V0.1.0 Suricata Logger

Modified: - .gitignore: ignoring lua files - suricata.rules: added a rule to log every packet - suricata.yaml: specified alerts to dump whole packet bytes
2025-06-05 10:27:29 +02:00 · 2025-06-05 10:27:29 +02:00 · b02370a69a
commit b02370a69a
parent c3bc1d993e
3 changed files with 19 additions and 12 deletions
--- a/.gitignore
+++ b/.gitignore
@ -19,4 +19,10 @@ _tmp/
 !_tmp/.keep
 # tsconfig for bun
-/tsconfig.json
+/tsconfig.json
 # Lua
 lua_modules/
 .luarocks/
 lua
 core
--- a/suricata/suricata.rules
+++ b/suricata/suricata.rules
@ -1 +1,2 @@
-alert ip any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:2100498; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert ip any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:2100498; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 alert ip any any -> any any (msg:"General Logging"; sid:12;)
--- a/suricata/suricata.yaml
+++ b/suricata/suricata.yaml
@ -153,13 +153,13 @@ outputs:
      types:
        - alert:
-            # payload: yes             # enable dumping payload in Base64
+            payload: yes             # enable dumping payload in Base64
-            # payload-buffer-size: 4kb # max size of payload buffer to output in eve-log
+            payload-buffer-size: 4kb # max size of payload buffer to output in eve-log
-            # payload-printable: yes   # enable dumping payload in printable (lossy) format
+            payload-printable: yes   # enable dumping payload in printable (lossy) format
-            # packet: yes              # enable dumping of packet (without stream segments)
+            packet: yes              # enable dumping of packet (without stream segments)
-            # metadata: no             # enable inclusion of app layer metadata with alert. Default yes
+            metadata: no             # enable inclusion of app layer metadata with alert. Default yes
-            # http-body: yes           # Requires metadata; enable dumping of HTTP body in Base64
+            http-body: yes           # Requires metadata; enable dumping of HTTP body in Base64
-            # http-body-printable: yes # Requires metadata; enable dumping of HTTP body in printable format
+            http-body-printable: yes # Requires metadata; enable dumping of HTTP body in printable format
            # Enable the logging of tagged packets for rules using the
            # "tag" keyword.
@ -1053,8 +1053,8 @@ coredump:
 # This feature is currently only used by the reject* keywords.
 host-mode: auto
-# Number of packets preallocated per thread. The default is 1024. A higher number 
+# Number of packets preallocated per thread. The default is 1024. A higher number
-# will make sure each CPU will be more easily kept busy, but may negatively 
+# will make sure each CPU will be more easily kept busy, but may negatively
 # impact caching.
 #max-pending-packets: 1024
@ -1089,7 +1089,7 @@ unix-command:
 # Magic file. The extension .mgc is added to the value here.
 #magic-file: /usr/share/file/magic
-#magic-file: 
+#magic-file:
 # GeoIP2 database file. Specify path and filename of GeoIP2 database
 # if using rules with "geoip" rule option.
`@ -1 +1,2 @@`
	`alert ip any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0\|28\|root\|29\|"; classtype:bad-unknown; sid:2100498; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)`	`alert ip any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0\|28\|root\|29\|"; classtype:bad-unknown; sid:2100498; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)`
		`alert ip any any -> any any (msg:"General Logging"; sid:12;)`