Suricata drop/ Alerts to external Database

Hi All,
I have a few doubts; if you can help, it would be nice.

  1. Many rules have action: alert, so is the traffic allowed by just alerting?
  2. If I want to send alert/drop events for this malicious traffic to an external database for further analysis, how can I do that?

Hi!

  1. If you are running Suricata in IDS mode, it will generate alerts based on rules, but won’t drop the traffic (if you want malicious traffic to be dropped, consider IPS mode; whether that really works depends on the network setup you have);
  2. If you want to capture the malicious traffic if certain alerts happen, the released Suricata versions don’t have that capability as of yet. But Conditional PCAP logging is one of the new features for Suricata 7, which should be released within a few months.

Mr Éric Leblond is the contributor for this addition. See his presentation during SuriCon2021:
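As an added example (not from this thread or the Suricata project): a small Python exporter that reads Suricata EVE JSON alert records and loads them into a SQLite database, the kind of "send alerts to an external database" step question 2 asks about. It uses constructed sample EVE lines; the `alert.action` field answers question 1 from the data, since it is `allowed` when a rule only alerted and `blocked` when the rule dropped the traffic in IPS mode.

```python
import json
import sqlite3

# Constructed sample EVE JSON lines, not real traffic. Suricata writes one JSON
# object per line to eve.json; alert.action is "allowed" or "blocked".
SAMPLE_EVE_LINES = [
    '{"timestamp":"2023-01-01T10:00:00.000000+0000","event_type":"alert",'
    '"src_ip":"10.0.0.5","src_port":44321,"dest_ip":"203.0.113.10","dest_port":80,'
    '"proto":"TCP","alert":{"action":"allowed","signature_id":2100498,'
    '"signature":"GPL ATTACK_RESPONSE id check returned root","severity":2}}',
    '{"timestamp":"2023-01-01T10:00:01.000000+0000","event_type":"alert",'
    '"src_ip":"10.0.0.7","src_port":51000,"dest_ip":"203.0.113.20","dest_port":443,'
    '"proto":"TCP","alert":{"action":"blocked","signature_id":9000001,'
    '"signature":"LOCAL constructed drop rule","severity":1}}',
    '{"timestamp":"2023-01-01T10:00:02.000000+0000","event_type":"flow","proto":"TCP"}',
    '{"timestamp":"2023-01-01T10:00:03.0',  # truncated line, as seen mid-write
]

SCHEMA = """CREATE TABLE IF NOT EXISTS alerts (
    ts TEXT, src_ip TEXT, src_port INTEGER, dest_ip TEXT, dest_port INTEGER,
    proto TEXT, sid INTEGER, signature TEXT, severity INTEGER, action TEXT)"""


def parse_alerts(lines):
    """Return DB rows for event_type=alert records; other events and bad lines are skipped."""
    rows = []
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # never let one malformed line stop the export
        if ev.get("event_type") != "alert":
            continue
        a = ev["alert"]
        rows.append((ev["timestamp"], ev.get("src_ip"), ev.get("src_port"),
                     ev.get("dest_ip"), ev.get("dest_port"), ev.get("proto"),
                     a.get("signature_id"), a.get("signature"), a.get("severity"),
                     a.get("action")))
    return rows


def export_alerts(lines, db_path=":memory:"):
    """Load alerts into the SQLite database at db_path; returns (rows stored, count per action)."""
    conn = sqlite3.connect(db_path)  # swap for a connector to your external database
    conn.execute(SCHEMA)
    rows = parse_alerts(lines)
    conn.executemany("INSERT INTO alerts VALUES (?,?,?,?,?,?,?,?,?,?)", rows)
    conn.commit()
    by_action = dict(conn.execute("SELECT action, COUNT(*) FROM alerts GROUP BY action"))
    conn.close()
    return len(rows), by_action
```

Pointing `db_path` at a file (or replacing `sqlite3` with another DB-API connector) and feeding it the lines of a live `eve.json` gives a persistent store you can query for allowed versus blocked alerts.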

Hi, got it, thanks.
Just to make sure: is section 13 in the Read the Docs documentation sufficient for the IPS setting?

I’m not an expert in that regard, so can’t help there :stuck_out_tongue:

But if you encounter any issues, as you know, this forum is your friend ^^
