Hello,
It appears that you are trying to find the rule that was triggered by your Network Firewall, which prompted the event in your logs. This is possible by looking at the signature_id or sid value in the JSON event output; in the text provided it would be "signature_id": 2804670. Each Suricata rule has a unique signature id which is used to determine the order in which the rules are enforced. This id is chosen when the rule is imported into the rule group. You can use the signature id to find the rule with the matching id which caused the alert.
Resources:
https://suricata.readthedocs.io/en/suricata-6.0.0/rules/meta.html#sid-signature-id
One correction to @Jacob_R's answer. The Signature ID (sid) does not determine the order in which the rules are enforced. It is purely a unique identifier. The rule evaluation order is determined by the settings in your firewall policy and rule group.
Resources:
https://suricata.readthedocs.io/en/suricata-6.0.1/rule-management/suricata-update.html
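The lookup both answers describe, pulling signature_id out of the firewall's JSON alert events and matching it against the sid option of the rules in the rule group, as an added example that is not part of either answer and not AWS or Suricata code. The log lines and the rules text are constructed samples (the rule bodies are placeholders, not real Emerging Threats content); only the value 2804670 comes from the question. It assumes the alert log record wraps the Suricata EVE JSON under an "event" key, and also accepts a bare EVE record.

```python
"""Correlate alert log events with the Suricata rule (by sid) that fired.
Added example; the log lines and rules below are constructed samples."""
import json
import re

# Constructed alert log lines in the shape the firewall writes to its alert
# log destination: the Suricata EVE record sits under "event". The
# signature_id 2804670 is the value quoted in the question.
SAMPLE_LOG_LINES = [
    json.dumps({
        "firewall_name": "example-fw",
        "availability_zone": "us-east-1a",
        "event_timestamp": "1700000000",
        "event": {
            "timestamp": "2023-11-14T22:13:20.000000+0000",
            "flow_id": 1234567890,
            "event_type": "alert",
            "src_ip": "10.0.1.25", "src_port": 51234,
            "dest_ip": "203.0.113.10", "dest_port": 80, "proto": "TCP",
            "alert": {
                "action": "allowed",
                "signature_id": 2804670,
                "rev": 1,
                "signature": "CONSTRUCTED example signature text",
                "category": "Example",
                "severity": 3,
            },
        },
    }),
    # A flow record carries no alert block and must be skipped.
    json.dumps({"firewall_name": "example-fw",
                "event": {"event_type": "netflow"}}),
    # An alert whose sid is not in the local copy of the rule set.
    json.dumps({"firewall_name": "example-fw", "event": {
        "event_type": "alert", "alert": {"signature_id": 9000001, "rev": 2}}}),
]

# Constructed Suricata rules, one per line. The sid option is the only
# thing that ties a rule to an alert; it does not set evaluation order.
SAMPLE_RULES = """\
# comment lines and blank lines are ignored

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"CONSTRUCTED example rule"; flow:established,to_server; sid:2804670; rev:1;)
pass tls $HOME_NET any -> $EXTERNAL_NET 443 (msg:"CONSTRUCTED allow rule"; sid:1000001; rev:1;)
"""

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")


def index_rules_by_sid(rules_text):
    """Map each sid found in a rules file to the full rule line."""
    index = {}
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = SID_RE.search(line)
        if m:
            index[int(m.group(1))] = line
    return index


def alert_signature_ids(log_lines):
    """Return (signature_id, rev) for every alert event in the log lines.
    Accepts the firewall wrapper (EVE under "event") or a bare EVE record."""
    found = []
    for raw in log_lines:
        rec = json.loads(raw)
        eve = rec.get("event", rec)
        if eve.get("event_type") != "alert":
            continue
        alert = eve.get("alert", {})
        if "signature_id" in alert:
            found.append((int(alert["signature_id"]), alert.get("rev")))
    return found


def match_alerts_to_rules(log_lines, rules_text):
    """Pair each alert's sid with its rule text, or None when the sid is
    absent from the rule set (usually a stale local copy of the rules)."""
    index = index_rules_by_sid(rules_text)
    return [(sid, rev, index.get(sid))
            for sid, rev in alert_signature_ids(log_lines)]


if __name__ == "__main__":
    for sid, rev, rule in match_alerts_to_rules(SAMPLE_LOG_LINES, SAMPLE_RULES):
        print(f"sid {sid} rev {rev}: {rule or 'no matching rule in local rule set'}")
```

When a sid from the log has no match, compare the rev value against your rule group before assuming the log is wrong: the copy of the rules you are searching may simply be older than the one the firewall is running.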