assuming you installed suricata already
for a network device NIDS – you need port mirroring (SPAN) in place
for a local NIDS – just pick the NIC you want to sniff e.g. eth0
for an IPS – you need to sit inline as the gateway (NFQUEUE, or AF_PACKET copy-mode between two NICs); the rest of this page is the passive IDS case, sniffing the front-facing NIC
see suricata-install
check run modes for AF_PACKET_DEV
suricata --list-runmodes
wipe out the comments (the .clean copy stays untouched, it is the baseline for the diff check further down) – anchor the pattern, otherwise every line carrying a trailing comment goes too
cd /etc/suricata/
mv -i suricata.yaml suricata.yaml.dist
sed -r '/^[[:space:]]*#/d; /^$/d' suricata.yaml.dist > suricata.yaml.clean
cp -pi suricata.yaml.clean suricata.yaml
vi suricata.yaml
sample setup for a standalone server with a public ip (replace EXTERNAL-NIC with the public address of the front-facing NIC; leave EXTERNAL_NET as !$HOME_NET)
HOME_NET: "[127.0.0.1/32, EXTERNAL-NIC/32]"
add alternate SSH ports if there are some
SSH_PORTS: "[22,2222]"
if the interface to sniff is not eth0, e.g. wg0 or wt0 on VPN gateways, substitute it throughout
:%s/eth[0-9]/wg0/g
:%s/eth[0-9]/wt0/g
and get rid of the catch-all af-packet entry
interface: default
avoid flooding the disk on the IDS: disable the files event type
outputs:
  - eve-log:
      types:
        - files:
            enabled: no
optionally enable the specific protocols you need to trace, e.g. pgsql needs both the eve type and the app-layer parser
  - eve-log:
      types:
        - pgsql:
            enabled: yes
app-layer:
  protocols:
    pgsql:
      enabled: yes
tune the default linux capture method to avoid dropped or truncated packets under load – mmap and tpacket-v3 should already be enabled by default in IDS mode… (those keys sit under each interface entry of the af-packet list)
af-packet:
    defrag: yes # kernel-side defrag so that all fragments of one flow reach the same worker with cluster_flow, keep it on even for IDS
    use-mmap: yes # better performance for IDS
    tpacket-v3: yes # better performance for IDS
    #checksum-checks: no
those two should already be the defaults on recent releases
host-mode: sniffer-only # passive only
runmode: workers # default for AF_PACKET_DEV on recent releases, used to be autofp
enable custom rules
rule-files:
  # absolute path - make sure you are using the updated ruleset
  - /var/lib/suricata/rules/suricata.rules
  - /etc/suricata/suricata.local
like so
vi /etc/suricata/suricata.local
e.g. for a Wireguard VPN gateway (sids 1 and 2 load fine, but locally written rules conventionally use the 1000000-1999999 range to stay clear of vendor rulesets, and a rev: lets you track edits)
# tunnel ip talking to internal network is fine - this rule is to spot when it is NOT the case
# 10.x.x.0/24 is included in 10.0.0.0/8
# inbound
alert ip !10.0.0.0/8 any -> 10.0.0.0/8 any (msg:"TRANSIT public traffic towards internal network"; classtype:policy-violation; sid:2;)
# outbound
alert ip 10.0.0.0/8 any -> !10.0.0.0/8 any (msg:"TRANSIT internal traffic towards public network"; classtype:policy-violation; sid:1;)
e.g. for a Netbird VPN gateway
# tunnel ip talking to internal network is fine - this rule is to spot when it is NOT the case
# netbird nat carrier network 100.64.0.0/10 does not belong to 10/8 hence the specific rule here
# (as a side effect, we will also spot when internal network traffic goes through here, which it should not)
# inbound
alert ip !100.64.0.0/10 any -> 10.0.0.0/8 any (msg:"TRANSIT public traffic towards internal network"; classtype:policy-violation; sid:2;)
# outbound
alert ip 10.0.0.0/8 any -> !100.64.0.0/10 any (msg:"TRANSIT internal traffic towards public network"; classtype:policy-violation; sid:1;)
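an added helper to lint suricata.local before loading it (this is not code from this page nor from the Suricata project): it parses the rule header and the option list, then flags a missing sid, msg or rev, duplicate sids and sids outside the local 1000000-1999999 range. The sample input is constructed from the two Wireguard rules above plus a fixed copy of them; the script name lint_local_rules.py is an assumption.

```python
"""Lint a Suricata local rules file before loading it (added helper, not Suricata's own):
rule header syntax, sid/msg/rev presence, duplicate sids and the local sid range convention."""
import re
import sys
from collections import Counter

# header: action proto src sport direction dst dport (options)
HEADER_RE = re.compile(
    r'^(?P<action>alert|drop|pass|reject|rejectsrc|rejectdst|rejectboth)\s+'
    r'(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+'
    r'(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$'
)
# conventional range for locally written rules, keeps clear of vendor rulesets
LOCAL_SID_MIN, LOCAL_SID_MAX = 1_000_000, 1_999_999


def split_options(opts):
    """Split 'msg:"a; b"; sid:1;' on ';' while honouring double quotes and backslash escapes."""
    items, cur, quoted, escaped = [], [], False, False
    for ch in opts:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == '\\':
            cur.append(ch)
            escaped = True
        elif ch == '"':
            cur.append(ch)
            quoted = not quoted
        elif ch == ';' and not quoted:
            items.append(''.join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    if ''.join(cur).strip():
        items.append(''.join(cur).strip())
    options = {}
    for item in items:
        if item:
            key, _, value = item.partition(':')
            options.setdefault(key.strip(), value.strip().strip('"'))  # first occurrence wins
    return options


def parse_rule(line):
    """Return a dict with the header fields and an 'options' dict, or None if the header is malformed."""
    m = HEADER_RE.match(line.strip())
    if m is None:
        return None
    rule = m.groupdict()
    rule['options'] = split_options(rule.pop('opts'))
    return rule


def lint_rules(text):
    """Return (rules, findings); findings are (line_no, message), line 0 for file-wide issues."""
    rules, findings, sids = [], [], Counter()
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        rule = parse_rule(line)
        if rule is None:
            findings.append((n, 'unparseable rule header'))
            continue
        opts = rule['options']
        sid = opts.get('sid')
        if sid is None or not sid.isdigit():
            findings.append((n, 'missing or non-numeric sid'))
        else:
            sids[int(sid)] += 1
            if not LOCAL_SID_MIN <= int(sid) <= LOCAL_SID_MAX:
                findings.append((n, f'sid {sid} outside the local range {LOCAL_SID_MIN}-{LOCAL_SID_MAX}'))
        if 'msg' not in opts:
            findings.append((n, 'missing msg'))
        if 'rev' not in opts:
            findings.append((n, 'missing rev, edits to the rule cannot be tracked'))
        rules.append(rule)
    for sid, count in sorted(sids.items()):
        if count > 1:
            findings.append((0, f'sid {sid} used {count} times'))
    return rules, findings


# constructed sample: the two Wireguard gateway rules from this page, then a fixed copy
SAMPLE_RULES = """\
# inbound
alert ip !10.0.0.0/8 any -> 10.0.0.0/8 any (msg:"TRANSIT public traffic towards internal network"; classtype:policy-violation; sid:2;)
# outbound
alert ip 10.0.0.0/8 any -> !10.0.0.0/8 any (msg:"TRANSIT internal traffic towards public network"; classtype:policy-violation; sid:1;)
"""
FIXED_RULES = """\
alert ip !10.0.0.0/8 any -> 10.0.0.0/8 any (msg:"TRANSIT public traffic towards internal network"; classtype:policy-violation; sid:1000001; rev:1;)
alert ip 10.0.0.0/8 any -> !10.0.0.0/8 any (msg:"TRANSIT internal traffic towards public network"; classtype:policy-violation; sid:1000002; rev:1;)
"""

if __name__ == '__main__':
    # usage: lint_local_rules.py [/etc/suricata/suricata.local]; without an argument, lint the samples
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RULES
    rules, findings = lint_rules(text)
    print(f'{len(rules)} rules parsed, {len(findings)} findings')
    for line_no, message in findings:
        print(f'  line {line_no}: {message}')
```

run it on the samples and the page's own rules come back with four findings (sid out of the local range and no rev, twice) while the fixed copy is clean; it only checks shape, the real syntax check stays with suricata itself at load time.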
make sure you have enough space, otherwise those logs will eat your drive alive, even with log rotation enabled
df -hT
the default location is
ls -alF /var/log/suricata/
du -sh /var/log/suricata/
otherwise move it
vi /etc/suricata/suricata.yaml
default-log-dir: /data/suricata/
check your conf against the clean baseline
diff -bu /etc/suricata/suricata.yaml.clean /etc/suricata/suricata.yaml
optionally run it in the foreground to check that it starts and loads the rules (the -T switch only tests the configuration and rules, without capturing)
ifconfig wg0 && suricata --af-packet -i wg0
ifconfig wt0 && suricata --af-packet -i wt0
^C
finally proceed!
cp -pi /etc/default/suricata /etc/default/suricata.dist
vi /etc/default/suricata
IFACE=wg0
IFACE=wt0
systemctl restart suricata
ps auxfww | grep suricata
journalctl -xeu suricata
systemctl status suricata
systemctl enable suricata
within a dumb-init powered container (no systemd), start it from rc.local instead
vi /etc/rc.local
#!/bin/bash
PATH=/usr/local/sbin:/usr/local/bin:$PATH
ifconfig wg0 && suricata --af-packet -D -i wg0
# --init-errors-fatal
# -c /etc/suricata/suricata.yaml (default)
# --pidfile /var/run/suricata.pid (default)
# -vvv
# --user=suricat
chmod +x /etc/rc.local
systemctl list-unit-files | grep rc-local
and don’t forget to tweak log rotation accordingly
see suricata-ops
you can now proceed with rules tuning
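an added helper for that tuning step (not code from this page nor from the Suricata project): it walks eve.json, counts alerts per signature and per (signature, source ip), and prints candidate threshold.config suppress lines for the chattiest sources so you can decide whether a rule needs narrowing or a source needs suppressing. The eve lines embedded below are constructed samples around the TRANSIT rules above; the script name eve_triage.py, the default eve.json path and the threshold of 3 hits are assumptions.

```python
"""Triage Suricata eve.json alerts for rules tuning (added helper, not Suricata's own):
alerts per signature, per (signature, source IP), and candidate threshold.config suppress lines."""
import json
import sys
from collections import Counter


def iter_alerts(lines):
    """Yield alert events from eve.json lines, skipping other event types and malformed lines."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if event.get('event_type') == 'alert' and isinstance(event.get('alert'), dict):
            yield event


def summarize(lines):
    """Count alerts by sid and by (sid, src_ip); remember gid and msg per sid."""
    by_sig, by_sig_src, names = Counter(), Counter(), {}
    for event in iter_alerts(lines):
        alert = event['alert']
        sid = alert.get('signature_id')
        if sid is None:
            continue
        by_sig[sid] += 1
        by_sig_src[(sid, event.get('src_ip'))] += 1
        names[sid] = (alert.get('gid', 1), alert.get('signature', ''))
    return {'by_sig': by_sig, 'by_sig_src': by_sig_src, 'names': names}


def suppress_candidates(summary, min_hits):
    """(hits, threshold.config line) for every (sid, src) pair with at least min_hits alerts,
    noisiest first: suppress gen_id <gid>, sig_id <sid>, track by_src, ip <src>"""
    out = []
    pairs = sorted(summary['by_sig_src'].items(), key=lambda kv: (-kv[1], kv[0][0], str(kv[0][1])))
    for (sid, src), hits in pairs:
        if hits < min_hits or not src:
            continue
        gid = summary['names'][sid][0]
        out.append((hits, f'suppress gen_id {gid}, sig_id {sid}, track by_src, ip {src}'))
    return out


# constructed eve.json sample: one noisy source hitting the page's sid 2 three times,
# one stray hit, one outbound sid 1, a flow record and a truncated line
SAMPLE_EVE = """\
{"timestamp":"2024-01-01T10:00:00.000000+0000","event_type":"alert","src_ip":"203.0.113.5","dest_ip":"10.0.0.10","proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2,"rev":0,"signature":"TRANSIT public traffic towards internal network","category":"Potential Corporate Privacy Violation","severity":1}}
{"timestamp":"2024-01-01T10:00:01.000000+0000","event_type":"flow","src_ip":"10.0.0.10","dest_ip":"10.0.0.11","proto":"UDP"}
{"timestamp":"2024-01-01T10:00:02.000000+0000","event_type":"alert","src_ip":"203.0.113.5","dest_ip":"10.0.0.10","proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2,"rev":0,"signature":"TRANSIT public traffic towards internal network","category":"Potential Corporate Privacy Violation","severity":1}}
{"timestamp":"2024-01-01T10:00:03.000000+0000","event_type":"alert","src_ip":"198.51.100.7","dest_ip":"10.0.0.20","proto":"UDP","alert":{"action":"allowed","gid":1,"signature_id":2,"rev":0,"signature":"TRANSIT public traffic towards internal network","category":"Potential Corporate Privacy Violation","severity":1}}
{"timestamp":"2024-01-01T10:00:04.000000+0000","event_type":"alert","src_ip":"10.0.0.10","dest_ip":"192.0.2.9","proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":1,"rev":0,"signature":"TRANSIT internal traffic towards public network","category":"Potential Corporate Privacy Violation","severity":1}}
{"timestamp":"2024-01-01T10:00:05.000000+0000","event_type":"alert","src_ip":"203.0.113.5","dest_ip":"10.0.0.10","proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2,"rev":0,"signature":"TRANSIT public traffic towards internal network","category":"Potential Corporate Privacy Violation","severity":1}}
{"timestamp":"2024-01-01T10:00:06.000000+0000","event_type":"alert","src_ip":"203.0.113.
"""

if __name__ == '__main__':
    # usage: eve_triage.py [/var/log/suricata/eve.json] [min_hits]; defaults to the sample above and 3
    lines = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_EVE.splitlines()
    summary = summarize(lines)
    for sid, hits in summary['by_sig'].most_common():
        print(f'{hits:6d}  sid {sid}  {summary["names"][sid][1]}')
    for hits, line in suppress_candidates(summary, int(sys.argv[2]) if len(sys.argv) > 2 else 3):
        print(f'# {hits} alerts, review before adding to threshold.config\n{line}')
```

the suppress lines are suggestions to read, not to paste blindly: a source that trips the TRANSIT rule three times may be exactly the thing the rule exists for, so check the flows first and prefer tightening the rule (or a pass rule for a known host) over a blanket suppress.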
optionally force the unix command socket on (/var/run/suricata/suricata-command.socket, what suricatasc talks to)
unix-command:
  enabled: yes
when restarting Suricata, an old (2018) build printed
26/12/2018 -- 10:43:31 - <Warning> -- [ERRCODE: SC_ERR_NOT_SUPPORTED(225)] - dns-log is not available when Rust is enabled.
==> back then one had to choose between the C and Rust builds; recent releases are Rust-only and the legacy dns-log output is gone anyway, log DNS through the eve dns type instead
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Quick_Start_Guide –> install / setup / rules update
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Basic_Setup
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricatayaml
https://docs.suricata.io/en/latest/output/eve/eve-json-output.html ==> setup eve
https://elatov.github.io/2015/01/suricata-on-freebsd-10/ ==> nice walk-through with additional stuff
https://docs.suricata.io/en/latest/performance/runmodes.html
https://docs.suricata.io/en/latest/performance/high-performance-config.html