Netgate Discussion Forum

    Alerts that go up

    IDS/IPS
    3 Posts 3 Posters 423 Views
    oscar.pulgarin

      I am working with Suricata to map some alerts and vulnerabilities. The alerts are raised, but only the name of the alert, the IP and other parameters are visible.
      But something important is missing: I want to know what information raises those specific alerts, that is, in a practical case, passwords and users in plain text. I want to know that information.
      Can I?

      SteveITS @oscar.pulgarin

        @oscar-pulgarin The default in Suricata is to log HTTP requests but IIRC that is the URL, I don't think it logs the contents of packets. So, maybe, if the value is passed by querystring? (In which case the web server is probably also logging it in plaintext, so hopefully not common)

        HTTPS of course is encrypted and not visible to Suricata.

        bmeeks @oscar.pulgarin

          @oscar-pulgarin said in Alerts that go up:

          I am working with Suricata to map some alerts and vulnerabilities. The alerts are raised, but only the name of the alert, the IP and other parameters are visible.
          But something important is missing: I want to know what information raises those specific alerts, that is, in a practical case, passwords and users in plain text. I want to know that information.
          Can I?

          You can enable packet capture in Suricata, but it will consume a lot of logging space so be prepared for that. You can quickly exhaust disk space on pfSense and crash the firewall. You will find the settings under the INTERFACE SETTINGS tab in the Logging section. You can also do this via EVE JSON logging configurable on the same tab.

          But the vast majority of web traffic now is encrypted (HTTPS). Encrypted traffic cannot be analyzed nor logged by Suricata. Only plaintext HTTP traffic would be visible in a packet capture. But hardly anything is transported using plaintext HTTP these days.

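As an added example (not code from this thread or from pfSense/Suricata), the script below reads EVE JSON alert records that carry a base64 `payload` field, which is what Suricata writes once payload logging is enabled in the alert output as bmeeks describes. It reports which HTTP form fields in each alert looked like credentials without copying the values themselves into the report, and records the size of every logged payload, since that is what eats the firewall's disk. The sample eve.json lines and the field-name list are constructed for this example.

```python
import base64
import json
from urllib.parse import parse_qs

# Constructed sample eve.json lines (not real traffic): an alert carrying a base64
# "payload" field, as Suricata writes when payload logging is enabled, plus a
# flow record that must be ignored.
SAMPLE_EVE_LINES = [
    json.dumps({
        "event_type": "alert",
        "src_ip": "192.0.2.10", "dest_ip": "198.51.100.5", "dest_port": 80,
        "alert": {"signature_id": 2000000, "signature": "EXAMPLE plaintext login form"},
        "http": {"hostname": "intranet.example", "url": "/login", "http_method": "POST"},
        "payload": base64.b64encode(
            b"POST /login HTTP/1.1\r\nHost: intranet.example\r\n"
            b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
            b"username=alice&password=hunter2&remember=1").decode(),
    }),
    json.dumps({"event_type": "flow", "src_ip": "192.0.2.10", "dest_ip": "198.51.100.5"}),
]

CREDENTIAL_FIELDS = {"password", "passwd", "pwd", "pass", "username", "user", "login"}

def decode_payload(event):
    """Decoded payload bytes of an alert event, or None when payload logging is off."""
    payload = event.get("payload")
    return base64.b64decode(payload) if payload else None

def credential_fields(payload):
    """Names of form fields in an HTTP request body that look like credentials.
    Values are deliberately not returned, so the report does not re-expose secrets."""
    _head, sep, body = payload.partition(b"\r\n\r\n")
    if not sep:
        return []
    fields = parse_qs(body.decode("latin-1"), keep_blank_values=True)
    return sorted(n for n in fields if n.lower() in CREDENTIAL_FIELDS)

def report_plaintext_credentials(lines):
    """Parse eve.json lines; list alerts whose logged HTTP payload carried credentials."""
    findings = []
    for line in lines:
        event = json.loads(line)
        payload = decode_payload(event) if event.get("event_type") == "alert" else None
        names = credential_fields(payload) if payload else []
        if names:
            findings.append({"signature": event["alert"]["signature"],
                             "src_ip": event["src_ip"], "dest_ip": event["dest_ip"],
                             "url": event.get("http", {}).get("url"),
                             "credential_fields": names, "payload_bytes": len(payload)})
    return findings
```

Summing `payload_bytes` over a day of alerts gives a quick estimate of how fast payload logging will fill the disk before it is left on.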
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.