Suricata : Network Based IDS (2025/08/17)
Install and configure Network Based IDS (Intrusion Detection System) [Suricata]. |
| [1] | Install Suricata. |
# jq is only needed for reading eve.json in step [3]; the IDS itself is the suricata package
root@dlp:~# apt -y install suricata jq
| [2] | Configure Suricata. |
root@dlp:~#
vi /etc/suricata/suricata.yaml
# line 18 : change to your local network
# HOME_NET is what the rules treat as "inside": list every subnet you want
# protected, because rules written as $EXTERNAL_NET -> $HOME_NET only fire
# for destinations in this group
HOME_NET: "[10.0.0.0/24]"
# line 24 : possible to set external network
# default is the network other than the one specified above
# keep in mind: with "!$HOME_NET", traffic between two HOME_NET hosts is never
# "external", so rules whose header uses $EXTERNAL_NET stay silent for
# lateral movement inside the LAN; "any" catches that at the cost of more noise
EXTERNAL_NET: "!$HOME_NET"
#EXTERNAL_NET: "any"
# line 622 : change to your network interface
# the interface must actually see the traffic to be inspected (the host's own
# NIC here; a SPAN/mirror or TAP port when other hosts are monitored)
af-packet:
- interface: enp1s0
# update rules
# no source is configured, so suricata-update falls back to the free Emerging Threats Open
# feed (fetched over HTTPS into /var/lib/suricata); re-run it regularly, e.g. from a cron
# job or systemd timer, or the rule set goes stale
root@dlp:~# suricata-update
16/8/2025 -- 11:53:43 - <Info> -- Using data-directory /var/lib/suricata.
16/8/2025 -- 11:53:43 - <Info> -- Using Suricata configuration /etc/suricata/suricata.yaml
16/8/2025 -- 11:53:43 - <Info> -- Using /etc/suricata/rules for Suricata provided rules.
16/8/2025 -- 11:53:43 - <Info> -- Found Suricata version 7.0.10 at /usr/bin/suricata.
16/8/2025 -- 11:53:43 - <Info> -- Loading /etc/suricata/suricata.yaml
16/8/2025 -- 11:53:43 - <Info> -- Disabling rules for protocol pgsql
16/8/2025 -- 11:53:43 - <Info> -- Disabling rules for protocol modbus
16/8/2025 -- 11:53:43 - <Info> -- Disabling rules for protocol dnp3
16/8/2025 -- 11:53:43 - <Info> -- Disabling rules for protocol enip
16/8/2025 -- 11:53:43 - <Info> -- No sources configured, will use Emerging Threats Open
16/8/2025 -- 11:53:43 - <Info> -- Fetching https://rules.emergingthreats.net/open/suricata-7.0.10/emerging.rules.tar.gz.
.....
.....
# validate the edited configuration before restarting, so a YAML mistake does not leave the IDS down
root@dlp:~# suricata -T -c /etc/suricata/suricata.yaml
root@dlp:~# systemctl restart suricata
| [3] | The alert logs are written under [/var/log/suricata]: [fast.log] holds a one-line summary per alert and [eve.json] the full JSON record. To generate a test alert, the official Suricata documentation suggests fetching [http://testmynids.org/uid/index.html] with curl from a monitored host; the response of that test site is what triggers the well-known "GPL ATTACK_RESPONSE id check returned root" rule. The example below instead requests [/uid/index.html] from the Suricata server itself over http: the page does not exist there (the response is 404), and the alert that fires is "ET HUNTING curl User-Agent to Dotted Quad", raised because curl's default User-Agent was sent to an IP-literal host, not because of the path requested. |
root@dlp:~# ll /var/log/suricata
total 12
-rw-r--r-- 1 root root 0 Aug 16 11:50 eve.json
-rw-r--r-- 1 root root 0 Aug 16 11:50 fast.log
-rw-r--r-- 1 root root 0 Aug 16 11:50 stats.log
-rw-r--r-- 1 root root 11108 Aug 16 11:55 suricata.log
# note: these files are world-readable (0644), and eve.json records hostnames, URLs and
# User-Agents of observed traffic; tighten the mode (or ship the log to a SIEM and rotate it)
# if other users have access to this host
root@dlp:~# cat /var/log/suricata/fast.log
08/16/2025-12:03:24.726143 [**] [1:2034567:1] ET HUNTING curl User-Agent to Dotted Quad [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.230:41668 -> 10.0.0.30:80
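# eve.json carries events of several types, so filter on event_type to see only alerts;
# pass the file to jq directly instead of piping it through cat
root@dlp:~# jq 'select(.event_type=="alert")' /var/log/suricata/eve.json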
{
"timestamp": "2025-08-16T12:03:24.726143+0900",
"flow_id": 1146939758689087,
"in_iface": "enp1s0",
"event_type": "alert",
"src_ip": "10.0.0.230",
"src_port": 41668,
"dest_ip": "10.0.0.30",
"dest_port": 80,
"proto": "TCP",
"pkt_src": "wire/pcap",
"metadata": {
"flowbits": [
"http.dottedquadhost"
]
},
"tx_id": 0,
"alert": {
"action": "allowed",
"gid": 1,
"signature_id": 2034567,
"rev": 1,
"signature": "ET HUNTING curl User-Agent to Dotted Quad",
"category": "Potentially Bad Traffic",
"severity": 2,
"metadata": {
"attack_target": [
"Client_Endpoint"
],
"confidence": [
"Medium"
],
"created_at": [
"2021_12_01"
],
"deployment": [
"Perimeter"
],
"signature_severity": [
"Informational"
],
"updated_at": [
"2021_12_01"
]
}
},
"http": {
"hostname": "10.0.0.30",
"url": "/uid/index.html",
"http_user_agent": "curl/8.14.1",
"http_content_type": "text/html",
"http_method": "GET",
"protocol": "HTTP/1.1",
"status": 404,
"length": 271
},
"app_proto": "http",
"direction": "to_server",
"flow": {
"pkts_toserver": 4,
"pkts_toclient": 3,
"bytes_toserver": 359,
"bytes_toclient": 638,
"start": "2025-08-16T12:03:24.725794+0900",
"src_ip": "10.0.0.230",
"dest_ip": "10.0.0.30",
"src_port": 41668,
"dest_port": 80
}
}