suricata | selks | some basic alert rules

Test for domain (https):
Test for domain (http):
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"TEST HOST"; flow:established,to_server; http.method; content:"GET"; http.host; content:"axxel.net"; classtype:unknown; sid:107500113; rev:3; metadata: created_at 2022_02_18, updated_at 2022_02_18;)
Test for IP:
Test for uri:
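A small linter for rules like the one above, added here as an example (it is not part of this post, SELKS or Scirius). It parses the rule header and option list and flags what typically goes wrong when a rule is pasted from a web page: curly quotes, a missing msg/sid/rev, an unquoted content, uppercase content against the lowercased http.host buffer, an http.* keyword on a non-HTTP protocol, or a sid reused by another rule. The IP and URI rules in the sample list are constructed placeholders for the post's missing "Test for IP" and "Test for uri" entries (203.0.113.10, /test-uri and the sids 107500114/107500115 are assumptions), and the last rule is deliberately broken so the linter has something to catch.

```python
"""Minimal Suricata rule linter (added example; not SELKS or Scirius code)."""
import re

ACTIONS = {"alert", "drop", "reject", "rejectsrc", "rejectdst", "rejectboth", "pass"}
CURLY = "\u201c\u201d\u2018\u2019"          # quotes a web editor tends to substitute
TO_ASCII = str.maketrans(CURLY, "\"\"''")

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")

# Constructed sample rules. The first is the http.host test rule from the post; the IP
# and URI rules are assumptions standing in for the post's missing entries; the last
# one is deliberately broken (curly quotes, sid reused from the first rule).
RULES = [
    'alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"TEST HOST"; flow:established,to_server; '
    'http.method; content:"GET"; http.host; content:"axxel.net"; classtype:unknown; '
    'sid:107500113; rev:3; metadata: created_at 2022_02_18, updated_at 2022_02_18;)',
    'alert ip $HOME_NET any -> 203.0.113.10 any (msg:"TEST IP"; classtype:unknown; sid:107500114; rev:1;)',
    'alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"TEST URI"; flow:established,to_server; '
    'http.uri; content:"/test-uri"; classtype:unknown; sid:107500115; rev:1;)',
    'alert http $HOME_NET any -> $EXTERNAL_NET any (msg:\u201cBAD QUOTES\u201d; http.host; '
    'content:\u201caxxel.net\u201d; sid:107500113; rev:1;)',
]


def split_options(opts):
    """Split the option body on ';' outside double quotes, honouring backslash escapes."""
    out, buf, in_quotes, escaped = [], [], False, False
    for ch in opts:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == '"':
            buf.append(ch)
            in_quotes = not in_quotes
        elif ch == ";" and not in_quotes:
            out.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    out.append("".join(buf).strip())
    return [o for o in out if o]


def parse_rule(text):
    """Return the header fields plus an ordered list of (keyword, value) options."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("not a rule header: " + text[:40])
    rule = m.groupdict()
    body = rule.pop("opts")
    rule["options"] = []
    for item in split_options(body):
        key, _, val = item.partition(":")
        rule["options"].append((key.strip(), val.strip()))
    return rule


def lint_rule(text):
    """Return the list of problems found in one rule (empty list means clean)."""
    problems = []
    if any(c in text for c in CURLY):
        problems.append('curly quotes present; Suricata only accepts ASCII "')
        text = text.translate(TO_ASCII)       # keep parsing to report the rest
    try:
        rule = parse_rule(text)
    except ValueError as exc:
        return problems + [str(exc)]
    if rule["action"] not in ACTIONS:
        problems.append("unknown action %r" % rule["action"])
    keys = [k for k, _ in rule["options"]]
    for required in ("msg", "sid", "rev"):
        if required not in keys:
            problems.append("missing %s" % required)
    sid = dict(rule["options"]).get("sid", "")
    if sid and not sid.isdigit():
        problems.append("sid must be an integer, got %r" % sid)
    if rule["proto"] not in ("http", "tcp") and any(k.startswith("http.") for k in keys):
        problems.append("http.* keyword on non-http protocol %s" % rule["proto"])
    prev = None
    for key, val in rule["options"]:
        if key == "content":
            if not (val.startswith('"') and val.endswith('"')):
                problems.append("content value must be double-quoted: %s" % val)
            elif prev == "http.host" and val != val.lower():
                # Suricata lowercases the http.host buffer, so mixed-case content never matches
                problems.append("http.host buffer is lowercased; use lowercase content")
        prev = key
    return problems


def lint_rules(rules):
    """Lint every rule and additionally flag sids reused across rules."""
    report = {i: lint_rule(r) for i, r in enumerate(rules)}
    seen = {}
    for i, text in enumerate(rules):
        m = SID_RE.search(text)
        if not m:
            continue
        if m.group(1) in seen:
            report[i].append("sid %s already used by rule %d" % (m.group(1), seen[m.group(1)]))
        else:
            seen[m.group(1)] = i
    return report


if __name__ == "__main__":
    for idx, probs in lint_rules(RULES).items():
        print("rule %d: %s" % (idx, "; ".join(probs) or "ok"))
```

Run it against a rules file by reading the lines into the list instead of RULES; it complements, rather than replaces, the authoritative check, which is loading the rules with `suricata -T`.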

SELKS | Suricata | update the rulesets

You can use the web interface to do that, but I had some issues doing so. It's better (and much faster) to run this:
/bin/su -s /bin/bash -c 'cd /usr/share/python/scirius/ && . bin/activate && python bin/manage.py updatesuricata && deactivate' www-data
You can check your success by inspecting /etc/suricata/rules/scirius.rules (the rules file Scirius generates for Suricata). To check the plausibility/validity of your rules […]

SELKS | suricata | Nagios monitoring

Want to monitor Suricata via Nagios? On the Suricata machine do:
1. Create a pipe and set permissions (make sure /var/pipes exists first). Note that mode 666 lets every local user read the alert stream or inject fake lines into it; restrict it to the Suricata and Nagios users where you can.
# mknod -m 666 /var/pipes/suricata.pipe p
2. Let Suricata write the fast log to this pipe by tuning /etc/suricata/selks[VERSION]-addin.yaml:
outputs:
  # a line based alerts log similar to Snort's fast.log
  - fast:
      enabled: yes
      filename: /var/pipes/suricata.pipe
      append: yes
[…]
Keep in mind that opening a FIFO for writing blocks until something has opened it for reading, so start the consumer before (re)starting Suricata.
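A Nagios-style check that consumes the pipe from the two steps above, added as an example (it is not a SELKS or Nagios-supplied plugin). It drains whatever fast.log lines are buffered in the FIFO without blocking, parses them, and maps the result to the usual Nagios exit codes with perfdata. The pipe path, the warn/crit thresholds and the sample lines are assumptions; the sample lines are constructed in the fast.log format, not captured output.

```python
"""Nagios check consuming Suricata fast.log lines from a FIFO (added example)."""
import os
import re
import select
import sys

PIPE = "/var/pipes/suricata.pipe"   # the FIFO created with mknod in step 1 (assumption)

# fast.log line layout:
# <timestamp>  [**] [gid:sid:rev] <msg> [**] [Classification: ...] [Priority: N] {PROTO} src:port -> dst:port
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?\s+\[Priority:\s*(?P<prio>\d+)\]"
    r"\s+\{(?P<proto>[^}]+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)

OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3   # Nagios plugin exit codes

# Constructed sample lines (not real captures); the first mirrors the TEST HOST rule.
SAMPLE = [
    "02/18/2022-10:15:32.123456  [**] [1:107500113:3] TEST HOST [**] "
    "[Classification: Unknown Traffic] [Priority: 3] {TCP} 192.168.1.10:51234 -> 93.184.216.34:80",
    "02/18/2022-10:15:33.000001  [**] [1:107500114:1] TEST IP [**] "
    "[Classification: Unknown Traffic] [Priority: 3] {TCP} 192.168.1.10:51235 -> 203.0.113.10:443",
    "this line is not an alert",
]
PRIO1_LINE = (
    "02/18/2022-10:15:34.500000  [**] [1:107500116:1] TEST ADMIN [**] "
    "[Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 203.0.113.10:4444 -> 192.168.1.10:22"
)


def parse_fast_line(line):
    """Parse one fast.log line into a dict, or return None for non-alert lines."""
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    alert = m.groupdict()
    for key in ("gid", "sid", "rev", "prio"):
        alert[key] = int(alert[key])
    return alert


def read_pipe(path, timeout=2.0):
    """Drain what is currently buffered in the FIFO without blocking.

    O_NONBLOCK makes open() succeed even if Suricata has not written yet, and
    select() bounds every wait so the check always returns within `timeout`.
    """
    fd = os.open(path, os.O_RDONLY | os.O_NONBLOCK)
    chunks = []
    try:
        while True:
            ready, _, _ = select.select([fd], [], [], timeout)
            if not ready:
                break
            data = os.read(fd, 65536)
            if not data:            # no writer attached: EOF
                break
            chunks.append(data)
    finally:
        os.close(fd)
    return b"".join(chunks).decode("utf-8", "replace").splitlines()


def evaluate(lines, warn=1, crit=5):
    """Summarise alert lines into a Nagios (exit_code, status_text) pair.

    Any priority-1 alert is CRITICAL outright; otherwise the alert count is
    compared against the warn/crit thresholds.
    """
    alerts = [a for a in (parse_fast_line(l) for l in lines) if a]
    high = [a for a in alerts if a["prio"] == 1]
    by_sid = {}
    for a in alerts:
        by_sid[a["sid"]] = by_sid.get(a["sid"], 0) + 1
    detail = ", ".join("sid %d x%d" % (s, n) for s, n in sorted(by_sid.items()))
    if high or len(alerts) >= crit:
        code, label = CRITICAL, "CRITICAL"
    elif len(alerts) >= warn:
        code, label = WARNING, "WARNING"
    else:
        code, label = OK, "OK"
    text = "SURICATA %s - %d alerts, %d priority-1 (%s)|alerts=%d;%d;%d" % (
        label, len(alerts), len(high), detail or "none", len(alerts), warn, crit)
    return code, text


def main(argv):
    path = argv[1] if len(argv) > 1 else PIPE
    try:
        lines = read_pipe(path)
    except OSError as exc:
        print("SURICATA UNKNOWN - cannot read %s: %s" % (path, exc))
        return UNKNOWN
    code, text = evaluate(lines)
    print(text)
    return code


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Two caveats that follow from FIFO semantics: the kernel buffers only a limited amount (64 KiB on a default Linux kernel) between two check runs, and a write to a full FIFO blocks the writer, so keep the check interval short or put a permanent reader (for example a process copying the pipe into a file) in front of this check; and because each run drains the pipe, alerts are counted once, by whichever run happens to read them.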

SELKS | suricata | Scirius | Elasticsearch | Hints

1. Manual update
SELKS performs a daily Suricata rule update (via /etc/crontab). To execute it manually, run it as www-data (!!!) NEVER RUN IT AS ROOT!!! (anything the update writes would otherwise be owned by root, and the www-data cron job and web UI could no longer update it):
# /bin/su -s /bin/bash -c 'cd /usr/share/python/scirius/ && . bin/activate && python bin/manage.py updatesuricata && deactivate' www-data
2. fast.log rotation
You MUST restart Suricata to create a functional fast.log after logrotate. SIGHUP and/or […]