IDS/IPS Alerts (Snort/Suricata)

Network, Perimeter Security, Network Capture, SIEM / Log Aggregator

Location

IDS/IPS alert logs (Snort alert files, Suricata eve.json, SIEM-ingested alerts)

Description

Signature-based and anomaly-based intrusion detection alerts with rule SID, severity, source/destination IP and port, protocol, alert message, and reference to the triggering packet.

Forensic Value

IDS alerts provide immediate, high-confidence indicators when signature matches occur for known exploits, malware communication patterns, or policy violations. Suricata eve.json output includes the triggering rule details and associated flow metadata. Even in high-noise environments, filtering by severity and correlating with other artifacts narrows the focus. Alert timestamps establish the earliest detection of malicious activity, supporting timeline construction.

Tools Required

Suricata, Snort, SIEM (Splunk, Elastic), Sguil

Collection Commands

Suricata

jq -c 'select(.event_type=="alert") | {timestamp, src_ip, dest_ip, dest_port, alert: .alert.signature, severity: .alert.severity}' /var/log/suricata/eve.json > suricata_alerts.json

Snort

mkdir -p /tmp/snort_output && snort -r capture.pcap -c /etc/snort/snort.conf -A full -l /tmp/snort_output/ && cat /tmp/snort_output/alert > snort_alerts.txt

Splunk

index=ids sourcetype="suricata:alert" earliest=-7d severity<=2 | stats count by alert.signature, src_ip, dest_ip | sort -count | head 50
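The jq filter and the Splunk aggregation above, reproduced in Python as an added example (not code from the original page) so the same severity filter, per-signature counts and earliest-detection timestamps can be computed offline from an eve.json file; the sample records, SIDs and addresses are constructed for illustration.

```python
# Added example: triage Suricata eve.json alerts (filter, aggregate, first seen).
import json
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# Constructed sample eve.json lines; SIDs, addresses and signature names are
# made up for illustration and are not real rule identifiers.
SAMPLE_EVE = """\
{"timestamp":"2024-03-10T08:15:02.123456+0000","event_type":"flow","src_ip":"10.0.0.5","dest_ip":"198.51.100.7"}
{"timestamp":"2024-03-10T08:15:03.000001+0000","event_type":"alert","src_ip":"203.0.113.9","dest_ip":"10.0.0.5","dest_port":80,"proto":"TCP","alert":{"signature_id":9000001,"signature":"EXAMPLE Web exploit attempt","severity":1}}
{"timestamp":"2024-03-10T08:16:40.500000+0000","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"198.51.100.7","dest_port":443,"proto":"TCP","alert":{"signature_id":9000002,"signature":"EXAMPLE C2 beacon","severity":2}}
{"timestamp":"2024-03-10T08:17:00.000000+0000","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"198.51.100.7","dest_port":443,"proto":"TCP","alert":{"signature_id":9000002,"signature":"EXAMPLE C2 beacon","severity":2}}
{"timestamp":"2024-03-10T08:18:00.000000+0000","event_type":"alert","src_ip":"10.0.0.8","dest_ip":"10.0.0.1","dest_port":53,"proto":"UDP","alert":{"signature_id":9000003,"signature":"EXAMPLE Informational DNS query","severity":3}}
"""

def load_alerts(lines: Iterable[str], max_severity: int = 2) -> List[dict]:
    """Keep alert events with severity <= max_severity (1 is the highest priority)."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # a truncated line at the end of a rotated file is common
        if ev.get("event_type") != "alert":
            continue
        if ev.get("alert", {}).get("severity", 99) > max_severity:
            continue
        alerts.append(ev)
    return alerts

def top_signatures(alerts: List[dict]) -> List[Tuple[Tuple[str, str, str], int]]:
    """Same shape as: stats count by alert.signature, src_ip, dest_ip | sort -count."""
    counts = Counter((a["alert"]["signature"], a["src_ip"], a["dest_ip"]) for a in alerts)
    return counts.most_common()

def earliest_detection(alerts: List[dict]) -> Dict[str, str]:
    """Earliest timestamp per signature (the timeline anchor). Suricata writes a
    fixed-width ISO-8601 form with one offset, so string comparison orders it."""
    first: Dict[str, str] = {}
    for a in alerts:
        sig, ts = a["alert"]["signature"], a["timestamp"]
        if sig not in first or ts < first[sig]:
            first[sig] = ts
    return first
```

To run it against a real file, pass `open("/var/log/suricata/eve.json")` to `load_alerts` instead of `SAMPLE_EVE.splitlines()`.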

MITRE ATT&CK Techniques

T1190, T1595, T1071, T1059, T1203