Suricata Intrusion Detection

Suricata is a high-performance network IDS, IPS and network security monitoring engine. It is open source and owned by a community-run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF and its supporting vendors.

Installation

Install suricata from the repo.

 sudo pacman -S suricata suricata-emerging-rules

Configuration

The main configuration file is /etc/suricata/suricata.yaml.

You should change the following parts of the config in order to make it run:

 default-log-dir: /var/log/suricata/                 # where you want to store log files
 classification-file: /etc/suricata/classification.config
 reference-config-file: /etc/suricata/reference.config
 HOME_NET: "[10.0.0.0/8]"                            # your local network
 host-os-policy: ..                                  # according to the OS running the IPS
 magic-file: /usr/share/file/misc/magic.mgc
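Most rules are written against $HOME_NET, and EXTERNAL_NET defaults to "!$HOME_NET", so a HOME_NET that omits part of your address space silently disables detection for those hosts. The following Python check is an added example, not part of the original article: it parses the address-group syntax used in suricata.yaml and reports how a flow is classified relative to HOME_NET; the HOME_NET value and sample addresses are constructed.

```python
import ipaddress

def parse_address_group(spec):
    """Parse a Suricata address group such as "[10.0.0.0/8,!10.0.5.0/24]".

    Returns (include, exclude) lists of ip_network objects.  "any" matches
    everything; "!" negates one entry; nested brackets are flattened.
    Variable references such as $HOME_NET are not resolved here.
    """
    spec = spec.strip()
    if spec.lower() == "any":
        return [ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")], []
    include, exclude = [], []
    for raw in spec.replace("[", ",").replace("]", ",").split(","):
        entry = raw.strip()
        if not entry:
            continue  # empty piece left over from a bracket or a double comma
        negated = entry.startswith("!")
        net = ipaddress.ip_network(entry.lstrip("!"), strict=False)
        (exclude if negated else include).append(net)
    return include, exclude

def in_address_group(ip, group):
    """True if ip falls inside an included network and inside no excluded one."""
    addr = ipaddress.ip_address(ip)
    include, exclude = group
    if any(addr in net for net in exclude):
        return False
    return any(addr in net for net in include)

def classify_flow(src, dst, home):
    """Direction of a src->dst flow with EXTERNAL_NET at its default "!$HOME_NET".
    A rule written as "$EXTERNAL_NET any -> $HOME_NET any" only fires on 'inbound'."""
    s, d = in_address_group(src, home), in_address_group(dst, home)
    if s and d:
        return "internal"
    if s:
        return "outbound"
    if d:
        return "inbound"
    return "external"

# Constructed HOME_NET in suricata.yaml syntax: two private ranges, one subnet carved out
HOME_NET = parse_address_group("[10.0.0.0/8,192.168.0.0/16,!10.0.5.0/24]")

if __name__ == "__main__":
    for src, dst in [("203.0.113.9", "10.1.2.3"), ("10.1.2.3", "203.0.113.9"),
                     ("10.1.2.3", "192.168.1.1"), ("10.0.5.7", "203.0.113.9")]:
        print(f"{src} -> {dst}: {classify_flow(src, dst, HOME_NET)}")
```

Note that a host in the negated subnet (10.0.5.7 above) is treated as external in both directions, so inbound-style rules never fire for it.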

Web interface

You may use snorby [1] as web interface.

Starting Suricata

Manual startup

You may start the suricata service manually with:

 # /usr/bin/suricata -c /etc/suricata/suricata.yaml -i eth0

Systemd service configuration

To start suricata automatically at system boot, enable suricata@<interface>.service.

For example, if the network interface is eth0, the service name is suricata@eth0.service.

Copy service configuration

Use the following unit file for suricata@<interface>.service:

 [Unit]
 Description=Suricata Intrusion Detection Service listening on '%I'
 After=network.target

 [Service]
 Type=forking
 ExecStart=/usr/bin/suricata -c /etc/suricata/suricata.yaml -i %i -D
 ExecReload=/bin/kill -HUP $MAINPID

 [Install]
 WantedBy=multi-user.target


 Tip: If the service file is not yet included in the package, place this file under /usr/lib/systemd/system/suricata@.service.

Update the rule database. First list the available rule sources:

 suricata-update list-sources

Now enable all of the free rule sources. A paid source requires an account and a subscription; when enabling one you will be asked for your username and password for that source, which you only have to enter once since suricata-update saves that information.

 suricata-update enable-source ptresearch/attackdetection
 suricata-update enable-source oisf/trafficid
 suricata-update enable-source sslbl/ssl-fp-blacklist


Calogero Scarnà