Hello,
I'm new to Suricata and I'm trying to log a basic ICMP alert. My problem is that in fast.log/eve.log I can only see the first alert, even if I send an ICMP packet every second.
I could "fix" it by adding flow: to_server to the rule, but as the flow keyword says, that only logs ICMP packets to the server. Am I missing something? I tried with threshold too, but I couldn't find a solution for my problem.
My rule is:
alert icmp any any -> any any (msg:"ICMP detected"; sid: 889;)
The rule that worked:
alert icmp any any -> any any (msg:"ICMP detected"; flow: to_server; sid: 889;)
In Suricata 3.X the alert without flow worked well, but in Suricata 4.X, 5.X and 6.X I have this problem.
Thanks in advance, Adrian
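A way to check from eve.json whether a signature is alerting once per flow or once per packet, as an added example that is not part of the original post. The eve.json lines embedded below are constructed (not real Suricata output), and the function names are mine; the script only relies on the standard eve.json fields event_type, flow_id, alert.signature_id and flow.pkts_toserver/pkts_toclient.

```python
"""Tally Suricata eve.json alerts per signature and per flow.

Added example, not from the forum post: counts alert events per sid and
per flow_id and compares that with the packet counts in the flow records,
so you can tell "one alert per flow" from "one alert per packet".
"""
import json
from collections import Counter, defaultdict

# Constructed sample eve.json lines (not real captured output): flow 1 carried
# six ICMP packets but raised a single alert for sid 889; flow 2 raised one
# alert and has no flow record yet.
SAMPLE_EVE = """\
{"timestamp":"2021-01-01T12:00:00.000000+0000","flow_id":1,"event_type":"alert","src_ip":"10.0.0.1","dest_ip":"10.0.0.2","proto":"ICMP","alert":{"signature_id":889,"rev":0,"signature":"ICMP detected"}}
{"timestamp":"2021-01-01T12:00:10.000000+0000","flow_id":1,"event_type":"flow","src_ip":"10.0.0.1","dest_ip":"10.0.0.2","proto":"ICMP","flow":{"pkts_toserver":3,"pkts_toclient":3}}
{"timestamp":"2021-01-01T12:00:05.000000+0000","flow_id":2,"event_type":"alert","src_ip":"10.0.0.3","dest_ip":"10.0.0.2","proto":"ICMP","alert":{"signature_id":889,"rev":0,"signature":"ICMP detected"}}
"""


def parse_eve(text):
    """Parse eve.json (one JSON object per line); skip blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def alert_counts(events):
    """Return {sid: Counter({flow_id: number of alerts})} over alert events."""
    counts = defaultdict(Counter)
    for ev in events:
        if ev.get("event_type") != "alert":
            continue
        counts[ev["alert"]["signature_id"]][ev.get("flow_id")] += 1
    return counts


def flow_packets(events):
    """Return {flow_id: packets in both directions} from flow events."""
    pkts = {}
    for ev in events:
        if ev.get("event_type") != "flow":
            continue
        f = ev["flow"]
        pkts[ev.get("flow_id")] = f.get("pkts_toserver", 0) + f.get("pkts_toclient", 0)
    return pkts


def fires_once_per_flow(events, sid):
    """True when sid alerted exactly once on every flow it hit, although at
    least one of those flows carried more than one packet (the symptom in
    the post). False if sid never alerted or alerted repeatedly on a flow."""
    per_flow = alert_counts(events).get(sid)
    if not per_flow:
        return False
    pkts = flow_packets(events)
    # A flow without a flow record yet is assumed to have one packet.
    multi_packet = [fid for fid in per_flow if pkts.get(fid, 1) > 1]
    return bool(multi_packet) and all(n == 1 for n in per_flow.values())


if __name__ == "__main__":
    evs = parse_eve(SAMPLE_EVE)
    pk = flow_packets(evs)
    for sid, per_flow in alert_counts(evs).items():
        for fid, n in per_flow.items():
            print(f"sid {sid} flow {fid}: {n} alert(s), {pk.get(fid, '?')} packet(s)")
        print(f"sid {sid} looks once-per-flow: {fires_once_per_flow(evs, sid)}")
```

Run it against a real eve.json with `parse_eve(open("eve.json").read())` after sending a burst of pings; if `fires_once_per_flow` reports True for sid 889, the alert count is tied to the flow rather than to the packets, which matches the behaviour described above.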