We use and love Suricata. We’re implementing a solution where Suricata feeds into the Elastic Stack using Elastic’s new alerting feature and enriches or handles the alerts differently based on classification. We have some CI tests that run to check not only that Suricata is working but, more importantly, that our Elastic alerts are working. We run everything in Docker.
Is there a “fake” pcap that will trigger all the Suricata classifications, so we can test both the input side and that the Elastic alerts run the right way?
I’ve looked at the CI jobs that run on Travis in https://github.com/OISF/suricata-verify.
Those tests seem to be oriented to specific configurations or bugs but I may not have understood it 100% either.
We are trying to do something similar for end-to-end flow and functionality validation: run checks on all sensors in all locations. It would be nice to use a common PCAP if there is one, instead of creating something internally.
There are several collections of pcaps, and some are found in suricata-verify as well. You might just grab those and see if some of the classifications already trigger. But you want to match specific rules, right? If not, you can just create simple pcaps and some simple rules and add the classification to the rules.
In general we also would like to have a more advanced public pcap collection or collaboration for different use cases. A first start is still suricata-verify.
Let us know if you have any ideas about what such a “pcap space” should look like.
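The reply suggests creating simple pcaps plus simple rules carrying the classtypes you want to exercise. The following is an added example of that approach; it is not code from the thread or from the Suricata project. It writes a libpcap file by hand (no scapy dependency) containing one complete TCP handshake plus one HTTP request per classtype, emits a matching rule per classtype, and checks an eve.json alert stream for the probe SIDs that never fired. The classtype names are taken from Suricata’s default classification.config, and the SID range 9000000+, the 10.0.0.x addresses and the file names probe.pcap/probe.rules are assumptions chosen for the example.

```python
#!/usr/bin/env python3
"""Added example: generate a classtype-coverage probe pcap and rules for a Suricata CI job."""
import json
import struct

# Classtype names from Suricata's default classification.config (assumption: your
# alert-routing logic branches on these; extend the list with whatever it needs).
CLASSTYPES = ["trojan-activity", "web-application-attack",
              "attempted-recon", "policy-violation"]
BASE_SID = 9000000                     # assumed local SID range, outside any loaded ruleset
CLIENT, SERVER = "10.0.0.1", "10.0.0.2"  # assumed probe endpoints


def inet_checksum(data):
    """RFC 1071 one's-complement sum used by both the IPv4 and the TCP header."""
    if len(data) % 2:
        data += b"\x00"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def tcp_frame(src, dst, sport, dport, seq, ack, flags, payload=b""):
    """Ethernet/IPv4/TCP frame with valid checksums; Suricata validates them by default."""
    saddr, daddr = (bytes(int(o) for o in a.split(".")) for a in (src, dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0) + payload
    pseudo = saddr + daddr + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", inet_checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0, saddr, daddr)
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    eth = b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00"   # dst MAC, src MAC, EtherType IPv4
    return eth + ip + tcp


def http_session(classtype, sport):
    """3-way handshake plus one request, so the stream engine sees an established flow
    (a lone PSH/ACK is dropped unless midstream pickup is enabled)."""
    SYN, SYNACK, ACK, PSHACK = 0x02, 0x12, 0x10, 0x18
    req = ("GET /probe/%s HTTP/1.1\r\nHost: probe.test\r\n\r\n" % classtype).encode()
    c, s = 1000, 5000
    return [
        tcp_frame(CLIENT, SERVER, sport, 80, c, 0, SYN),
        tcp_frame(SERVER, CLIENT, 80, sport, s, c + 1, SYNACK),
        tcp_frame(CLIENT, SERVER, sport, 80, c + 1, s + 1, ACK),
        tcp_frame(CLIENT, SERVER, sport, 80, c + 1, s + 1, PSHACK, req),
    ]


def build_pcap(classtypes=CLASSTYPES):
    """Serialize one HTTP session per classtype into a libpcap file (linktype 1, Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    usec = 0
    for i, ct in enumerate(classtypes):
        for frame in http_session(ct, 40000 + i):
            usec += 1
            out += struct.pack("<IIII", 1600000000, usec, len(frame), len(frame)) + frame
    return out


def build_rules(classtypes=CLASSTYPES):
    """One rule per classtype; the URI marker ties each alert to exactly one classification."""
    return [
        'alert tcp any any -> any 80 (msg:"CI probe %s"; flow:established,to_server; '
        'content:"/probe/%s"; classtype:%s; sid:%d; rev:1;)' % (ct, ct, ct, BASE_SID + i)
        for i, ct in enumerate(classtypes)
    ]


def check_alerts(eve_lines, classtypes=CLASSTYPES):
    """Return the classtypes whose probe SID never appeared as an alert in eve.json output."""
    seen = set()
    for line in eve_lines:
        ev = json.loads(line)
        if ev.get("event_type") == "alert":
            seen.add(ev["alert"]["signature_id"])
    return [ct for i, ct in enumerate(classtypes) if BASE_SID + i not in seen]


if __name__ == "__main__":
    with open("probe.pcap", "wb") as f:
        f.write(build_pcap())
    with open("probe.rules", "w") as f:
        f.write("\n".join(build_rules()) + "\n")
    # Then, for example:  suricata -S probe.rules -r probe.pcap -l out/
    # and pass the lines of out/eve.json to check_alerts(); a non-empty result fails the job.
```

Matching on the probe SID rather than on the eve `category` string keeps the check independent of the classification.config text, while the `classtype` on each rule is what drives the `category`/priority fields your Elastic alert routing branches on, so the same eve.json can be fed to the Elastic side of the pipeline to validate it end to end.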