Testing IDS functionality fails

Hi! I’m following the alerting documentation and trying to trigger the 2100498 alert.

So I’m reading fast.log and then running curl as described in the doc, but I can’t see the alert. I tried twice in 2 different Suricata installs with the same results.

Any hint to get it working?

Hi,
Can you see other traffic with Suricata? Do you have that rule in your rulefile and are you loading the correct rulefile?
It would be helpful to know where your Suricata instance is, what is your configuration, what is the rule file and the command line that you run Suricata with.

Yes, I can see other traffic. I follow exactly what the document advises, so that rule ID (2100498) is supposed to be loaded already.

Anyway, enabled sources are:

  • sslbl/ssl-fp-blacklist
  • et/open
  • oisf/trafficid

As mentioned above, I strictly followed doc, so I am reading like this:
sudo tail -f /var/log/suricata/fast.log

and trying to trigger using this:

$ curl http://testmynids.org/uid/index.html
uid=0(root) gid=0(root) groups=0(root)

But no alert can be read in fast.log.

I also said that I tried in 2 installations: in one of them the test is now working, but the second one is still not working.

The non-working version is: Suricata 6.0.10

What is the diff between the two versions where one is working?

Do you see the related flow event_type on both versions for the connection that you want to alert on?

Hi @Andreas_Herz sorry for late answer.

  • One is: 7.0.6 RELEASE
  • The other: 6.0.10 RELEASE

I now tested again and couldn’t trigger the alert on either.

I’m not talking about the alert but do you see flow events for the connection?
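A small triage script for the question being asked in this thread (does Suricata see flow/http records for the testmynids.org connection at all, or does it see the traffic but never raise sid 2100498?). This is an added example, not code from the thread or from the Suricata project; it assumes EVE JSON logging is enabled at /var/log/suricata/eve.json, and the eve.json lines below are constructed sample records, not a real capture.

```python
import json
import sys

# Rule the thread is trying to trigger (sid 2100498) and the host used to trigger it.
TARGET_SID = 2100498
TEST_HOST = "testmynids.org"

# Constructed sample eve.json lines (not a real capture): the curl to testmynids.org
# as an http record, the matching alert, the flow record for that connection, and an
# unrelated flow. IPs are documentation addresses.
SAMPLE_EVE = """\
{"timestamp":"2024-01-01T10:00:00.000000+0000","event_type":"http","src_ip":"10.0.0.5","dest_ip":"203.0.113.10","dest_port":80,"proto":"TCP","http":{"hostname":"testmynids.org","url":"/uid/index.html","http_method":"GET","status":200}}
{"timestamp":"2024-01-01T10:00:00.100000+0000","event_type":"alert","src_ip":"203.0.113.10","dest_ip":"10.0.0.5","proto":"TCP","alert":{"signature_id":2100498,"signature":"GPL ATTACK_RESPONSE id check returned root","severity":2}}
{"timestamp":"2024-01-01T10:00:05.000000+0000","event_type":"flow","src_ip":"10.0.0.5","dest_ip":"203.0.113.10","dest_port":80,"proto":"TCP","flow":{"pkts_toserver":6,"pkts_toclient":5,"state":"closed"}}
{"timestamp":"2024-01-01T10:00:06.000000+0000","event_type":"flow","src_ip":"10.0.0.5","dest_ip":"198.51.100.7","dest_port":443,"proto":"TCP","flow":{"pkts_toserver":3,"pkts_toclient":2,"state":"closed"}}
"""

def triage_eve(lines, sid=TARGET_SID, host=TEST_HOST):
    """Count http/flow records for the test host and alerts carrying the target sid."""
    counts = {"http_to_host": 0, "flows_to_host": 0, "alerts_for_sid": 0, "parse_errors": 0}
    events = []
    for line in lines:
        if not line.strip():
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            counts["parse_errors"] += 1
    host_ips = set()  # server IPs that the HTTP layer tied to the test hostname
    for ev in events:
        etype = ev.get("event_type")
        if etype == "http" and ev.get("http", {}).get("hostname") == host:
            counts["http_to_host"] += 1
            host_ips.add(ev.get("dest_ip"))
        elif etype == "alert" and ev.get("alert", {}).get("signature_id") == sid:
            counts["alerts_for_sid"] += 1
    # Flow records carry no hostname, so match them on the IPs resolved above.
    counts["flows_to_host"] = sum(1 for ev in events
                                  if ev.get("event_type") == "flow" and ev.get("dest_ip") in host_ips)
    return counts

def diagnose(counts):
    """Separate 'Suricata never saw the traffic' from 'saw it, but the rule did not fire'."""
    if counts["alerts_for_sid"]:
        return "alert fired"
    if counts["http_to_host"] == 0 and counts["flows_to_host"] == 0:
        return "no traffic seen: check capture interface, BPF filter and traffic path"
    return "traffic seen but no alert: check that the rule file containing the sid is loaded and enabled"

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "/var/log/suricata/eve.json"
    with open(path, encoding="utf-8") as fh:
        summary = triage_eve(fh)
    print(summary, diagnose(summary))
```

Run it against the eve.json of each install right after the curl; a summary with flow and http counts of zero means the capture setup, not the rule, is what to look at first.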