Hi, everyone.
I’m a Suricata beginner.
I would like to find security incidents by using Suricata.
I have tested Suricata which is applied ET Pro rules in pcap offline mode.
PCAP includes malware traffic and so on.
After running Suricata, I checked fast.log and found the sid of almost alerts were 2200000-2299999.
All alerts count was 1760849, and the alerts count of sid 2200000-2299999 was 1711547.
My questions are below.
- What is the purpose of Suricata rules which have sid 2200000-2299999?
- My purpose of using Suricata is for finding security incidents.
Are these rules are helpful?
If possible, could you tell me your usecase?
Those are mentioned here http://sidallocation.org/ and are Suricata Event signatures. They’re not part of the ET Pro ruleset.
They focus mostly on detection of issues in the traffic, engine behavior and can also help debugging. Look into the different rules that you can find here: suricata/rules at master · OISF/suricata · GitHub
This can help detect malicious traffic but is not the pure or main focus. For that you would use rulesets like the ETPro
1 Like
Thank you for your reply.
I understand that the rules of sid 2200000-2299999 are used to troubleshoot the behavior of Suricata.
I have an additional question.
If I disable all the rules for Suricata Event signatures, will this affect the behavior of other rules, for example those in the ET Pro rule set?
No, there should be no direct interaction between those
1 Like
Thank you for your reply.
I will disable these rules.
When I face a problem, I will plan to enable these rules for debugging.