Test Alert Rule

What is the most reliable rule to use for testing that alerting is operating correctly? Caveat: as generic a rule as possible.

Is there a recommendation?

PING? DNS Query? HTTPS Traffic to unique URI?

Hi Don,

Check this out:
https://suricata.readthedocs.io/en/suricata-6.0.9/quickstart.html#alerting

That’s how I tested mine to make sure it was working. Hope this is what you were looking for.

Jamie


Thank you. I’ll take another look at it.

I’m looking for an ad-hoc “user please do $process, so we can confirm Suricata is working as intended.” Whether that’s PING 8.8.8.8 or Browse to a website to catch DNS resolution or http traffic. I was hoping there was a recommended best practice for high-fidelity alerts used to confirm traffic is seen, rule/alert is fired, and the monitoring team sees the alert.

What would be missing from the step described in the link? With that you can simply verify that it’s working from a basic perspective if the alert has hit and matches.

Yes!
curl http://testmynids.org/uid/index.html
worked!

Suricata Heartbeat, as we have successfully implemented:

  1. Signature for DNS query (UDP53) for a very specific FQDN
  2. PCAP of that UDP Packet
  3. Replay PCAP using tcpreplay on the Suricata monitor interface

Now to set a schedule to replay that tcpreplay, and write appropriate SIEM alerts/reports.