Nov 052015

suricataSuricata is a high performance Network IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF).

Highly Scalable: Suricata is multi threaded, you can run one instance and it will balance the processing load of across all available processors on a sensor.

Protocol Identification: The most common protocols are automatically recognised by Suricata as the stream starts, this allows rule writers to write a rule to the protocol, not to the port expected.

File Identification: Suricata can identify file types, should you decide you want to investigate further you can tag files for extraction and the file will be written to disk.

[root]# yum install libpcap libpcap-devel libnet libnet-devel pcre pcre-devel gcc gcc-c++ automake autoconf libtool make libyaml libyaml-devel zlib zlib-devel file-devel


[root]# ./configure
[root]# make
[root]# make install-full

Default install into /usr/local/…

Config changes:

[root]# suricata.yaml:

 - unified2-alert:
     enabled: no

 - stats:
     enabled: no

 - http-log:
     enabled: no

 - file:
     enabled: yes
     filename: /var/log/suricata.log

 # - decoder-events.rules


[root]# suricata -c /usr/local/etc/suricata/suricata.yaml -i eth0 --init-errors-fatal
5/11/2015 -- 15:31:55 - <Notice> - This is Suricata version 2.0.9 RELEASE


[root]# suricata -D -c /usr/local/etc/suricata/suricata.yaml -i eth0


© 2011 Indimon Internet Services

Site last updated April 23, 2022 @ 10:45 am

Return to Top ▲Return to Top ▲