Difference between revisions of "HowTo Setup Suricata - A Simple Live Configuration"
From NST Wiki
Revision as of 12:23, 24 April 2024
Overview
Suricata is a multi-threaded intrusion detection/prevention engine. This page shows how to configure Suricata to "run in pcap live mode" and generate alerts with a simple ICMP Ping rule.
Configuration - Rule File
We will create a simple rule file for ICMP detection in the directory "/opt" with the file name "icmp.rules". Documentation for writing Suricata rules can be found here.
[root@probe tmp]# cat /opt/icmp.rules
alert ip any any <> any any (msg: "ICMP Ping"; ip_proto: icmp; sid: 1000001;)
Configuration - Suricata
One needs to add the location of the ICMP rules file to the Suricata configuration file "/etc/suricata.yaml". This is done in the "rule-files" section.
Before:
rule-files:
  - suricata.rules
After:
rule-files:
  - suricata.rules
  - /opt/icmp.rules
Start Suricata
Start Suricata in "run in pcap live mode". Example interface and hosts: Suricata Interface: "ens34", Suricata Host: 10.222.222.252, Ping Host: 10.222.222.251.
Suricata host command line (Start up suricata):
[root@probe tmp]# suricata -i ens34
i: suricata: This is Suricata version 7.0.4 RELEASE running in SYSTEM mode
i: threads: Threads created -> W: 4 FM: 1 FR: 1 Engine started.
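To confirm that the rule actually fires once the ping host sends traffic, the alerts Suricata writes to its EVE JSON log can be filtered by the rule's sid. The following Python script is an added example, not part of the original page; it assumes EVE logging is enabled in suricata.yaml (default output file /var/log/suricata/eve.json) and uses constructed sample log lines so that it runs offline.

```python
import json
from collections import Counter

ICMP_PING_SID = 1000001  # sid from /opt/icmp.rules

# Constructed sample EVE JSON lines (not captured from a real sensor). Because the
# rule uses the bidirectional "<>" operator, the echo reply alerts as well as the
# echo request, so both hosts appear as src_ip. A flow record and a malformed line
# are included to show that they are skipped.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2024-04-24T12:30:01.000000+0000","event_type":"alert",'
    '"src_ip":"10.222.222.251","dest_ip":"10.222.222.252","proto":"ICMP",'
    '"alert":{"signature_id":1000001,"rev":0,"signature":"ICMP Ping","severity":3}}',
    '{"timestamp":"2024-04-24T12:30:01.000100+0000","event_type":"alert",'
    '"src_ip":"10.222.222.252","dest_ip":"10.222.222.251","proto":"ICMP",'
    '"alert":{"signature_id":1000001,"rev":0,"signature":"ICMP Ping","severity":3}}',
    '{"timestamp":"2024-04-24T12:30:02.000000+0000","event_type":"flow",'
    '"src_ip":"10.222.222.251","dest_ip":"10.222.222.252","proto":"ICMP"}',
    'this line is not JSON and must be skipped',
]


def alerts_for_sid(lines, sid=ICMP_PING_SID):
    """Return the alert events whose signature_id matches sid.

    Non-alert event types (flow, stats, ...) and unparsable lines are skipped,
    since a live eve.json mixes many event types and may be mid-write.
    """
    matches = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if event.get("event_type") != "alert":
            continue
        if event.get("alert", {}).get("signature_id") == sid:
            matches.append(event)
    return matches


def count_by_source(lines, sid=ICMP_PING_SID):
    """Count matching alerts per source address, i.e. which host generated them."""
    return Counter(ev["src_ip"] for ev in alerts_for_sid(lines, sid))


if __name__ == "__main__":
    for src, n in sorted(count_by_source(SAMPLE_EVE_LINES).items()):
        print(f"{src}: {n} ICMP Ping alert(s)")
```

On a live sensor, pass the lines of /var/log/suricata/eve.json instead of SAMPLE_EVE_LINES.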