2 questions folks - firstly, any good documentation on using suricata if you have no idea what you doing and secondly (to validate my first point) any suggestions with regard to the observed trojan that seems to be coming from (source) my nethservers red interface (this isnt its public ip which is provided by a dreytek router the nethserver sits behind)
There’s some documentation:
http://docs.nethserver.org/en/v7/suricata.html
http://docs.nethserver.org/projects/nethserver-devel/en/latest/nethserver-suricata.html
http://docs.nethserver.org/projects/nethserver-devel/en/latest/nethserver-evebox.html
https://suricata.readthedocs.io/en/suricata-4.1.2/
The ET TROJAN message seems to be a false positive, see IPS Network Problem
Here are good default settings and as recommended here, to minimize problems like false positives it’s easier to run the IPS on a Nethserver with gateway services(like firewall, proxy, fail2ban for example) only.
1 Like
thanks Markuz ill review those docs and appreciate your efforts as always - ah yes a dedicated firewall suddenly makes a lot of sense - its been on my mind for a while but i can now appreciate the necessity!