Suricata does not create alerts following attack tests


I recently installed Suricata (version 6.0.1) on my debian 11 machine.
I want to monitor my server on the enp3s0 interface corresponding to my network xx.xx.xx.xx/24. On this server, I have SSH access by public key as well as two Apache servers.

I have a fail2ban service that bans SSH access and denied authentication on Apache. However, I have no logs or alerts generated by Suricata. Is it because of Fail2ban?

I have a very restricted firewall, which only allows http/https/ssh/dns etc. access to certain IPs.

At the Suricata rules level, I left everything by default except for the addition of the “tgreen/hunting” source.

In the configuration file, I just indicated the network address in $HOME_NET.

The only logs generated in eve.json are just stats.

Do you know why I have very few alerts?
(For example, if I hping a remote server to my server, no alerts are detected)

If you only enabled the alert type in the eve output you won’t get protocol transaction logs, plus you only enabled the tgreen/hunting rules and you have a small network, so it is normal.

I suggest that you add the ETOpen ruleset to have a wider coverage of attacks.

Sorry, I didn’t quite understand, do I have to activate a few things in particular?

OK I will do it, thanks!

Suricata can alert on malicious traffic based on signatures but also records network protocols events in general.

You can enable those in suricata.yaml eve output section.

Please share your config and also how you run Suricata. You should see more events besides just stats if network traffic is captured properly.
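To make the two suggestions in this thread concrete (enable more eve event types than just stats/alerts, and load a broader ruleset than tgreen/hunting alone), here is an added example of the relevant suricata.yaml fragments. It is illustrative configuration written for this reply, not the original poster's file and not a copy of the Suricata project's default configuration; the HOME_NET range, the interface name enp3s0 and the rule path are assumptions that must be adapted to the actual server.

```yaml
# Added example for Suricata 6.x (not the poster's config). Only the sections that
# matter for "I only see stats in eve.json" are shown; keep the rest of your file.

vars:
  address-groups:
    # Assumed placeholder: replace with the real xx.xx.xx.xx/24 server network.
    HOME_NET: "[192.0.2.0/24]"
    EXTERNAL_NET: "!$HOME_NET"

outputs:
  - eve-log:
      enabled: yes
      filetype: regular
      filename: eve.json
      types:
        # Signature matches. With only this type enabled, a quiet network
        # and a small ruleset produce almost nothing besides stats.
        - alert:
            payload: yes            # include matched payload (base64)
            payload-printable: yes  # and a printable copy
            packet: yes
            metadata: yes
            http-body: yes
            http-body-printable: yes
            tagged-packets: yes
        # Protocol transaction logs: written for every session Suricata
        # parses, rule match or not. These prove that traffic is being seen.
        - http:
            extended: yes
        - tls:
            extended: yes
        - ssh
        - dns:
            query: yes
            answer: yes
        # Protocol anomalies (malformed or unexpected app-layer traffic).
        - anomaly:
            enabled: yes
            types:
              applayer: yes
        # One record per completed flow, useful for scans that never match a rule.
        - flow
        - stats:
            totals: yes
            threads: no
            deltas: no

# Rules. suricata-update writes one merged file here after running
#   suricata-update enable-source et/open
#   suricata-update
# (tgreen/hunting can stay enabled alongside it).
default-rule-path: /var/lib/suricata/rules
rule-files:
  - suricata.rules

# Capture on the monitored interface (assumed name from the question).
af-packet:
  - interface: enp3s0
    cluster-id: 99
    cluster-type: cluster_flow
    defrag: yes
```

After editing, run `suricata -T -c /etc/suricata/suricata.yaml` to validate the file and the rules, restart the service, and then look for `"event_type":"flow"` or `"event_type":"ssh"` entries in eve.json while opening an SSH session to the host: those appear without any rule matching, so their absence points at capture (wrong interface, wrong HOME_NET, Suricata not actually running in af-packet mode) rather than at the ruleset. Fail2ban is not the cause of missing logs: af-packet taps frames at the network device, before the netfilter rules fail2ban inserts, so inbound packets from a banned host are still visible to Suricata even though the kernel later drops them.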