Alert logs not triggered

Nacy · November 25, 2020, 2:34pm

I cannot see alerts logs in fast.log
I used ubuntu 16.04 and suricat 6

suricatalfon · November 26, 2020, 8:12am

Hi,

Do you have any rule activated that detects ping icmp ?.

On the other hand, try using a pcap to check if it generates other types of alerts. Also put here your suricata.yaml to review.

Nacy · November 26, 2020, 4:47pm

This is my rule et my suricata.yaml file

suricatalfon · November 26, 2020, 5:25pm

Hí,

Much of the content of the yaml is missing. Try the following:

check that your rule is active in yaml.
try these rules:

alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg: “Outbound ICMP detected”; sid:1; rev:1; classtype:icmp-custom-event;)

alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg: “Inbound ICMP detected”; sid:2; rev:1; classtype:icmp-custom-event;)

Topic		Replies	Views
Fast.log enabled but not generating logs Help suricata	7	1683	July 11, 2023
Some alerts are not logged in fast.log Help rules , suricata	7	57	August 30, 2024
I can only see the first alert of a rule Help	2	1854	December 15, 2020
Suricata does not write to fast.log and cannot produce alert-debug.log Help	9	14331	May 29, 2020
Testing ping alert rule Rules suricata	5	4242	July 27, 2022