Hello! I’m trying to test one suricata rule, but seems like I’m doing something wrong, because my fast.log is empty. Rule:
alert http any any -> any any (msg:"md5test"; filemd5:md5filetest.txt; sid:23; rev:1;)
In the text file "md5filetest.txt" I have the hash of another txt file, on an apache server.
As I understood so far, suricata should generate an alert when I go to "localhost/test.txt". My fast.log is empty. Suricata is not showing any error when I start it.
I start it with suricata -c /etc/suricata/suricata.yaml -q 0 -v for IPS mode.
Any other rule I tried works fine and generates an alert. Is there something I have to configure in suricata.yaml?
Thank you for your time.
Hi,
Can you share a pcap with the network traffic and the md5 value for localhost/test.txt?
How do I share the pcap? How do I access it? Sorry. I'm new to this.
You would need to generate the pcap when accessing the test.txt file using tcpdump or wireshark. If you aren’t familiar with either, there are a ton of videos and articles explaining how to use them.
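Before capturing traffic, one thing worth ruling out for the rule in the first post is the hash list itself. The following is an added example, not code from the thread or from Suricata: it parses a filemd5 list file, flags lines that are not a bare lowercase MD5 (for instance `md5sum` output pasted with the file name), and checks whether the MD5 of the bytes Apache actually serves for test.txt appears in the list. The file contents and list are constructed samples.

```python
import hashlib
import re

HEX_MD5 = re.compile(r"^[0-9a-f]{32}$")


def md5_hex(data: bytes) -> str:
    """Lowercase hex MD5 of the served file's bytes."""
    return hashlib.md5(data).hexdigest()


def parse_md5_list(text: str):
    """Parse a filemd5 list (one MD5 per line). Returns (hashes, problems).

    Flags lines that are not a bare lowercase hash, so the list format
    can be ruled out as the reason the rule stays silent.
    """
    hashes, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) > 1:
            problems.append(f"line {lineno}: extra text after the hash "
                            f"(md5sum output pasted?), using {fields[0]!r}")
        token = fields[0]
        if token != token.lower():
            problems.append(f"line {lineno}: uppercase hex, normalised")
            token = token.lower()
        if not HEX_MD5.match(token):
            problems.append(f"line {lineno}: not a 32-char hex MD5: {fields[0]!r}")
            continue
        hashes.append(token)
    return hashes, problems


def check_served_file(list_text: str, file_bytes: bytes) -> dict:
    """Does the MD5 of the file the web server returns appear in the list?"""
    hashes, problems = parse_md5_list(list_text)
    digest = md5_hex(file_bytes)
    return {"md5": digest, "listed": digest in hashes, "problems": problems}


# Constructed sample: the bytes Apache would serve for test.txt, and a list
# written the way `md5sum test.txt > md5filetest.txt` would produce it.
SAMPLE_FILE = b"hello from test.txt\n"
SAMPLE_LIST = f"{md5_hex(SAMPLE_FILE).upper()}  test.txt\n"

if __name__ == "__main__":
    print(check_served_file(SAMPLE_LIST, SAMPLE_FILE))
```

Run it against the real md5filetest.txt and the file fetched with curl from localhost/test.txt; if the served bytes differ from the file you hashed (trailing newline, different copy), "listed" is False and the rule cannot fire.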