My company is trying to initiate using Suricata for all her IPS and IDS. I am working on integrating the process into the server. The problem I'm having is that logs are not being generated into the "fast.log" file, so it won't be able to send any form of alert. It is enabled in the suricata.yaml config file, and the correct interface and IP address are also listed in the config file. Any help you can give will be well appreciated. Pasted below is a view of my suricata.yaml file output. Thank you so much.
# Configure the type of alert (and other) logging you would like.
outputs:
  - fast:
      enabled: yes
      filename: fast.log
      append: yes
Hi,
A few preliminary questions:
- Suricata version
- Which ruleset(s)
- What packet acquisition method
- Operating system
- Machine type
There could be many things happening:
- There's no ruleset or the ruleset failed to load (see suricata.log for output)
- There's no traffic (see stats.log for non-zero, increasing packet and byte counts)
- Suricata starts but fails (see suricata.log)
- The traffic doesn't trigger any alerts
There can be many
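The checklist in the reply above turned into offline checks, as an added example that is not code from the thread or from the Suricata project: does suricata.log report rules loaded, does the kernel packet counter in stats.log increase between two snapshots, is detect.alert above zero, and does the rule file parse as action/protocol/source/arrow/destination with a sid (the same check applies to the SSH rules posted later in the thread). The log excerpt, stats snapshots and rules below are constructed samples, and the /var/log/suricata/ path is an assumption for the reader's own install.

```shell
#!/bin/sh
# Added example, not part of the thread: offline checks for the points raised
# above (did the ruleset load, is traffic arriving, did anything alert, is the
# rule file well-formed). Each check runs here against constructed sample
# excerpts; on a real host point them at suricata.log, stats.log and your
# .rules file under the default-log-dir set in suricata.yaml (commonly
# /var/log/suricata/, an assumption for your install).

# Constructed suricata.log excerpt (same shape as a 6.x startup log).
SAMPLE_SURICATA_LOG='1/1/2024 -- 10:00:00 - <Info> - 1 rule files processed. 2 rules successfully loaded, 0 rules failed
1/1/2024 -- 10:00:01 - <Notice> - all 1 packet processing threads, 4 management threads initialized, engine started.'

# Constructed stats.log snapshots, taken a few seconds apart.
SAMPLE_STATS_T1='capture.kernel_packets                        | Total                     | 1200
detect.alert                                  | Total                     | 0'
SAMPLE_STATS_T2='capture.kernel_packets                        | Total                     | 1850
detect.alert                                  | Total                     | 0'

# Constructed rule file: two well-formed SSH rules, plus one whose arrow is the
# Unicode "→" (a paste artefact that makes Suricata reject the rule).
GOOD_RULES='alert tcp any any -> $HOME_NET 22 (msg:"Inbound SSH traffic detected"; sid:100001; rev:1;)
alert tcp $HOME_NET any -> any 22 (msg:"Outbound SSH traffic detected"; sid:100002; rev:1;)'
BAD_RULE='alert tcp any any → $HOME_NET 22 (msg:"Inbound SSH traffic detected"; sid:100001; rev:1;)'

# rules_loaded LOGTEXT: print the "N rules successfully loaded" count; fail if zero or missing.
rules_loaded() {
    n=$(printf '%s\n' "$1" | sed -n 's/.* \([0-9][0-9]*\) rules successfully loaded.*/\1/p' | tail -n 1)
    if [ -z "$n" ] || [ "$n" -eq 0 ]; then
        echo "no rules loaded - check the rule-files paths in suricata.yaml" >&2
        return 1
    fi
    echo "$n"
}

# counter STATSTEXT NAME: print the Total column of one stats.log counter.
counter() {
    printf '%s\n' "$1" | awk -v name="$2" -F'|' 'index($1, name) { gsub(/ /, "", $3); print $3; exit }'
}

# traffic_seen STATS_BEFORE STATS_AFTER: succeed only if kernel packets increased.
traffic_seen() {
    a=$(counter "$1" capture.kernel_packets)
    b=$(counter "$2" capture.kernel_packets)
    [ -n "$a" ] && [ -n "$b" ] && [ "$b" -gt "$a" ]
}

# alerts_fired STATSTEXT: succeed if detect.alert is above zero.
alerts_fired() {
    n=$(counter "$1" detect.alert)
    [ -n "$n" ] && [ "$n" -gt 0 ]
}

# rule_sanity RULESTEXT: print "good/total" and fail unless every non-comment line
# has an action, protocol, src/sport, ASCII arrow, dst/dport and a sid option.
rule_sanity() {
    total=$(printf '%s\n' "$1" | grep -c -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' || true)
    good=$(printf '%s\n' "$1" | grep -c -E \
        '^(alert|drop|pass|reject) [a-z]+ [^ ]+ [^ ]+ (->|<>) [^ ]+ [^ ]+ \(.*sid:[0-9]+;.*\)$' || true)
    echo "$good/$total"
    [ "$good" -eq "$total" ]
}

# non_ascii_lines RULESTEXT: count lines with bytes outside printable ASCII
# (curly quotes, "→" and similar paste artefacts).
non_ascii_lines() {
    printf '%s\n' "$1" | LC_ALL=C grep -c '[^ -~]' || true
}

# Walk the checklist once against the samples and report what failed.
diagnose() {
    rules_loaded "$SAMPLE_SURICATA_LOG" >/dev/null || echo "1. ruleset did not load"
    traffic_seen "$SAMPLE_STATS_T1" "$SAMPLE_STATS_T2" || echo "2. no packets reaching Suricata"
    alerts_fired "$SAMPLE_STATS_T2" || echo "3. traffic seen but no rule matched (detect.alert is 0)"
    rule_sanity "$GOOD_RULES" >/dev/null || echo "4. rule file has malformed lines"
}

diagnose
```

On the constructed samples the script reports only point 3: rules loaded, packets arrived, the rule lines are well-formed, yet detect.alert stayed at zero, which is exactly the state where fast.log remains empty even though the output is enabled. Take two real stats.log snapshots a few seconds apart for the traffic check; a single snapshot only shows that the counter is non-zero, not that it is still increasing.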
Thank you for this reply.
Please give me three minutes to log in and provide you with all these details.
The details are as follows:
1. This is Suricata version 6.0.13 RELEASE.
2. alert tcp any any -> $HOME_NET 22 (msg:"Inbound SSH traffic detected"; sid:100001; rev:1;)
   alert tcp $HOME_NET any -> any 22 (msg:"Outbound SSH traffic detected"; sid:100002; rev:1;)
   The variable for $HOME_NET is already configured in suricata.yaml.
3. I used "ping", "scapy", www.testmynids.org.
4. Fedora
5. I am running Suricata inside a container to test a server.
For the previous container I was working with, the stats.log was not empty, but the fast.log and eve.json were both empty.
Please, what other suggestion do you have that could help me sort this out?
Can you supply your suricata.yaml configuration file and stats.log?