Suricata

Andreas Herz wrote:

We need more information, like suricata version and so on.

Also I doubt that you want to add the IP Address with -i, you need to add the device you want to liste nat.

It's the latest Windows version on this page https://suricata-ids.org/download/

Could you please explain how to add the device I want to liste nat? And if there is any other command to make sure there are no no hardware or OS rootkit or malware?

Thanks

I believe Andreas meant the following: In the configuration-file, the operating-systems are listed. You can add your IP-address behind the name of the operating system you make use of.

host-os-policy:
windows: [0.0.0.0/0]
bsd: []
bsd_right: []
old_linux: []
linux: [10.0.0.0/8, 192.168.1.100, "8762:2352:6241:7245:E000:0000:0000:0000"]
old_solaris: []
solaris: ["::1"]
hpux10: []
hpux11: []
irix: []
macos: []
vista: []
windows2k3: []

Wait for her to answer your questions.

Jessy L wrote:

It's the latest Windows version on this page https://suricata-ids.org/download/

Could you please explain how to add the device I want to liste nat? And if there is any other command to make sure there are no no hardware or OS rootkit or malware?

Ok with Windows it's totally different, thus you added the IP instead of the device. You might want to show us your config and you might want to look into the logfiles if you see any traffic at all within suricata.

There is no command to make sure there is no rootkit or malware, you can just use rules to look into network traffic and if they don't trigger (assuming suricata runs correct) the chances are not that high. But that sounds like you want to use Suricata as a HIDS althought it's primarily a NIDS.

Robbie Tem wrote:

Wait for her to answer your questions.

His :)

Andreas Herz wrote:

Jessy L wrote:

It's the latest Windows version on this page https://suricata-ids.org/download/

Could you please explain how to add the device I want to liste nat? And if there is any other command to make sure there are no no hardware or OS rootkit or malware?

Ok with Windows it's totally different, thus you added the IP instead of the device. You might want to show us your config and you might want to look into the logfiles if you see any traffic at all within suricata.

There is no command to make sure there is no rootkit or malware, you can just use rules to look into network traffic and if they don't trigger (assuming suricata runs correct) the chances are not that high. But that sounds like you want to use Suricata as a HIDS althought it's primarily a NIDS.

Robbie Tem wrote:

Wait for her to answer your questions.

His :)

Is it right to use the suricata -c suricata.yaml -i WIFI IP4 ADDRESS command with Windows then?

There are about 20 connections listed for every 3 hours in the eve.json file if that's what you meant by you might want to look into the logfiles if you see any traffic at all within suricata?

I copied and pasted the suricata.yaml config file to https://pastebin.com/DJPpPfdh Are the rules good and settings good?

Thanks

Can you try -
suricata -c suricata.yaml -i ip_address_here

and attach the last update in the stats.log after a few hrs run ? (maybe you dont see that much traffic on the interface?)

Peter Manev wrote:

Can you try -
suricata -c suricata.yaml -i ip_address_here

and attach the last update in the stats.log after a few hrs run ? (maybe you dont see that much traffic on the interface?)

https://pastebin.com/QjeQKZzQ

Andreas Herz wrote:

Jessy L wrote:

It's the latest Windows version on this page https://suricata-ids.org/download/

Could you please explain how to add the device I want to liste nat? And if there is any other command to make sure there are no no hardware or OS rootkit or malware?

Ok with Windows it's totally different, thus you added the IP instead of the device. You might want to show us your config and you might want to look into the logfiles if you see any traffic at all within suricata.

There is no command to make sure there is no rootkit or malware, you can just use rules to look into network traffic and if they don't trigger (assuming suricata runs correct) the chances are not that high. But that sounds like you want to use Suricata as a HIDS althought it's primarily a NIDS.

https://pastebin.com/QeaLMv8q is what Peter asked for.

Is it right to use the suricata -c suricata.yaml -i WIFI IP4 ADDRESS command with Windows then?

I copied and pasted the suricata.yaml config file to https://pastebin.com/jF7CU9XM Are the rules good and settings good?

There is no command to make sure there is no rootkit or malware, you can just use rules to look into network traffic and if they don't trigger (assuming suricata runs correct) the chances are not that high. But that sounds like you want to use Suricata as a HIDS althought it's primarily a NIDS.

When I inspect the eve.json file contents I find no suspicious DNS or IP addresses, is that enough to know the chances are not that high?

@Jessy L - could you please attach the requested outputs as files as the pastebin links shared previously are no longer available anymore(outdated).