Suricata Packet Log Location
  • I turned on packet logging for an interface to test with, but I can't find where to actually access those logs.

    I kept getting the "Suspicious User Agent" alert so I wanted to look at the packets to see what it's actually flagging.
  • @Trel:

    I turned on packet logging for an interface to test with, but I can't find where to actually access those logs.

    I kept getting the "Suspicious User Agent" alert so I wanted to look at the packets to see what it's actually flagging.

    I get a ton of them, mostly false positives for me, but look here: /var/log/suricata/suricata_'interface id'
  • @Cino:

    @Trel:

    I turned on packet logging for an interface to test with, but I can't find where to actually access those logs.

    I kept getting the "Suspicious User Agent" alert so I wanted to look at the packets to see what it's actually flagging.

    I get a ton of them, mostly false positives for me, but look here: /var/log/suricata/suricata_'interface id'

    Based on the port being used and the machine it's coming from, I'm fairly certain I know what's triggering it,

    and if I'm reading the rule right: http://doc.emergingthreats.net/bin/view/Main/2001891

    That's being triggered by "3a" or " agent" being in the user agent?
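A way to check what a rule's `content:` option actually matches, as an added example that is not part of the thread and does not reproduce the real ET rule: Suricata rule content strings carry raw bytes inside `|...|` hex blocks (so `|3a|` is a colon, not the literal text "3a"), and this decoder expands them before testing constructed sample HTTP headers against a hypothetical rule with a placeholder sid.

```python
import re

# Suricata/Snort content strings mix literal text with |hh hh ...| hex blocks.
_HEX_BLOCK = re.compile(r"\|([0-9A-Fa-f\s]*)\|")

# Hypothetical rule (constructed for this example; sid is a local-range placeholder).
SAMPLE_RULE = (
    'alert http $HOME_NET any -> $EXTERNAL_NET any '
    '(msg:"EXAMPLE Suspicious User-Agent (agent)"; '
    'content:"User-Agent|3a| agent"; http_header; nocase; sid:9000001; rev:1;)'
)

# Constructed request headers to test the rule against.
SAMPLE_HEADERS = {
    "browser": b"GET / HTTP/1.1\r\nHost: example.test\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    "bare_agent": b"GET / HTTP/1.1\r\nHost: example.test\r\nUser-Agent: agent\r\n\r\n",
    "literal_3a": b"GET / HTTP/1.1\r\nHost: example.test\r\nUser-Agent: 3a agent\r\n\r\n",
}


def decode_content(content: str) -> bytes:
    """Expand a content string into the exact bytes the engine searches for."""
    out, pos = bytearray(), 0
    for m in _HEX_BLOCK.finditer(content):
        out += content[pos:m.start()].encode("latin-1")
        out += bytes.fromhex(m.group(1))  # whitespace between hex pairs is ignored
        pos = m.end()
    out += content[pos:].encode("latin-1")
    return bytes(out)


def parse_content_matches(rule: str) -> list:
    """Return (decoded bytes, nocase) for each content: option of a rule line.

    Assumes options are separated by ';' and that no content string itself contains ';'.
    """
    options = rule[rule.index("(") + 1 : rule.rindex(")")]
    matches = []
    for opt in (o.strip() for o in options.split(";")):
        if opt.startswith("content:"):
            matches.append([decode_content(opt[len("content:"):].strip().strip('"')), False])
        elif opt == "nocase" and matches:  # nocase modifies the preceding content
            matches[-1][1] = True
    return [tuple(m) for m in matches]


def rule_hits(rule: str, payload: bytes) -> bool:
    """True if every content match of the rule is found in the payload."""
    for needle, nocase in parse_content_matches(rule):
        hay = payload.lower() if nocase else payload
        if (needle.lower() if nocase else needle) not in hay:
            return False
    return True


if __name__ == "__main__":
    for name, hdrs in SAMPLE_HEADERS.items():
        print(f"{name}: {'ALERT' if rule_hits(SAMPLE_RULE, hdrs) else 'no match'}")
```

Only the header whose User-Agent is exactly "agent" fires; a User-Agent containing the text "3a" does not, because the rule bytes are `User-Agent: agent`.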