What is the most reliable rule to use for testing alerting is operating correctly? Caveat: as generic a rule as possible.
Is there a recommendation?
PING? DNS Query? HTTPS Traffic to unique URI?
Hi Don,
Check this out:
https://suricata.readthedocs.io/en/suricata-6.0.9/quickstart.html#alerting
That’s how I tested mine to make sure it was working. Hope this is what you were looking for.
Jamie
Thank you. I’ll take another look at it.
I’m looking for an ad-hoc “user please do $process, so we can confirm Suricata is working as intended.” Whether that’s PING 8.8.8.8 or Browse to a website to catch DNS resolution or http traffic. I was hoping there was a recommended best practice for high-fidelity alerts used to confirm traffic is seen, rule/alert is fired, and the monitoring team sees the alert.
What would be missing from the step described in the link? With that you can simply verify that it’s working from a basic perspective if the alert has hit and matches.
Yes!
curl http://testmynids.org/uid/index.html
worked!
Suricata Heartbeat, as we have successfully implemented:
Now to set a schedule to replay that with tcpreplay and write the appropriate SIEM alerts/reports.
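One way to turn the curl check above into a scheduled heartbeat that a monitoring team can alert on. This is an added example, not code posted by anyone in the thread or shipped by Suricata. It assumes Suricata writes its fast.log to /var/log/suricata/fast.log (override with FAST_LOG) and that the ET Open rule matched by the testmynids.org page ("GPL ATTACK_RESPONSE id check returned root", as shown in the linked quickstart) is enabled; the fast.log lines used for the offline self-check are constructed samples.

```shell
#!/bin/sh
# Added example: end-to-end Suricata alert-path heartbeat.
# Assumptions: fast.log at $FAST_LOG and the ET rule for testmynids.org enabled.
set -u

FAST_LOG="${FAST_LOG:-/var/log/suricata/fast.log}"
PROBE_URL="http://testmynids.org/uid/index.html"
EXPECTED_SIG="GPL ATTACK_RESPONSE id check returned root"

# send_probe: generate the benign test traffic (same request as the thread).
send_probe() {
    curl -s -m 10 -o /dev/null "$PROBE_URL"
}

# count_alerts FILE SIGNATURE: number of fast.log lines carrying SIGNATURE
# (0 when the file is missing or has no matches).
count_alerts() {
    if [ -f "$1" ]; then
        grep -c -F -- "$2" "$1" || true
    else
        echo 0
    fi
}

# wait_for_alert FILE SIGNATURE BASELINE [TIMEOUT]: poll FILE until the match
# count exceeds BASELINE (the count taken before the probe) or TIMEOUT seconds
# elapse. Returns 0 when a new alert appeared, 1 otherwise.
wait_for_alert() {
    file="$1"; sig="$2"; baseline="$3"; timeout="${4:-30}"
    waited=0
    while [ "$waited" -lt "$timeout" ]; do
        now=$(count_alerts "$file" "$sig")
        if [ "$now" -gt "$baseline" ]; then
            return 0
        fi
        sleep 1
        waited=$((waited + 1))
    done
    return 1
}

# heartbeat: live check. Prints one status token for cron/SIEM consumption.
# Exit codes: 0 alert seen, 1 no alert in time, 2 probe could not be sent.
heartbeat() {
    before=$(count_alerts "$FAST_LOG" "$EXPECTED_SIG")
    if ! send_probe; then
        echo "SURICATA_HEARTBEAT_FAIL probe_not_sent"
        return 2
    fi
    if wait_for_alert "$FAST_LOG" "$EXPECTED_SIG" "$before"; then
        echo "SURICATA_HEARTBEAT_OK"
        return 0
    fi
    echo "SURICATA_HEARTBEAT_FAIL no_alert_within_timeout"
    return 1
}

# write_sample_fastlog FILE: constructed fast.log content (sample data, not a
# real capture) so the parsing logic can be exercised without network access.
write_sample_fastlog() {
    cat > "$1" <<'EOF'
01/01/2024-12:00:00.000001  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.10:80 -> 192.0.2.5:51234
01/01/2024-12:00:05.000002  [**] [1:2013028:7] ET POLICY curl User-Agent Outbound [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.5:51234 -> 203.0.113.10:80
EOF
}

# demo_offline: self-check of the log side using the constructed sample.
demo_offline() {
    tmp=$(mktemp)
    write_sample_fastlog "$tmp"
    echo "sample alerts matching signature: $(count_alerts "$tmp" "$EXPECTED_SIG")"
    rm -f "$tmp"
}

case "${1:-offline}" in
    live) heartbeat ;;
    *) demo_offline ;;
esac
```

Run it as `heartbeat.sh live` from cron (or from a packet-replay job) and have the SIEM alert on the absence of SURICATA_HEARTBEAT_OK within the expected interval, not only on the failure token: a missing heartbeat also covers the case where the sensor host itself is down. The count-before/count-after comparison is what makes the check repeatable; a plain grep would keep passing on the alert from the previous run.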