Suricata Packet Log Location

Trel · Jul 9, 2014, 2:48 PM

I turned on packet logging for an interface to test with, but I can't find where to actually access those logs.

I kept getting the "Suspicious User Agent" alert so I wanted to look at the packets to see what actually it's flagging.

Cino · Jul 9, 2014, 3:11 PM

I turned on packet logging for an interface to test with, but I can't find where to actually access those logs.

I kept getting the "Suspicious User Agent" alert so I wanted to look at the packets to see what actually it's flagging.

i get a ton of them, mostly false positives for me but look here /var/log/suricata/suricata_'interface id'

Trel · Jul 9, 2014, 3:20 PM

@Cino:

@Trel:

I turned on packet logging for an interface to test with, but I can't find where to actually access those logs.

I kept getting the "Suspicious User Agent" alert so I wanted to look at the packets to see what actually it's flagging.

i get a ton of them, mostly false positives for me but look here /var/log/suricata/suricata_'interface id'

Based on the port being used and the machine it's coming from, I'm fairly certain I know what's triggering it

and if I'm reading the rule right: http://doc.emergingthreats.net/bin/view/Main/2001891

That's being triggered by "3a" or " agent" being in the user agent?