why is the 2.4 standalone and manage node no alert from suricata

[majungman]

Version

2.4.0

Installation Method

Security Onion ISO image

Description

configuration

Installation Type

Standalone

Location

other (please provide detail below)

Hardware Specs

Meets minimum requirements

CPU

20

RAM

100000

Storage for /

1000

Storage for /nsm

1000

Network Traffic Collection

span port

Network Traffic Speeds

more than 10Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

Yes, there are salt failures (please provide detail below)

Logs

No, there are no additional clues

Detail

why is there no suricata alert after i install the 2.4 ,i dont know what i missed out but there is no error , just that no alert , even if i import some pcap supposed to flag some alert but it doesnt

Guidelines

• I have read the above statement and can confirm my post is relevant to Security Onion 2.4.

[majungman]

when trying to run so-rule-update

the suricata log

only have the IDH alerts

[TotieBash]

The IP address CIDR block of the network you want to monitor, is it in Suricata "HOME_NET"?

SO > Administration > Configuration > suricata > config > vars > address-groups > HOME_NET

By default the following RFC1918 CIDR blocks are entered:
192.168.0.0/16
10.0.0.0/8
172.16.0.0/12

If your network is inside these CIDR blocks then the setting is correct. If it is not, then add your CIDR block.

[majungman]

but there is not a single alert , i tried ping using kali in the home_net range but no alerts too.

[dougburks]

Looking at your first screenshot, it's failing to download the rules. Do you have Internet access? If not, you might consider an airgap installation:
https://docs.securityonion.net/en/2.4/airgap.html

For additional troubleshooting steps, please see the Troubleshooting Alerts section of the documentation:
https://docs.securityonion.net/en/2.4/suricata.html#troubleshooting-alerts

[majungman]

hihi, thanks for the reply,
is it all the rules will be in the /nsm/rules/suricata ? because when i ls there is nothing in it . is that the issues ?

[majungman]

and how can i import the rules ? or where (soup location ?) can i copy the files to /nsm/rules/suricata?

[dougburks]

If your machine is supposed to have Internet access then you should figure out why it's not reaching the Internet and then it should automatically download the rules for you.

If your machine is NOT supposed to have Internet access, then you will want to choose the airgap option.