Questions tagged [suricata]

Suricata refers to the multi-threaded Snort implementation.

Suricata is a multi-threaded fork of the open source IDS known as Snort that is owned and maintained by the OISF (Open Information Security Foundation). Unlike Snort, Suricata supports balancing the analysis load across multiple instances of the tool, allowing better overall utilization of the available processor cores and faster performance.

80 questions
2
votes
1 answer

How to mirror traffic to Suricata container

My goal is to sniff all traffic of the "attacker" container with suricata so all its suspicious traffic makes an alert jump. So my planning was to have something like this: So that both containers could have internet access through the host with…
19mike95
2
votes
1 answer

error when running manage.py migrate

I got errors that I can't fix when I'm trying to run the Scirius project on my Ubuntu 16.04 LTS, and I'm a newbie in this field. Can someone help me out? I need to run this project that I cloned from https://github.com/StamusNetworks/scirius python…
2
votes
2 answers

Using snort/suricata, I want to generate an SSH alert for every failed login to my Home Network

I am setting up an Intrusion Detection System (IDS) using Suricata. I want to write a custom rule which will generate an alert whenever failed login attempts occur to my virtual machine. Example: alert tcp any any -> $HOME_NET 22 (msg:"SSH Brute…
Siddesh S
2
votes
0 answers

MHN Suricata Wordpot/Cowrie ELK Stack only a few events in ELK

I successfully installed MHN from github. After deploying several sensors I observed that the honeymap and attack page of MHN register attacks (nmap or logins to wordpot or cowrie) correctly. However the ELK Stack is only picking up the wordpot and…
emcewees
2
votes
1 answer

Suricata for Custom logs

I would like to use suricata as an IDS for AWS VPC flow logs (offline mode). Has anyone implemented this already, or is any other IDS suitable for this scenario? Thanks in advance
1
vote
0 answers

Suricata fail to block when using nfqueue mode

I'm setting up suricata on debian 10 to block expected requests with the run command as below: /usr/bin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid -q 3 -q 4 -q 5 -D -v --user=logstash Whenever I receive a request which is…
1
vote
1 answer

AWS network firewall with Suricata rules

I'm looking into implementing AWS Network Firewall with Suricata IPS rules, and find it really hard to find real examples and ideas of what is relevant regarding rules etc. Our customer put emphasis on IPS, IDS and anti-malware. My setup today is…
1
vote
1 answer

Compare files and comment the same lines in new file

Goal: I want to compare two Suricata rule files and comment out the same lines (alert "SIDs") from file1 in file2 unless it is already commented out. I understand there is a better way to do this with the Suricata threshold file but I unfortunately don't…
grizzly
1
vote
1 answer

Challenging regex clause in Python - Suricata / fast.log

Any regex wizards able to help? I'm trying to get the regex to parse the Suricata fast log. So far I found an old post that kind of works here but would like to get all the data out of the log. So far I can get the time, date, source ip, source port,…
1
vote
0 answers

Building Suricata could not compile 'der-parser'

I'm trying to build Suricata following the tutorial of Rapid7. I did it before, but on the new machine I'm stuck at this problem... My steps: # suricata static build apt-get install libpcre3-dbg libpcre3-dev autoconf automake libtool libpcap-dev…
Ecofintech
1
vote
1 answer

What does "EAL: No available hugepages reported in hugepages-1048576kB" mean in dpdk?

I'm new to DPDK, and I'm installing a DPDK version of suricata on the server. When I run suricata --list-dpdkports, it shows EAL: Detected 128 lcore(s) EAL: Detected 1 NUMA nodes EAL: Multi-process socket /tmp/dpdk/rte/mp_socket EAL: Selected IOVA…
Eric sun
1
vote
0 answers

Is it normal to connect when traffic accessing a specific port is dropped in suricata IPS mode?

I am experimenting on suricata ips. The currently accessible web server is open on port 8891. I added the following to the suricata rule to block traffic to this server. drop tcp any any -> $HOME_NET 8891 (msg:"test drop msg";…
윤태일
1
vote
2 answers

How to run Suricata on PCAP mode and get results in fast.log

I'm trying to get suricata to alert on a pcap in the fast.log file instead of a network interface as it says it does in the documentation, but I can't get any output in fast.log. My Setup docker image ubuntu:latest Suricata 5.0.2 # suricata…
MikeSchem
1
vote
1 answer

How to send Suricata log to Kafka?

After installing and configuring Suricata 5.0.2 according to the document https://suricata.readthedocs.io/, I try to change some configuration in suricata.yaml by adding: - alert-json-log: enabled: yes filetype: kafka kafka: brokers: >…
Tran Xu
1
vote
1 answer

How to define a few addresses in HOME_NET in suricata.yml?

I am trying to configure suricata in my network. When I set one HOME_NET in /etc/suricata/suricata.yml as : HOME_NET: "[172.20.5.0/24]" everything works fine. But when I try to define more than one pool of addresses as: HOME_NET:…
roffensive