Hi, everyone.
I’m a Suricata beginner.
I would like to find security incidents by using Suricata.
I have tested Suricata with the ET Pro rules applied, in pcap offline mode.
The PCAP includes malware traffic and so on.
After running Suricata, I checked fast.log and found that the sids of almost all alerts were in 2200000-2299999.
The total alert count was 1760849, and the count of alerts with sid 2200000-2299999 was 1711547.
My questions are below.
- What is the purpose of Suricata rules which have sid 2200000-2299999?
- My purpose in using Suricata is finding security incidents. Are these rules helpful?
If possible, could you tell me your use case?
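Added example (not from the original post): a small Python script that tallies fast.log alerts by sid and reports how many fall in the 2200000-2299999 range, which Suricata's own engine-event rule files (decoder-events, stream-events and similar) use, so the engine-level noise can be separated from signature matches before triage. It assumes the standard single-line fast.log format and runs on constructed sample lines embedded below.

```python
import re
from collections import Counter

# Matches the "[gid:sid:rev] msg" part of a Suricata fast.log alert line.
ALERT_RE = re.compile(r"\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]")

# The sid range asked about in the post.
ENGINE_EVENT_RANGE = (2200000, 2299999)


def parse_fast_log(lines):
    """Yield (sid, msg) for every alert line; lines that do not match are skipped."""
    for line in lines:
        m = ALERT_RE.search(line)
        if m:
            yield int(m.group(2)), m.group(4)


def summarize(lines, sid_range=ENGINE_EVENT_RANGE):
    """Count alerts per sid and split the total into in-range and other alerts."""
    lo, hi = sid_range
    per_sid = Counter()
    msgs = {}
    for sid, msg in parse_fast_log(lines):
        per_sid[sid] += 1
        msgs.setdefault(sid, msg)
    total = sum(per_sid.values())
    in_range = sum(n for sid, n in per_sid.items() if lo <= sid <= hi)
    # Most frequent in-range sids first, so the dominant engine events are visible.
    top_in_range = [(sid, msgs[sid], n) for sid, n in per_sid.most_common() if lo <= sid <= hi]
    return {"total": total, "in_range": in_range, "other": total - in_range, "top_in_range": top_in_range}


# Constructed sample lines in fast.log layout; sids and messages are made up for the demo.
SAMPLE_FAST_LOG = """\
03/01/2024-10:00:00.000001  [**] [1:2200001:1] SURICATA decoder event (constructed sample) [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 10.0.0.5:49152 -> 203.0.113.9:80
03/01/2024-10:00:00.000002  [**] [1:2210001:1] SURICATA stream event (constructed sample) [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 10.0.0.5:49152 -> 203.0.113.9:80
03/01/2024-10:00:00.000003  [**] [1:2200001:1] SURICATA decoder event (constructed sample) [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 10.0.0.6:49153 -> 203.0.113.9:80
03/01/2024-10:00:01.000004  [**] [1:2999999:1] ET MALWARE example signature (constructed sample) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.0.6:49154 -> 198.51.100.7:443
not an alert line
""".splitlines()

if __name__ == "__main__":
    import sys
    # Pass a real fast.log path as the first argument; otherwise use the sample.
    lines = open(sys.argv[1], encoding="utf-8", errors="replace") if len(sys.argv) > 1 else SAMPLE_FAST_LOG
    result = summarize(lines)
    print(f"total={result['total']} engine_events={result['in_range']} other={result['other']}")
    for sid, msg, n in result["top_in_range"][:10]:
        print(f"{n:>8}  {sid}  {msg}")
```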