From: Victor Julien Date: Thu, 29 Mar 2018 08:01:50 +0000 (+0200) Subject: doc: improve making sense of alerts X-Git-Tag: suricata-4.1.0-rc1~170 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ac1ed24cb429c4137c9fac9d2142967da84f98b8;p=thirdparty%2Fsuricata.git doc: improve making sense of alerts --- diff --git a/doc/userguide/make-sense-alerts.rst b/doc/userguide/make-sense-alerts.rst index 735b1f9aa9..42696c3246 100644 --- a/doc/userguide/make-sense-alerts.rst +++ b/doc/userguide/make-sense-alerts.rst @@ -54,24 +54,24 @@ search engine. It's not always straight forward and sometimes not all of that information is available publicly. Usually asking about it on the -signature support lists helps a lot then. +signature support channel helps a lot then. -For the Emerging Threats list this is: -http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs - -For the VRT ruleset: -https://lists.sourceforge.net/lists/listinfo/snort-sigs +In :doc:`../rule-management/suricata-update` more information on the rule +sources and their documentation and support methods can be found. In many cases, looking at just the alert and the packet that triggered -it won't be enough to be conclusive. When running an IDS engine like -Suricata, it's always recommended to combine it with full packet -capturing. Using tools like Sguil or Snorby, the full TCP session or -UDP flow can be inspected. +it won't be enough to be conclusive. When using the default Eve settings +a lot of metadata will be added to the alert. For example, if a rule fired that indicates your web application is -attacked, looking at the full TCP session might reveal that the web +attacked, looking at the metadata might reveal that the web application replied with 404 not found. This will usually mean the attack failed. Usually, not always. +Not every protocol leads to metadata generation, so when running an +IDS engine like Suricata, it's often recommended to combine it with +full packet capture. Using tools like Evebox, Sguil or Snorby, the +full TCP session or UDP flow can be inspected. + Obviously there is a lot more to Incidence Response, but this should get you started.