suricata install

debian/ubuntu

check the version you would get from the main repo

apt search suricata

versus the version from the OISF PPA (Ubuntu only: Debian has no PPA, and the Suricata docs point to Debian backports for a recent version there)

apt install software-properties-common
# dirmngr may be needed as well, for fetching the PPA signing key
add-apt-repository ppa:oisf/suricata-stable
# press ENTER to confirm adding the PPA; recent add-apt-repository refreshes the index itself, otherwise run: apt update

apt search suricata

and proceed: install from the PPA (the newer PPA version wins over the distribution package)

apt install suricata

alpine linux

apk add suricata
# suricata-openrc for the OpenRC service script

from source (possibly as IPS)

see suricata-source

enabling community rules

enable all free-of-charge community rules (et/open is the default when nothing is enabled; the others must be enabled explicitly). Every extra source means more rules, more memory and more alerts to triage, and "free of charge" is not "free for any use": several abuse.ch feeds are non-commercial only, so read the License line in list-sources.

    suricata-update update-sources
    suricata-update list-sources | grep Name | cut -f2 -d:
    suricata-update list-enabled-sources

    # left out for now: pawpatrules
    for source in \
        et/open \
        oisf/trafficid \
        abuse.ch/sslbl-blacklist \
        abuse.ch/sslbl-ja3 \
        abuse.ch/sslbl-c2 \
        abuse.ch/feodotracker \
        abuse.ch/urlhaus \
        etnetera/aggressive \
        tgreen/hunting \
        malsilo/win-malware \
        stamus/lateral \
        aleksibovellan/nmap \
        ptrules/open \
    ; do
        suricata-update enable-source "$source"
        echo
    done; unset source

apply: download and merge everything into /var/lib/suricata/rules/suricata.rules, then restart or reload suricata so the new ruleset is actually loaded

    suricata-update

    ls -alhF /var/lib/suricata/rules/
    #ls -alhF /usr/local/share/suricata/rules/
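The same procedure as a script, added here as an example (not code from the page or from the Suricata project). It goes one step further than the hand-written list above: it picks the free sources out of `suricata-update list-sources` by their License line, and it refuses to reload the sensor unless the merged ruleset passes `suricata -T`. The helper names, the `--demo`/`--apply` switches and the sample listing are mine; the "Name:", "License:" and "Parameters:" labels are assumed to match the real listing format.

```shell
#!/bin/sh
# Added example, not code from the page or from the Suricata project:
# select the free-of-charge sources from the suricata-update index by
# their License line instead of maintaining a hand-written list, enable
# them, fetch them, and only reload the daemon if suricata -T is happy.

# free_sources: read `suricata-update list-sources` output on stdin and
# print the names of sources whose License is not "Commercial" and that
# need no Parameters (secret codes). Field labels are assumed to match
# the real listing format.
free_sources() {
    awk '
        function emit() { if (name != "" && !paid) print name; name = "" }
        /^Name:/         { emit(); name = $2; paid = 0; next }
        /^ *License:/    { if ($2 == "Commercial") paid = 1; next }
        /^ *Parameters:/ { paid = 1; next }
        END              { emit() }
    '
}

# enable_and_apply: enable every free source, update, validate, reload.
# Needs suricata and suricata-update installed; not run by default.
enable_and_apply() {
    suricata-update update-sources || return 1
    suricata-update list-sources | free_sources | while read -r src; do
        suricata-update enable-source "$src"
    done
    suricata-update || return 1
    # a rule that fails to parse must never reach the running sensor
    suricata -T -c /etc/suricata/suricata.yaml || return 1
    suricatasc -c reload-rules    # or: systemctl restart suricata
}

# Constructed sample in the listing's format (four sources, one paid),
# used by the --demo switch below; not real index output.
SAMPLE_LISTING='Name: et/open
  Vendor: Proofpoint
  Summary: Emerging Threats Open Ruleset
  License: MIT
Name: et/pro
  Vendor: Proofpoint
  Summary: Emerging Threats Pro Ruleset
  License: Commercial
  Parameters: secret-code
Name: abuse.ch/sslbl-blacklist
  Vendor: Abuse.ch
  Summary: Abuse.ch SSL Blacklist
  License: Non-Commercial
Name: oisf/trafficid
  Vendor: OISF
  Summary: Suricata Traffic ID ruleset
  License: MIT'

case "${1:-}" in
    --demo)  printf '%s\n' "$SAMPLE_LISTING" | free_sources ;;
    --apply) enable_and_apply ;;
esac
```

`sh enable-free.sh --demo` prints et/open, abuse.ch/sslbl-blacklist and oisf/trafficid and drops et/pro. Non-Commercial sources pass the filter on purpose (they cost nothing), which is exactly why the License line is worth reading before running `--apply` on a sensor that protects a business.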

ready to go (test the configuration with suricata -T -c /etc/suricata/suricata.yaml before starting the service)

suricata -V
suricata --build-info | grep -i geoip

harden a little bit. This assumes suricata runs as root; if run-as is set in suricata.yaml, the log directory must be owned by that user as well or eve.json cannot be written.

    chmod 700 /etc/suricata/
    chmod 700 /var/log/suricata/
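A check to go with the chmod above, added as an example (not code from the page or from the Suricata project): it reads the run-as user out of suricata.yaml and reports directories that are not owned by that user or still grant group/other access. Rule reloads run after the privilege drop, so the rules directory has to stay readable by that user too. The helper names are mine, and the parser assumes the block is written as "run-as:" followed by an indented "user:" line, as in the shipped config.

```shell
#!/bin/sh
# Added example, not code from the page or from the Suricata project:
# after chmod 700, make sure the user Suricata drops privileges to
# (run-as in suricata.yaml) still owns what it needs. Helper names are mine.

# runas_user YAML: print the run-as user, or "root" if run-as is not set
# (the shipped suricata.yaml keeps the block commented out, which is
# ignored here). Assumes the block looks like "run-as:" / "  user: suri".
runas_user() {
    u=$(awk '
        /^run-as:/              { inblock = 1; next }
        inblock && /^ *user:/   { print $2; exit }
        inblock && /^[^ #]/     { exit }      # reached the next top-level key
    ' "$1")
    printf '%s\n' "${u:-root}"
}

# check_dir_perms USER DIR...: report every directory that is not owned by
# USER or that still grants group/other any access. Returns 1 on findings.
check_dir_perms() {
    user=$1; shift
    rc=0
    for d in "$@"; do
        owner=$(ls -ld "$d" | awk '{ print $3 }')
        goperm=$(ls -ld "$d" | cut -c5-10)       # group and other triplets
        if [ "$owner" != "$user" ]; then
            echo "$d: owned by $owner, expected $user"; rc=1
        fi
        if [ "$goperm" != "------" ]; then
            echo "$d: group/other still have access ($goperm)"; rc=1
        fi
    done
    return $rc
}

# harden_dirs USER DIR...: the page's chmod plus the chown that keeps a
# non-root run-as user working. Needs root; not run by default.
harden_dirs() {
    user=$1; shift
    chown "$user" "$@" && chmod 700 "$@"
}

# Typical use on a sensor (not executed here):
#   u=$(runas_user /etc/suricata/suricata.yaml)
#   harden_dirs "$u" /var/log/suricata /var/lib/suricata/rules
#   check_dir_perms "$u" /var/log/suricata /var/lib/suricata/rules
```

The owner comparison uses the name as `ls -l` prints it, so a sensor whose run-as user has no passwd entry would show a numeric uid and be flagged; that is a finding in its own right.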

additional notes

get rid of a whole ruleset source (disable-source keeps it configured but skipped, remove-source deletes it; re-run suricata-update afterwards so the merged file is rewritten without it)

    suricata-update disable-source pawpatrules

troubleshooting

deal with errors while checking with suricata -T: it quotes the offending rule text and the merged file and line (/var/lib/suricata/rules/suricata.rules), which says nothing about which source shipped it, so grep for the rule's sid in the built-in and source rulesets

built-in rulesets

    cd /usr/share/suricata/rules/
    #cd /usr/local/share/suricata/rules/

grep ... *.rules

source rulesets

cd /var/lib/suricata/update/cache/

# sources that publish a single .rules file have no tarball here and can be grepped as-is
for f in *.tar.gz; do
    dest=extract_${f%.tar.gz}
    echo extracting "$dest"/
    mkdir -p "$dest"/
    tar xvzf "$f" -C "$dest"/
    echo
done; unset f

grep ... */*.rules
grep ... */*/*.rules
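The whole hunt as functions, added as an example (not code from the page or from the Suricata project): unpack the cached downloads, find a sid in the merged ruleset and in every extracted source, and record it in suricata-update's disable.conf so the next update drops the rule. Helper names are mine; the sid in the usage comment is only an example, and /etc/suricata/disable.conf is the path suricata-update reads by default.

```shell
#!/bin/sh
# Added example, not code from the page or from the Suricata project:
# locate a rule rejected by suricata -T across the merged ruleset and the
# extracted source tarballs, then disable it by sid. Helper names are mine.

# extract_cache CACHEDIR: unpack each cached tarball into a directory of the
# same name. Sources that publish a single .rules file have no tarball and
# are already greppable in place.
extract_cache() {
    for f in "$1"/*.tar.gz; do
        [ -f "$f" ] || continue
        dest=${f%.tar.gz}
        mkdir -p "$dest" && tar xzf "$f" -C "$dest"
    done
}

# find_sid SID DIR...: print file:line:rule for every rule with that sid.
# -type f skips the extracted directories, whose names also end in .rules.
find_sid() {
    sid=$1; shift
    find "$@" -type f -name '*.rules' -exec grep -Hn "sid: *$sid;" {} +
}

# disable_sid SID CONF: append the sid to disable.conf once. suricata-update
# reads plain sid numbers from that file and writes the rule commented out
# on its next run; re-run suricata-update and suricata -T afterwards.
disable_sid() {
    sid=$1; conf=$2
    grep -qx "$sid" "$conf" 2>/dev/null || printf '%s\n' "$sid" >> "$conf"
}

# Typical use on a sensor, with an example sid (not executed here):
#   extract_cache /var/lib/suricata/update/cache
#   find_sid 2100498 /var/lib/suricata/rules /var/lib/suricata/update/cache
#   disable_sid 2100498 /etc/suricata/disable.conf && suricata-update
```

Disabling by sid is a stopgap: if the rule is rejected because it uses a keyword your Suricata build does not know, the real fix is a newer Suricata, and the disable.conf entry should be removed once it parses.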

resources

https://nsrc.org/workshops/2015/pacnog17-ws/attachments/ex-installing-suricata.htm

https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Debian_Installation

https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Ubuntu_Installation

https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricata_Installation

https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Ubuntu_Installation_-_Personal_Package_Archives_(PPA)

http://ppa.launchpad.net/oisf/suricata-stable/ubuntu/pool/main/s/suricata/

https://docs.suricata.io/en/latest/install.html#debian

https://docs.suricata.io/en/latest/install.html#ubuntu-from-personal-package-archives-ppa

https://computingforgeeks.com/how-to-install-suricata-ids-ips-on-debian/


Copyright © 2024 Pierre-Philipp Braun