Hi everyone,
I’m experiencing an issue with Suricata 7.0.9 running in IDS mode using af-packet on Debian. The installation appears to work fine, and the service is active. I’ve verified the following:
- The configuration loads correctly (`suricata -T` returns no errors).
- Over 34,000 rules are successfully loaded from multiple `.rules` files.
- The `eve.json` log file is created and regularly updated.
- I’m monitoring interface `enp1s0`, which shows traffic in `tcpdump`.
- Only test ICMP alerts and a single GPL SNMP public access alert are being generated.
- The `eve.json` file contains `dns` and `flow` events but almost no actual alerts.
- Even after scanning the system with `nmap`, very few alerts are triggered.
- Wazuh integration is working, and I can see alerts that are present in `eve.json`.
Things I have tried:
- Verified that the rules are uncommented and active.
- Tested using different rule files.
- Changed `cluster-id` in `af-packet` to avoid conflicts.
- Confirmed that `suricata.yaml` points to the correct rules path.
Has anyone faced a similar issue? What else should I check to ensure Suricata is properly processing rules and generating expected alerts?
Any help would be greatly appreciated!
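An added example for readers of this thread, not code from the original poster or from the Suricata project: a small Python triage script that reads `eve.json`, counts events by `event_type`, lists which signature IDs actually fired, and pulls the af-packet `kernel_drops` counter out of the `stats` events, because packets dropped at capture never reach the detect engine and so can never produce an alert. The `eve.json` lines embedded below are constructed sample data and the signature IDs in them are illustrative; the field names follow Suricata's EVE JSON output.

```python
#!/usr/bin/env python3
"""Triage a Suricata eve.json: which event types appear, which signatures fire,
and whether the af-packet capture is dropping packets.

Added example for this thread, not code from the original post or from the
Suricata project. Field names follow Suricata's EVE JSON output
(event_type, alert.signature_id, alert.signature, stats.capture.kernel_drops).
"""
import json
import sys
from collections import Counter

# Constructed sample eve.json content (not real captured data). The two alert
# records mirror the kind of output described in the thread: one ICMP test
# alert and one GPL SNMP alert, alongside flow, dns and stats events. The
# last line is deliberately malformed to exercise the parser.
SAMPLE_EVE = """\
{"timestamp":"2025-01-01T10:00:00.000000+0000","event_type":"flow","src_ip":"10.0.0.5","dest_ip":"10.0.0.9","proto":"TCP","flow":{"pkts_toserver":3,"pkts_toclient":2}}
{"timestamp":"2025-01-01T10:00:01.000000+0000","event_type":"dns","src_ip":"10.0.0.5","dest_ip":"10.0.0.1","proto":"UDP","dns":{"type":"query","rrname":"example.com"}}
{"timestamp":"2025-01-01T10:00:02.000000+0000","event_type":"alert","src_ip":"10.0.0.7","dest_ip":"10.0.0.9","proto":"ICMP","alert":{"signature_id":2100384,"signature":"GPL ICMP PING","category":"Misc activity","severity":3}}
{"timestamp":"2025-01-01T10:00:03.000000+0000","event_type":"alert","src_ip":"10.0.0.7","dest_ip":"10.0.0.9","proto":"UDP","alert":{"signature_id":2101411,"signature":"GPL SNMP public access udp","category":"Attempted Information Leak","severity":2}}
{"timestamp":"2025-01-01T10:00:04.000000+0000","event_type":"flow","src_ip":"10.0.0.7","dest_ip":"10.0.0.9","proto":"TCP","flow":{"pkts_toserver":1,"pkts_toclient":0}}
{"timestamp":"2025-01-01T10:00:05.000000+0000","event_type":"stats","stats":{"capture":{"kernel_packets":1200,"kernel_drops":0}}}
this line is deliberately not JSON and must be skipped
"""


def parse_eve(text):
    """Return the parsed EVE records in `text`, skipping blank or malformed lines.

    eve.json is newline-delimited JSON; the last line may be half-written while
    Suricata is still appending, and that must not abort the whole analysis.
    """
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records


def count_event_types(records):
    """Count records per event_type (alert, flow, dns, stats, ...)."""
    return Counter(rec.get("event_type", "unknown") for rec in records)


def count_signatures(records):
    """Count fired alerts per (signature_id, signature) pair."""
    sigs = Counter()
    for rec in records:
        if rec.get("event_type") != "alert":
            continue
        alert = rec.get("alert", {})
        sigs[(alert.get("signature_id"), alert.get("signature"))] += 1
    return sigs


def capture_drops(records):
    """Return kernel_drops from the most recent stats event, or None if absent.

    The stats counters are cumulative since engine start, so the latest record
    carries the total. Non-zero drops mean packets reached the NIC but never
    reached the detect engine, so no rule could have matched them.
    """
    latest = None
    for rec in records:
        if rec.get("event_type") == "stats":
            capture = rec.get("stats", {}).get("capture")
            if capture is not None:
                latest = capture.get("kernel_drops", 0)
    return latest


def main(path=None):
    text = open(path).read() if path else SAMPLE_EVE
    records = parse_eve(text)
    types = count_event_types(records)
    print("events by type:", dict(types))
    if types["flow"]:
        print("alerts per flow: %.2f" % (types["alert"] / types["flow"]))
    for (sid, name), n in count_signatures(records).most_common():
        print(f"  sid {sid}: {name} x{n}")
    drops = capture_drops(records)
    print("kernel capture drops:", "no stats events" if drops is None else drops)


if __name__ == "__main__":
    main(sys.argv[1] if len(sys.argv) > 1 else None)
```

Run it against the embedded sample with no arguments, or point it at the live log (on Debian typically `/var/log/suricata/eve.json`, adjust to your `default-log-dir`). A flow count that keeps climbing while the alert count stays flat and `kernel_drops` stays at zero tells you the engine is seeing the traffic, which narrows the problem to rule matching rather than capture; a non-zero drop counter says the opposite.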