Does Suricata provide attacks/alerts with its counters?

Hi Team,

If I have an attack like TROJAN:SUBSEVEN:SCAN generated x number of times, does Suricata provide this anywhere in its logs or through other options?
Similarly, for all the attacks and the number of times they have been generated.

Hi, Suricata will provide an alert for each occurrence of the attack. It will not, however, offer summary values.

Yes @KAMALKUMARM, Suricata logs attack events, including their types and frequencies. You can find this information in. You can use tools like jq to parse and count specific alerts.
Also check the fast log for a quick reference of alerts. Use your SIEM system to query and analyze alert frequencies :slightly_smiling_face:

@Akiragi, could you please share more info on this?
Where can I find alerts and their frequencies?

Suricata alerts are logged based on values in the Suricata configuration file (suricata.yaml by default).

With the default configuration, alerts are sent to:

  • fast.log: one line per alert, containing the alert's signature id (sid), message and the 5-tuple
  • eve.json: one JSON record per alert, containing the alert details and the timestamp

Both of these files are written to the "default logging directory", which is:

  • specified on the command line with -l /path/to/log/directory
  • or, if not specified on the command line, taken from default-log-dir in the configuration file

You can use jq to process the eve.json file – note that the alerts have an event_type of alert (there are other types of log records in this file).

You can use the timestamps to calculate frequencies and other secondary telemetry.
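As an added worked example (not code from the thread or from the Suricata project), the following Python script does what the answer above describes: it reads eve.json line by line, keeps only records with event_type "alert", counts hits per signature id, and buckets one sid's hits by minute from the timestamps. The eve.json content is constructed inline for the example; the sid 1000001, the signature text and the addresses are placeholders, but the field layout (event_type, timestamp, src_ip, alert.signature_id, alert.signature) is the one Suricata's EVE output uses. The last sample line is deliberately truncated, which is what the tail of a live eve.json often looks like, so the parser skips it instead of aborting.

```python
import json
from collections import Counter
from datetime import datetime

# Constructed eve.json sample (not real Suricata output). sid, signature text and
# addresses are placeholders; the field layout matches Suricata's EVE format:
# one JSON object per line, alerts carry event_type "alert" plus an "alert"
# sub-object, and other event types (flow, dns, ...) share the same file.
# The final line is intentionally cut off to mimic a partially written record.
SAMPLE_EVE = """\
{"timestamp":"2024-05-01T10:00:00.000000+0000","event_type":"flow","src_ip":"10.0.0.5","dest_ip":"10.0.0.9","proto":"TCP"}
{"timestamp":"2024-05-01T10:00:01.100000+0000","event_type":"alert","src_ip":"10.0.0.5","src_port":40001,"dest_ip":"10.0.0.9","dest_port":27374,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":1000001,"rev":1,"signature":"EXAMPLE TROJAN SubSeven scan","category":"A Network Trojan was detected","severity":1}}
{"timestamp":"2024-05-01T10:00:02.200000+0000","event_type":"alert","src_ip":"10.0.0.5","src_port":40002,"dest_ip":"10.0.0.9","dest_port":27374,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":1000001,"rev":1,"signature":"EXAMPLE TROJAN SubSeven scan","category":"A Network Trojan was detected","severity":1}}
{"timestamp":"2024-05-01T10:00:03.300000+0000","event_type":"alert","src_ip":"10.0.0.5","src_port":40003,"dest_ip":"10.0.0.9","dest_port":27374,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":1000001,"rev":1,"signature":"EXAMPLE TROJAN SubSeven scan","category":"A Network Trojan was detected","severity":1}}
{"timestamp":"2024-05-01T10:00:30.000000+0000","event_type":"dns","src_ip":"10.0.0.7","dest_ip":"10.0.0.53","proto":"UDP","dns":{"type":"query","rrname":"example.test","rrtype":"A"}}
{"timestamp":"2024-05-01T10:01:30.400000+0000","event_type":"alert","src_ip":"10.0.0.6","src_port":50001,"dest_ip":"10.0.0.9","dest_port":27374,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":1000001,"rev":1,"signature":"EXAMPLE TROJAN SubSeven scan","category":"A Network Trojan was detected","severity":1}}
{"timestamp":"2024-05-01T10:01:45.500000+0000","event_type":"alert","src_ip":"10.0.0.8","src_port":50002,"dest_ip":"10.0.0.9","dest_port":22,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":1000002,"rev":1,"signature":"EXAMPLE SCAN SSH brute force attempt","category":"Attempted Administrator Privilege Gain","severity":2}}
{"timestamp":"2024-05-01T10:01:50.000000+0000","event_type":"alert","src_ip":"10.0
"""


def iter_alerts(lines):
    """Yield parsed alert records only, skipping other event types and any line
    that is not complete JSON (a live eve.json usually ends mid-record)."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if rec.get("event_type") == "alert" and isinstance(rec.get("alert"), dict):
            yield rec


def count_by_signature(alerts):
    """Total hits per (sid, signature text): the 'how many times did X fire' view."""
    counts = Counter()
    for rec in alerts:
        a = rec["alert"]
        counts[(a["signature_id"], a["signature"])] += 1
    return counts


def parse_timestamp(ts):
    """EVE timestamps look like 2024-05-01T10:00:01.100000+0000; %z accepts +HHMM."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z")


def per_minute(alerts, signature_id):
    """Hits of one sid bucketed by minute (keys YYYY-MM-DDTHH:MM), i.e. a rate view."""
    buckets = Counter()
    for rec in alerts:
        if rec["alert"]["signature_id"] == signature_id:
            minute = parse_timestamp(rec["timestamp"]).strftime("%Y-%m-%dT%H:%M")
            buckets[minute] += 1
    return dict(sorted(buckets.items()))


def top_sources(alerts, signature_id, n=5):
    """Which src_ip triggered a given sid most often (scanner vs. noise)."""
    c = Counter(rec["src_ip"] for rec in alerts
                if rec["alert"]["signature_id"] == signature_id)
    return c.most_common(n)


if __name__ == "__main__":
    # To run against a real file: open(path) instead of SAMPLE_EVE.splitlines()
    alerts = list(iter_alerts(SAMPLE_EVE.splitlines()))
    for (sid, sig), n in count_by_signature(alerts).most_common():
        print(f"{n:6d}  sid={sid}  {sig}")
    print(per_minute(alerts, 1000001))
    print(top_sources(alerts, 1000001))
```

For a one-off count without Python, the equivalent jq pipeline over the real file is `jq -r 'select(.event_type=="alert") | .alert.signature' eve.json | sort | uniq -c | sort -rn`; the script above is just that pipeline with the timestamp bucketing and per-source breakdown added, and with the truncated-last-line case handled so a live log can be read in place.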