I created local rules and sent packets using Scapy. The only problem is when I used lo (localhost) the rules I created were working, but if I ran the enp0s3 (ethernet), the created rules were not found. Do I still need a config in the Suricata settings?
Can you give an example of a rule that was working with lo?
What version of Suricata are you using?
If the HOME_NET value is incorrect for enp0s3 but valid for lo that may be the cause. A sample rule would help along with the value of HOME_NET from the suricata config file suricata.yaml
Hi @Jeff_Lucovsky
We created our rules in Suricata, and it runs on my localhost computer. However, when we ran it on AWS, no results were displayed. We have a virtual machine instance in AWS with Suricata installed.
There are many differences between the 2 environments.
I suggest you use a packet sniffing tool tcpdump -i <interface> on your AWS instance and verify that the monitoring traffic is being received as intended.
My questions from my initial response are still open.
The HOME_NET value is the same as the enp0s3 interface value. Also, I already set the enp0s3 to the af-packet in the suricata.yaml
I will try your suggestion. Thank you!