Difference between revisions of "HowTo Setup Suricata - A Simple Live Configuration"
From NST Wiki
Line 4: | Line 4: | ||
== Configuration - Rule File == | == Configuration - Rule File == | ||
− | We will create a simple rule file for ICMP detection in directory: "/opt" with a file name: "icmp.rules". | + | We will create a simple rule file for ICMP detection in directory: "/opt" with a file name: "icmp.rules". Documentation for setting up suricata rules can be found: [https://docs.suricata.io/en/latest/rules/index.html here]. |
[root@probe tmp]# cat /opt/icmp.rules | [root@probe tmp]# cat /opt/icmp.rules | ||
alert ip any any <> any any (msg: "ICMP Ping"; ip_proto: icmp; sid: 1000001;) | alert ip any any <> any any (msg: "ICMP Ping"; ip_proto: icmp; sid: 1000001;) |
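Review bot: the added sentence links the rules documentation with the bare link text "here" after a colon, which reads awkwardly and loses the link entirely in plain-text rendering; use a descriptive link text instead, e.g. `Documentation for writing Suricata rules: [https://docs.suricata.io/en/latest/rules/index.html Suricata Rules documentation]`. Worth stating in the same sentence that the unchanged rule `alert ip any any <> any any (msg: "ICMP Ping"; ip_proto: icmp; sid: 1000001;)` fires on every ICMP packet (echo replies, destination unreachable, time exceeded, and so on), not only on pings, so the msg "ICMP Ping" understates what it detects.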
Revision as of 12:11, 24 April 2024
Overview
Suricata is a multi-threaded intrusion detection/prevention engine. This page shows how to configure Suricata to run in "pcap live mode" and generate alerts using a simple ICMP Ping rule.
Configuration - Rule File
We will create a simple rule file for ICMP detection in the directory "/opt" with the file name "icmp.rules". Documentation for writing Suricata rules can be found at https://docs.suricata.io/en/latest/rules/index.html.
[root@probe tmp]# cat /opt/icmp.rules
alert ip any any <> any any (msg: "ICMP Ping"; ip_proto: icmp; sid: 1000001;)
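As an added example (not part of the NST wiki page), the whole workflow in a POSIX shell: write the rule file, validate it and start Suricata in pcap live mode with only this rule loaded, then count the matching alerts in fast.log. The interface eth0, the config path /etc/suricata/suricata.yaml and the log directory /tmp/suricata-icmp are assumed placeholders, and the fast.log excerpt is constructed so the counting step can be checked offline.

```shell
#!/bin/sh
# Added example, not from the NST wiki page. Assumed placeholders: interface eth0,
# config /etc/suricata/suricata.yaml, log directory /tmp/suricata-icmp.

# The page's rule: matches every IP packet whose protocol is ICMP.
RULE='alert ip any any <> any any (msg: "ICMP Ping"; ip_proto: icmp; sid: 1000001;)'

# Write the rule file; the path is a parameter so /opt is not required for the check below.
write_rule() {
    printf '%s\n' "$RULE" > "$1"
}

# Count fast.log lines for one signature; Suricata prints the id as [gid:sid:rev].
count_sid_alerts() {
    grep -c "\[1:$2:[0-9]*\]" "$1"
}

# Constructed fast.log excerpt (not a real capture): two hits on sid 1000001 and one
# on an unrelated sid, so the count can be checked offline.
sample_fast_log() {
    cat <<'EOF'
04/24/2024-12:11:05.000001  [**] [1:1000001:0] ICMP Ping [**] [Classification: (null)] [Priority: 3] {ICMP} 192.0.2.10:8 -> 192.0.2.1:0
04/24/2024-12:11:05.000412  [**] [1:1000001:0] ICMP Ping [**] [Classification: (null)] [Priority: 3] {ICMP} 192.0.2.1:0 -> 192.0.2.10:0
04/24/2024-12:11:06.000007  [**] [1:2000001:1] Other rule [**] [Classification: (null)] [Priority: 3] {TCP} 192.0.2.10:44321 -> 192.0.2.1:22
EOF
}

# Live run (needs root and a Suricata install; not executed by the offline check):
# -T validates config plus rule file, -S loads only our rule, -i captures on the
# interface in pcap live mode, -l sets the log directory, -D daemonizes.
run_live() {
    iface=${1:-eth0}; logdir=${2:-/tmp/suricata-icmp}
    mkdir -p "$logdir"
    write_rule /opt/icmp.rules
    suricata -T -c /etc/suricata/suricata.yaml -S /opt/icmp.rules || return 1
    suricata -c /etc/suricata/suricata.yaml -S /opt/icmp.rules -i "$iface" -l "$logdir" -D
    echo "ping this probe from another host, then run:"
    echo "  count_sid_alerts $logdir/fast.log 1000001"
}

# Offline self-check against the constructed sample (no Suricata needed); prints 2.
tmp=$(mktemp -d)
sample_fast_log > "$tmp/fast.log"
echo "alerts for sid 1000001 in sample: $(count_sid_alerts "$tmp/fast.log" 1000001)"
rm -rf "$tmp"
```

Call `run_live` from a root shell on the probe to start the live capture; the offline part at the bottom runs anywhere.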