suricata | selks | some basic alert rules

Test for domain (https):
Test for domain (http):
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"TEST HOST"; flow:established,to_server; http.method; content:"GET"; content:""; classtype:unknown; sid:107500113; rev:3; metadata: created_at 2022_02_18, updated_at 2022_02_18;)
Test for IP:
Test for uri:

SELKS | Suricata | update the rulesets

You can use the web interface to do that, but I had some issues doing so. It's better (and much faster) to run this:
/bin/su -s /bin/bash -c 'cd /usr/share/python/scirius/ && . bin/activate && python bin/ updatesuricata && deactivate' www-data
You can check your success by inspecting /etc/suricata/rules/scirius.rules. To check the plausibility/validity of your rules […]

SELKS | suricata | Scirius | Elasticsearch | Hints

1. Manual update
SELKS performs a daily Suricata update (via /etc/crontab). To execute it manually, call it as www-data (!!!) NEVER RUN AS ROOT!!!
# /bin/su -s /bin/bash -c 'cd /usr/share/python/scirius/ && . bin/activate && python bin/ updatesuricata && deactivate' www-data
2. fast.log rotation
You MUST restart Suricata to create a functional fast.log after logrotate. SIGHUP and/or […]