Please include the following information with your help request:
- Suricata version - Suricata 7.0.2
- Operating system and/or Linux distribution - Windows 11
- How you installed Suricata (from source, packages, something else) - Windows installer file
I went through multiple posts, will share a few more details as well:
- default-rule-path: C:\Program Files\Suricata\rules\
- address-groups:
    HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
    #HOME_NET: "[192.168.0.0/16]"
- stats:
    enabled: yes
- # a line based alerts log similar to Snort's fast.log
  - fast:
      enabled: yes
      filename: fast.log
      append: yes
- eve-log:
    enabled: yes
    filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
    filename: eve.json
- eve-log:
- # include the name of the input pcap file in pcap file processing mode
  pcap-file: false
- # disabled you will get the default: console output.
  outputs:
  - console:
      enabled: yes
      type: json
  - file:
      enabled: yes
      level: info
      filename: suricata.log
      format: "[%i - %m] %z %d: %S: %M"
      type: json
  - syslog:
      enabled: no
      facility: local5
      format: "[%i] <%d> -- "
      type: json
  - alert-debug:
      enabled: yes
      filename: alert-debug.log
      append: yes
- # Linux high speed capture support
  af-packet:
    - interface: eth0
Did try it with Ethernet but no luck, so left it default
- Either way I use -i IP address so interface in yaml won't matter
- created an alert.rules and this is in it [ alert icmp any any -> $HOME_NET any (msg:"GPL ICMP Address Mask Reply undefined code"; icode:>0; itype:18; classtype:attempted-admin; sid:2100387; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;) ] ignore the "]"
- alert-debug.log is empty, as is fast.log
- I ran an nmap intense scan but nothing…
Please help as fast as you can as this is very urgent, I'm on a project.
suricata.yaml (85.8 KB)
fast.log (464 Bytes)
stats.log (1.1 MB)
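Since the post contains only the config fragments and the single rule, here is an added example (my own Python, not Suricata's engine and not code from the post) that evaluates just the header and the itype/icode options of the posted rule against a few constructed ICMP packets. HOME_NET is taken verbatim from the posted address-groups; the packets and their labels are made up for illustration. It shows what sid 2100387 can actually fire on: an ICMP Address Mask Reply (type 18) with a non-zero code, delivered to an address inside HOME_NET. nmap's ICMP host-discovery probes are echo requests (type 8) and timestamp requests (type 13), so they never satisfy itype:18 no matter how the capture interface is configured.

```python
"""Minimal evaluator for the header and ICMP options of the posted rule.
Added example, not Suricata code: it understands only the keywords that rule
uses (itype, icode, $HOME_NET) and shows which packets the rule can match."""
import ipaddress
from dataclasses import dataclass

# HOME_NET exactly as it appears in the post's address-groups section.
ADDRESS_GROUPS = {"HOME_NET": "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"}

# The rule from the post's alert.rules, with straight quotes and an ASCII arrow.
RULE = (
    'alert icmp any any -> $HOME_NET any '
    '(msg:"GPL ICMP Address Mask Reply undefined code"; icode:>0; itype:18; '
    'classtype:attempted-admin; sid:2100387; rev:8; '
    'metadata:created_at 2010_09_23, updated_at 2010_09_23;)'
)


@dataclass
class IcmpPacket:
    """Only the fields the rule looks at (constructed input, not a capture)."""
    src: str
    dst: str
    itype: int
    icode: int


def parse_address_group(spec: str):
    """Turn '"[a/b,c/d]"' into a list of ip_network objects."""
    inner = spec.strip().strip('"').strip("[]")
    return [ipaddress.ip_network(p.strip()) for p in inner.split(",") if p.strip()]


def parse_rule(text: str) -> dict:
    """Split a rule into its header fields and an {option: value} dict."""
    header, _, body = text.partition("(")
    action, proto, src, _sport, _arrow, dst, _dport = header.split()
    opts = {}
    for item in body.rstrip(")").split(";"):
        if item.strip():
            key, _, value = item.strip().partition(":")
            opts[key.strip()] = value.strip().strip('"')
    return {"action": action, "proto": proto, "src": src, "dst": dst, "opts": opts}


def match_num(spec: str, value: int) -> bool:
    """Suricata-style numeric option: 18, >0, <5 or 3<>6 (exclusive range)."""
    if "<>" in spec:
        lo, hi = spec.split("<>")
        return int(lo) < value < int(hi)
    if spec.startswith(">"):
        return value > int(spec[1:])
    if spec.startswith("<"):
        return value < int(spec[1:])
    return value == int(spec)


def in_group(addr: str, spec: str) -> bool:
    """Resolve 'any' or a $VARIABLE against ADDRESS_GROUPS and test membership."""
    if spec == "any":
        return True
    if spec.startswith("$"):
        spec = ADDRESS_GROUPS[spec[1:]]
    return any(ipaddress.ip_address(addr) in net for net in parse_address_group(spec))


def rule_matches(rule: dict, pkt: IcmpPacket) -> bool:
    """True when protocol, addresses and the itype/icode options all hold."""
    if rule["proto"] != "icmp":
        return False
    if not (in_group(pkt.src, rule["src"]) and in_group(pkt.dst, rule["dst"])):
        return False
    opts = rule["opts"]
    if "itype" in opts and not match_num(opts["itype"], pkt.itype):
        return False
    if "icode" in opts and not match_num(opts["icode"], pkt.icode):
        return False
    return True


# Constructed packets: the two ICMP probes nmap host discovery sends (echo
# request type 8, timestamp request type 13), a well-formed Address Mask Reply
# (type 18, code 0), one with an undefined code, and one leaving HOME_NET.
SAMPLE_PACKETS = {
    "nmap echo request":          IcmpPacket("192.168.1.50", "192.168.1.10", 8, 0),
    "nmap timestamp request":     IcmpPacket("192.168.1.50", "192.168.1.10", 13, 0),
    "mask reply, code 0":         IcmpPacket("192.168.1.50", "192.168.1.10", 18, 0),
    "mask reply, code 1":         IcmpPacket("192.168.1.50", "192.168.1.10", 18, 1),
    "mask reply, code 1, to WAN": IcmpPacket("192.168.1.10", "203.0.113.5", 18, 1),
}


def evaluate(rule_text: str = RULE, packets: dict = None) -> dict:
    """Return {label: matched} for every sample packet against the rule."""
    rule = parse_rule(rule_text)
    return {label: rule_matches(rule, pkt) for label, pkt in (packets or SAMPLE_PACKETS).items()}


if __name__ == "__main__":
    for label, hit in evaluate().items():
        print(f"{'ALERT' if hit else '     '}  {label}")
```

Only the "mask reply, code 1" packet produces an alert. If the goal is just to confirm that Suricata is seeing traffic on the chosen interface, a test rule whose itype matches the probes actually on the wire (an echo request, type 8) is a more useful smoke test than an Address Mask Reply signature.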