Suricata : Network Based IDS (2025/03/25)
Install and configure Network Based IDS (Intrusion Detection System) [Suricata]. |
|
[1] | Install Suricata. |
# install from EPEL
[root@dlp ~]# dnf --enablerepo=epel -y install suricata
|
[2] | Configure Suricata. |
[root@dlp ~]#
vi /etc/suricata/suricata.yaml
# line 18 : change to your local network
HOME_NET: "[10.0.0.0/24]"
# line 24 : possible to set external network
# default is the network other than the one specified above
EXTERNAL_NET: "!$HOME_NET"
#EXTERNAL_NET: "any"
# line 622 : change to your network interface
af-packet:
  - interface: enp1s0
[root@dlp ~]#
vi /etc/sysconfig/suricata
# change to your network interface
OPTIONS="-i enp1s0 --user suricata "
# update rules
[root@dlp ~]# suricata-update
25/3/2025 -- 10:49:10 - <Info> -- Using data-directory /var/lib/suricata.
25/3/2025 -- 10:49:10 - <Info> -- Using Suricata configuration /etc/suricata/suricata.yaml
25/3/2025 -- 10:49:10 - <Info> -- Using /usr/share/suricata/rules for Suricata provided rules.
25/3/2025 -- 10:49:10 - <Info> -- Found Suricata version 7.0.8 at /usr/sbin/suricata.
25/3/2025 -- 10:49:10 - <Info> -- Loading /etc/suricata/suricata.yaml
25/3/2025 -- 10:49:10 - <Info> -- Disabling rules for protocol pgsql
25/3/2025 -- 10:49:10 - <Info> -- Disabling rules for protocol modbus
25/3/2025 -- 10:49:10 - <Info> -- Disabling rules for protocol dnp3
25/3/2025 -- 10:49:10 - <Info> -- Disabling rules for protocol enip
25/3/2025 -- 10:49:10 - <Info> -- No sources configured, will use Emerging Threats Open
.....
.....
[root@dlp ~]# systemctl enable --now suricata
[3] | The alert logs are stored under [/var/log/suricata]. For example, as described in the official Suricata documentation, you can generate a test alert by requesting [http://(Suricata server)/uid/index.html] from another host and then check the detection log on the Suricata server. (In the example below the request was sent with curl, which is what the [ET HUNTING curl User-Agent to Dotted Quad] signature matches.) |
[root@dlp ~]# ll /var/log/suricata
total 4
-rw-r--r--. 1 suricata suricata    0 Mar 25 10:50 eve.json
-rw-r--r--. 1 suricata suricata    0 Mar 25 10:50 fast.log
-rw-r--r--. 1 suricata suricata    0 Mar 25 10:50 stats.log
-rw-r--r--. 1 suricata suricata 1759 Mar 25 10:50 suricata.log
[root@dlp ~]# cat /var/log/suricata/fast.log
03/25/2025-11:03:09.950891  [**] [1:2034567:1] ET HUNTING curl User-Agent to Dotted Quad [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.211:55808 -> 10.0.0.30:80
[root@dlp ~]# cat /var/log/suricata/eve.json | jq 'select(.event_type=="alert")'
{
  "timestamp": "2025-03-25T00:44:54.901080+0000",
  "flow_id": 1897831897634293,
  "in_iface": "enp1s0",
  "event_type": "alert",
  "src_ip": "10.0.0.211",
  "src_port": 41470,
  "dest_ip": "10.0.0.30",
  "dest_port": 80,
  "proto": "TCP",
  "pkt_src": "wire/pcap",
  "metadata": {
    "flowbits": [
      "http.dottedquadhost"
    ]
  },
  "tx_id": 0,
  "alert": {
    "action": "allowed",
    "gid": 1,
    "signature_id": 2034567,
    "rev": 1,
    "signature": "ET HUNTING curl User-Agent to Dotted Quad",
    "category": "Potentially Bad Traffic",
    "severity": 2,
    "metadata": {
      "attack_target": [
        "Client_Endpoint"
      ],
      "confidence": [
        "Medium"
      ],
      "created_at": [
        "2021_12_01"
      ],
      "deployment": [
        "Perimeter"
      ],
      "signature_severity": [
        "Informational"
      ],
      "updated_at": [
        "2021_12_01"
      ]
    }
  },
  "http": {
    "hostname": "10.0.0.30",
    "url": "/uid/index.html",
    "http_user_agent": "curl/8.5.0",
    "http_content_type": "text/html",
    "http_method": "GET",
    "protocol": "HTTP/1.1",
    "status": 404,
    "length": 271
  },
  "app_proto": "http",
  "direction": "to_server",
  "flow": {
    "pkts_toserver": 4,
    "pkts_toclient": 3,
    "bytes_toserver": 358,
    "bytes_toclient": 638,
    "start": "2025-03-25T00:44:54.900625+0000",
    "src_ip": "10.0.0.211",
    "dest_ip": "10.0.0.30",
    "src_port": 41470,
    "dest_port": 80
  }
}