Pcap Analysis with Suricata

Because Snort 3 has become complicated and there are too few resources about it online, I'm writing down how to use Suricata to read a pcap, run it through rules and generate events.

The resulting events can later be fed into a SIEM with tools such as logstash.

ENV

  • MAC M1
  • OrbStack Container
  • Image: jasonish/suricata

USAGE

suricata -c suricata.yaml -r yourpcap.pcap

With suricata.yaml configured as below, only rule alerts are written to eve.json; other EVE event types (flow, dns, http, ...) are not emitted.

%YAML 1.1
---

# Suricata configuration file. In addition to the comments describing all
# options in this file, full documentation can be found at:
# https://docs.suricata.io/en/latest/configuration/suricata-yaml.html

# This configuration file generated by Suricata 7.0.1.
suricata-version: "7.0"

vars:
  address-groups:
    HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
    EXTERNAL_NET: "!$HOME_NET"

# Only alerts
outputs:
  - eve-log:
      enabled: yes
      filename: eve.json
      types:
        - alert

# Your rules path
default-rule-path: /tmp
rule-files:
  - suricata.rules

EXAMPLE

[Screenshot: /images/suricata_log.png, the resulting eve.json alert output]
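As an added example (not part of the original post), here is a small reader for the eve.json produced by the config above, in the form you would use before shipping alerts to a SIEM: it keeps only event_type "alert" records, skips a truncated or non-JSON last line, flattens the fields an analyst cares about and counts alerts per signature. The eve.json lines below are constructed samples in Suricata's EVE alert format, not output from the post.

```python
import json
from collections import Counter

# Constructed sample eve.json lines (one JSON object per line, as Suricata writes them).
# Includes a non-alert event and a malformed line to show that both are ignored.
SAMPLE_EVE = """\
{"timestamp":"2024-01-01T10:00:00.000000+0000","event_type":"alert","src_ip":"10.0.0.5","src_port":51234,"dest_ip":"203.0.113.7","dest_port":80,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2100498,"rev":7,"signature":"GPL ATTACK_RESPONSE id check returned root","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2024-01-01T10:00:01.000000+0000","event_type":"alert","src_ip":"10.0.0.5","src_port":51235,"dest_ip":"203.0.113.7","dest_port":80,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2100498,"rev":7,"signature":"GPL ATTACK_RESPONSE id check returned root","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2024-01-01T10:00:02.000000+0000","event_type":"flow","src_ip":"10.0.0.5","dest_ip":"203.0.113.7","proto":"TCP"}
not json at all
"""


def parse_alerts(lines):
    """Yield flattened alert records from eve.json lines; skip non-alert or malformed lines."""
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            continue  # eve.json may end in a partial line if Suricata was interrupted
        if ev.get("event_type") != "alert":
            continue  # the config above emits only alerts, but be defensive anyway
        a = ev["alert"]
        yield {
            "timestamp": ev["timestamp"],
            "sid": a["signature_id"],
            "rev": a.get("rev"),
            "signature": a["signature"],
            "category": a.get("category"),
            "severity": a.get("severity"),
            "action": a.get("action"),
            "src": f'{ev.get("src_ip")}:{ev.get("src_port", "")}',
            "dst": f'{ev.get("dest_ip")}:{ev.get("dest_port", "")}',
            "proto": ev.get("proto"),
        }


def summarize(lines):
    """Count alerts per (sid, signature) so noisy rules stand out before SIEM ingestion."""
    return Counter((r["sid"], r["signature"]) for r in parse_alerts(lines))


if __name__ == "__main__":
    # Replace SAMPLE_EVE.splitlines() with open("eve.json") to read a real file.
    for (sid, sig), n in summarize(SAMPLE_EVE.splitlines()).most_common():
        print(f"{n:5d}  sid:{sid}  {sig}")
```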