Setting up & operating Suricata

assuming you installed Suricata already

Binary (distribution package) post-install specific

vi /etc/default/suricata

IFACE=eth0

Shared post-install

wipe out the comments – keep the shipped file as .dist and a comment-free copy as .clean, so you can diff your own changes against it later

mv -i /etc/suricata/suricata.yaml /etc/suricata/suricata.yaml.dist
sed -r '/^[[:space:]]*#/d; /^$/d' /etc/suricata/suricata.yaml.dist > /etc/suricata/suricata.yaml.clean
cp -i /etc/suricata/suricata.yaml.clean /etc/suricata/suricata.yaml
#s/enabled: no/enabled: yes/

keep the ^ anchor: an unanchored '/[[:space:]]*#/d' deletes every line that merely contains a '#', i.e. also settings followed by a trailing comment

define your networks and the non-default ports you use

vi /etc/suricata/suricata.yaml

    HOME_NET: "[YOUR_SUBNET1/24,YOUR_SUBNET2/24]"

    SSH_PORTS: "[22,2222]"

disable/enable a few things – outputs and app-layer parsers are plain enabled: yes/no switches, hence the sed pattern above

Ready to go

diff -bu /etc/suricata/suricata.yaml.clean /etc/suricata/suricata.yaml
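The shared post-install steps above as one script, added here as an example (not from the page or the Suricata project): it strips only whole-line comments, so a setting followed by a trailing comment survives, overrides HOME_NET and SSH_PORTS, prints the diff against the .clean copy and, when a suricata binary is present, validates the result with `suricata -T`. The suricata.yaml.dist it writes is a constructed sample, not the shipped file; the directory is a parameter so the whole thing can be tried in a scratch directory before touching /etc/suricata.

```sh
#!/bin/sh
# Added example: clean-up and override workflow for suricata.yaml.
# The sample .dist file below is constructed, not the file Suricata ships.
set -eu

# Delete whole-line comments and blank lines only. The pattern must be
# anchored with ^: '/[[:space:]]*#/d' would also delete every line that
# merely contains a '#', e.g. a setting followed by a trailing comment.
strip_yaml_comments() {               # $1 = input yaml -> cleaned yaml on stdout
    sed -r '/^[[:space:]]*#/d; /^[[:space:]]*$/d' "$1"
}

# Replace the value of a "KEY:" line (keeps indentation, all occurrences of KEY).
# '|' is the sed delimiter so the '/' in CIDRs needs no escaping.
set_yaml_value() {                    # $1 = file, $2 = key (e.g. HOME_NET), $3 = new value
    tmp="$1.tmp.$$"
    sed -r "s|^([[:space:]]*$2:).*|\\1 \"$3\"|" "$1" > "$tmp" && mv "$tmp" "$1"
}

# Validate with Suricata itself when it is installed (-T = test the config only).
check_config() {                      # $1 = yaml file
    if command -v suricata >/dev/null 2>&1; then
        suricata -T -c "$1" --init-errors-fatal
    else
        echo "suricata not installed here, skipping -T check" >&2
    fi
}

write_sample_dist() {                 # $1 = path; constructed sample, not the real file
    cat > "$1" <<'EOF'
%YAML 1.1
---
# Suricata configuration file (constructed sample)

vars:
  address-groups:
    HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
    EXTERNAL_NET: "!$HOME_NET"   # everything that is not HOME_NET

  port-groups:
    SSH_PORTS: "22"

af-packet:
  - interface: eth0  # sniffing interface
    cluster-id: 99
EOF
}

# The whole procedure in $1 (default /etc/suricata): .dist -> .clean -> .yaml, then diff.
post_install() {
    dir=${1:-/etc/suricata}
    strip_yaml_comments "$dir/suricata.yaml.dist" > "$dir/suricata.yaml.clean"
    cp "$dir/suricata.yaml.clean" "$dir/suricata.yaml"
    set_yaml_value "$dir/suricata.yaml" HOME_NET "[10.1.1.0/24,10.1.2.0/24]"
    set_yaml_value "$dir/suricata.yaml" SSH_PORTS "[22,2222]"
    diff -bu "$dir/suricata.yaml.clean" "$dir/suricata.yaml" || true   # diff exits 1 when files differ
}

# Stand-alone demo in a scratch directory: ./post-install.sh demo (nothing under /etc is touched)
if [ "${1:-}" = demo ]; then
    scratch=$(mktemp -d)
    write_sample_dist "$scratch/suricata.yaml.dist"
    post_install "$scratch"
    check_config "$scratch/suricata.yaml"
fi
```

Run it with the demo argument first; once the diff looks right, call post_install without an argument (as root) to apply the same steps to /etc/suricata.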

ls -lF /var/log/suricata/
tail -F /var/log/suricata/suricata.log
#/var/log/suricata/suricata-start.log

Binary (distribution package) specific

    systemctl status suricata
    systemctl restart suricata

Old school daemon (source install, no unit file)

Start and enable

vi /etc/rc.local

#!/bin/bash

ifconfig eth0 up

# -D daemonizes; the defaults are -c /etc/suricata/suricata.yaml and --pidfile /var/run/suricata.pid
/usr/local/bin/suricata --init-errors-fatal --af-packet -D
# more verbose / other options: -i eth0 -vvv --user=suri

chmod +x /etc/rc.local

Reload – forget about HUP (HUP only makes Suricata reopen its log files; USR2 is the signal that reloads rules, but the command socket is the cleaner way)

suricatasc -c reload-rules
#reload-rules, ruleset-reload-rules, ruleset-reload-nonblocking

Status – the command socket only shows up once startup (rule loading) has finished

ps auxww | grep suricata
ls -lF /var/run/suricata.pid
ls -lF /var/run/suricata/*

Stop – forget about kill -9 and pkill; a clean shutdown flushes the logs and removes the pidfile

suricatasc -c shutdown
#pkill -9 suricata
#ps auxww | grep suricata
#rm -f /var/run/suricata.pid
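Status and stop for a hand-started daemon, as an added example (not from the page or the Suricata project). Only `suricatasc -c shutdown` and the pidfile/socket paths come from the page; the state classification, the wait loop and the stale-pidfile clean-up are this example's own logic. The paths can be overridden through SURICATA_PIDFILE and SURICATA_SOCKET, which is also how it can be exercised without a running Suricata.

```sh
#!/bin/sh
# Added example: status/stop helpers for a hand-started Suricata daemon.
# Paths default to the ones used above; override via environment for testing.
set -eu

PIDFILE=${SURICATA_PIDFILE:-/var/run/suricata.pid}
SOCKET=${SURICATA_SOCKET:-/var/run/suricata/suricata-command.socket}

# Classify the pidfile: prints "running", "stale" (file present, no such
# process) or "absent". kill -0 only probes, but it needs permission to
# signal the process, so run this as root or as the user Suricata runs as.
pidfile_state() {                     # $1 = pidfile
    if [ ! -f "$1" ]; then
        echo absent; return 0
    fi
    pid=$(tr -dc '0-9' < "$1")
    if [ -n "$pid" ] && kill -0 "$pid" 2>/dev/null; then
        echo running
    else
        echo stale
    fi
}

# Overall status: process plus command socket. The socket appears only after
# rule loading has finished, so "running, no socket" usually means still starting.
# Exit status 0 only when the process is alive.
suricata_status() {
    state=$(pidfile_state "$PIDFILE")
    if [ -S "$SOCKET" ]; then sock="socket up"; else sock="no socket"; fi
    echo "$state, $sock"
    [ "$state" = running ]
}

# Clean shutdown through the command socket, then wait up to $1 seconds
# (default 30) for the process to go away. A pidfile left behind after that
# is stale and is removed; a process that is still alive is never killed here.
suricata_stop() {
    timeout=${1:-30}
    [ -S "$SOCKET" ] && suricatasc -c shutdown >/dev/null
    while [ "$timeout" -gt 0 ] && [ "$(pidfile_state "$PIDFILE")" = running ]; do
        sleep 1; timeout=$((timeout - 1))
    done
    if [ "$(pidfile_state "$PIDFILE")" = running ]; then
        echo "suricata still running after wait, not killing it" >&2; return 1
    fi
    [ -f "$PIDFILE" ] && rm -f "$PIDFILE"   # stale pidfile left behind
    return 0
}
```

Usage: source the file, then `suricata_status` before and after `suricata_stop`; a non-zero return from suricata_stop is the cue to look at suricata.log rather than to reach for kill -9.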

Updating rules

check that the rules file actually changed (timestamp, size, a known sid), then reload

date
ls -lhF /var/lib/suricata/rules/suricata.rules
grep 2200003 /var/lib/suricata/rules/suricata.rules

suricatasc -c reload-rules

Acceptance

curl http://testmyids.com/

gives

04/12/2020-17:27:27.241696  [**] [1:2013028:4] ET POLICY curl User-Agent Outbound [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.1.1.247:50444 -> 31.3.245.133:80

while

curl -A BlackSun http://testmyids.com/noexist

gives – yep, the [Drop] tag means the packet was really dropped, so af-packet is already running inline (IPS); a sensor in plain IDS mode logs the same rule as [wDrop] (would drop)

04/12/2020-17:49:51.412249  [Drop] [**] [1:2008983:7] ET USER_AGENTS Suspicious User Agent (BlackSun) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.1.247:50496 -> 31.3.245.133:80
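A small fast.log triage, added here as an example (not from the page): it tallies lines per action and sid, which is the quickest way to see whether a drop rule really dropped ([Drop]) or only would have ([wDrop]). The first two sample lines are the two shown above; the third [wDrop] line is constructed to show what a non-inline sensor logs for the same rule.

```sh
#!/bin/sh
# Added example: summarise fast.log by action and sid. The first two sample lines
# are the ones from the acceptance test above; the third ([wDrop]) is constructed
# to show what an IDS-mode (non-inline) sensor logs for the same drop rule.
set -eu

write_sample_fastlog() {              # $1 = path; constructed sample
    cat > "$1" <<'EOF'
04/12/2020-17:27:27.241696  [**] [1:2013028:4] ET POLICY curl User-Agent Outbound [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.1.1.247:50444 -> 31.3.245.133:80
04/12/2020-17:49:51.412249  [Drop] [**] [1:2008983:7] ET USER_AGENTS Suspicious User Agent (BlackSun) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.1.247:50496 -> 31.3.245.133:80
04/12/2020-17:50:03.000001  [wDrop] [**] [1:2008983:7] ET USER_AGENTS Suspicious User Agent (BlackSun) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.1.247:50497 -> 31.3.245.133:80
EOF
}

# One line per (action, sid): "action sid count message". The action is the
# bracketed word before the first [**] (alert when there is none; Drop = really
# dropped, wDrop = would have dropped but the sensor is not inline).
fastlog_summary() {                   # $1 = fast.log
    awk '
    {
        action = ($2 == "[**]") ? "alert" : $2
        gsub(/\[|\]/, "", action)
        sid = ""; msg = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^\[[0-9]+:[0-9]+:[0-9]+\]$/) {      # [gid:sid:rev]
                split($i, g, ":"); sid = g[2]
                for (j = i + 1; j <= NF && $j != "[**]"; j++)
                    msg = msg (msg == "" ? "" : " ") $j
                break
            }
        }
        key = action " " sid
        count[key]++; message[key] = msg
    }
    END { for (k in count) print k, count[k], message[k] }' "$1" | LC_ALL=C sort
}

# Number of lines with a given action (Drop / wDrop / alert); 0 when none.
fastlog_count() {                     # $1 = action, $2 = fast.log
    fastlog_summary "$2" | awk -v a="$1" '$1 == a { n += $3 } END { print n + 0 }'
}
```

On a real sensor run `fastlog_summary /var/log/suricata/fast.log`; a non-zero `fastlog_count wDrop` on a box that is supposed to be inline is the thing to investigate.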

Troubleshooting

while re-starting Suricata

26/12/2018 -- 10:43:31 - <Warning> -- [ERRCODE: SC_ERR_NOT_SUPPORTED(225)] - dns-log is not available when Rust is enabled.

==> the legacy dns-log output is not available in a Rust-enabled build: disable dns-log and use the dns event type of eve-log instead, or build without Rust

Resources

Suricata.yaml https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricatayaml

Basic Setup https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Basic_Setup

Installing and Configuring Suricata Rules https://nsrc.org/workshops/2015/pacnog17-ws/attachments/ex-suricata-rules.htm https://nsrc.org/workshops/2015/pacnog17-ws/raw-attachment/wiki/Track2Agenda/ex-suricata-config-test.htm

Suricata on FreeBSD 10 https://elatov.github.io/2015/01/suricata-on-freebsd-10/

18. Interacting via Unix Socket https://suricata.readthedocs.io/en/suricata-4.1.2/unix-socket.html -> suricatasc

Optional

if needed, enable the command socket so suricatasc can reach /var/run/suricata/suricata-command.socket

unix-command:
  enabled: yes

fix ethX – replace whatever interface name the shipped file uses with your own

grep -E '[^#]*eth[0-9]' /etc/suricata/suricata.yaml
#mv /etc/suricata/suricata.yaml /etc/suricata/suricata.yaml.tmp
#sed 's/eth[0-9]/eth0/g' /etc/suricata/suricata.yaml.tmp > /etc/suricata/suricata.yaml
#rm -f /etc/suricata/suricata.yaml.tmp
