What is the proper way to verify that Suricata is ready to inspect traffic?

Started by marcus, August 26, 2025, 08:35:10 PM

I'm trying to make sure that my test processes are being conducted correctly.

I've been monitoring the suricata process with top from a root shell and I've noticed that it is still quite busy after the Web UI has shown things like saving or applying settings has completed, or after the box beeps the speaker to signal that it's finished booting.

I've had no luck finding an answer to this with a web search.

Is the log file a reliable indicator?

Thanks -

Yes, the logs are good.
Then verify suricata is working.
Under user defined rules, make a rule
Source 1.1.1.1 or 8.8.8.8, whichever one you don't use in DNS
Action drop
save or apply
wait till it finishes by checking log that rules are completed
or about 5 minutes
ping 1.1.1.1 or 8.8.8.8 from a terminal, Ctrl-C to stop
check alerts, check log
should see it dropped
delete rule
save or apply
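The two checks in the reply above (read the log to see that the rules finished loading and the engine started, then confirm the temporary drop rule actually fired) can be scripted. The following is an added example and not code from the original thread or from Suricata itself. It assumes the wording of Suricata's default suricata.log messages ("rules successfully loaded", "engine started") and the standard EVE JSON alert fields (event_type, dest_ip, alert.signature_id, alert.action); the rule text, the sid 9000001 and all log records are constructed for the example.

```python
"""Readiness and rule-test checks for a Suricata instance.

Added example (not from the original thread). Assumes Suricata's default
suricata.log wording and the standard EVE JSON alert fields; adjust the
patterns if your build logs differently.
"""
import json
import re

# Hypothetical test rule following the reply's procedure: drop ICMP to 1.1.1.1.
# sid 9000001 is an arbitrary local-range signature id chosen for this example.
TEST_SID = 9000001
TEST_RULE = (
    'drop icmp any any -> 1.1.1.1 any '
    f'(msg:"Suricata readiness test - ICMP to 1.1.1.1"; sid:{TEST_SID}; rev:1;)'
)

# Constructed sample of suricata.log output (not copied from a real box).
SAMPLE_SURICATA_LOG = """\
26/8/2025 -- 20:30:04 - <Info> - 1 rule files processed. 41234 rules successfully loaded, 0 rules failed, 0 rules skipped
26/8/2025 -- 20:30:05 - <Notice> - all 4 packet processing threads, 4 management threads initialized, engine started.
"""

# Constructed eve.json records: one flow event, one blocked alert from the test rule.
SAMPLE_EVE_JSON = """\
{"timestamp":"2025-08-26T20:36:09.000000+0000","event_type":"flow","src_ip":"192.0.2.10","dest_ip":"192.0.2.1","proto":"UDP"}
{"timestamp":"2025-08-26T20:36:10.000000+0000","event_type":"alert","src_ip":"192.0.2.10","dest_ip":"1.1.1.1","proto":"ICMP","alert":{"action":"blocked","gid":1,"signature_id":9000001,"rev":1,"signature":"Suricata readiness test - ICMP to 1.1.1.1"}}
"""

RULES_LOADED_RE = re.compile(r"(\d+) rules successfully loaded, (\d+) rules failed")


def readiness(log_text: str) -> dict:
    """Summarise suricata.log: how many rules loaded/failed and whether the
    engine reported that it started (the point at which inspection begins)."""
    state = {"rules_loaded": 0, "rules_failed": 0, "engine_started": False}
    for line in log_text.splitlines():
        m = RULES_LOADED_RE.search(line)
        if m:
            state["rules_loaded"] = int(m.group(1))
            state["rules_failed"] = int(m.group(2))
        if "engine started" in line:
            state["engine_started"] = True
    return state


def is_ready(log_text: str) -> bool:
    """Ready means the engine started and at least one rule loaded cleanly.
    A log that only shows rules loading (engine not yet started) is not ready."""
    s = readiness(log_text)
    return s["engine_started"] and s["rules_loaded"] > 0


def rule_hits(eve_text: str, sid: int) -> list:
    """Return (dest_ip, action) for every alert record carrying the given sid.
    Malformed lines (e.g. a record still being written) are skipped."""
    hits = []
    for line in eve_text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if rec.get("event_type") != "alert":
            continue
        alert = rec.get("alert", {})
        if alert.get("signature_id") == sid:
            hits.append((rec.get("dest_ip"), alert.get("action")))
    return hits


def rule_verified(eve_text: str, sid: int, dest_ip: str) -> bool:
    """True once the test rule has produced a blocked alert toward dest_ip,
    i.e. the ping in the reply's procedure was actually dropped."""
    return any(ip == dest_ip and action == "blocked"
               for ip, action in rule_hits(eve_text, sid))


if __name__ == "__main__":
    print("ready:", is_ready(SAMPLE_SURICATA_LOG), readiness(SAMPLE_SURICATA_LOG))
    print("test rule verified:", rule_verified(SAMPLE_EVE_JSON, TEST_SID, "1.1.1.1"))
```

On a real box, replace the two constructed samples with the contents of the interface's suricata.log and eve.json. The "engine started" notice is the line to wait for rather than the Web UI's "applied" message or the boot beep; a busy process in top before that line appears is the rule-loading phase the original question describes.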