Suricata is a high-performance network IDS, IPS and network security monitoring engine. It is open source and owned by a community-run non-profit foundation, the Open Information Security Foundation (OISF).
Highly scalable: Suricata is multi-threaded; you can run one instance and it will balance the processing load across all available processors on a sensor.
Protocol identification: the most common protocols are automatically recognised by Suricata as the stream starts, which lets rule writers write a rule for the protocol rather than for the expected port.
File identification: Suricata can identify file types; should you decide to investigate further, you can tag files for extraction and the file will be written to disk.
[root]# yum install libpcap libpcap-devel libnet libnet-devel pcre pcre-devel gcc gcc-c++ automake autoconf libtool make libyaml libyaml-devel zlib zlib-devel file-devel
Source: http://www.openinfosecfoundation.org/download/suricata-2.0.9.tar.gz
[root]# ./configure
[root]# make
[root]# make install-full
Default install into /usr/local/…
Config changes:
suricata.yaml:
  - unified2-alert:
      enabled: no
  - stats:
      enabled: no
  - http-log:
      enabled: no
  - file:
      enabled: yes
      filename: /var/log/suricata.log
  # - decoder-events.rules
Testing:
[root]# suricata -c /usr/local/etc/suricata/suricata.yaml -i eth0 --init-errors-fatal
5/11/2015 -- 15:31:55 - <Notice> - This is Suricata version 2.0.9 RELEASE
Production:
[root]# suricata -D -c /usr/local/etc/suricata/suricata.yaml -i eth0
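Once the engine log is written to /var/log/suricata.log (the file output enabled above), the quickest way to confirm a daemonised start went cleanly is to parse that log rather than watch the console. The following Python script is an added example, not code from the page or from the Suricata project: it parses lines in the format shown in the test run above (day/month/year timestamp, `<Level>`, message), counts messages per level, pulls out the version banner and reports whether startup succeeded. The level names other than `<Notice>` (`<Warning>`, `<Error>`) and the non-banner log messages are constructed sample values for the demonstration.

```python
import re
from collections import Counter
from datetime import datetime

# Engine-log line format as shown on the page:
#   5/11/2015 -- 15:31:55 - <Notice> - This is Suricata version 2.0.9 RELEASE
LINE_RE = re.compile(
    r"^(?P<date>\d{1,2}/\d{1,2}/\d{4}) -- (?P<time>\d{2}:\d{2}:\d{2}) - "
    r"<(?P<level>\w+)> - (?P<msg>.*)$"
)
VERSION_RE = re.compile(r"This is Suricata version (\S+)")

# Constructed sample logs (only the first line of each is taken from the page).
GOOD_LOG = """\
5/11/2015 -- 15:31:55 - <Notice> - This is Suricata version 2.0.9 RELEASE
5/11/2015 -- 15:31:55 - <Warning> - constructed sample: rule file decoder-events.rules not loaded
5/11/2015 -- 15:31:57 - <Notice> - constructed sample: engine started
this line is deliberately malformed and must be counted as unparsed
"""

BAD_LOG = """\
5/11/2015 -- 15:32:09 - <Notice> - This is Suricata version 2.0.9 RELEASE
5/11/2015 -- 15:32:10 - <Error> - constructed sample: unable to open interface eth0
"""


def parse_line(line):
    """Return {'ts', 'level', 'msg'} for one engine-log line, or None if it
    does not match the expected format. Timestamps are day/month/year
    (assumed here to be Suricata's convention for this log)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["date"] + " " + m["time"], "%d/%m/%Y %H:%M:%S")
    return {"ts": ts, "level": m["level"], "msg": m["msg"]}


def summarize(lines):
    """Aggregate a log: per-level counts, unparsed-line count, the version
    from the startup banner (if seen), and every Error-level message."""
    levels = Counter()
    unparsed = 0
    version = None
    errors = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        levels[rec["level"]] += 1
        vm = VERSION_RE.search(rec["msg"])
        if vm:
            version = vm.group(1)
        if rec["level"] == "Error":
            errors.append(rec["msg"])
    return {
        "levels": dict(levels),
        "unparsed": unparsed,
        "version": version,
        "errors": errors,
    }


def startup_ok(lines):
    """Startup is considered clean when the version banner was logged and
    no Error-level message appeared."""
    s = summarize(lines)
    return s["version"] is not None and not s["errors"]


if __name__ == "__main__":
    # Usage on a live sensor: summarize(open("/var/log/suricata.log"))
    for name, log in (("good", GOOD_LOG), ("bad", BAD_LOG)):
        s = summarize(log.splitlines())
        print(name, "startup_ok=%s" % startup_ok(log.splitlines()), s)
```

The Warning in the sample is worth a look but does not fail the check; only `<Error>` lines do, because Suricata started with `--init-errors-fatal` during testing will already have refused to run on fatal configuration problems, so anything that reaches the daemonised log at Error level is what an operator needs to act on.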
Source: http://suricata-ids.org/
Source: https://danielmiessler.com/blog/building-ids-centos-using-suricata/