Question about rule

[ngms17]

I am trying to use ElastAlert with Suricata. My filter is currently like this.

filter:
- query:
    query_string:
      query: "suricata.eve.alert.signature: ET MALWARE"

I am not getting any hits though. I suspect that I have to put the exact value of "suricata.eve.alert.signature".

But what I want to do is to alert on any log that contains the words ET MALWARE, independent of what type of ET MALWARE alert it is

[ferozsalam]

Are you able to post the sort of document you expect to match against? Feel free to redact anything specific to your organisation.

[ngms17]

How can I change elasticsearch.py to my ES host instead of localhost?

[ngms17]

Also, i divided what i want into different rule files. I have defined in my config file the rules folder but still no rules are loaded

[ngms17]

If i knew where things are, i would not ask. Thanks for the help anyway.

[jertel]

@ngms17 To clarify, the trace logs are hard coded to show localhost:9200 for security reasons since the trace logs are typically sent to external parties to troubleshooting assistance. It isn't actually trying to use that host/port. So that's why you can disregard that part of the log output.

[ngms17]

Thank you! @jertel