Suricata not detecting attacks using emerging threats

I am currently working on my thesis, where I need a set of Suricata alerts, labeled with event type (benign, attack). For this, I've been using the CIC-IDS2017 data set (https://www.unb.ca/cic/datasets/ids-2017.html). I am using the Friday set, a day with both normal activity and attacks (port scan and DDoS Loit).

I run the PCAP file through Suricata, using the Emerging Threats ruleset (https://rules.emergingthreats.net/open/suricata-7.0.3/) to detect attacks. The rules are loaded, about 44500 rules as I remember. I get a bunch of alerts, which I then do my best to match with a corresponding CSV file with labeled flows.

While the flows are not 1-to-1 with the alerts, I try my best to match each alert with a row from the labeled flows, using src and dest IP, src and dest port, protocol, and checking if they both are within the same 5 min time window. With the Friday set, I get around 50% of my alerts to match. It's not perfect, and I am open to the possibility that this could be the reason for it looking like no attacks are being detected, as 50% of the alerts are unknown.

Here is my issue. The matches I get are only benign. I don't get any attack matches. This could be either because of some mismatch between these bidirectional flows and the alerts (since I only get 50% matches), or the fact that no real attacks are actually being detected by Suricata.

Right now, I am exploring the possibility of Suricata and its ruleset being the issue, since I have tried several datasets from CIC-IDS2017, and I still don't get any attack detections.

I am very new to Suricata and rulesets, and I was assuming the Emerging Threats ruleset would be enough to detect port scans or any other of the types used, especially in a synthetic dataset. I could really use some perspective from someone who is familiar with the ruleset and Suricata.
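The alert-to-flow matching described in the post, written out as an added example (not the poster's own code): it keys each Suricata eve.json alert and each labeled CSV row on a direction-independent 5-tuple, so a flow recorded from the initiator's side still matches an alert fired on the reverse direction, and applies the 5-minute window. The EVE records, the CSV column names, the CSV timestamp format and the assumption that both clocks are UTC are all constructed or assumed here; the real CIC-IDS2017 files differ per day and should be checked before reuse.

```python
import csv
import io
import json
from datetime import datetime, timedelta, timezone

# Constructed eve.json records (shape of Suricata alert records assumed). The third
# record is a non-alert event type, which must be skipped rather than labeled.
EVE_TEXT = """\
{"timestamp":"2017-07-07T13:02:10.123456+0000","event_type":"alert","src_ip":"172.16.0.1","src_port":44321,"dest_ip":"192.168.10.50","dest_port":22,"proto":"TCP","alert":{"signature":"CONSTRUCTED scan sig"}}
{"timestamp":"2017-07-07T13:10:00.000000+0000","event_type":"alert","src_ip":"192.168.10.8","src_port":51000,"dest_ip":"8.8.8.8","dest_port":53,"proto":"UDP","alert":{"signature":"CONSTRUCTED dns sig"}}
{"timestamp":"2017-07-07T13:05:00.000000+0000","event_type":"flow","src_ip":"1.2.3.4","src_port":1,"dest_ip":"5.6.7.8","dest_port":2,"proto":"TCP"}
"""

# Constructed rows in the style of the CIC-IDS2017 labeled-flow CSV (column names and
# timestamp format assumed). The first row is deliberately recorded in the opposite
# direction to the first alert above, to show why direction-independent keys matter.
FLOW_CSV = """\
Source IP,Source Port,Destination IP,Destination Port,Protocol,Timestamp,Label
192.168.10.50,22,172.16.0.1,44321,6,07/07/2017 13:00:00,PortScan
192.168.10.8,51000,8.8.8.8,53,17,07/07/2017 13:09:30,BENIGN
"""

PROTO_NUM = {"TCP": 6, "UDP": 17, "ICMP": 1}  # EVE names -> CSV protocol numbers

def flow_key(src_ip, src_port, dst_ip, dst_port, proto):
    """Direction-independent key: sort the endpoints so A->B and B->A collide."""
    ends = sorted([(src_ip, int(src_port)), (dst_ip, int(dst_port))])
    return (ends[0], ends[1], int(proto))

def load_flows(csv_text):
    flows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        ts = datetime.strptime(row["Timestamp"], "%d/%m/%Y %H:%M:%S")  # assumed format, assumed UTC
        key = flow_key(row["Source IP"], row["Source Port"], row["Destination IP"],
                       row["Destination Port"], row["Protocol"])
        flows.append((key, ts, row["Label"]))
    return flows

def label_alerts(eve_text, flows, window=timedelta(minutes=5)):
    """Return [(signature, label or None)] per alert; None means no flow matched (unknown)."""
    out = []
    for line in eve_text.splitlines():
        ev = json.loads(line)
        if ev.get("event_type") != "alert":
            continue  # eve.json also carries flow/dns/... records that carry no alert
        ts = datetime.strptime(ev["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")
        ts = ts.astimezone(timezone.utc).replace(tzinfo=None)  # compare as naive UTC
        key = flow_key(ev["src_ip"], ev["src_port"], ev["dest_ip"], ev["dest_port"], PROTO_NUM[ev["proto"]])
        label = next((lbl for k, fts, lbl in flows if k == key and abs(fts - ts) <= window), None)
        out.append((ev["alert"]["signature"], label))
    return out

if __name__ == "__main__":
    res = label_alerts(EVE_TEXT, load_flows(FLOW_CSV))
    unknown = sum(1 for _, lbl in res if lbl is None)
    print(res, f"{len(res) - unknown}/{len(res)} alerts matched")
```

Alerts that come back as None are the "unknown" share from the post; inspecting them by signature is a quick way to tell a timestamp or direction mismatch from a genuine absence of detections.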