I need some assistance with Suricata and how the alerts are being logged. We have not made any changes to the Suricata configuration regarding rules, except that we added a third-party rule set in addition to the default rules. Suricata is configured to log to eve.json. We are using a Splunk forwarder to forward the logs from eve.json to Splunk.
We have noticed that all the alerting only seems to come from a single category (see below). How do we enable other categories?
The category part of the event comes from the associated rule and its classtype. The classtype points to a classification defined in the classification.config file that is referenced in suricata.yaml.
The action in the event is determined by the action set for the rule. So if the rule's action is alert then you will see allowed; if the rule's action is reject then you will see blocked.
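As an added illustration of the mapping described in the answer above (this is example code written for this page, not code from the thread, from Suricata, or from any vendor ruleset), the script below parses a classification.config fragment and a few rules, predicts the alert.category and alert.action that eve.json should carry for each sid, tallies the categories actually present in a set of eve.json records, and flags sids whose logged category or action disagrees with what their rule predicts. All sample data is constructed: the two classification entries, three rules with local sids in the 9000000 range, and four eve.json records trimmed to the fields used. The treatment of drop as "blocked" alongside reject is an assumption (it only holds when Suricata is actually dropping packets in IPS mode).

```python
import json
import re
from collections import Counter

# Constructed sample: two entries in Suricata's classification.config format
# (config classification: shortname,short description,priority).
CLASSIFICATION_CONFIG = """\
# shortname,short description,priority
config classification: trojan-activity,A Network Trojan was detected,1
config classification: attempted-recon,Attempted Information Leak,2
"""

# Constructed sample rules (local sids, not real third-party sids).
RULES = """\
alert tcp any any -> any any (msg:"EXAMPLE trojan beacon"; classtype:trojan-activity; sid:9000001; rev:1;)
reject tcp any any -> any 22 (msg:"EXAMPLE ssh scan"; classtype:attempted-recon; sid:9000002; rev:1;)
alert tcp any any -> any any (msg:"EXAMPLE no classtype"; sid:9000003; rev:1;)
"""

# Constructed eve.json records, trimmed to the fields used here. The first is a
# flow event, included to show that only event_type=alert records are tallied.
EVE_LINES = [
    '{"event_type":"flow","src_ip":"10.0.0.5","dest_ip":"10.0.0.9"}',
    '{"event_type":"alert","src_ip":"10.0.0.5","dest_ip":"10.0.0.9","alert":{"action":"allowed","gid":1,"signature_id":9000001,"rev":1,"signature":"EXAMPLE trojan beacon","category":"A Network Trojan was detected","severity":1}}',
    '{"event_type":"alert","src_ip":"10.0.0.7","dest_ip":"10.0.0.9","alert":{"action":"blocked","gid":1,"signature_id":9000002,"rev":1,"signature":"EXAMPLE ssh scan","category":"Attempted Information Leak","severity":2}}',
    '{"event_type":"alert","src_ip":"10.0.0.8","dest_ip":"10.0.0.9","alert":{"action":"allowed","gid":1,"signature_id":9000003,"rev":1,"signature":"EXAMPLE no classtype","category":"","severity":3}}',
]

CLASS_RE = re.compile(r"^config classification:\s*([^,]+),([^,]+),(\d+)\s*$")
RULE_RE = re.compile(r"^(alert|drop|reject|pass)\s+.*\((.*)\)\s*$")
OPT_RE = re.compile(r"(\w+)\s*:\s*([^;]*);")


def parse_classification(text):
    """classtype shortname -> category description, as read from classification.config."""
    classes = {}
    for line in text.splitlines():
        m = CLASS_RE.match(line.strip())
        if m:
            classes[m.group(1).strip()] = m.group(2).strip()
    return classes


def parse_rules(text):
    """sid -> {"action", "classtype"} for each enabled (non-comment) rule line."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        opts = dict(OPT_RE.findall(m.group(2)))
        if "sid" not in opts:
            continue
        rules[int(opts["sid"])] = {"action": m.group(1), "classtype": opts.get("classtype", "").strip()}
    return rules


def expected_alert_fields(rule, classes):
    """(alert.action, alert.category) that eve.json should show for this rule.

    alert -> "allowed" and reject -> "blocked" follow the answer above; treating
    drop like reject is an assumption (IPS mode, packet actually dropped). A
    classtype that is absent from classification.config yields an empty category.
    """
    action = "blocked" if rule["action"] in ("drop", "reject") else "allowed"
    return action, classes.get(rule["classtype"], "")


def iter_alerts(lines):
    """Yield only the alert events from raw eve.json lines."""
    for line in lines:
        ev = json.loads(line)
        if ev.get("event_type") == "alert":
            yield ev


def tally_categories(lines):
    """Counter of (category, action) over the alert events: the first check to
    run when every alert appears to come from a single category."""
    return Counter((ev["alert"]["category"], ev["alert"]["action"]) for ev in iter_alerts(lines))


def find_mismatches(lines, rules, classes):
    """sids whose logged category/action differ from what the rule's action and
    classtype predict, or whose sid is not present in the loaded rules."""
    bad = []
    for ev in iter_alerts(lines):
        sid = ev["alert"]["signature_id"]
        rule = rules.get(sid)
        logged = (ev["alert"]["action"], ev["alert"]["category"])
        if rule is None or expected_alert_fields(rule, classes) != logged:
            bad.append(sid)
    return bad


if __name__ == "__main__":
    classes = parse_classification(CLASSIFICATION_CONFIG)
    rules = parse_rules(RULES)
    for (cat, act), n in tally_categories(EVE_LINES).most_common():
        print(f"{n:5d}  {act:8s}  {cat or '<no category>'}")
    print("mismatched sids:", find_mismatches(EVE_LINES, rules, classes))
```

Running this against a real eve.json and the loaded rule files (pointing parse_rules at each file listed under rule-files in suricata.yaml) shows two things quickly: whether the alerts really are confined to one category, and whether the third-party rules carry classtypes that classification.config does not define, which would leave those alerts with an empty category.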
What is the proper configuration for providing a list of rules and ensuring that any rule in any category will be matched and alerted on?
Keep in mind, as we are troubleshooting, that the rules file given to us by the analysts cannot be shared with anyone. These are AlienVault's proprietary rules.