Questions and answers from April 2021's Webinar: An introduction to writing Suricata Rules

Hi folks,

As we weren’t able to answer all questions asked during the awesome webinar Tatyana Shishkova presented on writing Suricata Rules, we decided to bring such questions to the forum, so they can still have an answer.

I’ll share each question and answer pair as a different reply. All the answers have been provided by members of the OISF team.

Edit: I will update this post with the link to the webinar recording, as soon as it has been published!
Edit II: In case you’ve missed the webinar, or you would like to rewatch it, you can find it now on our YouTube channel: Webinar - An Introduction to Writing Suricata Rules with Tatyana Shishkova - YouTube

Feel free to ask follow-up questions here, if anything is unclear!

Question:

What is the preferred SIEM backend solution for Suricata to handle and sort alerts and messages? I am currently using a Graylog Elasticsearch-based backend. It works just fine; nonetheless, it would be nice to know the experience of others.

Answer: No, the best is to use what you already know.

Question:

Is it possible to match on non-IP traffic? E.g. some routing protocols are not IP.

Answer: No, matches are IP only.

Question:

Can Suricata differentiate between legitimate network traffic, such as normal network communication and such, or do we have to write rules to differentiate that?

Answer: No, you need to define what’s legitimate. Suricata can detect anomalies, or packets that are out of spec for the protocol in use.
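As an added illustration of the last two answers (not part of the webinar or the OISF team's replies), the rules below show the two approaches side by side: first, rules that encode a local definition of "legitimate" (here, which DNS resolvers internal hosts may use), and second, a rule that fires on protocol anomalies Suricata itself detects via app-layer events. `$HOME_NET` is the standard address-group variable; `$APPROVED_DNS` is an assumed variable you would add under `vars.address-groups` in suricata.yaml (e.g. `APPROVED_DNS: "[10.0.0.53,10.0.1.53]"`). The sid values are in the local (1000000+) range and are chosen for this example.

```suricata
# Added example rules; not from the webinar. Assumes $HOME_NET is set and that
# $APPROVED_DNS (a hypothetical address group listing the sanctioned resolvers)
# is defined in suricata.yaml under vars.address-groups.

# 1) Define what is legitimate: DNS from inside to the approved resolvers is
#    allowed through without alerting. Pass rules are evaluated before alerts.
pass dns $HOME_NET any -> $APPROVED_DNS 53 (msg:"LOCAL DNS to approved resolver"; flow:to_server; sid:1000001; rev:1;)

# 2) Everything else that looks like DNS from inside is a policy deviation worth a
#    look (hard-coded resolvers in malware, DoH fallbacks, misconfigured hosts).
#    The negated variable (!$APPROVED_DNS) matches any destination not in the group.
alert dns $HOME_NET any -> !$APPROVED_DNS 53 (msg:"LOCAL DNS to non-approved resolver"; flow:to_server; classtype:policy-violation; sid:1000002; rev:1;)

# 3) Anomaly detection without a local policy: Suricata raises app-layer events
#    when traffic is out of spec or does not match the protocol it was expected
#    to be. This mirrors the style of the stock app-layer-events.rules; the
#    event name is the one shipped there, the sid is local to this example.
alert tcp any any -> any any (msg:"LOCAL app-layer protocol mismatch in both directions"; flow:established; app-layer-event:applayer_mismatch_protocol_both_directions; classtype:protocol-command-decode; sid:1000003; rev:1;)
```

Load the file through the `rule-files` list in suricata.yaml and check it parses with `suricata -T -c suricata.yaml` before deploying; a typo in a variable name is reported at that stage rather than silently matching nothing. Rules 1 and 2 only make sense once `$APPROVED_DNS` reflects your environment, which is exactly the "you need to define what's legitimate" point above; rule 3 works with no local tuning but only catches traffic that violates the protocol, not traffic that is merely unwanted.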