I'm trying to get Suricata to alert on traffic from my public site. I'm currently mirroring the traffic to Suricata, and the source IP would be another public address.
I’ve written some sample test rules:
alert icmp x.x.x.x any <> any any (msg:"ICMP connection attempt:"; sid:1000002; rev:1;)
alert tcp x.x.x.x 22 <> any any (msg:"SSH connection attempt:"; sid:1000003; rev:1;)
alert tcp x.x.x.x 3000 <> any any (msg:"TCP connection to App:"; sid:1000004; rev:1;)
If I use my browser and hit x.x.x.x, Suricata is not picking it up. I do a tcpdump and can see the mirrored traffic hit the interface.
Does Suricata not support two non-RFC1918 addresses for monitoring? I attempted something like
alert icmp x.x.x.x any <> y.y.y.y any (msg:"ICMP connection attempt:"; sid:1000002; rev:1;)
replacing y.y.y.y with my ISP address, but it's still not triggering any alerts when I ping.
Any guidance is appreciated. Thanks.
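The following is an added example, not part of the original post and not Suricata's own code. It is a small checker for rule lines like the ones quoted above: it parses the rule header (action, protocol, source, source port, direction, destination, destination port), flags two copy/paste defects that silently break a test like this (typographic quotes instead of ASCII `"`, and the same sid used twice), and reports which rule headers would match a given 5-tuple, honouring the difference between `->` and `<>`. The addresses 203.0.113.10 (standing in for x.x.x.x) and 198.51.100.7 (for y.y.y.y) and the sample packets are constructed placeholders from the documentation ranges; the matching logic is a simplified model of Suricata's header matching (no `$HOME_NET` variables, no bracketed lists, no escaped `;` inside options), so it answers "could this header match at all", not whether a running sensor sees the packet.

```python
"""Header-level checker for Suricata rule lines (added example, not Suricata code)."""
import ipaddress
import re
from dataclasses import dataclass

# action proto src sport dir dst dport (options)
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)
SMART_QUOTES = "\u201c\u201d\u2018\u2019"  # what word processors turn " into
QUOTE_PROBLEM = 'typographic quotes; Suricata only accepts ASCII "'


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    direction: str
    dst: str
    dport: str
    options: dict


def lint_line(line):
    """Return a list of problems found in one rule line (empty if it looks sane)."""
    problems = []
    if any(ch in line for ch in SMART_QUOTES):
        problems.append(QUOTE_PROBLEM)
    if not HEADER_RE.match(line):
        problems.append("header does not parse as: action proto src sport dir dst dport (...)")
    return problems


def parse_rule(line):
    """Parse the header and the simple 'key:value;' options of one rule line."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError(f"unparseable rule: {line!r}")
    opts = {}
    for opt in m.group("opts").split(";"):  # simplified: no escaped ';' handling
        opt = opt.strip()
        if opt:
            key, _, val = opt.partition(":")
            opts[key.strip()] = val.strip().strip('"')
    return Rule(m.group("action"), m.group("proto"), m.group("src"), m.group("sport"),
                m.group("dir"), m.group("dst"), m.group("dport"), opts)


def duplicate_sids(rules):
    """sids that appear on more than one rule; Suricata refuses to load such a set."""
    seen, dups = set(), set()
    for r in rules:
        sid = r.options.get("sid")
        if sid in seen:
            dups.add(sid)
        seen.add(sid)
    return sorted(dups)


def ip_matches(spec, ip):
    """'any', a single address, a CIDR, optionally negated with '!'."""
    if spec == "any":
        return True
    negate = spec.startswith("!")
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return (ipaddress.ip_address(ip) in net) != negate


def port_matches(spec, port):
    """'any', a single port, or a 'lo:hi' range, optionally negated with '!'."""
    if spec == "any":
        return True
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    if ":" in spec:
        lo, _, hi = spec.partition(":")
        hit = (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    else:
        hit = port == int(spec)
    return hit != negate


def header_matches(rule, proto, sip, sport, dip, dport):
    """True if the rule header applies to this packet. '<>' also tries the reverse."""
    if rule.proto not in (proto, "ip"):
        return False
    forward = (ip_matches(rule.src, sip) and port_matches(rule.sport, sport)
               and ip_matches(rule.dst, dip) and port_matches(rule.dport, dport))
    if forward or rule.direction == "->":
        return forward
    return (ip_matches(rule.src, dip) and port_matches(rule.sport, dport)
            and ip_matches(rule.dst, sip) and port_matches(rule.dport, sport))


def matching_sids(rules, pkt):
    """sids of every rule whose header matches pkt = (proto, sip, sport, dip, dport)."""
    return [r.options.get("sid") for r in rules if header_matches(r, *pkt)]


# Constructed sample: the post's rules with 203.0.113.10 as the public site (x.x.x.x)
# and 198.51.100.7 as the ISP address (y.y.y.y). Both are documentation ranges.
SAMPLE_RULES = [
    'alert icmp 203.0.113.10 any <> any any (msg:"ICMP connection attempt:"; sid:1000002; rev:1;)',
    'alert tcp 203.0.113.10 22 <> any any (msg:"SSH connection attempt:"; sid:1000003; rev:1;)',
    'alert tcp 203.0.113.10 3000 <> any any (msg:"TCP connection to App:"; sid:1000004; rev:1;)',
    'alert icmp 203.0.113.10 any <> 198.51.100.7 any (msg:"ICMP connection attempt:"; sid:1000002; rev:1;)',
]

# Constructed sample packets as (proto, sip, sport, dip, dport); ICMP has no ports, so 0.
SAMPLE_PACKETS = {
    "ping from ISP address": ("icmp", "198.51.100.7", 0, "203.0.113.10", 0),
    "browser to port 443": ("tcp", "198.51.100.7", 51234, "203.0.113.10", 443),
    "browser to port 3000": ("tcp", "198.51.100.7", 51235, "203.0.113.10", 3000),
    "ssh client to port 22": ("tcp", "198.51.100.7", 40000, "203.0.113.10", 22),
}

if __name__ == "__main__":
    rules = [parse_rule(line) for line in SAMPLE_RULES]
    print("duplicate sids:", duplicate_sids(rules))
    for name, pkt in SAMPLE_PACKETS.items():
        print(f"{name:24s} -> {matching_sids(rules, pkt)}")
```

Run stand-alone, the script reports sid 1000002 as duplicated (the original and the y.y.y.y variant carry the same sid), shows the ping matching both ICMP rules, the browser connection to port 443 matching no header at all (the TCP rules pin the site side to ports 22 and 3000), and the connections to 3000 and 22 matching 1000004 and 1000003. Before looking at the capture path, it is worth running `suricata -T -c suricata.yaml -S test.rules` against the real rule file, since a rule that fails to parse is dropped at load time and can never fire.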