Questions tagged [suricata]
Suricata is a free and open source, mature, fast and robust network threat detection engine.
18 questions

Matching network alerts with labelled flow data in Suricata [closed]
I'm working with network traffic from the CICIDS 2017 dataset https://www.unb.ca/cic/datasets/ids-2017.html specifically the "Tuesday Working Hours" capture. The dataset contains a collection of false ...
0 votes | 0 answers | 34 views
        
            
                1
            
            vote
        
        
            
                1
            
            answer
        
        
            
                295
            
            views
        
        
            
        ThreatFox alert on Cloudflare IP
                    On our company network, suricata just raised the following (single) alert:
{
    "timestamp": "2024-01-05T12:42:28.511703+0100",
    "flow_id": 1276412390854359,
    &...
                
            
       
        
            
                1
            
            vote
        
        
            
                1
            
            answer
        
        
            
                291
            
            views
        
        
            
            
            
        Snort / Suricata rules from HOME_NET with rule option flow:to_client
                    Reading through Suricata/Snort IDS rules, I can see examples such as below, and scratching my head to understand how is it feasible that a connection from home_network to external_network can have a ...
                
            
       
        
            
                0
            
            votes
        
        
            
                0
            
            answers
        
        
            
                129
            
            views
        
        
            
        Suricata 6.x not decoding MPLS packets
                    Manuals say modern Suricata supports decoding GRE/MPLS/etc by default. My config file uses all the CPU cores with normal traffic. However, during analyzing MPLS traffic only 1 core is 100% busy and ...
                
            
       
        
            
                1
            
            vote
        
        
            
                1
            
            answer
        
        
            
                1k
            
            views
        
        
            
            
        I am noticing a malicious DNS query in Thunderbird
                    My Suricata IDS is generating this alert when starting Thunderbird:
ET INFO Observed DNS Query to .cloud TLD
You can analyze a json log:
{
  "_index": "suricata-1.1.0-2022.02.11",
...
                
            
       
        
            
                2
            
            votes
        
        
            
                1
            
            answer
        
        
            
                575
            
            views
        
        
            
            
        What is the best way to create a PCAP file containing malicious traffic?
                    I'm in my last year of university and for my honour's project I am tasked with comparing two intrusion detection systems, snort and suricata, hosted on a virtual machine on my PC.
As I have no access ...
                
            
       
        
            
                0
            
            votes
        
        
            
                1
            
            answer
        
        
            
                1k
            
            views
        
        
            
            
            
        suricata http rule to identify POST requests
                    I can’t figure it out / understand. Need to write a rule that catches an HTTP POST request from one ip address more than three times in 10 seconds and logs it.
alert http $EXTERNAL_NET any -> $...
                
            
       
        
            
                1
            
            vote
        
        
            
                0
            
            answers
        
        
            
                270
            
            views
        
        
            
        Can I write a suricata rule based on the timestamp the packet arrives on the host?
                    We have a need to check the arrival time of two relative packets, like packet1 and packet2, if packet2 arrives too late after packet1, we want an alert for it.
Is it possible to write a rule for this? ...
                
            
       
        
            
                0
            
            votes
        
        
            
                1
            
            answer
        
        
            
                4k
            
            views
        
        
            
        Suricata - How to use TCP Flags?
                    I wrote the following rules:
alert tcp any any -> 192.168.6.4 any (msg:"SYN"; flags: S;)
alert tcp any any -> 192.168.6.4 any (msg:"FIN"; flags: F;)
The SYN rule is matching....
                
            
       
        
            
                0
            
            votes
        
        
            
                1
            
            answer
        
        
            
                290
            
            views
        
        
            
        Help in Suricata rule bitmask syntax problem
                    I have written the following rule in my Suricata rules file:
alert tcp any any <> any any (flow:established; content:"|65|"; offset:0; depth:1; byte_test:1, =, 3, 2, bitmask 0x03; msg:&...
                
            
       
        
            
                0
            
            votes
        
        
            
                1
            
            answer
        
        
            
                393
            
            views
        
        
            
            
            
        Suricata Ripple20 rule for IP-in-IP resulting in 100M alerts
                    I found too many events in Suricata after recent update regarding this rule:
alert ip any any -> any any (msg:"ET EXPLOIT Possible CVE-2020-11900 IP-in-IP tunnel Double-Free"; ip_proto:4; ...
                
            
       
        
            
                1
            
            vote
        
        
            
                1
            
            answer
        
        
            
                1k
            
            views
        
        
            
            
        Suricata and rules based on MAC address
                    I'm working on a project to implement SDN in a network. One of my flows is redirecting to the Suricata IDS and the flow works in layer 2 with MAC address.
Since I've read that Snort only works in ...
                
            
       
        
            
                1
            
            vote
        
        
            
                1
            
            answer
        
        
            
                718
            
            views
        
        
            
            
        Suricata bypass keyword
                    I have not found any examples on using the 'bypass' keyword.
Does it work in any rule? Are there performance implications using 'bypass'.
For example, would this bypass all tcp traffic?
alert tcp any ...
                
            
       
        
            
                0
            
            votes
        
        
            
                1
            
            answer
        
        
            
                663
            
            views
        
        
            
        Suricata not matching a packet
                    What happens to a packet that has no matching rule in Suricata. I assume it is ignored, but haven't found any definitive info on this.
So, if my assumption is correct and the packet is ignored, would ...
                
            
       
        
            
                1
            
            vote
        
        
            
                1
            
            answer
        
        
            
                2k
            
            views
        
        
            
            
            
        Custom Suricata's HTTP alert isn't triggered when using ".." as part of the scanned uri. Why? [closed]
                    I have a doubt with a Suricata custom rule.
If I do: alert http any any -> any 80 (msg:"blabla"; content:"abc"; http_uri; sid:1000000;) I can get requests to http://x.x.x.x/abc uri in fast.log ...