Fast.log file is not collecting properly, tried almost everything.. Suricata doesn't work

Please include the following information with your help request:

  • Suricata version - Suricata 7.0.2
  • Operating system and/or Linux distribution - Windows 11
  • How you installed Suricata (from source, packages, something else) - windows installer file

I went through multiple posts, will share a few more details as well:

  1. default-rule-path: C:\Program Files\Suricata\rules\
  2. address-groups:
       HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
       #HOME_NET: "[192.168.0.0/16]"
  3. stats:
       enabled: yes
  4. # a line based alerts log similar to Snort's fast.log
     - fast:
         enabled: yes
         filename: fast.log
         append: yes
  5. - eve-log:
         enabled: yes
         filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
         filename: eve.json
         # include the name of the input pcap file in pcap file processing mode
         pcap-file: false
  6. # disabled you will get the default: console output.
     outputs:
     - console:
         enabled: yes
         type: json
     - file:
         enabled: yes
         level: info
         filename: suricata.log
         format: "[%i - %m] %z %d: %S: %M"
         type: json
     - syslog:
         enabled: no
         facility: local5
         format: "[%i] <%d> -- "
         type: json
  7. # or for investigating suspected false positives.
     - alert-debug:
         enabled: yes
         filename: alert-debug.log
         append: yes
  8. # Linux high speed capture support
     af-packet:
       - interface: eth0
     Did try it with Ethernet but no luck, so left it default.
  9. Either way I use -i IP address, so the interface in the yaml won't matter.
  10. Created an alert.rules and this is in it:
      alert icmp any any -> $HOME_NET any (msg:"GPL ICMP Address Mask Reply undefined code"; icode:>0; itype:18; classtype:attempted-admin; sid:2100387; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
  11. alert-debug is empty + fast.log
  12. I ran an nmap intense scan but nothing...

Please help as fast as you can as this is very urgent, I'm on a project.
suricata.yaml (85.8 KB)
fast.log (464 Bytes)
stats.log (1.1 MB)

Quick update -
When I was updating packages in a VM on Ubuntu it generated these alerts in fast.log... But the ping rule I created doesn't trigger at all. Also ran nmap multiple times but that doesn't trigger either.
Downloaded all rules from emerging threats as well.

I would first check for the flow event in the JSON output, to see if your ICMP traffic was actually seen. Can you confirm that this flow is seen by Suricata?
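The check suggested in the reply, as an added example that is not part of this thread: a Python script that scans eve.json line by line and reports whether ICMP flow events (and alerts for the rule's sid) were recorded. The eve.json lines embedded in it are constructed samples, not the poster's attachments; the field names used (event_type, proto, icmp_type, icmp_code, alert.signature_id) are the EVE JSON fields Suricata writes for flow and alert records.

```python
import json
import sys
from collections import Counter

# Constructed sample eve.json lines (not taken from the thread's attachments):
# an ICMP echo flow, a TCP flow, an alert for sid 2100387, and a stats record.
SAMPLE_EVE = """\
{"timestamp":"2024-01-10T12:00:01.000000+0000","event_type":"flow","src_ip":"192.168.1.20","dest_ip":"192.168.1.1","proto":"ICMP","icmp_type":8,"icmp_code":0,"flow":{"pkts_toserver":4,"pkts_toclient":4}}
{"timestamp":"2024-01-10T12:00:02.000000+0000","event_type":"flow","src_ip":"192.168.1.20","dest_ip":"192.168.1.1","proto":"TCP","src_port":51234,"dest_port":443,"flow":{"pkts_toserver":10,"pkts_toclient":8}}
{"timestamp":"2024-01-10T12:00:03.000000+0000","event_type":"alert","src_ip":"192.168.1.20","dest_ip":"192.168.1.1","proto":"ICMP","icmp_type":18,"icmp_code":1,"alert":{"signature_id":2100387,"rev":8,"signature":"GPL ICMP Address Mask Reply undefined code"}}
{"timestamp":"2024-01-10T12:00:04.000000+0000","event_type":"stats","stats":{"uptime":10}}
"""


def parse_eve(text):
    """Yield one dict per well-formed JSON line; skip blank or truncated lines
    (a half-written last line is normal while Suricata is still running)."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def summarize(text):
    """Count event types, ICMP flows by (type, code), and alerts by sid.
    ICMP flow records prove the capture interface saw the traffic; flows
    present but no alert for the sid points at the rule, not at capture."""
    events = list(parse_eve(text))
    by_type = Counter(e.get("event_type") for e in events)
    icmp_flows = [e for e in events
                  if e.get("event_type") == "flow" and e.get("proto") == "ICMP"]
    icmp_type_code = Counter((f.get("icmp_type"), f.get("icmp_code")) for f in icmp_flows)
    alert_sids = Counter(e["alert"]["signature_id"]
                         for e in events if e.get("event_type") == "alert")
    return {
        "events": dict(by_type),
        "icmp_flows": len(icmp_flows),
        "icmp_type_code": dict(icmp_type_code),
        "alert_sids": dict(alert_sids),
    }


if __name__ == "__main__":
    # Pass the real eve.json path as the first argument; otherwise use the sample.
    source = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_EVE
    for key, value in summarize(source).items():
        print(f"{key}: {value}")
```

Run it against the real eve.json: if ICMP flows with type 8 show up but no alert for sid 2100387 does, Suricata saw the pings and the gap lies between that traffic and the rule's match conditions rather than in capture.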