Hello everyone, I want to test Suricata IPS on Ubuntu with an exploit for F5 BIG-IP CVE-2020-5902 against my IP.
It doesn't matter if the attack is successful. What I want to see is the IPS detecting this and showing it in the logs. How can I do this, any ideas? Thanks.
Hi. The easiest way to test is to just do IDS. That would not block the actual traffic.
If the packets can be detected then they can also be blocked. IPS, aka blocking, is a bit harder to configure for a simple test.
I just want to make sure that you understand that Suricata, as a program, mostly just does network inspection and feature extraction, and provides a rule language for writing detection logic.
There is therefore a difference between testing whether Suricata can detect the attack (it most likely can) and if the most commonly used detection logic rulesets have already created detection logic for the attack.
That being said, just set up Suricata as the docs tell you to, and make sure that the attack traffic reaches the interface Suricata is listening on. Reading a pcap file is also an option.
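An added example of the test loop this reply describes (it is not code from the thread or from the Suricata project): a POSIX shell script that writes a hand-written local rule, runs Suricata in IDS mode either against a pcap or on a live interface, and counts the matching alerts in eve.json. Assumptions: Suricata 5.0 or newer is installed (the `http.uri` sticky buffer needs it); the rule is my own illustrative signature written around the publicly documented CVE-2020-5902 TMUI request path and is not an ET Open rule; `LOGDIR`, the pcap path and the interface name are placeholders; and the eve.json sample inside the script is constructed so the log-parsing part can be exercised without Suricata present.

```shell
#!/bin/sh
# Added example (not from the thread or the Suricata project).
# Assumptions: Suricata 5.0+ is installed (the http.uri sticky buffer needs it);
# LOGDIR, the pcap path and the interface name are placeholders to adjust.
set -eu

LOGDIR="${LOGDIR:-/tmp/suricata-test}"

# A hand-written local rule. It is my own illustrative signature built around the
# publicly documented CVE-2020-5902 TMUI request path, NOT an ET Open rule. ';' is
# reserved inside rule content, so it is written as the hex byte |3B|.
LOCAL_RULE='alert http any any -> $HOME_NET any (msg:"LOCAL F5 BIG-IP TMUI path traversal (CVE-2020-5902)"; flow:established,to_server; http.uri; content:"/tmui/login.jsp/..|3B|/"; classtype:web-application-attack; sid:1000001; rev:1;)'

# Write the rule to a file Suricata can load with -S (only this file) or
# -s (this file in addition to the rule files named in suricata.yaml, e.g. ET Open).
write_local_rules() {
  printf '%s\n' "$LOCAL_RULE" > "$1"
}

# Count alert events in an eve.json whose signature text contains "$2".
# grep -c prints 0 and exits 1 on no match, hence the || true under set -e.
count_alerts() {
  grep -E '"event_type": ?"alert"' "$1" | grep -c -- "$2" || true
}

# Offline IDS run: replay a pcap through the local rule only (-S), skip checksum
# verification (-k none; locally captured pcaps often carry bad checksums), write
# eve.json under LOGDIR, then report how many times the rule fired.
run_pcap_test() {
  pcap="$1"
  rules="$LOGDIR/local.rules"
  mkdir -p "$LOGDIR"
  write_local_rules "$rules"
  suricata -T -S "$rules" >/dev/null   # -T: parse the rules, non-zero exit on a syntax error
  suricata -r "$pcap" -S "$rules" -k none -l "$LOGDIR" >/dev/null
  count_alerts "$LOGDIR/eve.json" 'CVE-2020-5902'
}

# Live IDS on an interface instead of a pcap: same rule, same log directory.
# IPS would additionally need the traffic steered through Suricata (e.g. NFQUEUE
# with -q 0) and the rule action changed from alert to drop.
run_live_ids() {
  iface="$1"
  mkdir -p "$LOGDIR"
  write_local_rules "$LOGDIR/local.rules"
  suricata --af-packet="$iface" -s "$LOGDIR/local.rules" -l "$LOGDIR"
}

# Constructed eve.json sample (not real Suricata output) so count_alerts can be
# exercised without running Suricata: one http event and two alerts.
write_sample_eve() {
  cat > "$1" <<'EOF'
{"timestamp":"2024-01-01T00:00:00.000000+0000","event_type":"http","src_ip":"10.0.0.5","dest_ip":"10.0.0.10","http":{"url":"/tmui/login.jsp","http_method":"GET"}}
{"timestamp":"2024-01-01T00:00:01.000000+0000","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"10.0.0.10","alert":{"action":"allowed","gid":1,"signature_id":1000001,"rev":1,"signature":"LOCAL F5 BIG-IP TMUI path traversal (CVE-2020-5902)","category":"Web Application Attack"},"http":{"url":"/tmui/login.jsp/..;/","http_method":"GET"}}
{"timestamp":"2024-01-01T00:00:02.000000+0000","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"10.0.0.10","alert":{"action":"allowed","gid":1,"signature_id":1000002,"rev":1,"signature":"LOCAL unrelated test alert","category":"Misc activity"}}
EOF
}

# Usage: ./suricata_test.sh pcap /path/to/attack.pcap   or   ./suricata_test.sh live eth0
if [ $# -ge 2 ] && command -v suricata >/dev/null 2>&1; then
  case "$1" in
    pcap) run_pcap_test "$2" ;;
    live) run_live_ids "$2" ;;
  esac
fi
```

Two things to check when the count stays at zero: `$HOME_NET` in suricata.yaml must cover the address the exploit is sent to (the default is the RFC 1918 ranges), and the traffic must actually pass the interface or be in the pcap. In IDS mode every alert in eve.json carries `"action":"allowed"`; only an IPS setup with a `drop` rule produces `"action":"blocked"`. Running with `-s` instead of `-S` keeps the ruleset from suricata-update loaded as well, which is how you tell apart "Suricata can see it" (your own rule fires) from "the public ruleset already covers it" (an ET signature fires too).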