I have a VM that acts as a router (NAT) and is linked to the inet network, 2 client VMs linked to the inet network, and my IDS VM also linked to the inet network with promiscuous mode set to 'allow all'.
After installation I wrote this simple rule: alert icmp any any -> any any (msg:"PING detected"; sid:2; rev:1;)
but then when I run suricata -S testicmp.rules -i enp0s3 and ping my IDS VM from one of my client VMs, nothing shows up in the suricata terminal, as if nothing happens.
I'm running suricata using suricata -S testicmp.rules -i enp0s3 -v; the verbose output tells me that the file is successfully loaded. I don't understand what you meant by an eve log entry or a suricata-generated pcap file. Where do I choose which one to use, and which one should I use?
Please share your suricata.yaml so we know where your log files should be located. This could be /usr/local/var/log/suricata or just /var/log/suricata or somewhere else, depending on your build/config.
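Alerts do not print to the terminal by default; they are written to the log directory from suricata.yaml (or the one given with -l), in fast.log and eve.json. The following is an added example, not code from either poster or from the Suricata project: it reads eve.json lines and lists the alerts raised by the "PING detected" rule (sid 2). The EVE lines and IP addresses in it are constructed for illustration.

```python
import json

# Constructed sample EVE JSON lines (one JSON object per line), shaped like
# what Suricata writes to eve.json. Addresses and timestamps are made up.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2024-01-01T12:00:00.000000+0000","event_type":"alert",'
    '"src_ip":"10.0.2.15","dest_ip":"10.0.2.20","proto":"ICMP",'
    '"alert":{"action":"allowed","gid":1,"signature_id":2,"rev":1,'
    '"signature":"PING detected","category":"","severity":3}}',
    '{"timestamp":"2024-01-01T12:00:01.000000+0000","event_type":"flow",'
    '"src_ip":"10.0.2.15","dest_ip":"10.0.2.20","proto":"TCP"}',
    'not json - a truncated or corrupted line should simply be skipped',
    '{"timestamp":"2024-01-01T12:00:02.000000+0000","event_type":"alert",'
    '"src_ip":"10.0.2.20","dest_ip":"10.0.2.15","proto":"ICMP",'
    '"alert":{"action":"allowed","gid":1,"signature_id":2,"rev":1,'
    '"signature":"PING detected","category":"","severity":3}}',
]


def iter_events(lines):
    """Yield parsed EVE events, skipping blank or malformed lines."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def alerts_for_sid(lines, sid):
    """Return (timestamp, src_ip, dest_ip, signature) for every alert
    event whose signature_id matches sid; other event types are ignored."""
    hits = []
    for ev in iter_events(lines):
        if ev.get("event_type") != "alert":
            continue
        alert = ev.get("alert", {})
        if alert.get("signature_id") != sid:
            continue
        hits.append((ev.get("timestamp"), ev.get("src_ip"),
                     ev.get("dest_ip"), alert.get("signature")))
    return hits


def alerts_from_file(path, sid):
    """Same check against a real eve.json, e.g. /var/log/suricata/eve.json."""
    with open(path, encoding="utf-8") as fh:
        return alerts_for_sid(fh, sid)


if __name__ == "__main__":
    for hit in alerts_for_sid(SAMPLE_EVE_LINES, 2):
        print(hit)
```

If alerts_from_file() returns nothing after pinging the IDS VM, the rule did not fire or the log directory is not the one being checked, which is what the suricata.yaml request above is meant to resolve.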