No Zeek/Suricata target, so why are there Suricata config files and Zeek rule files in the directory? #2793

I see no target for Zeek and Suricata rules in the sigmac -h output, so what are the Suricata config files (https://github.com/SigmaHQ/sigma/blob/master/tools/config/ala-suricata.yml) and the Zeek files doing in the directory?
Sigma is not designed to make Zeek or Suricata rules.
So there is no backend.
On the other hand, there are rules on the alert logs of Zeek or Suricata.
Like the antivirus rules: the rule does not detect the virus but the alert message of the antivirus.
ala-suricata is for mapping the Suricata alert log fields to Azure Log Analytics.
So you can make a rule like "if I see an alert.signature like 'RDP' in the Suricata alert, then I wake up the SOC with a critical alert" 😃
I hope I made myself clear.
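The kind of rule the reply describes, as an added example that is not from the Sigma project or the original discussion: a Sigma-style selection on `alert.signature|contains: 'RDP'` evaluated by a minimal matcher over constructed Suricata EVE JSON alert lines. The logsource values, the sample lines and the matcher itself are assumptions for illustration, not a sigmac backend.

```python
import json

# Added example (not Sigma project code): a Sigma-style rule written as a dict
# that mirrors the YAML layout, plus a minimal matcher run over constructed
# Suricata EVE alert lines. The logsource values are assumptions.
RULE = {
    "title": "Suricata alert mentioning RDP",
    "logsource": {"product": "suricata", "service": "eve"},  # assumed values
    "detection": {
        "selection": {"event_type": "alert", "alert.signature|contains": "RDP"},
        "condition": "selection",
    },
    "level": "critical",
}

# Constructed EVE JSON lines, not real captures.
SAMPLE_EVE_LINES = [
    '{"event_type":"alert","src_ip":"10.0.0.5","alert":{"signature":"ET SCAN Potential RDP brute force"}}',
    '{"event_type":"alert","src_ip":"10.0.0.9","alert":{"signature":"ET INFO HTTP request"}}',
    '{"event_type":"flow","src_ip":"10.0.0.5"}',
    '{"event_type":"alert","src_ip":"10.0.0.7","alert":{"signature":"GPL RDP session request"}}',
]

def get_field(event, dotted):
    """Resolve a dotted Sigma field name such as 'alert.signature' in nested JSON."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def field_matches(event, key, expected):
    """Sigma field test: exact match by default, substring with '|contains' (case-insensitive)."""
    field, _, modifier = key.partition("|")
    value = get_field(event, field)
    if value is None:
        return False
    if modifier == "contains":
        return str(expected).lower() in str(value).lower()
    return str(value).lower() == str(expected).lower()  # no modifier: exact match

def evaluate(rule, lines):
    """Return (level, signature) for each line matching every field of the selection."""
    selection = rule["detection"]["selection"]
    hits = []
    for line in lines:
        event = json.loads(line)
        if all(field_matches(event, k, v) for k, v in selection.items()):
            hits.append((rule["level"], get_field(event, "alert.signature")))
    return hits
```

Only the two alert events whose signature mentions RDP are reported; the flow record and the HTTP alert are ignored, which is exactly the "rule on the alert log, not on the traffic" distinction the reply makes.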