYN"; flags: S;) alert tcp any any -> 192.168.6.4 any (msg:"FIN"; flags: F;) The SYN rule is matching. The FIN isn't. I can't find a part in their documentation for TCP…
flippie
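The post above is a question without its answer, so the following is an added illustration rather than anything from the thread or from Suricata's code base. It models the documented semantics of the `flags` keyword (`flags:[modifier]<flags>[,<ignore flags>]`: no modifier means the packet's flags must equal the listed ones exactly, `+` requires the listed flags and tolerates others, `*` matches if any listed flag is set, `!` matches if none is set, and bits named after the comma are masked out before comparing) and runs the question's two rules, plus two assumed variants, against a few constructed packets. The point worth seeing: the FIN of a normal connection close also carries ACK, so `flags:F` without a modifier only matches a bare FIN such as a FIN scan sends.

```python
"""Model of Suricata's `flags` keyword semantics.

Added example, not Suricata's own code and not from the question: a
re-implementation of the documented `flags:[modifier]<flags>[,<ignore>]`
matching rules, so rule spellings can be tried against constructed
packets offline before touching a sensor.
"""
import re

# Bit positions of the TCP flags byte; letters as Suricata names them.
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
             "A": 0x10, "U": 0x20, "E": 0x40, "C": 0x80}


def parse_flags(text: str) -> int:
    """Turn a flag string such as "SA" (or "0" for 'no flags set') into a bitmask."""
    text = text.strip()
    if text == "0":
        return 0
    mask = 0
    for ch in text:
        if ch not in FLAG_BITS:
            raise ValueError("unknown TCP flag %r" % ch)
        mask |= FLAG_BITS[ch]
    return mask


def flags_match(option: str, pkt_flags: int) -> bool:
    """Evaluate one `flags:` option value against a packet's 8-bit flags field."""
    option = option.strip()
    modifier = ""
    if option and option[0] in "+*!":
        modifier, option = option[0], option[1:]
    tested, _, ignored = option.partition(",")
    test = parse_flags(tested)
    # Bits listed after the comma are ignored before any comparison.
    pkt = pkt_flags & ~(parse_flags(ignored) if ignored.strip() else 0) & 0xFF
    if modifier == "+":
        return pkt & test == test      # listed flags set, others allowed
    if modifier == "*":
        return pkt & test != 0         # any listed flag set
    if modifier == "!":
        return pkt & test == 0         # none of the listed flags set
    return pkt == test                 # exact match


FLAGS_OPTION = re.compile(r"\bflags\s*:\s*([^;]+);")


def rule_matches(rule: str, pkt_flags: int) -> bool:
    """Pull the flags: option out of a rule line and evaluate only that option."""
    m = FLAGS_OPTION.search(rule)
    if not m:
        raise ValueError("rule has no flags: option")
    return flags_match(m.group(1), pkt_flags)


# Constructed packets: a handshake and a normal close, plus a bare FIN as a FIN scan sends.
PACKETS = {
    "SYN": FLAG_BITS["S"],
    "SYN/ACK": FLAG_BITS["S"] | FLAG_BITS["A"],
    "FIN/ACK (normal close)": FLAG_BITS["F"] | FLAG_BITS["A"],
    "bare FIN (FIN scan)": FLAG_BITS["F"],
}

# The first two rules follow the question; the last two are assumed variants.
RULES = [
    'alert tcp any any -> 192.168.6.4 any (msg:"SYN"; flags:S;)',
    'alert tcp any any -> 192.168.6.4 any (msg:"FIN"; flags:F;)',
    'alert tcp any any -> 192.168.6.4 any (msg:"FIN+"; flags:+F;)',
    'alert tcp any any -> 192.168.6.4 any (msg:"FIN ignore ACK"; flags:F,A;)',
]


def matrix() -> dict:
    """msg -> {packet label: matched?} for every rule against every packet."""
    out = {}
    for rule in RULES:
        msg = re.search(r'msg:"([^"]*)"', rule).group(1)
        out[msg] = {label: rule_matches(rule, f) for label, f in PACKETS.items()}
    return out


if __name__ == "__main__":
    for msg, row in matrix().items():
        print("%-16s" % msg, row)
```

Running it shows the `SYN` rule matching only the client's SYN (a SYN/ACK has an extra bit and fails the exact comparison), the `FIN` rule matching only the bare FIN, and either `flags:+F` or `flags:F,A` also matching the FIN/ACK of an ordinary close. The model covers only the keyword's documented matching rules; which packets a sensor actually sees still depends on flow and stream settings.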
0 votes, 1 answer

Help in Suricata rule bitmask syntax problem

I have written the following rule in my Suricata rules file: alert tcp any any <> any any (flow:established; content:"|65|"; offset:0; depth:1; byte_test:1, =, 3, 2, bitmask 0x03; msg:"detected"; classtype:bad-unknown; sid:222; rev:1;…
Khalid
0 votes, 1 answer

Suricata Ripple20 rule for IP-in-IP resulting in 100M alerts

I found too many events in Suricata after recent update regarding this rule: alert ip any any -> any any (msg:"ET EXPLOIT Possible CVE-2020-11900 IP-in-IP tunnel Double-Free"; ip_proto:4; metadata: former_category EXPLOIT;…
Giac
0 votes, 1 answer

Suricata not matching a packet

What happens to a packet that has no matching rule in Suricata? I assume it is ignored, but haven't found any definitive info on this. So, if my assumption is correct and the packet is ignored, would it be better to capture all non pass matched…
dcol
0 votes, 1 answer

Loopback with Suricata

Is there any way of analyzing loopback traffic with Suricata? I am trying it this way without success: root@security-onion:/home/sar/TFM/alerts/suricata# suricata -c /etc/suricata/suricata.yaml -i lo -l . -k none 7/9/2018 -- 19:32:25 - -…
0 votes, 1 answer

Analyzing Apache log with Snort

I need to analyze an Apache log with Snort and other IDS/WAFs (Suricata, mod_security and Shadow Daemon). In order to do so, I was thinking about creating TCP packets with the GET and POST requests stored in the Apache log with Scapy in Python.…
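Three of the questions on this page (alerting on a single-packet PCAP, building a PCAP of malicious traffic without real network gear, and replaying requests taken from an Apache log) come down to the same task: producing a pcap Suricata will read with `suricata -r`. The following is an added example, not code from any of the posts, from their answers or from Suricata, and it uses only the standard library so no Scapy install is needed. MACs, the 192.0.2.x addresses, ports, the `Host:` value and the log line are all constructed for the example.

```python
"""Hand-rolled pcap writer for Suricata rule tests (standard library only).

Added example: not code from any post above and not Suricata's own tooling.
Builds Ethernet/IPv4/TCP frames with valid checksums, writes them as a pcap
for `suricata -r`, and turns an Apache common-log line into a replayable HTTP
request with its handshake. MACs, IPs, ports, the log line and the request
are all constructed for the example.
"""
import re
import struct

PCAP_MAGIC, LINKTYPE_ETHERNET = 0xA1B2C3D4, 1
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10
SRC_MAC, DST_MAC = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum, used for both the IPv4 header and TCP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ip_bytes(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def build_frame(src, dst, sport, dport, flags, seq=0, ack=0, payload=b"") -> bytes:
    """Ethernet + IPv4 + TCP (no options), with both checksums filled in."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0) + payload
    pseudo = ip_bytes(src) + ip_bytes(dst) + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000,
                     64, 6, 0, ip_bytes(src), ip_bytes(dst))
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return DST_MAC + SRC_MAC + b"\x08\x00" + ip + tcp


def parse_frame(frame: bytes) -> dict:
    """Re-parse a frame; a recomputed checksum of 0 means the header is consistent."""
    ip = frame[14:34]
    tcp = frame[34:14 + struct.unpack("!H", ip[2:4])[0]]
    pseudo = ip[12:20] + struct.pack("!BBH", 0, ip[9], len(tcp))
    return {"ip_ok": checksum(ip) == 0, "tcp_ok": checksum(pseudo + tcp) == 0,
            "flags": tcp[13], "payload": tcp[(tcp[12] >> 4) * 4:]}


def pcap_bytes(frames, base_ts=1_600_000_000, gap_us=500) -> bytes:
    """Classic pcap file (little-endian, microsecond timestamps), one record per frame."""
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
    for i, frame in enumerate(frames):
        usec = i * gap_us
        out += struct.pack("<IIII", base_ts + usec // 1_000_000, usec % 1_000_000,
                           len(frame), len(frame))
        out += frame
    return bytes(out)


def http_session(client, server, sport, request: bytes) -> list:
    """SYN, SYN/ACK, ACK, then the request: a flow Suricata sees from its start."""
    cseq, sseq = 1000, 5000
    return [
        build_frame(client, server, sport, 80, SYN, seq=cseq),
        build_frame(server, client, 80, sport, SYN | ACK, seq=sseq, ack=cseq + 1),
        build_frame(client, server, sport, 80, ACK, seq=cseq + 1, ack=sseq + 1),
        build_frame(client, server, sport, 80, PSH | ACK, seq=cseq + 1, ack=sseq + 1,
                    payload=request),
    ]


COMMON_LOG = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>HTTP/\d\.\d)"')


def frames_from_log_line(line, client="192.0.2.10", server="192.0.2.20",
                         sport=40000, host="example.test") -> list:
    """Rebuild the request recorded in an Apache common-log line as handshake + data."""
    m = COMMON_LOG.search(line)
    if not m:
        raise ValueError("no request field in log line")
    request = "%s %s %s\r\nHost: %s\r\n\r\n" % (m["method"], m["path"], m["proto"], host)
    return http_session(client, server, sport, request.encode())


if __name__ == "__main__":
    # Constructed Apache log line; the traversal in the path is the thing to alert on.
    line = '192.0.2.10 - - [11/Feb/2022:10:00:00 +0000] "GET /abc/../etc/passwd HTTP/1.1" 404 196'
    frames = frames_from_log_line(line)
    with open("replay.pcap", "wb") as f:        # full handshake + request
        f.write(pcap_bytes(frames))
    with open("one_packet.pcap", "wb") as f:    # only the data segment
        f.write(pcap_bytes(frames[-1:]))
    print(parse_frame(frames[-1]))
```

Feed either file to Suricata with `suricata -r replay.pcap -S test.rules -l .` and read `fast.log`. Two caveats matter for the single-packet case: with the default `stream.midstream: false`, a flow first seen at a data segment (`one_packet.pcap`) is not picked up, so rules on the `http` protocol that depend on the HTTP parser will not fire, whereas `replay.pcap` starts at the SYN and gives the parser a tracked flow; and hand-made frames with wrong checksums are dropped from stream processing unless Suricata is run with `-k none` (the frames here carry correct checksums). For the Apache-log case, an access log records only the request line, so POST bodies cannot be reconstructed from it; only the method, path and protocol are replayed.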
0 votes, 1 answer

Virustotal detecting threats in Suricata rule set

Virustotal scans are detecting threats in the Suricata default rule pack located at https://rules.emergingthreats.net/open/suricata-4.0/ Is this a false…
calk93