- 최신
- 최다 투표
- 가장 많은 댓글
Hello,
It appears that you are trying to find the rule that was triggered by your Network Firewall which prompted the event in your logs. This is possible by looking at the signature_id or sid value in the JSON event output, in the text provided it would be "signature_id": 2804670. Each Suricata rule has a unique signature id which is used to determine the order in which the rules are enforced. This id is chosen when the rule is imported into the rule group. You can use the signature id to find the rule with the matching id which caused the alert.
Resources:
https://suricata.readthedocs.io/en/suricata-6.0.0/rules/meta.html#sid-signature-id
One correction to @Jacob_R's answer. The Signature ID (sid) does not determine the order in which the rules are enforced. It is purely a unique identifier. The rule evaluation order is determined by the settings in your firewall policy and rule group.
Resources:
https://suricata.readthedocs.io/en/suricata-6.0.1/rule-management/suricata-update.html
관련 콘텐츠
- AWS 공식업데이트됨 일 년 전