Hi. You define the signature sources yourself.
Suricata might, depending on your installation method, ship with some rules preconfigured.
suricata-update can list some public and commercial rule sources. https://suricata-update.readthedocs.io/en/latest/index.html
Here is one simple take on how you could write your signature (the flowbits keyword is spelled "flowbits", and the option and bit name are separated by a comma):

alert ip any any -> any any (msg:"TCP side 1"; content:"POST admin.php"; flowbits:set,placeholdername; sid:1;)
alert ip any any -> any any (msg:"TCP side 2"; content:"Hi friend"; flowbits:isset,placeholdername; sid:2;)
Woops. I had a feeling writing the comment that something was off, and indeed there were multiple typos.
I edited the comment to include the msg keyword before "TCP side 1". That keyword just specifies an arbitrary message that will be shown when the rule triggers.
The rules above should trigger when one package in a session contains “POST admin.php” and a subsequent message contains “Hi friend”.
The rules can be modified to be TCP only by swapping alert ip with alert tcp. You can also limit one rule to clients and one rule to servers by the “flow” keyword. You can also match specific HTTP fields using the http keywords if that is what you want.
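Added example (not from the original comment) of the same rule pair restricted to TCP and to one direction each, with the first rule matching on HTTP method and URI buffers and suppressing its own alert so only the completed two-step pattern is logged. The sids, the bit name admin_post and the classtype are placeholders chosen here.

```suricata
# Step 1: client sends POST for admin.php -> set the flowbit, but do not alert on its own
alert http any any -> any any (msg:"admin.php POST seen (stage 1)"; \
    flow:established,to_server; \
    http.method; content:"POST"; \
    http.uri; content:"admin.php"; \
    flowbits:set,admin_post; flowbits:noalert; \
    classtype:web-application-activity; sid:1000001; rev:1;)

# Step 2: later in the same flow the server replies "Hi friend" -> alert only if step 1 happened
alert tcp any any -> any any (msg:"admin.php POST followed by 'Hi friend' response (stage 2)"; \
    flow:established,to_client; \
    content:"Hi friend"; \
    flowbits:isset,admin_post; \
    classtype:web-application-activity; sid:1000002; rev:1;)
```

Run it against your pcap with `suricata -S rules.rules -r capture.pcap` and check eve.json or fast.log for sid 1000002; with noalert on stage 1, an alert appears only when both conditions were met in one flow.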
Indeed it is two different signatures. One for each “message”.
They relate to each other through the flowbit keyword. Documentation was linked earlier.
My interpretation of your question: “Can suricata ‘show’/alert/log two different signatures on one pcap file?”. Let me know if I misunderstood.
Yes. All rules matching traffic patterns in the pcap will “trigger” and be logged, relevant packet metadata and some packet payload with the matching traffic pattern will also be logged for each rule.
I would recommend just writing some rules and trying it out.