assuming you installed suricata already
for an network device NIDS – you need port mirroring in place
for an local NIDS – just pick the NIC you wanna sniff e.g. eth0
for an IPS – you need to be the gateway and you probably want to sniff the front-facing NIC
see suricata-install
wipe-out the comments
cd /etc/suricata/
mv -i suricata.yaml suricata.yaml.dist
sed -r '/[[:space:]]*#/d; /^$/d' suricata.yaml.dist > suricata.yaml.clean
sed -r '/[[:space:]]*#/d; /^$/d' suricata.yaml.dist > suricata.yaml
vi /etc/suricata/suricata.yaml
sample setup for a standalone server with public ip
HOME_NET: "[127.0.0.1/32, EXTERNAL-NIC/32]"
mention alternate SSH ports if there are some
SSH_PORTS: "[22,2222]"
eventually tune the network interface
:%s/eth[0-9]/NIC-HERE/g
eventually disable those logs, that’s too noisy
– e.g. we do not necessarily need to know about EVERY DNS query!
– note we keep flow to enable self-made accounting and eventually spot tunnels (covert channels)
stats:
enabled: no
outputs:
- eve-log:
types:
- dns:
enabled: no
- files:
enabled: no
- stats:
enabled: no
- stats:
enabled: no
eventually enable specific protocols you need to trace
- pgsql:
enabled: yes
enable custom rules
rule-files: - suricata.rules - /etc/suricata/suricata.local
harden a little bit
chmod 700 /var/log/suricata/
handy symlinks
cd /etc/suricata/ # binaries ln -s /var/lib/suricata/rules # source ln -s /usr/local/share/suricata/rules
check your conf
diff -bu /etc/suricata/suricata.yaml.clean /etc/suricata/suricata.yaml
and see suricata-ops
make sure you have enough space, otherwise, those logs will eat your drive alive even with log rotation enabled
df -hT
default location is
ls -alF /var/log/suricata/ du -sh /var/log/suricata/
otherwise tune it
vi /etc/suricata/suricata.yaml default-log-dir: /data/suricata/ systemctl restart suricata
and don’t forget to tweak log rotation accordingly
you can now proceed with rules tuning
eventually force /var/run/suricata/suricata-command.socket
unix-command:
enabled: yes
while re-starting Suricata
26/12/2018 -- 10:43:31 - <Warning> -- [ERRCODE: SC_ERR_NOT_SUPPORTED(225)] - dns-log is not available when Rust is enabled.
==> one needs to choose between C or Rust
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Quick_Start_Guide –> install / setup / rules update
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Basic_Setup
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricatayaml
https://docs.suricata.io/en/latest/output/eve/eve-json-output.html ==> setup eve
https://elatov.github.io/2015/01/suricata-on-freebsd-10/ ==> nice walk-through with additional stuff