Suricata : Network Based IDS — 2025/03/25
Install and configure a Network Based IDS (Intrusion Detection System), [Suricata].
| [1] | Install Suricata. |
root@dlp:~# apt -y install suricata
| [2] | Configure Suricata. |
root@dlp:~#
vi /etc/suricata/suricata.yaml
# line 18 : change to your local network
HOME_NET: "[10.0.0.0/24]"
# line 25 : optionally set the external network
# the default is every network other than HOME_NET above; note that rules written with
# $EXTERNAL_NET as the source will then not match traffic between two hosts inside
# HOME_NET, whereas "any" covers that traffic as well
EXTERNAL_NET: "!$HOME_NET"
#EXTERNAL_NET: "any"
# line 615 : change to your network interface
af-packet:
- interface: enp1s0
# update rules
root@dlp:~# suricata-update
25/3/2025 -- 00:06:37 - <Info> -- Using data-directory /var/lib/suricata.
25/3/2025 -- 00:06:37 - <Info> -- Using Suricata configuration /etc/suricata/suricata.yaml
25/3/2025 -- 00:06:37 - <Info> -- Using /etc/suricata/rules for Suricata provided rules.
25/3/2025 -- 00:06:37 - <Info> -- Found Suricata version 7.0.3 at /usr/bin/suricata.
25/3/2025 -- 00:06:37 - <Info> -- Loading /etc/suricata/suricata.yaml
25/3/2025 -- 00:06:37 - <Info> -- Disabling rules for protocol pgsql
25/3/2025 -- 00:06:37 - <Info> -- Disabling rules for protocol modbus
25/3/2025 -- 00:06:37 - <Info> -- Disabling rules for protocol dnp3
25/3/2025 -- 00:06:37 - <Info> -- Disabling rules for protocol enip
.....
.....
root@dlp:~# systemctl restart suricata
[3] The alert logs are stored under [/var/log/suricata]. For example, as described in the official Suricata documentation, you can generate a test alert by accessing [(Suricata server)/uid/index.html] over HTTP from another host, then check the detection logs. The signature that fires in this example ("ET HUNTING curl User-Agent to Dotted Quad", signature_severity Informational) matches because the test request is made with curl against a bare IP address; it confirms that the sensor is inspecting traffic and is not itself evidence of an intrusion.
root@dlp:~# ll /var/log/suricata
total 35220
drwxr-xr-x  2 root root       4096 Mar 24 23:51 ./
drwxrwxr-x 12 root syslog     4096 Mar 25 00:17 ../
-rw-r--r--  1 root root   34256373 Mar 25 00:52 eve.json
-rw-r--r--  1 root root        189 Mar 25 00:44 fast.log
-rw-r--r--  1 root root    1757615 Mar 25 00:52 stats.log
-rw-r--r--  1 root root      21008 Mar 25 00:41 suricata.log
root@dlp:~# cat /var/log/suricata/fast.log
03/25/2025-00:44:54.901080 [**] [1:2034567:1] ET HUNTING curl User-Agent to Dotted Quad [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.211:41470 -> 10.0.0.30:80
root@dlp:~# cat /var/log/suricata/eve.json | jq 'select(.event_type=="alert")'
{
"timestamp": "2025-03-25T00:44:54.901080+0000",
"flow_id": 1897831897634293,
"in_iface": "enp1s0",
"event_type": "alert",
"src_ip": "10.0.0.211",
"src_port": 41470,
"dest_ip": "10.0.0.30",
"dest_port": 80,
"proto": "TCP",
"pkt_src": "wire/pcap",
"metadata": {
"flowbits": [
"http.dottedquadhost"
]
},
"tx_id": 0,
"alert": {
"action": "allowed",
"gid": 1,
"signature_id": 2034567,
"rev": 1,
"signature": "ET HUNTING curl User-Agent to Dotted Quad",
"category": "Potentially Bad Traffic",
"severity": 2,
"metadata": {
"attack_target": [
"Client_Endpoint"
],
"confidence": [
"Medium"
],
"created_at": [
"2021_12_01"
],
"deployment": [
"Perimeter"
],
"signature_severity": [
"Informational"
],
"updated_at": [
"2021_12_01"
]
}
},
"http": {
"hostname": "10.0.0.30",
"url": "/uid/index.html",
"http_user_agent": "curl/8.5.0",
"http_content_type": "text/html",
"http_method": "GET",
"protocol": "HTTP/1.1",
"status": 404,
"length": 271
},
"app_proto": "http",
"direction": "to_server",
"flow": {
"pkts_toserver": 4,
"pkts_toclient": 3,
"bytes_toserver": 358,
"bytes_toclient": 638,
"start": "2025-03-25T00:44:54.900625+0000",
"src_ip": "10.0.0.211",
"dest_ip": "10.0.0.30",
"src_port": 41470,
"dest_port": 80
}
}