We are students.
As part of our exam, we installed Suricata on a Vagrant server and attempted some attacks. However, they do not appear in the logs, even though we successfully pinged the server from the attacking machine.
We would like to know if this could be due to network configuration issues.
Suricata version: 7.0.8
Linux Debian 24
Suricata installed from packages.
How did you configure Suricata and the network traffic forwarding?
Ideally also post your suricata.yaml, suricata.log, stats.log and the run command that you use.
Also, do you see the attack if you run tcpdump on the capture interface?
The IP address of Suricata mentioned in the suricata.yaml (HOME_NET) is the one belonging to the Vagrant server it is installed on. The attack is sent from another machine that has a different IP address.
Yes, we do see the attack when we run tcpdump on the capture interface.
It seems like we cannot upload attachments since we are new users. Is there any way we could send them? Or should we copy-paste some parts of those files?
flow.mgr.flows_notimeout | Total | 173
flow.mgr.flows_timeout | Total | 68
flow.mgr.flows_evicted | Total | 68
flow.mgr.flows_evicted_needs_work | Total | 10
memcap_pressure | Total | 5
memcap_pressure_max | Total | 5
flow.recycler.recycled | Total | 58
flow.recycler.queue_max | Total | 1
tcp.memuse | Total | 2490368
tcp.reassembly_memuse | Total | 573440
flow.memuse | Total | 7154304
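The stats.log fragment above only carries flow-manager and memory counters; the counters that answer the earlier question ("is Suricata seeing the traffic at all?") are capture.kernel_packets, decoder.pkts and detect.alert. The script below is an added example written for this page, not something from the thread or from the Suricata project: it reads a stats.log dump in the same "counter | TM Name | Value" form pasted above and classifies what it finds. The sample dumps it builds are constructed, and the interface name in the comment is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread: pull the "is Suricata seeing packets?"
# counters out of a stats.log dump in the "counter | TM Name | Value" form
# the original poster pasted. Counter names are Suricata's own:
#   capture.kernel_packets  packets the capture method (af-packet etc.) delivered
#   decoder.pkts            packets Suricata actually decoded
#   detect.alert            alerts raised by the loaded rules
#
# Typical use on the sensor:  diagnose /var/log/suricata/stats.log
# and compare with what tcpdump sees on the same interface, e.g.
# tcpdump -ni eth1 (the interface name is an assumption).

# stat_value FILE COUNTER: print the Total value of COUNTER, or "missing"
stat_value() {
  awk -v c="$2" -F'|' '
    { gsub(/^[ \t]+|[ \t]+$/, "", $1); gsub(/^[ \t]+|[ \t]+$/, "", $3) }
    $1 == c { print $3; found = 1; exit }
    END { if (!found) print "missing" }
  ' "$1"
}

# diagnose FILE: classify the dump
#   no-capture-counters  the fragment has no capture/decoder lines, so it cannot tell
#   not-capturing        zero packets decoded: wrong interface or capture method
#   capturing-no-alerts  packets arrive but no rule fired: check rules and HOME_NET
#   alerting             alerts were raised, so look in eve.json / fast.log instead
diagnose() {
  kp=$(stat_value "$1" capture.kernel_packets)
  dp=$(stat_value "$1" decoder.pkts)
  al=$(stat_value "$1" detect.alert)
  if [ "$kp" = missing ] && [ "$dp" = missing ]; then
    echo no-capture-counters
  elif [ "$dp" = missing ] || [ "$dp" -eq 0 ]; then
    echo not-capturing
  elif [ "$al" = missing ] || [ "$al" -eq 0 ]; then
    echo capturing-no-alerts
  else
    echo alerting
  fi
}

# Constructed sample dumps (not real sensor output) so the script runs offline.
OP_STYLE=$(mktemp)   # only flow counters, like the fragment in the thread
printf '%s\n' \
  'flow.mgr.flows_notimeout | Total | 173' \
  'flow.mgr.flows_timeout | Total | 68' \
  'flow.memuse | Total | 7154304' > "$OP_STYLE"

DEAD=$(mktemp)       # capture bound to the wrong interface: nothing decoded
printf '%s\n' \
  'capture.kernel_packets | Total | 0' \
  'decoder.pkts | Total | 0' \
  'detect.alert | Total | 0' > "$DEAD"

QUIET=$(mktemp)      # traffic is decoded, but no rule matched it
printf '%s\n' \
  'capture.kernel_packets | Total | 4821' \
  'decoder.pkts | Total | 4821' \
  'detect.alert | Total | 0' > "$QUIET"

for f in "$OP_STYLE" "$DEAD" "$QUIET"; do
  echo "$f: $(diagnose "$f")"
done
```

If decoder.pkts stays at zero while tcpdump shows the attack on the same interface, the problem is the capture configuration (interface name or capture method in suricata.yaml and the run command), not the rules; if packets are decoded but detect.alert stays at zero, the rule set and the HOME_NET / EXTERNAL_NET definitions are the next thing to look at.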