SID number to get alert rules for pcap files and malware alert detection without internet connection

Hi,
I have configured Suricata in my environment. How do I get alerts or drops in my Suricata? Which rule do I need to enable to get them? I am new to Suricata…

Also, in my setup I don't have an internet connection, but I want to generate alerts for pcap files or any malware-detected alerts in my Suricata setup. Are there any rules to enable to get a malware/virus alert SID or regex ID in Suricata?

Hello,

(sorry for a delayed answer)

About rules: if you use Suricata-update (it should come bundled with Suri if you have it installed via packages), you can enable some open rulesets that will have many rules to help detect suspicious activities in your network (or pcap).

Malware and other suspicious activities may have very different behaviors, so you need to know what you are trying to detect on your network - to some extent - to know what rule(s) you want/need.

You said that your setup doesn’t have internet connection. If you just want to check that your Suricata is working, nonetheless, you can run it over any pcap with a very simple and generic rule such as

alert ip any any -> any any (msg: "Very generic IP rule"; sid: 20220719;)

This rule should work because it will generate an alert for any traffic seen on any port, regardless of whether it is UDP or TCP or which application layer protocol is used. (It is only for testing, really.)

About detecting suspicious activities in a network without access to the internet, I suppose that if you managed to set up Suricata in such a way that it could inspect all intranet activity, provided that you had a good ruleset, you would be able to detect anomalous activities - but here I’m just supposing and can’t offer much advice…

A how-to on how to get started with Suricata-update:

Hope these answers can help a bit!

2 Likes
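A small check for the offline test described above, added here as an example (it is not code from the thread or from the Suricata project): it parses a local.rules file for SIDs, counts the alert events in the eve.json that Suricata writes when run over a pcap, and reports how often each loaded SID fired, so a rule that never alerts shows up as 0. The rule lines and eve.json lines are constructed sample data, and the DNS rule is a hypothetical extra rule that the sample traffic does not trigger.

```python
import json
import re
from collections import Counter

# Constructed local.rules: the generic test rule from the thread plus one
# hypothetical extra rule that the sample eve.json below never triggers.
SAMPLE_RULES = """
alert ip any any -> any any (msg: "Very generic IP rule"; sid: 20220719;)
alert dns any any -> any any (msg: "Hypothetical DNS rule"; sid: 9000001; rev:1;)
"""

# Constructed eve.json lines in the shape of Suricata's eve-log output
# after an offline run such as: suricata -r file.pcap -S local.rules -l logs/
SAMPLE_EVE = """
{"event_type":"flow","src_ip":"10.0.0.5","dest_ip":"10.0.0.9","proto":"TCP"}
{"event_type":"alert","src_ip":"10.0.0.5","dest_ip":"10.0.0.9","proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":20220719,"rev":0,"signature":"Very generic IP rule","severity":3}}
{"event_type":"alert","src_ip":"10.0.0.5","dest_ip":"10.0.0.9","proto":"UDP","alert":{"action":"allowed","gid":1,"signature_id":20220719,"rev":0,"signature":"Very generic IP rule","severity":3}}
"""

# Rule header (action proto src sport -> dst dport) followed by the option list.
RULE_RE = re.compile(r"^(alert|drop|pass|reject)\s+\S+\s+\S+\s+\S+\s+[-<]>\s+\S+\s+\S+\s*\((.*)\)\s*$")

def parse_rules(text):
    """Return {sid: msg} for each rule line; comments and blank lines never match."""
    rules = {}
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        opts = {}
        # Options are split on ';', so a msg that itself contains ';' needs a real parser.
        for opt in m.group(2).split(";"):
            if ":" in opt:
                key, val = opt.split(":", 1)
                opts[key.strip()] = val.strip().strip('"')
        if "sid" in opts:
            rules[int(opts["sid"])] = opts.get("msg", "")
    return rules

def count_alerts(eve_text):
    """Count eve.json alert events per signature_id; other event types are ignored."""
    counts = Counter()
    for line in filter(str.strip, eve_text.splitlines()):
        event = json.loads(line)
        if event.get("event_type") == "alert":
            counts[event["alert"]["signature_id"]] += 1
    return counts

def rule_coverage(rules_text, eve_text):
    """Map every loaded sid to its alert count, so rules that never fired show as 0."""
    counts = count_alerts(eve_text)
    return {sid: counts.get(sid, 0) for sid in parse_rules(rules_text)}
```

Point `rule_coverage` at the real `local.rules` and `eve.json` from your log directory to confirm that the generic test rule actually fired on your pcap before moving on to a larger ruleset.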

Thanks Ju Fajardini… sorry for the late reply… these links help me…

1 Like