Hi All,
I'm new to Suricata and have just set up CentOS 7.9 and installed Suricata. I've tried to follow the Suricata quick start documentation via: 2. Quickstart guide — Suricata 6.0.2 documentation
When I tried to run the alert rule as per the sample from the documentation, it kept returning "bash: syntax error near unexpected token `('". May I check if there is anything wrong with the following and if I may have missed out some other steps?
alert ip any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:2100498; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
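The line above is a Suricata signature, not a shell command, which is why bash trips over the "(" when it is typed at the prompt. The added example below (my own illustration, not Suricata's rule parser or any code from the thread) takes that rule as a string, splits the header from the option keywords, decodes the content pattern (the |28| and |29| pipe-delimited hex bytes are "(" and ")", so the bytes matched are "uid=0(root)"), and checks it against two constructed HTTP response bodies: one resembling the testmynids.org page and one for a non-root account. The response bodies are made up for the example; only the rule text comes from the post.

```python
import re

# Rule text copied from the post above (ASCII-normalised quotes and arrow).
RULE = (
    'alert ip any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; '
    'content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:2100498; rev:7; '
    'metadata:created_at 2010_09_23, updated_at 2010_09_23;)'
)

# Constructed response bodies (not captured traffic): what an "id" command
# output page looks like for root and for an unprivileged account.
ROOT_BODY = b"uid=0(root) gid=0(root) groups=0(root)\n"
USER_BODY = b"uid=1000(alice) gid=1000(alice) groups=1000(alice)\n"


def split_options(opts):
    """Split the rule option string on ';' but not inside double quotes."""
    parts, cur, in_quote = [], [], False
    for ch in opts:
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    tail = "".join(cur).strip()
    if tail:
        parts.append(tail)
    return parts


def parse_rule(rule):
    """Return the 7-field header and the option keywords of one signature line."""
    head, _, opts = rule.partition("(")
    action, proto, src, sport, direction, dst, dport = head.split()
    options = {}
    for part in split_options(opts.rstrip().rstrip(")")):
        key, _, value = part.partition(":")
        options[key.strip()] = value.strip().strip('"')
    return {
        "header": {"action": action, "proto": proto, "src": src, "src_port": sport,
                   "direction": direction, "dst": dst, "dst_port": dport},
        "options": options,
    }


def decode_content(pattern):
    """Turn a content: pattern into raw bytes; |..| sections are hex bytes."""
    out, hexbuf, in_hex = bytearray(), [], False
    for ch in pattern:
        if ch == "|":
            if in_hex:
                out.extend(bytes.fromhex("".join(hexbuf)))
                hexbuf = []
            in_hex = not in_hex
        elif in_hex:
            if not ch.isspace():
                hexbuf.append(ch)
        else:
            out.extend(ch.encode("latin-1"))
    if in_hex:
        raise ValueError("unterminated |hex| block in content pattern")
    return bytes(out)


def payload_matches(payload, rule):
    """Case-sensitive substring check, i.e. what content: without nocase does."""
    needle = decode_content(parse_rule(rule)["options"]["content"])
    return needle in payload


if __name__ == "__main__":
    parsed = parse_rule(RULE)
    print("sid", parsed["options"]["sid"], "rev", parsed["options"]["rev"])
    print("content bytes:", decode_content(parsed["options"]["content"]))
    print("root body matches:", payload_matches(ROOT_BODY, RULE))
    print("user body matches:", payload_matches(USER_BODY, RULE))
```

Running it shows the decoded pattern b'uid=0(root)' and that only the root-style body fires; the user-account body does not, which is the point of the rule: it alerts on a server replying with the output of an id command run as root.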
Hello, can you please provide more information, such as the command line you are using to start Suricata?
As part of the quick start, assuming you did a suricata-update, that rule is there for informational purposes. You don’t need to do anything with it. Instead run the commands a few lines below, in particular:
curl http://testmynids.org/uid/index.html
then check your log file, /var/log/suricata/fast.log for the alert.
1. I've created my own custom rule file called "local.rules" and placed it under the default rule path /var/lib/suricata/rules
2. I then run the following command to reload the rules:
suricata -c /etc/suricata/suricata.yaml -i
3. tcpreplay some pcap files
4. I have checked from fast.log that the alerts are generated there.
I have a few questions on the above:
Whenever we make any changes to the .rules file, do we always need to run the command in [2] to reload the rules? May I check what the purpose of this is? Do we need to keep this running in the background in order for the alerts to be generated when we replay any traffic?
I've read from the Suricata documentation that the alerts should be generated in the eve.log. May I check what the difference is between alerts generated in fast.log vs eve.log? I did try to run the following command based on the Suricata documentation but it didn't return any result
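On the fast.log versus EVE question: fast.log is a one-line-per-alert text summary, while the EVE output (eve.json by default) is one JSON record per event and carries more than alerts (http, dns, flow and other event types), with the alert records also holding the protocol context of the flow that fired. The added example below is not from the thread or from the Suricata project; it parses one constructed fast.log line and two constructed EVE records for the same session, normalises both alert forms to the same fields, and shows that the EVE record keeps the HTTP request details that fast.log cannot carry. The sample records are made up, with RFC 5737 documentation addresses, and are shaped like Suricata 6 output.

```python
import json
import re

# Constructed sample records (not taken from the thread): the same alert as
# Suricata writes it to fast.log and to eve.json, plus a non-alert EVE event.
FAST_LOG_LINE = (
    "03/23/2021-12:00:00.123456  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check "
    "returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] "
    "{TCP} 203.0.113.5:80 -> 192.0.2.10:45678"
)
EVE_ALERT_LINE = json.dumps({
    "timestamp": "2021-03-23T12:00:00.123456+0000", "flow_id": 1234567890123456,
    "in_iface": "eth0", "event_type": "alert",
    "src_ip": "203.0.113.5", "src_port": 80, "dest_ip": "192.0.2.10",
    "dest_port": 45678, "proto": "TCP",
    "alert": {"action": "allowed", "gid": 1, "signature_id": 2100498, "rev": 7,
              "signature": "GPL ATTACK_RESPONSE id check returned root",
              "category": "Potentially Bad Traffic", "severity": 2},
    "http": {"hostname": "testmynids.org", "url": "/uid/index.html",
             "http_method": "GET", "status": 200},
})
EVE_HTTP_LINE = json.dumps({
    "timestamp": "2021-03-23T12:00:00.200000+0000", "flow_id": 1234567890123456,
    "in_iface": "eth0", "event_type": "http",
    "src_ip": "192.0.2.10", "src_port": 45678, "dest_ip": "203.0.113.5",
    "dest_port": 80, "proto": "TCP",
    "http": {"hostname": "testmynids.org", "url": "/uid/index.html",
             "http_method": "GET", "status": 200, "length": 39},
})

# fast.log layout: <ts>  [**] [gid:sid:rev] <msg> [**] [Classification: ..]
#                  [Priority: n] {PROTO} src:port -> dst:port
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+\[Classification:\s*(?P<cls>[^\]]*)\]\s+"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\S+):(?P<sport>\d+)\s+->\s+(?P<dst>\S+):(?P<dport>\d+)$"
)
CONTEXT_KEYS = ("flow_id", "in_iface", "http", "dns", "tls", "flow", "payload")


def parse_fast(line):
    """Normalise one fast.log alert line; it carries only the alert header."""
    m = FAST_RE.match(line)
    if not m:
        raise ValueError("not a fast.log alert line: %r" % line)
    return {
        "timestamp": m["ts"], "gid": int(m["gid"]), "sid": int(m["sid"]),
        "rev": int(m["rev"]), "msg": m["msg"], "category": m["cls"],
        "severity": int(m["prio"]), "proto": m["proto"],
        "src_ip": m["src"], "src_port": int(m["sport"]),
        "dest_ip": m["dst"], "dest_port": int(m["dport"]),
        "context": {},
    }


def parse_eve(line):
    """Normalise one EVE record; returns None for non-alert event types."""
    ev = json.loads(line)
    if ev.get("event_type") != "alert":
        return None
    a = ev["alert"]
    return {
        "timestamp": ev["timestamp"], "gid": a["gid"], "sid": a["signature_id"],
        "rev": a["rev"], "msg": a["signature"], "category": a["category"],
        "severity": a["severity"], "proto": ev["proto"],
        "src_ip": ev["src_ip"], "src_port": ev["src_port"],
        "dest_ip": ev["dest_ip"], "dest_port": ev["dest_port"],
        # Everything the alert record carries beyond the header.
        "context": {k: ev[k] for k in CONTEXT_KEYS if k in ev},
    }


def eve_alerts(lines):
    """Filter an EVE stream down to alert records only."""
    return [r for r in (parse_eve(l) for l in lines) if r is not None]


def same_alert(a, b):
    """True when two normalised records describe the same signature hit."""
    keys = ("gid", "sid", "rev", "proto", "src_ip", "src_port", "dest_ip", "dest_port")
    return all(a[k] == b[k] for k in keys)


if __name__ == "__main__":
    fast = parse_fast(FAST_LOG_LINE)
    eve = eve_alerts([EVE_ALERT_LINE, EVE_HTTP_LINE])[0]
    print("same alert in both logs:", same_alert(fast, eve))
    print("fast.log context:", fast["context"])
    print("eve.json context:", eve["context"])
```

When alerting on a replayed pcap, grepping fast.log is the quickest check that a rule fired, but eve.json is what a SIEM or a jq pipeline should read: the same hit is there under event_type "alert", with the flow_id linking it to the http, flow and other records of the session.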