suricata setup

assuming you installed suricata already

introduction

for a network device NIDS – you need port mirroring in place

for a local NIDS – just pick the NIC you want to sniff e.g. eth0

for an IPS – you need to be the gateway and you probably want to sniff the front-facing NIC

install

see suricata-install

setup

wipe out the comments (keep the pristine file and a comment-free reference copy)

    cd /etc/suricata/
    mv -i suricata.yaml suricata.yaml.dist
    # drop whole-line comments and blank lines; the ^ anchor keeps lines that
    # only carry a trailing comment (e.g. "filetype: regular #regular|syslog")
    sed -r '/^[[:space:]]*#/d; /^$/d' suricata.yaml.dist > suricata.yaml.clean
    cp -i suricata.yaml.clean suricata.yaml
    vi /etc/suricata/suricata.yaml

sample setup for a standalone server with a public IP (replace EXTERNAL-NIC with the server's public address)

    HOME_NET: "[127.0.0.1/32, EXTERNAL-NIC/32]"

mention alternate SSH ports if there are some

    SSH_PORTS: "[22,2222]"

if needed, tune the network interface (vi substitution, NIC-HERE being your interface)

    :%s/eth[0-9]/NIC-HERE/g

if needed, disable the logs that are too noisy – e.g. we do not necessarily need to know about EVERY DNS query! – note that we keep the flow log: it enables self-made accounting and can help spot tunnels (covert channels)

    stats:
      enabled: no

    outputs:
      - eve-log:
          types:
            - dns:
                enabled: no
            - files:
                enabled: no
            - stats:
                enabled: no
      - stats:
          enabled: no
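The "self-made accounting" the flow log is kept for, as an added example that is not part of the guide: two POSIX awk reports over eve.json, one summing bytes per destination port, one listing port-53 flows that do not look like a query/answer pair (the usual shape of a DNS tunnel). The field names are the ones Suricata writes in eve "flow" records; the sample records, the thresholds (4096 bytes, 300 s) and the helper names are constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the guide: traffic accounting from eve.json
# "flow" records with POSIX awk, so it runs on a bare sensor without jq.
# Field names (event_type, src_ip, dest_ip, dest_port, bytes_toserver,
# bytes_toclient, age) are the ones Suricata writes in eve flow records.
# Sample records below are constructed for the demo, not captured traffic.

# awk helpers shared by both reports: pull a numeric or a string value out of
# a one-line JSON record by key name (enough for eve's distinct field names)
AWK_FIELD='
function field(line, name,    m) {
    if (match(line, "\"" name "\":[0-9]+")) {
        m = substr(line, RSTART, RLENGTH); sub(/.*:/, "", m); return m + 0
    }
    return 0
}
function sfield(line, name,    m) {
    if (match(line, "\"" name "\":\"[^\"]*\"")) {
        m = substr(line, RSTART, RLENGTH); sub(/^[^:]*:"/, "", m); sub(/"$/, "", m); return m
    }
    return ""
}'

# usage: flow_accounting EVE.JSON -> "dest_port bytes flows", biggest first
flow_accounting() {
    awk "$AWK_FIELD"'
    /"event_type":"flow"/ {
        p = field($0, "dest_port")
        total[p] += field($0, "bytes_toserver") + field($0, "bytes_toclient")
        flows[p]++
    }
    END { for (p in total) printf "%s %d %d\n", p, total[p], flows[p] }' "$1" | sort -k2,2nr
}

# usage: dns_tunnel_suspects EVE.JSON -> port-53 flows that do not look like a
# query/answer pair: lots of bytes towards the server or a long lifetime.
# Thresholds are illustrative; set them from your own baseline.
dns_tunnel_suspects() {
    awk "$AWK_FIELD"'
    /"event_type":"flow"/ && field($0, "dest_port") == 53 {
        up = field($0, "bytes_toserver"); age = field($0, "age")
        if (up > 4096 || age > 300)
            printf "%s -> %s bytes_toserver=%d age=%d\n", sfield($0, "src_ip"), sfield($0, "dest_ip"), up, age
    }' "$1"
}

# constructed sample eve.json: four flow records and one alert record that
# both reports must ignore; prints the temp file path
sample_eve_file() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
{"timestamp":"2024-01-01T00:00:00.000000+0000","flow_id":1,"event_type":"flow","src_ip":"10.0.0.5","src_port":51000,"dest_ip":"192.0.2.10","dest_port":443,"proto":"TCP","flow":{"pkts_toserver":20,"pkts_toclient":25,"bytes_toserver":3000,"bytes_toclient":40000,"age":12,"state":"closed"}}
{"timestamp":"2024-01-01T00:00:01.000000+0000","flow_id":2,"event_type":"flow","src_ip":"10.0.0.5","src_port":52000,"dest_ip":"192.0.2.53","dest_port":53,"proto":"UDP","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":70,"bytes_toclient":120,"age":0,"state":"closed"}}
{"timestamp":"2024-01-01T00:00:02.000000+0000","flow_id":3,"event_type":"flow","src_ip":"10.0.0.7","src_port":53001,"dest_ip":"198.51.100.9","dest_port":53,"proto":"UDP","flow":{"pkts_toserver":900,"pkts_toclient":850,"bytes_toserver":180000,"bytes_toclient":60000,"age":1800,"state":"closed"}}
{"timestamp":"2024-01-01T00:00:03.000000+0000","flow_id":4,"event_type":"alert","src_ip":"203.0.113.9","src_port":40000,"dest_ip":"10.0.0.5","dest_port":22,"proto":"TCP","alert":{"signature":"constructed test signature","severity":2}}
{"timestamp":"2024-01-01T00:00:04.000000+0000","flow_id":5,"event_type":"flow","src_ip":"10.0.0.5","src_port":51001,"dest_ip":"192.0.2.10","dest_port":443,"proto":"TCP","flow":{"pkts_toserver":5,"pkts_toclient":5,"bytes_toserver":1000,"bytes_toclient":6000,"age":3,"state":"closed"}}
EOF
    echo "$f"
}

# stand-alone run: report on the eve.json given as argument, or on the sample
f=${1:-$(sample_eve_file)}
echo "== bytes per destination port"; flow_accounting "$f"
echo "== dns tunnel suspects"; dns_tunnel_suspects "$f"
[ -n "${1:-}" ] || rm -f "$f"
```

Point it at the live file (`sh flow_report.sh /var/log/suricata/eve.json`) for the real thing; the byte counters only exist because the flow type stays enabled in eve-log, which is why the tuning above disables dns, files and stats but not flow.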

if needed, enable the specific protocols you need to trace, e.g. PostgreSQL

        - pgsql:
            enabled: yes

enable custom rules

    rule-files:
      - suricata.rules
      - /etc/suricata/suricata.local

ready to go

harden a little bit (if suricata runs as a dedicated user via run-as, that user still needs to read /etc/suricata/ and write /var/log/suricata/, so chown them accordingly)

    chmod 700 /etc/suricata/
    chmod 700 /var/log/suricata/

handy symlinks – pick the one matching your install, both create /etc/suricata/rules

    cd /etc/suricata/

    # binary / package install
    ln -s /var/lib/suricata/rules

    # built from source
    ln -s /usr/local/share/suricata/rules

check your conf

    diff -bu /etc/suricata/suricata.yaml.clean /etc/suricata/suricata.yaml
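A pre-restart sanity check, as an added example that is not part of the guide: it refuses the file if one of the placeholders used above (EXTERNAL-NIC, NIC-HERE) is still in it, then lets Suricata validate the file with `suricata -T -c FILE` (test the configuration and exit, no capture started). The function names are constructed; the check silently skips the `-T` step when no suricata binary is on the PATH.

```shell
#!/bin/sh
# Added example, not part of the guide: sanity-check the edited suricata.yaml
# before restarting the daemon. Two checks: none of the placeholders used in
# the guide (EXTERNAL-NIC, NIC-HERE) survived the edit, and Suricata itself
# accepts the file via "suricata -T" when the binary is installed.

# usage: leftover_placeholders FILE -> prints offending lines, returns 1 if any
leftover_placeholders() {
    if grep -n -E 'EXTERNAL-NIC|NIC-HERE' "$1"; then
        return 1
    fi
    return 0
}

# usage: suricata_test_conf FILE -> "suricata -T -c FILE" (test the
# configuration and exit); returns 0 when the binary is absent so the
# function is also usable on a build host
suricata_test_conf() {
    if command -v suricata >/dev/null 2>&1; then
        suricata -T -c "$1"
    else
        echo "suricata binary not found, skipping -T check" >&2
    fi
}

# usage: check_conf [FILE] -> 0 only when both checks pass
check_conf() {
    conf=${1:-/etc/suricata/suricata.yaml}
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 1; }
    if ! leftover_placeholders "$conf"; then
        echo "placeholders left in $conf, edit them first" >&2
        return 1
    fi
    suricata_test_conf "$conf"
}

# stand-alone run: check the file given as argument
if [ $# -gt 0 ]; then
    check_conf "$1"
fi
```

Run it right after the diff above and before `systemctl restart suricata`; a placeholder that slipped through turns HOME_NET into an unparsable address group and the daemon simply refuses to start.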

and see suricata-ops

storage requirements

make sure you have enough space, otherwise those logs will eat your drive alive, even with log rotation enabled

    df -hT

the default location is

    ls -alF /var/log/suricata/
    du -sh /var/log/suricata/

otherwise point the logs at a bigger volume

    vi /etc/suricata/suricata.yaml

    default-log-dir: /data/suricata/

    systemctl restart suricata

and don’t forget to tweak log rotation accordingly
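A logrotate fragment for the log directory, as an added example that is not part of the guide. The part that matters is the postrotate signal: Suricata reopens its log files on SIGHUP, and without it the daemon keeps writing to the renamed file while the freshly created one stays empty, which is exactly how a drive fills up "even with log rotation enabled". The pid file path is an assumption (the default /var/run/suricata.pid); adapt it to how your unit file starts the daemon, or use `suricatasc -c reopen-log-files` instead once the unix command socket is enabled.

```conf
# /etc/logrotate.d/suricata (added example, not from the guide)
/var/log/suricata/*.log /var/log/suricata/*.json {
    daily
    rotate 7
    missingok
    notifempty
    compress
    delaycompress
    # keep owner and mode of the original file (matters when run-as is set)
    create
    sharedscripts
    postrotate
        # assumption: pid file at the default /var/run/suricata.pid
        /bin/kill -HUP "$(cat /var/run/suricata.pid 2>/dev/null)" 2>/dev/null || true
    endscript
}
```

Check it with `logrotate -d /etc/logrotate.d/suricata` (dry run) and watch `ls -l /var/log/suricata/` after the first rotation: a zero-byte eve.json next to a still-growing eve.json.1 means the daemon never got the signal.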

acceptance

see suricata-acceptance

suricata rules tuning

you can now proceed with rules tuning

additional notes

if needed, enable the unix command socket (/var/run/suricata/suricata-command.socket)

    unix-command:
      enabled: yes

troubleshooting

while restarting Suricata

    26/12/2018 -- 10:43:31 - <Warning> -- [ERRCODE: SC_ERR_NOT_SUPPORTED(225)] - dns-log is not available when Rust is enabled.

==> the dns-log output only works with the C DNS parser, so one needs to choose between C or Rust

resources

https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Quick_Start_Guide ==> install / setup / rules update

https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Basic_Setup

https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricatayaml

https://docs.suricata.io/en/latest/output/eve/eve-json-output.html ==> setup eve

moar

https://elatov.github.io/2015/01/suricata-on-freebsd-10/ ==> nice walk-through with additional stuff


Copyright © 2024 Pierre-Philipp Braun