Difference between revisions of "HowTo Setup Suricata - A Simple Live Configuration"
From NST Wiki
Jump to navigationJump to search (→Configuration - Rule File) |
(→Configuration - Rule File) |
||
| Line 8: | Line 8: | ||
[root@probe tmp]# cat /opt/icmp.rules | [root@probe tmp]# cat /opt/icmp.rules | ||
alert ip any any <> any any (msg: "ICMP Ping"; ip_proto: icmp; sid: 1000001;) | alert ip any any <> any any (msg: "ICMP Ping"; ip_proto: icmp; sid: 1000001;) | ||
| + | |||
| + | == Configuration - Suricata == | ||
| + | One needs to add the location of the ICMP rules file to the suricata configuration file: "/etc/suricata.yaml". This is done in the "'''rule-files'''" section. | ||
| + | |||
| + | Before: | ||
| + | rule-files: | ||
| + | - suricata.rules | ||
| + | |||
| + | After: | ||
| + | rule-files: | ||
| + | - suricata.rules | ||
| + | - /opt/icmp.rules | ||
Revision as of 12:17, 24 April 2024
Overview
Suricata is a multi-threaded intrusion detection/prevention engine. This page shows one how to configure suricata to "run in pcap live mode" for creating alerts with an ICMP Ping rule.
Configuration - Rule File
We will create a simple rule file for ICMP detection in directory: "/opt" with a file name: "icmp.rules". Documentation for setting up suricata rules can be found: here.
[root@probe tmp]# cat /opt/icmp.rules alert ip any any <> any any (msg: "ICMP Ping"; ip_proto: icmp; sid: 1000001;)
Configuration - Suricata
One needs to add the location of the ICMP rules file to the suricata configuration file: "/etc/suricata.yaml". This is done in the "rule-files" section.
Before:
rule-files: - suricata.rules
After:
rule-files: - suricata.rules - /opt/icmp.rules
