I have Suricata running with ET Telemetry Pro with a couple of rulesets (dshield, emerging-current-events, emerging-imap, emerging-malware, emerging-phishing, emerging-web-client, emerging-web-server — I just checked a few after reading their description somewhere), running on both LAN and WAN. So far so good, it runs. But I am at a loss how I would see the results. Is there a way I can make sure that something is triggered so that I can see it actually detects something?
2023-01-11T01:01:47 Warning suricata [100198] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.autoit.ua' is checked but not set. Checked in 2807400 and 0 other sigs
2023-01-11T01:01:47 Warning suricata [100198] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.HTA.Download' is checked but not set. Checked in 2816701 and 0 other sigs
2023-01-11T01:01:47 Warning suricata [100198] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.http.javaclient.vulnerable' is checked but not set. Checked in 2016502 and 0 other sigs
2023-01-11T01:01:47 Warning suricata [100198] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.http.javaclient' is checked but not set. Checked in 2016503 and 5 other sigs
2023-01-11T01:01:47 Warning suricata [100198] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.http.binary' is checked but not set. Checked in 2029335 and 1 other sigs
2023-01-10T01:01:37 Warning suricata [100198] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.autoit.ua' is checked but not set. Checked in 2807400 and 0 other sigs
2023-01-10T01:01:37 Warning suricata [100198] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.HTA.Download' is checked but not set. Checked in 2816701 and 0 other sigs
2023-01-10T01:01:37 Warning suricata [100198] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.http.javaclient.vulnerable' is checked but not set. Checked in 2016502 and 0 other sigs
2023-01-10T01:01:37 Warning suricata [100198] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.http.javaclient' is checked but not set. Checked in 2016503 and 5 other sigs
2023-01-10T01:01:37 Warning suricata [100198] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.http.binary' is checked but not set. Checked in 2029335 and 1 other sigs
2023-01-09T14:56:21 Warning suricata [100198] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.autoit.ua' is checked but not set. Checked in 2807400 and 0 other sigs
2023-01-09T14:56:21 Warning suricata [100198] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.HTA.Download' is checked but not set. Checked in 2816701 and 0 other sigs
2023-01-09T14:56:21 Warning suricata [100198] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.http.javaclient.vulnerable' is checked but not set. Checked in 2016502 and 0 other sigs
2023-01-09T14:56:21 Warning suricata [100198] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.http.javaclient' is checked but not set. Checked in 2016503 and 5 other sigs
2023-01-09T14:56:21 Warning suricata [100198] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.http.binary' is checked but not set. Checked in 2029335 and 1 other sigs
2023-01-09T14:55:27 Warning suricata [100226] <Warning> -- [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol http2 enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
2023-01-09T14:55:27 Warning suricata [100226] <Warning> -- [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol http2 enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
2023-01-09T14:55:27 Warning suricata [100226] <Warning> -- [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol rdp enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
2023-01-09T14:55:27 Warning suricata [100226] <Warning> -- [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol mqtt enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
2023-01-09T14:55:27 Warning suricata [100226] <Warning> -- [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol rfb enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
2023-01-09T14:55:27 Warning suricata [100226] <Warning> -- [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol sip enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
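The SC_WARN_FLOWBIT lines in the log above are not failures of detection: a rule in a loaded ruleset checks a flowbit (flowbits:isset or flowbits:isnotset) that no loaded rule ever sets, usually because the rule that sets it lives in a ruleset that was not enabled, so the checking rule can never match. The checker below is an added illustration, not code from this thread, from OPNsense or from Suricata; it reproduces that startup test over rule text. The rules, SIDs and flowbit names in the sample are constructed, and the rule that would set TEST.binary is commented out to create exactly the warning condition.

```python
import re
import sys
from collections import defaultdict

# Constructed sample rules for illustration; they are not real ET Pro content.
# The rule that would set TEST.binary is commented out, which is exactly what
# makes Suricata log "flowbit 'TEST.binary' is checked but not set" at startup.
SAMPLE_RULES = """\
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"TEST suspicious UA seen"; flow:established,to_server; http.user_agent; content:"TestAgent"; flowbits:set,TEST.ua; flowbits:noalert; sid:9000001; rev:1;)
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"TEST binary body seen (disabled)"; flow:established,to_client; file.data; content:"MZ"; flowbits:set,TEST.binary; flowbits:noalert; sid:9000002; rev:1;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"TEST binary after suspicious UA"; flow:established,to_client; flowbits:isset,TEST.ua; flowbits:isset,TEST.binary; sid:9000003; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"TEST flow without prior binary"; flow:established,to_server; flowbits:isnotset,TEST.binary; sid:9000004; rev:1;)
"""

SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")
# Matches "flowbits:<op>[,<names>];", e.g. flowbits:set,TEST.ua; or flowbits:noalert;
FLOWBITS_RE = re.compile(r"\bflowbits:\s*([a-z]+)\s*(?:,\s*([^;]+))?;")

SETTERS = {"set", "toggle"}        # operations that make a bit exist on a flow
CHECKERS = {"isset", "isnotset"}   # operations whose outcome depends on a setter


def parse_flowbits(rules_text):
    """Map flowbit name -> SIDs that set it, and name -> SIDs that check it.

    Only active rules count: a line starting with '#' is a disabled rule and
    Suricata never loads it, so a bit it would set stays unset.
    """
    set_by = defaultdict(set)
    checked_by = defaultdict(set)
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        sid_match = SID_RE.search(line)
        if not sid_match:
            continue
        sid = int(sid_match.group(1))
        for op, names in FLOWBITS_RE.findall(line):
            if not names:            # e.g. flowbits:noalert; names no bit
                continue
            # isset accepts OR-combined names (a|b); split defensively on both
            # separators so each bit is tracked individually.
            for name in re.split(r"[|&]", names):
                name = name.strip()
                if op in SETTERS:
                    set_by[name].add(sid)
                elif op in CHECKERS:
                    checked_by[name].add(sid)
    return set_by, checked_by


def unset_flowbits(rules_text):
    """Flowbits that some active rule checks but no active rule sets."""
    set_by, checked_by = parse_flowbits(rules_text)
    return {name: sorted(sids) for name, sids in checked_by.items() if name not in set_by}


def report(rules_text):
    """Render findings in the same wording Suricata uses for SC_WARN_FLOWBIT."""
    lines = []
    for name, sids in sorted(unset_flowbits(rules_text).items()):
        lines.append(
            f"flowbit '{name}' is checked but not set. "
            f"Checked in {sids[0]} and {len(sids) - 1} other sigs"
        )
    return lines


if __name__ == "__main__":
    # Pass one or more .rules files to check the set Suricata actually loads;
    # with no arguments the constructed sample above is analysed.
    text = "".join(open(p, encoding="utf-8", errors="replace").read() for p in sys.argv[1:]) or SAMPLE_RULES
    for line in report(text):
        print(line)
```

Run it against the .rules files named in the rule-files section of the suricata.yaml that OPNsense generates. When a bit you care about shows up, the fix is to enable the ruleset containing the setter rule, not to delete the checking rule; until then that checking rule is dead weight and the warning will repeat at every reload, as it does in the log above.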
This is very simple. Make sure that the OPNsense test rules package is installed: "OPNsense-App-detect/test". Then you can download e.g. the Eicar test virus via http: "http://www.eicar.org/download/eicar.com". If you then check your alerts, you should find a blocking event and not be able to download the file. Your browser or curl will then run into a timeout.
Quote from: seed on December 15, 2022, 04:50:33 pm
This is very simple. Make sure that the OPNsense test rules package is installed: "OPNsense-App-detect/test". Then you can download e.g. the Eicar test virus via http: "http://www.eicar.org/download/eicar.com". If you then check your alerts, you should find a blocking event and not be able to download the file. Your browser or curl will then run into a timeout.

Thank you and sorry for the late thank you. I actually forgot I already asked and I was distracted. I recently asked again because I found https://secure.eicar.org/eicar.com and I could download this one. But then I thought, moment, that is inside https so Suricata will not be able to see it, and then I thought "given that all that web traffic is inside SSL, what use is Suricata for web traffic?". But that is more a suricata forum question.
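To make the test from the answer above observable without the web UI, and to show what the sensor records for the HTTPS mirror mentioned in the reply, here is a reader for Suricata's EVE JSON log (on OPNsense the path /var/log/suricata/eve.json is an assumption). It is an added example, not code from this thread or from OPNsense, and the log lines inside it are constructed. Two points it demonstrates: an alert's action is "blocked" only when the rule is a drop rule and Suricata runs in IPS mode, otherwise the same hit shows "allowed" and the download succeeds; and for the https download the sensor sees only TLS handshake metadata (SNI, version, and certificate fields for versions before TLS 1.3), which is what rules on HTTPS traffic can still match. That second point goes a step beyond what the thread states.

```python
import json
import sys

# Constructed EVE JSON lines (not real OPNsense/ET output): the HTTP transaction
# for a plain-HTTP EICAR download, the blocked alert on it, a TLS handshake to
# the HTTPS mirror that produced no alert, and an informational alert that was
# only logged (IDS behaviour), not blocked.
SAMPLE_EVE = """\
{"timestamp":"2023-01-12T10:15:02.123456+0100","flow_id":101,"in_iface":"igb1","event_type":"http","src_ip":"10.0.0.5","src_port":51234,"dest_ip":"192.0.2.10","dest_port":80,"proto":"TCP","http":{"hostname":"www.eicar.org","url":"/download/eicar.com","http_method":"GET","status":200}}
{"timestamp":"2023-01-12T10:15:02.234567+0100","flow_id":101,"in_iface":"igb1","event_type":"alert","src_ip":"192.0.2.10","src_port":80,"dest_ip":"10.0.0.5","dest_port":51234,"proto":"TCP","alert":{"action":"blocked","gid":1,"signature_id":9900001,"rev":1,"signature":"TEST EICAR test file download (constructed)","category":"A Network Trojan was detected","severity":1},"app_proto":"http"}
{"timestamp":"2023-01-12T10:16:40.000001+0100","flow_id":102,"in_iface":"igb1","event_type":"tls","src_ip":"10.0.0.5","src_port":51240,"dest_ip":"192.0.2.20","dest_port":443,"proto":"TCP","tls":{"sni":"secure.eicar.org","version":"TLS 1.3"}}
{"timestamp":"2023-01-12T10:16:40.000002+0100","flow_id":103,"in_iface":"igb1","event_type":"alert","src_ip":"10.0.0.5","src_port":51241,"dest_ip":"192.0.2.30","dest_port":80,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":9900002,"rev":1,"signature":"TEST informational policy hit (constructed)","category":"Not Suspicious Traffic","severity":3},"app_proto":"http"}
"""


def load_events(text):
    """Parse newline-delimited EVE JSON; skip blank or truncated lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a line still being written when the file was read
    return events


def summarize_alerts(events):
    """Per signature ID: how often it fired and whether IPS mode blocked it.

    alert.action is "blocked" for a drop rule in IPS mode and "allowed" when
    Suricata only alerted, which is why an IDS-only deployment never shows
    the "blocking event" the answer above describes.
    """
    summary = {}
    for ev in events:
        if ev.get("event_type") != "alert":
            continue
        a = ev["alert"]
        entry = summary.setdefault(
            a["signature_id"],
            {"signature": a["signature"], "severity": a.get("severity"), "allowed": 0, "blocked": 0},
        )
        action = a.get("action", "allowed")
        entry[action] = entry.get(action, 0) + 1
    return summary


def blocked_signatures(events):
    """SIDs blocked at least once: the proof of life the original question asks for."""
    return sorted(sid for sid, e in summarize_alerts(events).items() if e["blocked"] > 0)


def tls_visibility(events):
    """What the sensor recorded about HTTPS flows: handshake metadata only.

    The body fetched from the HTTPS mirror is never visible, so a content rule
    cannot fire on it; SNI, version and (before TLS 1.3) certificate fields
    remain available to rules and for hunting.
    """
    return [
        {"dest_ip": ev["dest_ip"], "sni": ev["tls"].get("sni"), "version": ev["tls"].get("version")}
        for ev in events
        if ev.get("event_type") == "tls"
    ]


if __name__ == "__main__":
    # Usage: python eve_summary.py /var/log/suricata/eve.json  (path is an assumption)
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_EVE
    events = load_events(text)
    for sid, e in sorted(summarize_alerts(events).items()):
        print(f"sid {sid} sev {e['severity']} allowed={e['allowed']} blocked={e['blocked']} {e['signature']}")
    for t in tls_visibility(events):
        print(f"tls {t['dest_ip']} sni={t['sni']} version={t['version']}")
```

Running it right after the plain-HTTP EICAR fetch from the answer should list one signature with blocked=1 if IPS mode and the test ruleset are active, and only allowed counts if Suricata is in IDS mode. The HTTPS fetch from the reply shows up solely as a tls event with its SNI, which is the concrete answer to "what use is Suricata for web traffic": content inspection stops at the handshake, metadata-based rules and logging do not.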