Suricata not working in Analyst build #7403
-
I am using so-import-pcap to import some sample malware captures (that used to trigger the alerts before). Looking in the /nsm/suricata directory I can see that it is creating empty log files. Any idea what could be going wrong?
-
Ok, found out what was happening (not sure how this happened though). The HOME_NET variable in the '/opt/so/conf/suricata/suricata.yaml' file somehow got set to '[ ]' and was causing all of the rules to error out.
This was the first error message:
2/3/2022 -- 19:18:29 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Complete IP space negated. Rule address range is NIL. Probably have a !any or an address range that supplies a NULL address range
Fixed it by setting
in /opt/so/saltstack/local/pillar/global.sls
sudo salt-call state.apply suricata
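A pre-flight check for the failure mode described in the reply above, added here as an example (it is not part of Security Onion and not code from the thread). It writes two constructed suricata.yaml fragments, one with the empty HOME_NET address group that makes every rule referencing $HOME_NET fail to load, and one with the usual RFC 1918 ranges, and then inspects each the way a script could before a so-import-pcap run. The file paths, sample contents and the helper name check_home_net are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not Security Onion's own tooling.
# Builds two constructed suricata.yaml fragments and checks whether HOME_NET
# actually contains an address; an empty group ("[ ]", "[]" or "") yields the
# "Complete IP space negated. Rule address range is NIL" signature error.

TMPDIR_EX=$(mktemp -d)

# Constructed fragment reproducing the broken state from the thread.
cat > "$TMPDIR_EX/broken.yaml" <<'EOF'
vars:
  address-groups:
    HOME_NET: "[ ]"
    EXTERNAL_NET: "!$HOME_NET"
EOF

# Constructed fragment with the RFC 1918 ranges Suricata ships by default.
cat > "$TMPDIR_EX/good.yaml" <<'EOF'
vars:
  address-groups:
    HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"  # trailing comment is ignored
    EXTERNAL_NET: "!$HOME_NET"
EOF

# check_home_net FILE
# Exit 0 when HOME_NET holds at least one address, 1 when it is empty or missing.
# Only the first HOME_NET line is considered; quotes, brackets, spaces and any
# trailing YAML comment are stripped before testing for emptiness.
check_home_net() {
  val=$(sed -n 's/^[[:space:]]*HOME_NET:[[:space:]]*//p' "$1" \
        | head -n 1 \
        | sed 's/#.*$//' \
        | tr -d "\"'[] ")
  [ -n "$val" ]
}

if check_home_net "$TMPDIR_EX/broken.yaml"; then
  echo "broken.yaml: HOME_NET looks fine (unexpected)"
else
  echo "broken.yaml: HOME_NET is empty; rules using \$HOME_NET will not load"
fi

if check_home_net "$TMPDIR_EX/good.yaml"; then
  echo "good.yaml: HOME_NET ok"
fi
```

On a Security Onion box the file to inspect is /opt/so/conf/suricata/suricata.yaml; because that file is rendered by Salt, the lasting fix is the pillar value in /opt/so/saltstack/local/pillar/global.sls followed by `sudo salt-call state.apply suricata`, after which the check can be re-run against the regenerated file.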