Cong_To
(Cong To)
September 24, 2020, 4:48am
Hi
I have a problem when I set up Suricata version 4.x and 5.x. The model I use is the NIDS.
I have successfully configured the SPAN port and the IDS machine can receive the traffic.
When using tcpdump I can see the HTTP protocol traffic (tcpdump -i ens1 -n port 80).
But when I create a rule to test, the content is:
alert http any any -> $ HOME_NET any (msg: "HUNGHAY HTTP_TEST";)
HTTP protocol logs are not found in eve.json or fast.log.
Can you guys help me handle this problem?
Thanks
Hi,
It works for me (pruebas.rules):
alert http any any -> $HOME_NET any (msg:"HTTP_TEST"; classtype:policy-violation; sid:99990099;)
in suricata command line:
… -S /etc/suricata/rules/pruebas.rules
fast.log:
09/25/2020-14:34:57.218028  [**] [1:99990099:0] HTTP_TEST [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.168.1.209:631 -> 192.168.1.181:35260
Best Regards,
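The reply above shows the two things that differ between the rule that silently produced nothing and the one that alerts: a complete header with $HOME_NET written as one token, and a sid option. The following is an added example written for this thread (it is not Suricata's code and not code from either poster): a small sanity check that flags those problems in a rule line before it is loaded, plus a parser for the default fast.log alert format so the resulting alerts can be checked programmatically. The sample rule strings and the fast.log line are constructed to mirror the ones quoted in the thread; the fast.log layout assumed is the default one (timestamp, [**], [gid:sid:rev], msg, [**], optional Classification, Priority, {proto}, src -> dst).

```python
"""Sanity-check Suricata rule lines and parse fast.log alert lines.

Added example for this thread; not Suricata's own code. The sample inputs
below are constructed to mirror the rules and fast.log line quoted in the thread.
"""
import re

# Constructed samples: the first mirrors the original post's rule, the second
# the reply's working rule, the third the reply's fast.log alert line.
BROKEN_RULE = 'alert http any any -> $ HOME_NET any (msg: "HUNGHAY HTTP_TEST";)'
WORKING_RULE = ('alert http any any -> $HOME_NET any '
                '(msg:"HTTP_TEST"; classtype:policy-violation; sid:99990099;)')
FAST_LOG_LINE = ('09/25/2020-14:34:57.218028  [**] [1:99990099:0] HTTP_TEST [**] '
                 '[Classification: Potential Corporate Privacy Violation] '
                 '[Priority: 1] {TCP} 192.168.1.209:631 -> 192.168.1.181:35260')

# Rule header: action proto src sport direction dst dport, then "(options)".
HEADER_RE = re.compile(
    r'^\s*(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\(.*\)\s*$')

# Curly quotes that forums and word processors substitute for ASCII quotes;
# Suricata only accepts the ASCII double quote around the msg string.
SMART_QUOTES = '\u201c\u201d'


def lint_rule(rule):
    """Return a list of problems that stop Suricata loading the rule (empty if none)."""
    issues = []
    if any(ch in rule for ch in SMART_QUOTES):
        issues.append('non-ASCII quotes in rule; use straight double quotes')
    if re.search(r'\$\s+\w', rule):
        issues.append('whitespace after "$" splits the address variable into two tokens')
    if HEADER_RE.match(rule) is None:
        issues.append('rule header does not parse (expected 7 tokens before the options)')
    # Options live between the first "(" and the last ")".
    start, end = rule.find('('), rule.rfind(')')
    opts = rule[start + 1:end] if 0 <= start < end else ''
    if not re.search(r'(^|;)\s*msg\s*:', opts):
        issues.append('missing msg')
    if not re.search(r'(^|;)\s*sid\s*:\s*\d+\s*;', opts):
        issues.append('missing sid (Suricata rejects a rule without a sid)')
    return issues


# Default fast.log layout; Classification is optional, ports are absent for ICMP.
FAST_LOG_RE = re.compile(
    r'^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+'
    r'(?P<msg>.*?)\s+\[\*\*\]\s+'
    r'(?:\[Classification:\s*(?P<classification>[^\]]*)\]\s+)?'
    r'\[Priority:\s*(?P<priority>\d+)\]\s+\{(?P<proto>\w+)\}\s+'
    r'(?P<src>\S+?)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>\S+?)(?::(?P<dport>\d+))?\s*$')


def parse_fast_log(line):
    """Parse one fast.log line into a dict; return None if it is not an alert line."""
    m = FAST_LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ('gid', 'sid', 'rev', 'priority', 'sport', 'dport'):
        if rec[key] is not None:
            rec[key] = int(rec[key])
    return rec


if __name__ == '__main__':
    for rule in (BROKEN_RULE, WORKING_RULE):
        print(rule)
        for issue in lint_rule(rule) or ['ok']:
            print('  -', issue)
    print(parse_fast_log(FAST_LOG_LINE))
```

Running the script reports the split variable, the unparseable header and the missing sid for the first rule and nothing for the second; the parsed fast.log record carries sid 99990099 and the TCP 5-tuple, which is what a test harness would assert on after replaying the HTTP test traffic through the sensor.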
Cong_To
(Cong To)
September 26, 2020, 4:41am
Hi
Thank you for the feedback.
I have checked and tested other ports on the switch. As a result, the HTTP log is found. I am thinking my problem is in the switch interface configuration mode.
I will test again on another system because our switch is being used for the production environment.
Thank you very much
Hello,
Perfect. Thank you. Let us know how it goes.