From b02370a69a91c5c028be137943ba8095c4a8d55c Mon Sep 17 00:00:00 2001
From: Christian Risi <75698846+CnF-Gris@users.noreply.github.com>
Date: Thu, 5 Jun 2025 10:27:29 +0200
Subject: [PATCH] V0.1.0 Suricata Logger

Modified:
- .gitignore: ignoring lua files
- suricata.rules: added a rule to log every packet
- suricata.yaml: specified alerts to dump whole packet bytes
---
 .gitignore | 8 +++++++-
 suricata/suricata.rules | 3 ++-
 suricata/suricata.yaml | 20 ++++++++++----------
 3 files changed, 19 insertions(+), 12 deletions(-)

diff --git a/.gitignore b/.gitignore
index a59def5..3a19988 100644
--- a/.gitignore
+++ b/.gitignore
@@ -19,4 +19,10 @@ _tmp/
 !_tmp/.keep
 # tsconfig for bun
-/tsconfig.json
\ No newline at end of file
+/tsconfig.json
+
+# Lua
+lua_modules/
+.luarocks/
+lua
+core
\ No newline at end of file
diff --git a/suricata/suricata.rules b/suricata/suricata.rules
index 102ab3d..91e6148 100644
--- a/suricata/suricata.rules
+++ b/suricata/suricata.rules
@@ -1 +1,2 @@
-alert ip any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:2100498; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
\ No newline at end of file
+alert ip any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:2100498; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert ip any any -> any any (msg:"General Logging"; sid:12;)
diff --git a/suricata/suricata.yaml b/suricata/suricata.yaml
index e9c439d..63d2207 100644
--- a/suricata/suricata.yaml
+++ b/suricata/suricata.yaml
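Review bot: The new `lua` and `core` patterns at the end of the hunk are unanchored, so they match any file or directory named `lua` or `core` at any depth, not only a root-level interpreter binary or core-dump file; a future `src/core/` or `lua/` source tree would be silently left untracked. If the intent is the root-level artefacts, anchor them as `/lua` and `/core`. The file still ends without a trailing newline, which is harmless but keeps producing the `\ No newline at end of file` marker in every future diff of this file.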
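Review bot: The added rule uses `sid:12` and carries no `rev`, so it sits in the numbering space that distributed rulesets use and cannot be versioned or deduplicated by sid/rev later; the conventional range for local rules starts at 1000000. A safer line is `alert ip any any -> any any (msg:"General Logging"; sid:1000001; rev:1;)`. Because the rule matches every IP packet, each packet now produces an alert record, and together with the packet/payload dumping enabled in suricata.yaml the eve log will hold the full bytes of all observed traffic, cleartext credentials included, so rotation, size limits and access control on that log file need to be considered before deploying this.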
@@ -153,13 +153,13 @@ outputs:
 types:
 - alert:
- # payload: yes # enable dumping payload in Base64
- # payload-buffer-size: 4kb # max size of payload buffer to output in eve-log
- # payload-printable: yes # enable dumping payload in printable (lossy) format
- # packet: yes # enable dumping of packet (without stream segments)
- # metadata: no # enable inclusion of app layer metadata with alert. Default yes
- # http-body: yes # Requires metadata; enable dumping of HTTP body in Base64
- # http-body-printable: yes # Requires metadata; enable dumping of HTTP body in printable format
+ payload: yes # enable dumping payload in Base64
+ payload-buffer-size: 4kb # max size of payload buffer to output in eve-log
+ payload-printable: yes # enable dumping payload in printable (lossy) format
+ packet: yes # enable dumping of packet (without stream segments)
+ metadata: no # enable inclusion of app layer metadata with alert. Default yes
+ http-body: yes # Requires metadata; enable dumping of HTTP body in Base64
+ http-body-printable: yes # Requires metadata; enable dumping of HTTP body in printable format
 # Enable the logging of tagged packets for rules using the
 # "tag" keyword.
@@ -1053,8 +1053,8 @@ coredump:
 # This feature is currently only used by the reject* keywords.
 host-mode: auto
-# Number of packets preallocated per thread. The default is 1024. A higher number
-# will make sure each CPU will be more easily kept busy, but may negatively
+# Number of packets preallocated per thread. The default is 1024. A higher number
+# will make sure each CPU will be more easily kept busy, but may negatively
 # impact caching.
 #max-pending-packets: 1024
@@ -1089,7 +1089,7 @@ unix-command:
 # Magic file. The extension .mgc is added to the value here.
 #magic-file: /usr/share/file/magic
-#magic-file:
+#magic-file:
 # GeoIP2 database file. Specify path and filename of GeoIP2 database
 # if using rules with "geoip" rule option.
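Review bot: `http-body: yes` and `http-body-printable: yes` are enabled while the same hunk sets `metadata: no`, and the inline comments on both http-body lines state that they require metadata, so the HTTP body dumps this commit is trying to enable will not appear in the alert records. Changing that line to `metadata: yes` (the documented default, per the comment on the line itself) resolves this and also keeps app-layer metadata on every alert. `packet: yes` together with `payload: yes` and `payload-printable: yes` writes the matched bytes three times per alert (raw packet, Base64 payload, printable payload), so it is worth deciding which encodings are actually consumed, given that the catch-all rule added in suricata.rules fires on every packet. The enclosing `eve-log` output block starts and ends outside this hunk.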