Suricata anomaly detected from source IP address

This rule is part of a beta feature. To learn more, contact Support.
suricata

Classification:

anomaly

Set up the suricata integration.


Goal

Detect when Suricata raises an anomaly-based detection.

Strategy

This rule monitors Suricata logs of the anomaly event type and triggers when an anomaly is detected from a source IP address.
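As an added example that is not part of the Datadog rule or Suricata itself, the following Python reproduces the rule's logic offline: it reads Suricata EVE JSON lines, keeps only records whose `event_type` is `anomaly`, and groups them by source IP together with the anomaly type and event name a responder needs for triage. The EVE lines are constructed sample data, not captured traffic.

```python
import json
from collections import defaultdict

# Constructed sample EVE JSON lines (not real traffic). One flow record and
# one malformed line are mixed in to show that they are ignored.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2024-01-01T10:00:00.000000+0000","event_type":"anomaly",'
    '"src_ip":"10.0.0.5","src_port":51234,"dest_ip":"10.0.0.20","dest_port":80,'
    '"proto":"TCP","anomaly":{"type":"stream","event":"stream.pkt_broken_ack"}}',
    '{"timestamp":"2024-01-01T10:00:01.000000+0000","event_type":"flow",'
    '"src_ip":"10.0.0.5","dest_ip":"10.0.0.20","proto":"TCP"}',
    '{"timestamp":"2024-01-01T10:00:02.000000+0000","event_type":"anomaly",'
    '"src_ip":"10.0.0.5","src_port":51235,"dest_ip":"10.0.0.20","dest_port":80,'
    '"proto":"TCP","anomaly":{"type":"applayer",'
    '"event":"APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION","layer":"proto_detect"}}',
    '{"timestamp":"2024-01-01T10:00:03.000000+0000","event_type":"anomaly",'
    '"src_ip":"192.168.1.9","dest_ip":"10.0.0.21","proto":"UDP",'
    '"anomaly":{"type":"decode","event":"decoder.ipv4.trunc_pkt"}}',
    'not json at all',
]


def parse_anomaly_events(lines):
    """Yield the fields the rule uses from well-formed 'anomaly' EVE records."""
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of stopping the pipeline
        if rec.get("event_type") != "anomaly":
            continue  # the rule only looks at the anomaly event type
        anomaly = rec.get("anomaly", {})
        yield {
            "timestamp": rec.get("timestamp"),
            "src_ip": rec.get("src_ip"),
            "type": anomaly.get("type"),
            "event": anomaly.get("event"),
        }


def group_by_source(lines):
    """Group anomaly events by source IP, the key the rule alerts on."""
    by_src = defaultdict(list)
    for ev in parse_anomaly_events(lines):
        if ev["src_ip"] is None:
            continue  # no source IP means nothing to group on
        by_src[ev["src_ip"]].append(ev)
    return dict(by_src)


def triage_summary(lines):
    """Per source IP, the distinct (anomaly type, event name) pairs seen."""
    return {src: sorted({(e["type"], e["event"]) for e in evs})
            for src, evs in group_by_source(lines).items()}
```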

Triage and response

  1. Investigate the anomaly generated from {{@network.client.ip}}, using the anomaly type ({{@anomaly.type}}) and the anomaly event name ({{@anomaly.event}}).
  2. Examine the reassembled traffic to understand the nature of the anomaly and determine if the anomaly is due to benign network issues or malicious activity.
  3. If the anomalies are deemed malicious, take steps to block the offending traffic and strengthen network defences.