HowTo Setup Suricata - A Simple Live Configuration
Latest revision as of 12:54, 24 April 2024
Overview
Suricata (https://oisf.net/) is a multi-threaded intrusion detection/prevention engine. This page shows how to configure suricata to "run in pcap live mode" to detect ICMP packets and generate alerts with a simple ICMP Ping rule. It shows how quickly one can set up suricata from the command line for protocol packet flow detection.
Configuration - Rule File
We will create a simple rule file for ICMP detection in the directory "/opt" with the file name "icmp.rules". This alert rule is triggered when an IPv4 ICMP packet is received or transmitted by the suricata host (bi-directional, direction indicator: <>). Documentation for writing suricata rules can be found at https://docs.suricata.io/en/latest/rules/index.html.
[root@probe tmp]# cat /opt/icmp.rules
alert ip any any <> any any (msg: "ICMP Ping"; ip_proto: icmp; sid: 1000001;)
Configuration - Suricata
One needs to add the location of the ICMP rules file to the suricata configuration file: "/etc/suricata.yaml". This is done in the "rule-files" section.
Before:
rule-files:
  - suricata.rules
After:
rule-files:
  - suricata.rules
  - /opt/icmp.rules
Start Suricata
Start suricata in "run in pcap live mode". Example interface and hosts: Suricata Interface: ens34, Suricata Host: 10.222.222.252, Ping Host: 10.222.222.251.
Suricata host command line (Start up suricata):
[root@probe tmp]# suricata -i ens34
i: suricata: This is Suricata version 7.0.4 RELEASE running in SYSTEM mode
i: threads: Threads created -> W: 4 FM: 1 FR: 1 Engine started.
Ping Suricata Host
Ping the suricata host: (Done from command line on host: 10.222.222.252)
[nst@dev40 dev40]$ ping -c 3 10.222.222.252
PING 10.222.222.252 (10.222.222.252) 56(84) bytes of data.
64 bytes from 10.222.222.252: icmp_seq=1 ttl=64 time=0.303 ms
64 bytes from 10.222.222.252: icmp_seq=2 ttl=64 time=0.376 ms
64 bytes from 10.222.222.252: icmp_seq=3 ttl=64 time=0.383 ms

--- 10.222.222.252 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2081ms
rtt min/avg/max/mdev = 0.303/0.354/0.383/0.036 ms
Stop Suricata
Use "Ctrl-C" to stop the suricata process:
^Ci: suricata: Signal Received. Stopping engine.
i: device: ens34: packets: 441, drops: 0 (0.00%), invalid chksum: 0
[root@probe tmp]#
Review the Suricata Alert Log
By default the alerts generated by suricata are written to the file "/var/log/suricata/fast.log". Note that two (2) ICMP alerts were logged for this ping flow because our rule file was configured to detect bi-directional ICMP packets.
[root@probe tmp]# cat /var/log/suricata/fast.log
04/24/2024-11:56:22.857567 [**] [1:1000001:0] ICMP Ping [**] [Classification: (null)] [Priority: 3] {ICMP} 10.222.222.251:8 -> 10.222.222.252:0
04/24/2024-11:56:22.857625 [**] [1:1000001:0] ICMP Ping [**] [Classification: (null)] [Priority: 3] {ICMP} 10.222.222.252:0 -> 10.222.222.251:0
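Added example (not part of this page or of the Suricata project): a small parser for fast.log lines in the format shown above that checks, from the two alerts on this page, that sid 1000001 fired in both directions of the ping flow. It assumes IPv4 addresses only, and it reads the values in the "port" positions of ICMP alerts as the ICMP type and code (8/0 for the echo request, 0/0 for the echo reply), which is consistent with the two lines on this page.

```python
import re
from collections import Counter

# One fast.log alert line in the layout shown on this page (IPv4 only).
FAST_LOG_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4}-\d{2}:\d{2}:\d{2}\.\d+) \[\*\*\] "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\] "
    r"\[Classification: (?P<classification>.*?)\] \[Priority: (?P<priority>\d+)\] "
    r"\{(?P<proto>[A-Za-z0-9]+)\} (?P<src>[0-9.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[0-9.]+):(?P<dport>\d+)$"
)

# Sample input: the two alert lines from the fast.log output shown on this page.
SAMPLE_FAST_LOG = """\
04/24/2024-11:56:22.857567 [**] [1:1000001:0] ICMP Ping [**] [Classification: (null)] [Priority: 3] {ICMP} 10.222.222.251:8 -> 10.222.222.252:0
04/24/2024-11:56:22.857625 [**] [1:1000001:0] ICMP Ping [**] [Classification: (null)] [Priority: 3] {ICMP} 10.222.222.252:0 -> 10.222.222.251:0
"""


def parse_fast_log(text):
    """Parse fast.log text into a list of alert dicts; lines that do not match are skipped."""
    alerts = []
    for line in text.splitlines():
        m = FAST_LOG_RE.match(line.strip())
        if not m:
            continue
        alert = m.groupdict()
        for key in ("gid", "sid", "rev", "priority", "sport", "dport"):
            alert[key] = int(alert[key])
        alerts.append(alert)
    return alerts


def count_by_sid(alerts):
    """Number of alerts per signature id (sid)."""
    return Counter(a["sid"] for a in alerts)


def bidirectional_pairs(alerts):
    """Host pairs that produced alerts in both directions, as the '<>' rule on this page should."""
    seen = {}
    for a in alerts:
        pair = tuple(sorted((a["src"], a["dst"])))
        seen.setdefault(pair, set()).add((a["src"], a["dst"]))
    return {pair for pair, dirs in seen.items() if len(dirs) == 2}


def icmp_echo_summary(alerts):
    """Label ICMP alerts by the ICMP type printed in the source 'port' slot (assumption, see lead-in)."""
    names = {8: "echo-request", 0: "echo-reply"}
    return [names.get(a["sport"], "type-%d" % a["sport"]) for a in alerts if a["proto"] == "ICMP"]
```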