tail -F /var/log/suricata/fast.log
curl http://testmyids.com/   # doesn't work?
curl -I http://example.net/ -A BlackSun
grep BlackSun /etc/suricata/rules/suricata.rules
draft
in case you are sniffing a VPN link, you might want to force the network path through it by pinning the hostnames to an address inside the tunnel:
internal_ip=x.x.x.x
curl -i --resolve testmyids.com:80:$internal_ip http://testmyids.com/
curl -I --resolve example.net:80:$internal_ip http://example.net/ -A BlackSun
casual test
04/12/2020-17:27:27.241696 [**] [1:2013028:4] ET POLICY curl User-Agent Outbound [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.1.1.247:50444 -> 31.3.245.133:80
this one was logged with inline (IPS) mode up and running, hence the [Drop] tag in front of the alert
04/12/2020-17:49:51.412249 [Drop] [**] [1:2008983:7] ET USER_AGENTS Suspicious User Agent (BlackSun) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.1.247:50496 -> 31.3.245.133:80
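When checking whether a sensor is really dropping rather than just alerting, it helps to turn fast.log into structured records instead of eyeballing the lines. The parser below is an added example written for this note, not code from Suricata; it embeds the two fast.log records shown above as sample input, handles the optional [Drop] / [wDrop] action tag that Suricata prefixes in inline mode, and reports which signatures fired without a drop. Field names (Alert, parse_fast_log, alerted_but_not_dropped) are this example's own choices.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample input: the two fast.log records quoted in the note above.
SAMPLE_FAST_LOG = """\
04/12/2020-17:27:27.241696 [**] [1:2013028:4] ET POLICY curl User-Agent Outbound [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.1.1.247:50444 -> 31.3.245.133:80
04/12/2020-17:49:51.412249 [Drop] [**] [1:2008983:7] ET USER_AGENTS Suspicious User Agent (BlackSun) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.1.247:50496 -> 31.3.245.133:80
"""

# fast.log layout:
#   <timestamp>  [Drop|wDrop] [**] [gid:sid:rev] <msg> [**] [Classification: ...] [Priority: N] {PROTO} src:port -> dst:port
# The action tag is only present when the packet was (or would have been) dropped.
FAST_LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+"
    r"(?:\[(?P<action>Drop|wDrop)\]\s+)?"
    r"\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<classification>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<priority>\d+)\]\s+"
    r"\{(?P<proto>[^}]+)\}\s+"
    r"(?P<src_ip>\S+):(?P<src_port>\d+)\s+->\s+(?P<dst_ip>\S+):(?P<dst_port>\d+)\s*$"
)


@dataclass
class Alert:
    timestamp: str
    dropped: bool       # [Drop]: inline mode and the packet was actually dropped
    would_drop: bool    # [wDrop]: drop rule matched but the engine is not inline
    gid: int
    sid: int
    rev: int
    msg: str
    classification: Optional[str]
    priority: int
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def parse_fast_log_line(line: str) -> Optional[Alert]:
    """Parse one fast.log record; return None for lines that do not match."""
    m = FAST_LOG_RE.match(line.strip())
    if not m:
        return None
    action = m.group("action")
    return Alert(
        timestamp=m.group("ts"),
        dropped=(action == "Drop"),
        would_drop=(action == "wDrop"),
        gid=int(m.group("gid")),
        sid=int(m.group("sid")),
        rev=int(m.group("rev")),
        msg=m.group("msg"),
        classification=m.group("classification"),
        priority=int(m.group("priority")),
        proto=m.group("proto"),
        src_ip=m.group("src_ip"),
        src_port=int(m.group("src_port")),
        dst_ip=m.group("dst_ip"),
        dst_port=int(m.group("dst_port")),
    )


def parse_fast_log(text: str) -> List[Alert]:
    """Parse a whole fast.log body, silently skipping unparseable lines."""
    alerts = (parse_fast_log_line(l) for l in text.splitlines())
    return [a for a in alerts if a is not None]


def alerted_but_not_dropped(alerts: List[Alert]) -> List[Alert]:
    """Signatures that fired without the packet being dropped.

    In a sensor that is supposed to be inline, a priority-1 hit in this list
    is the first thing to look at: either the rule action is 'alert' rather
    than 'drop', or traffic is bypassing the inline path.
    """
    return [a for a in alerts if not a.dropped]


if __name__ == "__main__":
    for a in parse_fast_log(SAMPLE_FAST_LOG):
        state = "DROP" if a.dropped else ("wDROP" if a.would_drop else "alert")
        print(f"{a.timestamp} {state:5} sid={a.sid} prio={a.priority} "
              f"{a.src_ip}:{a.src_port} -> {a.dst_ip}:{a.dst_port} {a.msg}")
```

Run against the live file with `python3 parse_fastlog.py < /dev/null` adapted to read `/var/log/suricata/fast.log`, or feed `tail -F` output line by line through `parse_fast_log_line`; the curl record above comes back as a plain alert (no drop), while the BlackSun record comes back with `dropped=True`.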