Suricata anomaly detected from source IP address

This rule is part of a beta feature. To learn more, contact Support.
suricata

Classification:

anomaly

Set up the suricata integration.


Goal

Detect when Suricata raises an anomaly-based detection.

Strategy

The rule monitors Suricata logs of the `anomaly` event type and triggers when an anomaly is detected from a source IP address.

Triage and response

  1. Investigate the anomaly generated from {{@network.client.ip}} by its anomaly type ({{@anomaly.type}}) and anomaly event name ({{@anomaly.event}}).
  2. Examine the reassembled traffic to understand the nature of the anomaly and determine whether it is due to benign network issues or malicious activity.
  3. If the anomalies are deemed malicious, take steps to block the offending traffic and strengthen network defences.
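As an added example (not part of this rule or of Suricata), the following script mirrors the rule's strategy and triage step 1 over Suricata EVE JSON: it keeps only `event_type: anomaly` records and groups them by source IP, anomaly type and anomaly event. The sample EVE lines, IP addresses and event names are constructed for the demonstration; Datadog maps `src_ip`, `anomaly.type` and `anomaly.event` to `@network.client.ip`, `@anomaly.type` and `@anomaly.event`.

```python
import json
from collections import Counter, defaultdict

# Constructed Suricata EVE JSON lines (not captured traffic). The layout follows
# Suricata's EVE "anomaly" record: src_ip plus an "anomaly" object with "type"
# (decode / stream / applayer) and "event". Event names are sample values.
SAMPLE_EVE = """
{"timestamp":"2024-05-01T10:00:00.000000+0000","event_type":"anomaly","src_ip":"10.0.0.5","src_port":51234,"dest_ip":"10.0.0.20","dest_port":80,"proto":"TCP","anomaly":{"type":"stream","event":"stream.pkt_broken_ack"}}
{"timestamp":"2024-05-01T10:00:01.000000+0000","event_type":"flow","src_ip":"10.0.0.5","dest_ip":"10.0.0.20","proto":"TCP"}
{"timestamp":"2024-05-01T10:00:02.000000+0000","event_type":"anomaly","src_ip":"10.0.0.5","src_port":51235,"dest_ip":"10.0.0.20","dest_port":80,"proto":"TCP","app_proto":"http","anomaly":{"app_proto":"http","type":"applayer","event":"REQUEST_FIELD_MISSING_COLON"}}
{"timestamp":"2024-05-01T10:00:03.000000+0000","event_type":"anomaly","src_ip":"192.168.1.9","dest_ip":"10.0.0.20","proto":"UDP","anomaly":{"type":"decode","event":"decoder.udp.pkt_too_small"}}
this line is deliberately not JSON
"""


def parse_anomalies(eve_text):
    """Yield (src_ip, anomaly_type, anomaly_event) for every EVE anomaly record."""
    for line in eve_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than abort the triage run
        if rec.get("event_type") != "anomaly":
            continue  # the rule only looks at the anomaly event type
        anomaly = rec.get("anomaly", {})
        yield rec.get("src_ip"), anomaly.get("type"), anomaly.get("event")


def anomalies_by_source(eve_text):
    """Group (anomaly type, anomaly event) counts by source IP, the same
    grouping the rule uses to raise a signal per source address."""
    by_src = defaultdict(Counter)
    for src_ip, a_type, a_event in parse_anomalies(eve_text):
        by_src[src_ip][(a_type, a_event)] += 1
    return dict(by_src)


if __name__ == "__main__":
    for src_ip, counts in anomalies_by_source(SAMPLE_EVE).items():
        print(src_ip)
        for (a_type, a_event), n in counts.most_common():
            print(f"  {a_type:<9} {a_event:<32} x{n}")
```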