About the Author
I'm Carrie, a cybersecurity engineer and writer, working for SafeLine Team. SafeLine is a free and open source web application firewall, self-hosted, very easy to use.
I'm writing this to introduce another robust open source cybersecurity tool for beginners and welcome any enthusiast to integrate SafeLine WAF with Suricata if possible and achieve better security performance for the environment.
Suricata is a high-performance network threat detection, intrusion detection, and prevention system (IDS/IPS) developed by the Open Information Security Foundation (OISF). This guide will introduce you to the basics of Suricata, including installation steps, basic configuration, and usage.
What is Suricata?
Suricata is an open-source network security engine that can perform the following functions:
- Intrusion Detection System (IDS)
- Intrusion Prevention System (IPS)
- Network Security Monitoring (NSM)
- Offline pcap file analysis
Suricata supports multi-threading, which allows it to utilize the performance advantages of multi-core processors. It also has a powerful rule set that can identify and respond to various network threats.
Installing Suricata
The method for installing Suricata varies depending on the operating system. Below are the installation steps for Ubuntu and CentOS.
Installing Suricata on Ubuntu
- Update system packages:
sudo apt update
- Install necessary dependencies:
sudo apt install software-properties-common
- Add the Suricata PPA repository:
sudo add-apt-repository ppa:oisf/suricata-stable
sudo apt update
- Install Suricata:
sudo apt install suricata
- Verify the installation:
suricata --build-info
Installing Suricata on CentOS
- Update system packages:
sudo yum update
- Install the EPEL repository:
sudo yum install epel-release
- Install Suricata:
sudo yum install suricata
- Verify the installation:
suricata --build-info
Configuring Suricata
After installation, you need to configure Suricata to ensure it operates correctly.
Configuration File Path
The main configuration file for Suricata is typically located at /etc/suricata/suricata.yaml. It is recommended to back up the original configuration file before editing it:
sudo cp /etc/suricata/suricata.yaml /etc/suricata/suricata.yaml.bak
Editing the Configuration File
Open the configuration file for editing:
sudo nano /etc/suricata/suricata.yaml
In the configuration file, you can set parameters such as the network interface, log output location, and rule paths. Here are some key configuration items:
- interface: Specify the network interface that Suricata will monitor. It is set under the capture method in use, here af-packet. For example:
af-packet:
  - interface: eth0
- default-rule-path: Specify the directory that holds the rule files. For example:
default-rule-path: /etc/suricata/rules
- default-log-dir: Specify the log output directory. For example:
default-log-dir: /var/log/suricata/
Testing the Configuration File
After editing, you can test if the configuration file is correct:
sudo suricata -T -c /etc/suricata/suricata.yaml -v
Running Suricata
After configuration, you can start Suricata using the following command:
sudo systemctl start suricata
To enable Suricata to start at boot:
sudo systemctl enable suricata
Using Rules to Detect Threats
Suricata uses rules to detect network threats. You can obtain the latest rule sets from Emerging Threats.
Downloading Rule Sets
Use the following commands to download rule sets:
wget https://rules.emergingthreats.net/open/suricata-5.0/emerging.rules.tar.gz
sudo tar -xzvf emerging.rules.tar.gz -C /etc/suricata/rules/
Updating Rule Paths
Ensure the correct rule path is specified in /etc/suricata/suricata.yaml. For example:
rule-files:
  - /etc/suricata/rules/emerging-threats.rules
Restarting Suricata
After updating the rules, restart Suricata to apply the changes:
sudo systemctl restart suricata
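Rule updates are the step that most often leaves Suricata refusing to start: a malformed line, a rule without a sid or rev, or the same sid appearing twice across the downloaded set and a local file. The following Python script is an added example (not code from the original article or from the Suricata project) that parses rules in Suricata's layout, action, protocol, source, port, direction, destination, port and a parenthesised option list, and reports those problems before you run suricata -T or restart the service. The file content in SAMPLE_LOCAL_RULES and its sids (1000001 to 1000005) are constructed for the example; address or port groups containing spaces are not handled by this parser.

```python
"""Parse and sanity-check a Suricata rules file before loading it.

Added example, not from the original article or the Suricata project. It
implements a small parser for the Suricata rule layout
(action proto src sport -> dst dport (option; option; ...)) and flags the
mistakes that commonly make `suricata -T` fail after a rule update:
malformed lines, missing msg/sid/rev, and duplicate SIDs. The rules in
SAMPLE_LOCAL_RULES are constructed for this example.
"""
import re
from dataclasses import dataclass, field

# Header part of a rule. Address/port groups with spaces inside [...] are
# not handled here; this is a pre-check, not a replacement for suricata -T.
RULE_RE = re.compile(
    r"^(?P<action>alert|drop|pass|reject|rejectsrc|rejectdst|rejectboth)\s+"
    r"(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<direction>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s+"
    r"\((?P<options>.*)\)\s*$"
)


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    direction: str
    dst: str
    dport: str
    options: list = field(default_factory=list)  # [(keyword, value or None), ...]
    line_no: int = 0

    def has(self, keyword):
        return any(k == keyword for k, _ in self.options)

    def opt(self, keyword):
        """Value of a keyword:value option; None if absent or a bare flag."""
        for k, v in self.options:
            if k == keyword:
                return v
        return None


def split_options(text):
    """Split the option list on ';' honouring Suricata's quoting rules.

    A ';' inside double quotes does not end an option, and a backslash
    escapes the next character inside quotes.
    """
    parts, buf, in_quotes, escape = [], [], False, False
    for ch in text:
        if escape:
            buf.append(ch)
            escape = False
        elif ch == "\\" and in_quotes:
            buf.append(ch)
            escape = True
        elif ch == '"':
            in_quotes = not in_quotes
            buf.append(ch)
        elif ch == ";" and not in_quotes:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    if "".join(buf).strip():
        parts.append("".join(buf).strip())
    result = []
    for part in parts:
        key, sep, value = part.partition(":")
        result.append((key.strip(), value.strip() if sep else None))
    return result


def parse_rules(text):
    """Return (rules, errors) for the text of one rules file."""
    rules, errors = [], []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and commented-out (disabled) rules
        m = RULE_RE.match(line)
        if not m:
            errors.append(f"line {n}: not a well-formed rule")
            continue
        rule = Rule(m["action"], m["proto"], m["src"], m["sport"], m["direction"],
                    m["dst"], m["dport"], split_options(m["options"]), n)
        for required in ("msg", "sid", "rev"):
            if rule.opt(required) is None:
                errors.append(f"line {n}: missing required option '{required}'")
        rules.append(rule)
    return rules, errors


def duplicate_sids(rules):
    """Suricata refuses to load two rules with the same SID; list the clashes."""
    first_seen, clashes = {}, []
    for rule in rules:
        sid = rule.opt("sid")
        if sid is None:
            continue
        if sid in first_seen:
            clashes.append((sid, first_seen[sid], rule.line_no))
        else:
            first_seen[sid] = rule.line_no
    return clashes


# Constructed local.rules content for this example (not from Emerging Threats).
SAMPLE_LOCAL_RULES = """\
# local.rules, constructed for this example
alert icmp any any -> $HOME_NET any (msg:"LOCAL ICMP echo request"; itype:8; classtype:misc-activity; sid:1000001; rev:1;)
alert http any any -> $HOME_NET any (msg:"LOCAL test user-agent seen; check sensor"; http.user_agent; content:"suricata-selftest"; nocase; sid:1000002; rev:1;)
alert tcp any any -> $HOME_NET 22 (msg:"LOCAL SSH to home net"; flow:to_server,established; sid:1000001; rev:2;)
alert tcp any any -> $HOME_NET 23 (msg:"LOCAL rule missing its sid"; rev:1;)
alert tcp any any -> $HOME_NET 25 msg:"LOCAL rule without parentheses"; sid:1000005; rev:1;
"""

if __name__ == "__main__":
    rules, errors = parse_rules(SAMPLE_LOCAL_RULES)
    for sid, first, again in duplicate_sids(rules):
        errors.append(f"line {again}: sid {sid} already used on line {first}")
    print(f"{len(rules)} rules parsed, {len(errors)} problems")
    for e in errors:
        print("  " + e)
```

Run it against the concatenation of every file listed under rule-files, since a sid clash between emerging-threats.rules and a local file is exactly the case a per-file check misses. Local rules conventionally use sids from 1000000 upwards so they never collide with distributed rule sets.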
Viewing Logs and Alerts
Suricata records detected threat logs in the specified log directory. For example, the default log path is /var/log/suricata/. You can view the logs using the following command:
cat /var/log/suricata/fast.log
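Reading fast.log with cat is fine for a first look, but once a few rules fire you want counts: which sids fired, at what priority, from which hosts, and which packets were actually dropped in IPS mode. The script below is an added example, not code from the original article or the Suricata project. It parses the fast.log layout (timestamp, optional [Drop] marker, [gid:sid:rev], message, classification, priority, protocol, source:port -> destination:port) into dictionaries and summarises them; the sample lines in SAMPLE_FAST_LOG, their sids (1000001 to 1000004) and addresses are constructed for the example. For machine processing Suricata's eve.json output (one JSON object per line) is the better source, but this shows what can be recovered from the log the guide points at.

```python
"""Parse Suricata fast.log alerts into structured records and summarise them.

Added example, not from the original article or the Suricata project. The
sample lines below are constructed in the fast.log layout; the sids and
addresses are made up for this example.
"""
import re
from collections import Counter

FAST_LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+"
    r"(?:\[(?P<action>w?Drop)\]\s+)?"          # present only for IPS-mode drops
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"\[Classification:\s+(?P<classification>.*?)\]\s+"
    r"\[Priority:\s+(?P<priority>\d+)\]\s+"
    r"\{(?P<proto>[^}]+)\}\s+"
    # \S+ backtracks to the last ':' so IPv6 addresses split correctly
    r"(?P<src>\S+):(?P<sport>\d+)\s+->\s+(?P<dst>\S+):(?P<dport>\d+)\s*$"
)


def parse_fast_log_line(line):
    """Return a dict for one alert line, or None if the line is not an alert."""
    m = FAST_LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("gid", "sid", "rev", "priority", "sport", "dport"):
        rec[key] = int(rec[key])
    rec["dropped"] = rec["action"] is not None
    return rec


def parse_fast_log(text):
    """Parse every line; returns (alerts, number_of_unparsed_lines)."""
    alerts, unparsed = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_fast_log_line(line)
        if rec is None:
            unparsed += 1  # keep going; a log is never worth aborting on
        else:
            alerts.append(rec)
    return alerts, unparsed


def summarize(alerts):
    """The counts a responder looks at first: what fired, how severe, from where."""
    return {
        "total": len(alerts),
        "dropped": sum(1 for a in alerts if a["dropped"]),
        "by_sid": Counter(a["sid"] for a in alerts),
        "by_priority": Counter(a["priority"] for a in alerts),
        "by_src": Counter(a["src"] for a in alerts),
    }


def high_priority(alerts, max_priority=2):
    """Priority 1 is the most severe; keep alerts at or above the given level."""
    return [a for a in alerts if a["priority"] <= max_priority]


# Constructed sample, not a real capture. The last line is deliberately not
# an alert to show that non-matching lines are counted rather than fatal.
SAMPLE_FAST_LOG = """\
05/21/2024-12:34:56.123456  [**] [1:1000001:1] LOCAL ICMP echo request [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.10:8 -> 192.168.1.1:0
05/21/2024-12:35:01.000001  [**] [1:1000002:1] LOCAL test user-agent seen; check sensor [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.1.10:51234 -> 192.168.1.20:80
05/21/2024-12:35:02.500000  [Drop] [**] [1:1000003:2] LOCAL outbound to blocklisted host [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.1.20:44321 -> 203.0.113.7:443
05/21/2024-12:35:03.000000  [**] [1:1000001:1] LOCAL ICMP echo request [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.11:8 -> 192.168.1.1:0
05/21/2024-12:35:04.000000  [**] [1:1000004:1] LOCAL IPv6 SSH attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 2001:db8::10:40000 -> 2001:db8::1:22
this line is not an alert
"""

if __name__ == "__main__":
    alerts, bad = parse_fast_log(SAMPLE_FAST_LOG)
    s = summarize(alerts)
    print(f"{s['total']} alerts parsed, {bad} non-alert lines skipped, {s['dropped']} dropped")
    for sid, n in s["by_sid"].most_common():
        print(f"  sid {sid}: {n}")
    for a in high_priority(alerts):
        print(f"  P{a['priority']} {a['src']} -> {a['dst']}:{a['dport']} {a['msg']}")
```

Point parse_fast_log at the contents of /var/log/suricata/fast.log to use it on a live sensor; a classification of (null) means the rule that fired has no classtype, which is worth fixing in the rule rather than in the parser.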
Conclusion
This guide introduces the basics of Suricata, including installation steps, configuration methods, and basic usage. By correctly configuring and using Suricata, you can effectively detect and prevent network threats, enhancing network security. We hope this guide helps you understand and use Suricata better. For any questions or further assistance, please refer to the Suricata official documentation.
By following this guide, you should have a good starting point for working with Suricata. Happy monitoring!