Hello. I have a Netcat server (running like this: ncat -k -l -p 9999) on a machine where Suricata is running too. When another machine connects to that server with a Netcat client and Suricata has a rule like this: alert ip any any -> any any (msg:"Bla bla"; sid:1000000;), any traffic between client and server is detected without trouble.
But when I put a rule like this: alert ip any any -> any any (msg:"Bla bla"; content:"malware"; sid:1000000;) and I send the word "malware" from the Netcat client to the Netcat server, I don't get anything in the fast.log file.
I know this rule can’t be simpler, but I can’t understand why Suricata doesn’t react! It’s very frustrating.
Thanks a lot!!
P.S.: My Suricata version is 6.0.4 (the one that comes in the official repositories of Ubuntu 22.04).