Suricata anomaly detected from source IP address

suricata

Classification:

anomaly

Set up the suricata integration.


Goal

Detect when Suricata raises an anomaly-based detection.

Strategy

The rule monitors Suricata logs of the `anomaly` event type and triggers when an anomaly is detected from a source IP address.

Triage and response

  1. Investigate the anomaly generated from {{@network.client.ip}} by anomaly type - {{@anomaly.type}} and anomaly event name - {{@anomaly.event}}.
  2. Examine the reassembled traffic to understand the nature of the anomaly and determine if the anomaly is due to benign network issues or malicious activity.
  3. If the anomalies are deemed malicious, take steps to block the offending traffic and strengthen network defences.
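The detection logic described under Strategy and the per-source grouping the triage steps rely on can be reproduced offline against Suricata EVE JSON output. The script below is an added example, not part of the Datadog rule or of Suricata; it filters EVE records to `event_type: "anomaly"` and groups them by source IP together with `anomaly.type` and `anomaly.event` (the fields behind `@anomaly.type` and `@anomaly.event`). The log lines are constructed for the example, and the `anomalies_by_source` and `parse_anomaly_events` names are the example's own.

```python
import json
from collections import defaultdict

# Constructed sample of Suricata EVE JSON lines (not captured from a real sensor):
# two anomaly events from one source, one from another, an unrelated alert record,
# and a truncated line, so the filtering and error handling are exercised.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2024-01-01T10:00:00.000000+0000","event_type":"anomaly",'
    '"src_ip":"10.0.0.5","src_port":51234,"dest_ip":"192.0.2.10","dest_port":80,'
    '"proto":"TCP","anomaly":{"type":"stream","event":"stream.3whs_wrong_seq_wrong_ack"}}',
    '{"timestamp":"2024-01-01T10:00:01.000000+0000","event_type":"anomaly",'
    '"src_ip":"10.0.0.5","dest_ip":"192.0.2.10","proto":"TCP",'
    '"anomaly":{"type":"decode","event":"decoder.ipv4.trunc_pkt"}}',
    '{"timestamp":"2024-01-01T10:00:02.000000+0000","event_type":"anomaly",'
    '"src_ip":"198.51.100.7","src_port":40000,"dest_ip":"192.0.2.20","dest_port":443,'
    '"proto":"TCP","anomaly":{"type":"applayer","event":"applayer.mismatch_protocol_both_directions","layer":"proto_detect"}}',
    '{"timestamp":"2024-01-01T10:00:03.000000+0000","event_type":"alert",'
    '"src_ip":"203.0.113.9","dest_ip":"192.0.2.10","proto":"TCP",'
    '"alert":{"signature":"constructed test signature","severity":3}}',
    '{"timestamp":"2024-01-01T10:00:04.000000+0000","event_type":"anomaly","src_ip":"10.0.0.5"',
]


def parse_anomaly_events(lines):
    """Yield (src_ip, anomaly_type, anomaly_event) for each EVE anomaly record.

    Non-anomaly event types (alert, flow, dns, ...) are skipped, as are lines
    that are not valid JSON (e.g. a record truncated by log rotation).
    """
    for line in lines:
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed or truncated line: not a usable event
        if record.get("event_type") != "anomaly":
            continue  # the rule only looks at the anomaly event type
        anomaly = record.get("anomaly", {})
        yield record.get("src_ip"), anomaly.get("type"), anomaly.get("event")


def anomalies_by_source(lines):
    """Group anomaly events per source IP.

    Returns {src_ip: {(anomaly_type, anomaly_event): count}}, which is the
    view the triage steps ask for: one source, broken down by type and event.
    """
    summary = defaultdict(lambda: defaultdict(int))
    for src_ip, anomaly_type, anomaly_event in parse_anomaly_events(lines):
        summary[src_ip][(anomaly_type, anomaly_event)] += 1
    return {ip: dict(events) for ip, events in summary.items()}


if __name__ == "__main__":
    # Each source IP with at least one anomaly is what the rule would fire on.
    for src_ip, events in anomalies_by_source(SAMPLE_EVE_LINES).items():
        print(f"anomaly from {src_ip}:")
        for (anomaly_type, anomaly_event), count in events.items():
            print(f"  type={anomaly_type} event={anomaly_event} count={count}")
```

Run it against a real `eve.json` by replacing `SAMPLE_EVE_LINES` with the file's lines; the per-source breakdown tells you whether a source is producing one repeated decode or stream anomaly (often a middlebox or a lossy link) or a spread of application-layer mismatches that warrants looking at the reassembled traffic.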