The configuration of suricata.yaml refers to a new-added rule named alex.rules
root@LinuxTest:~# cat /etc/suricata/suricata.yaml|grep rules
## Step 2: select the rules to enable or disable
default-rule-path: /etc/suricata/rules
- emerging-all.rules
- app-layer-events.rules
- files.rules
- stream-events.rules
- decoder-events.rules
- http-events.rules
- tls-events.rules
- dns-events.rules
#- modbus-events.rules
- smtp-events.rules
- alex.rules
The content of the alex.rules
alert icmp any any -> any any (content:"|64656D6F6E616C6578|"; msg:"Show demonalex"; sid:1000888;)
Run Suricata
root@LinuxTest:~# suricata -c /etc/suricata/suricata.yaml -i eth0
Lauch a test case through Scapy:
>>> b=IP(dst='184.0.172.222')/ICMP()/'demonalex';send(b)
.
Sent 1 packets.
Check the alert of Suricata
root@LinuxTest:~# tail -n 10 -f /var/log/suricata/fast.log
12/11/2016-15:47:22.255835 [**] [1:1000888:0] Show demonalex [**] [Classification: (null)] [Priority: 3] {ICMP} 184.0.1.189:8 -> 184.0.172.222:0
12/11/2016-15:47:22.256266 [**] [1:1000888:0] Show demonalex [**] [Classification: (null)] [Priority: 3] {ICMP} 184.0.172.222:0 -> 184.0.1.189:0
No comments:
Post a Comment