Currently Suricata v6.0.13 is installed on my VM.
I’m receiving event_type values such as tls, dns, snmp, fileinfo, anomaly, http, etc.
Unfortunately no alerts are seen.
What could be the reason for this issue?
I appreciate your help !
What rule set are you using?
Hi @Jeff_Lucovsky ,
I’m using ET Open ruleset.
Could you share the Suricata configuration file you’re using?
There are a couple of things that could be causing no alerts:
- Traffic doesn’t contain traffic that generates alerts.
- Alerts aren’t properly configured.
- Ruleset
You’re using ET Open which is commonly used in the community. The traffic may be “clean” (free of conditions that would trigger an alert).
Since you’re seeing Suricata logs (tls, flow, etc.), that means Suricata is seeing traffic.
suricata.yaml.ens1.yaml (70.7 KB)
Hi @Jeff_Lucovsky ,
Please find the config file.
Thanks for sending your Suricata configuration file.
I’m running a test setup using Suricata 6.0.13 and it’s generating alerts.
The configuration file you’re using is sending alerts to syslog — I changed this to use eve.json by changing the `filetype` value to `regular` (was `syslog`).
Thank you for looking into this.
Could changing the alerting to syslog or the filetype really be the reason for this issue?
The same configuration is applied to other devices and they are working fine.
I just wanted to confirm whether encapsulation with the GRE protocol (for traffic mirroring) is supported by Suricata?
Yes, Suricata 6.0.x and later support GRE encapsulation.
I don’t think `syslog` vs `regular` for the `filetype` option is an issue; I was listing the differences between my testing configuration and yours.
Can you post `stats` entries? Depending on your configuration, these will be in `stats.log` or in entries inside of the `eve.json` reporting framework as `stats` event-type entries.
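The replies above ask for the `stats` entries and list "alerts aren't properly configured" and "clean traffic" as the usual causes of an empty alert log. The script below is an added example (not from this thread or the Suricata project) that reads eve.json lines, counts event types, and uses the `detect.alert`, `capture.kernel_drops` and `decoder.invalid` counters from the last `stats` record to separate "the engine never raised an alert" from "alerts were raised but not written to this output". The eve.json lines embedded in it are constructed sample data, not output from the poster's sensor; the counter names (`detect.alert`, `capture.kernel_drops`, `decoder.invalid`, `decoder.gre`) are the ones Suricata's stats output uses, but the values are made up.

```python
import json
import sys
from collections import Counter

# Constructed sample of eve.json lines (one JSON object per line), mimicking the
# poster's situation: protocol logs and a stats record, but no alert events.
SAMPLE_EVE = """\
{"timestamp":"2024-01-01T10:00:00.000000+0000","event_type":"flow","proto":"TCP"}
{"timestamp":"2024-01-01T10:00:01.000000+0000","event_type":"dns","dns":{"type":"query"}}
{"timestamp":"2024-01-01T10:00:02.000000+0000","event_type":"tls","tls":{"sni":"example.test"}}
{"timestamp":"2024-01-01T10:00:03.000000+0000","event_type":"http","http":{"hostname":"example.test"}}
{"timestamp":"2024-01-01T10:00:08.000000+0000","event_type":"stats","stats":{"uptime":8,"capture":{"kernel_packets":1200,"kernel_drops":0},"decoder":{"pkts":1200,"gre":1150,"invalid":0},"detect":{"alert":0}}}
"""


def summarize_eve(text):
    """Return (Counter of event_type values, last 'stats' object or None)."""
    counts = Counter()
    last_stats = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            counts["<unparseable>"] += 1
            continue
        et = rec.get("event_type", "<missing>")
        counts[et] += 1
        if et == "stats":
            # Stats records are cumulative, so the latest one is the useful one.
            last_stats = rec.get("stats", {})
    return counts, last_stats


def diagnose(counts, stats):
    """Classify a 'no alerts' log using the event counts and stats counters."""
    findings = []
    if counts.get("alert", 0) > 0:
        findings.append("OK: alert events are present in eve.json")
        return findings
    if stats is None:
        findings.append("NO_STATS: no stats events seen; enable stats output to "
                        "get detect.alert and drop counters")
        return findings
    detect_alerts = stats.get("detect", {}).get("alert", 0)
    if detect_alerts > 0:
        # Engine fired but nothing reached this file: an output configuration problem.
        findings.append("OUTPUT: engine counted %d alerts but none were logged; "
                        "check the eve-log 'alert' type and filetype" % detect_alerts)
    else:
        # Engine never fired: clean traffic for this ruleset, or rules did not load.
        findings.append("NO_MATCH: engine raised no alerts; traffic may not match "
                        "the loaded ruleset, or rules failed to load")
    drops = stats.get("capture", {}).get("kernel_drops", 0)
    if drops > 0:
        findings.append("DROPS: %d packets dropped at capture; alert-triggering "
                        "packets may be lost" % drops)
    invalid = stats.get("decoder", {}).get("invalid", 0)
    if invalid > 0:
        findings.append("DECODE: %d invalid packets; check GRE/encapsulation "
                        "decoding" % invalid)
    return findings


if __name__ == "__main__":
    # Usage: python eve_check.py /var/log/suricata/eve.json (falls back to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_EVE
    counts, stats = summarize_eve(text)
    for et, n in counts.most_common():
        print("%-12s %d" % (et, n))
    for f in diagnose(counts, stats):
        print(f)
```

On the constructed sample this reports NO_MATCH, which corresponds to the "traffic is clean for the ruleset" explanation above; on a real sensor, an OUTPUT finding instead points at the eve-log `alert` output type or the `filetype` setting being discussed in this thread.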