Hi, everyone.
I’m a Suricata beginner.
Could you help me with my problem?
Environment
OS: Debian 12
Software: Suricata 7.0.6 (installed from Git)
Background
I want to make sure all alerts are logged to fast.log.
I created the following test rule:
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"TEST: HTTP Request to a *.suricata.test Domain"; flow:established,to_server; http.host; content:".suricata.test"; endswith; classtype:bad-unknown; sid:1000000; rev:1; metadata:created_at 2024_08_05;)
Problem
I sent 56 HTTP requests which had the "test1.suricata.test" domain.
But there were only 2 alerts recorded in the fast.log.
My requests
If there are 56 packets that match the conditions for the rule, I want 56 alerts to be recorded in fast.log.
I uploaded the following files. Please check them.
If you would like to know more details, please let me know.
Can it detect traffic on other IPs, not the Suricata IP?
Thank you for your reply.
Yes, 2 IP addresses in log.9.1722843724.pcap are not suricata IP.
If you have any additional questions, feel free to ask me.
I have a problem with the /var/log/suricata/fast.log file: when I attack towards IP 192.168.9.10, namely the server, the traffic shows up in /var/log/suricata/fast.log but towards the Suricata IP 192.168.9.20 in the log. Help me solve this so that the target IP is as intended.
Sorry, I don’t have a good resolution because I’m not a Suricata professional…
Do you have a NAT setting somewhere on your network?
You should post your problem with your network diagram and configuration.
I’m sorry I couldn’t be of help.
If you just use the content match you will end up with many more alerts (the 56), but if you look for the number of "http" events you see that there are also just 2, so that explains why you end up with 2 alerts based on the specific signature.
You will see this as well in the stats.log:
app_layer.flow.http | Total | 1
app_layer.tx.http | Total | 2
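One way to check this against your own logs, as an added example that is not part of this thread or of Suricata's own code: the Python below parses fast.log and stats.log, counts alerts per SID and compares that with app_layer.tx.http, since a rule keyed on an HTTP buffer such as http.host can fire at most once per parsed HTTP transaction. The regexes assume the default fast.log line layout and the counter | TM Name | value rows of stats.log; the embedded samples are constructed (documentation IP ranges, invented timestamps), so it runs offline.

```python
"""Cross-check fast.log alerts against the HTTP counters in stats.log.

Added example for this thread, not Suricata project code. It assumes the
standard fast.log line layout and the 'counter | TM Name | value' rows of
stats.log; the two samples below are constructed so the script runs offline.
"""
import re
from collections import Counter

# fast.log: "<date-time>  [**] [gid:sid:rev] msg [**] [Classification: ..]
#            [Priority: n] {PROTO} src:sport -> dst:dport"   (IPv4 assumed)
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]"
    r"\s+(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
)
# stats.log: "counter_name | <thread name or Total> | value"
STATS_RE = re.compile(r"^(?P<name>[\w.]+)\s*\|\s*(?P<tm>[^|]+?)\s*\|\s*(?P<value>\d+)\s*$")

# Constructed sample: two alerts for the thread's sid from one client connection.
SAMPLE_FAST_LOG = """\
08/05/2024-10:42:04.123456  [**] [1:1000000:1] TEST: HTTP Request to a *.suricata.test Domain [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.0.2.10:51234 -> 198.51.100.7:80
08/05/2024-10:42:05.654321  [**] [1:1000000:1] TEST: HTTP Request to a *.suricata.test Domain [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.0.2.10:51234 -> 198.51.100.7:80
"""

# Constructed sample: the counters quoted in the thread plus the dump's framing lines.
SAMPLE_STATS_LOG = """\
------------------------------------------------------------------------------------
Date: 8/5/2024 -- 10:43:00 (uptime: 0d, 00h 01m 00s)
------------------------------------------------------------------------------------
Counter                                    | TM Name                   | Value
------------------------------------------------------------------------------------
capture.kernel_packets                     | Total                     | 120
app_layer.flow.http                        | Total                     | 1
app_layer.tx.http                          | Total                     | 2
"""


def parse_fast_log(text):
    """Return one dict per fast.log line that matches the alert layout."""
    alerts = []
    for line in text.splitlines():
        m = FAST_RE.match(line)
        if m:
            rec = m.groupdict()
            for key in ("gid", "sid", "rev", "sport", "dport"):
                rec[key] = int(rec[key])
            alerts.append(rec)
    return alerts


def parse_stats_log(text):
    """Return {counter: value} for the 'Total' rows of a stats.log dump."""
    totals = {}
    for line in text.splitlines():
        m = STATS_RE.match(line)
        if m and m.group("tm") == "Total":
            totals[m.group("name")] = int(m.group("value"))
    return totals


def alerts_per_sid(alerts):
    """Count alerts by signature id."""
    return Counter(a["sid"] for a in alerts)


def check_http_rule(alerts, totals, sid):
    """Compare a rule's alert count with the HTTP transactions Suricata parsed.

    If alerts == app_layer.tx.http, the rule fired for every transaction the
    HTTP parser produced; fewer transactions than requests sent is then a
    parsing/flow question rather than a problem with the rule itself.
    """
    fired = alerts_per_sid(alerts).get(sid, 0)
    http_tx = totals.get("app_layer.tx.http", 0)
    http_flows = totals.get("app_layer.flow.http", 0)
    tuples = {(a["src"], a["sport"], a["dst"], a["dport"]) for a in alerts if a["sid"] == sid}
    return {
        "sid": sid,
        "alerts": fired,
        "http_flows": http_flows,
        "http_tx": http_tx,
        "fired_on_every_tx": fired == http_tx,
        "flows_seen": sorted(tuples),
    }


if __name__ == "__main__":
    alerts = parse_fast_log(SAMPLE_FAST_LOG)
    totals = parse_stats_log(SAMPLE_STATS_LOG)
    for key, value in check_http_rule(alerts, totals, 1000000).items():
        print(f"{key:>18}: {value}")
```

Run it against your real files by replacing the two sample strings with the contents of fast.log and stats.log; if flows_seen shows one client connection and http_tx is far below the number of requests you sent, look at how those requests were carried on the wire (one connection, pipelining, or a capture that did not see the full stream) rather than at the rule.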
Thank you for your reply and I’m sorry for my late reply.
If you just use the content match you will end up with many more alerts (the 56)
Is it possible to configure it to only use the content match? How can I do this?
Is there a performance impact if I use only content matching?
if you look for the number of "http" events you see that there are also just 2, so that explains why you end up with 2 alerts based on the specific signature.
What is the basis for Suricata counting http events? Is it the src ip or src port combination?
Can you explain a bit more what you want to achieve?
The performance impact depends on many factors, so hard to tell.
If it detects an HTTP connection, there will be at least one event for http.