tested on bionic
Assuming you got port mirroring in place
link to the mirrored switch port,
echo -eth3 > /sys/class/net/bond0/bonding/slaves ifconfig eth3 up
if this is a XEN guest,
brctl addbr sniffeth3
brctl addif sniffeth3 eth3
brctl show
ifconfig sniffeth3 up
ifconfig eth3 up
ifconfig sniffeth3
ifconfig eth3
root = "/dev/xvda1 ro console=hvc0 netcfg/do_not_use_netplan=true"
# KEEP IPV6 -- ipv6.disable=1
vif = [ 'bridge=pubbr0, vifname=sne-sniff.0',
'bridge=sniffeth3, vifname=sne-sniff.1' ]
first things first, check that you can sniff from that interface,
ifconfig -a ifconfig eth1 up tcpdump -i eth1 arp
…seeing some ARPs? All fine.
make sure the sniffing interface comes up at startup,
vi /etc/network/interfaces auto eth1 iface eth1 inet manual
check the version you would get from the main repo,
apt search suricata # 3.2
versus the one you find on the official repo (4.1.2),
apt install software-properties-common dirmngr add-apt-repository ppa:oisf/suricata-stable #apt-get update apt search suricata # 4.1.2 apt install suricata
cd /etc/suricata/ cp -pi suricata.yaml suricata.yaml.dist
wipe-out the comments
sed -r '/[[:space:]]*#/d; /^$/d' suricata.yaml.dist > suricata.yaml.dist.clean
enable everything
sed -r '/[[:space:]]*#/d; /^$/d; s/enabled: no/enabled: yes/g' suricata.yaml.dist > suricata.yaml
define your subnet
vi suricata.yaml
HOME_NET: "[YOUR_SUBNET1/24,YOUR_SUBNET2/24]"
EXTERNAL_NET: "!$HOME_NET"
eventually force /var/run/suricata/suricata-command.socket
unix-command: enabled: yes
not built-in
- alert-prelude:
enabled: no
Rust instead of C
- dns-log:
enabled: no
fix ethX
egrep '[^#]*eth[0-9]' suricata.yaml mv suricata.yaml suricata.yaml.badeth sed 's/eth[0-9]/eth1/g' suricata.yaml.badeth > suricata.yaml
also there
vi /etc/default/suricata IFACE=eth1
and check,
diff -bu suricata.yaml.dist.clean suricata.yaml
make sure you have enough space, otherwise, those logs will eat your hard drive alive
df -h systemctl stop suricata mv /var/log/suricata/ /data/ ln -s /data/suricata /var/log/ vi /etc/suricata/suricata.yaml default-log-dir: /data/suricata/ systemctl start suricata
chown -R root:root /etc/suricata/ useradd -r suri -s /bin/false vipw --> change home dir to /var/run/suricata chown -R suri:suri /var/lib/suricata/ chown -R suri:suri /var/run/suricata/ chown -R suri:suri /var/log/suricata/
run as user,
cat >> suricata.yaml <<-EOF run-as: user: suri group: suri EOF vi /etc/default/suricata RUN_AS_USER=suri
suricata --build-info | less
…look for NFQ
vi /etc/default/suricata IFACE=eth1 tail -F /var/log/suricata/suricata.log /var/log/suricata/suricata-start.log & systemctl status suricata systemctl restart suricata
after some time this should show up
ls -lF /var/run/suricata/suricata-command.socket
gives
/usr/bin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid --af-packet -D -vvv
assuming eth1 is a dedicated interface for mirroring,
vi /etc/rc.local #!/bin/bash #self verbose ifconfig eth1 up /usr/bin/suricata -c /etc/suricata/suricata.yaml -i eth1 --init-errors-fatal & #--pidfile /var/run/suricata.pid --af-packet -D -vvv #--user=suri chmod +x /etc/rc.local
simple -HUP does not seem to work
ps auxww | grep suricata pkill suricata /usr/bin/suricata -c /etc/suricata/suricata.yaml -i eth1 --init-errors-fatal &
vi START-SURICATA chown -R root:root /etc/suricata/ chown -R suri:suri /var/lib/suricata/ chown -R suri:suri /var/run/suricata/ chown -R suri:suri /data/suricata/ systemctl start suricata chmod +x START-SURICATA
and check,
systemctl status suricata ps auxww | grep suricata
see http://pub.nethence.com/security/suricata-rules
when starting it for the first time,
26/12/2018 -- 10:43:31 - <Warning> -- [ERRCODE: SC_ERR_NOT_SUPPORTED(225)] - dns-log is not available when Rust is enabled. 26/12/2018 -- 10:43:31 - <Warning> -- [ERRCODE: SC_ERR_NOT_SUPPORTED(225)] - Prelude support not compiled in. Reconfigure/recompile with --enable-prelude to add Prelude support.
==> tweak the config as shown above
- http-log:
enabled: yes
- tls-log:
enabled: yes # Log TLS connections.
- tls-store:
enabled: yes
- dns-log:
enabled: yes