assuming you installed Suricata already
vi /etc/default/suricata
IFACE=eth0
wipe out the comments
mv -i /etc/suricata/suricata.yaml /etc/suricata/suricata.yaml.dist
# drop comment-only lines (anchored at line start, so values containing a '#' survive) and blank lines
sed -r '/^[[:space:]]*#/d; /^$/d' /etc/suricata/suricata.yaml.dist > /etc/suricata/suricata.yaml.clean
# the .clean copy stays untouched as the reference for the diff below; work on suricata.yaml
cp /etc/suricata/suricata.yaml.clean /etc/suricata/suricata.yaml
#s/enabled: no/enabled: yes/
define your subnet
vi /etc/suricata/suricata.yaml
HOME_NET: "[YOUR_SUBNET1/24,YOUR_SUBNET2/24]"
SSH_PORTS: "[22,2222]"
disable/enable a few things in suricata.yaml, e.g. these sections:
stats
output / eve-log
output / stats
diff -bu /etc/suricata/suricata.yaml.clean /etc/suricata/suricata.yaml
ls -l /var/log/suricata/
tail -F /var/log/suricata/suricata.log
#/var/log/suricata/suricata-start.log
systemctl status suricata
systemctl restart suricata
Start and enable
vi /etc/rc.local
#!/bin/bash
ifconfig eth0 up
#self verbose
/usr/local/bin/suricata --init-errors-fatal --af-packet -D
#default -c /etc/suricata/suricata.yaml
#default --pidfile /var/run/suricata.pid
#-i eth0 -vvv --user=suri
chmod +x /etc/rc.local
Reload – forget about HUP
suricatasc -c reload-rules
#reload-rules, ruleset-reload-rules, ruleset-reload-nonblocking
Status – socket shows up after some time
ps auxww | grep suricata
ls -lF /var/run/suricata.pid
ls -lF /var/run/suricata/*
Stop – forget about kill and pkill
suricatasc -c shutdown
#pkill -9 suricata
#ps auxww | grep suricata
#rm -f /var/run/suricata.pid
check and reload
date
ls -lhF /var/lib/suricata/rules/suricata.rules
grep 2200003 /var/lib/suricata/rules/suricata.rules
suricatasc -c reload-rules
curl http://testmyids.com/
gives
04/12/2020-17:27:27.241696 [**] [1:2013028:4] ET POLICY curl User-Agent Outbound [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.1.1.247:50444 -> 31.3.245.133:80
while
curl -A BlackSun http://testmyids.com/noexist
gives – yep, inline (drop) mode is already active:
04/12/2020-17:49:51.412249 [Drop] [**] [1:2008983:7] ET USER_AGENTS Suspicious User Agent (BlackSun) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.1.247:50496 -> 31.3.245.133:80
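Added example, not part of these notes: a small Python parser for the fast.log lines above, so the outcome of the two curl tests can be checked from a script instead of by eye. It assumes the standard fast.log line layout (optional [Drop]/[wDrop] tag, gid:sid:rev, message, classification, priority, proto, src -> dst); the two sample lines are the ones shown above.

```python
import re
from typing import Dict, List, Optional

# One alert per line, as written by Suricata's fast.log output. The optional
# "[Drop]" / "[wDrop]" tag appears only when a drop rule matched in inline mode.
FAST_LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+"
    r"(?:\[(?P<action>Drop|wDrop)\]\s+)?"
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<classification>[^\]]*)\]\s+)?"
    r"\[Priority:\s+(?P<priority>\d+)\]\s+"
    r"\{(?P<proto>[^}]+)\}\s+"
    r"(?P<src_ip>\S+):(?P<src_port>\d+)\s+->\s+(?P<dst_ip>\S+):(?P<dst_port>\d+)\s*$"
)

# Sample input: the two fast.log lines produced by the curl tests in the notes above.
SAMPLE_LINES = [
    "04/12/2020-17:27:27.241696 [**] [1:2013028:4] ET POLICY curl User-Agent Outbound [**] "
    "[Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.1.1.247:50444 -> 31.3.245.133:80",
    "04/12/2020-17:49:51.412249 [Drop] [**] [1:2008983:7] ET USER_AGENTS Suspicious User Agent (BlackSun) [**] "
    "[Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.1.247:50496 -> 31.3.245.133:80",
]


def parse_fast_log_line(line: str) -> Optional[Dict[str, object]]:
    """Split one fast.log line into its fields; return None for anything that is not an alert line."""
    m = FAST_LOG_RE.match(line.strip())
    if m is None:
        return None
    fields: Dict[str, object] = dict(m.groupdict())
    fields["action"] = fields["action"] or "alert"  # no tag means the packet was only alerted on
    for key in ("gid", "sid", "rev", "priority", "src_port", "dst_port"):
        fields[key] = int(fields[key])
    return fields


def summarize(lines: List[str]) -> Dict[str, int]:
    """Count lines per action ("alert", "Drop", "wDrop") plus lines that did not parse."""
    counts: Dict[str, int] = {}
    for line in lines:
        parsed = parse_fast_log_line(line)
        key = "unparsed" if parsed is None else str(parsed["action"])
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        p = parse_fast_log_line(sample)
        print(f'{p["action"]:6} sid={p["sid"]} prio={p["priority"]} {p["src_ip"]} -> {p["dst_ip"]} : {p["msg"]}')
    print(summarize(SAMPLE_LINES))  # {'alert': 1, 'Drop': 1}
```

A "Drop" entry in the summary is the confirmation that drop rules really block in inline mode; run it over the live file with summarize(open("/var/log/suricata/fast.log").readlines()).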
while restarting Suricata:
26/12/2018 -- 10:43:31 - <Warning> -- [ERRCODE: SC_ERR_NOT_SUPPORTED(225)] - dns-log is not available when Rust is enabled.
==> One may have to choose between C and Rust
Suricata.yaml https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricatayaml
Basic Setup https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Basic_Setup
Installing and Configuring Suricata Rules https://nsrc.org/workshops/2015/pacnog17-ws/attachments/ex-suricata-rules.htm https://nsrc.org/workshops/2015/pacnog17-ws/raw-attachment/wiki/Track2Agenda/ex-suricata-config-test.htm
Suricata on FreeBSD 10 https://elatov.github.io/2015/01/suricata-on-freebsd-10/
18. Interacting via Unix Socket https://suricata.readthedocs.io/en/suricata-4.1.2/unix-socket.html -> suricatasc
if necessary, force /var/run/suricata/suricata-command.socket
unix-command:
  enabled: yes
fix ethX
grep -E '[^#]*eth[0-9]' /etc/suricata/suricata.yaml
#mv /etc/suricata/suricata.yaml /etc/suricata/suricata.yaml.tmp
#sed 's/eth[0-9]/eth0/g' /etc/suricata/suricata.yaml.tmp > /etc/suricata/suricata.yaml
#rm -f /etc/suricata/suricata.yaml.tmp