Suricata Basic Install

Description:

I call this one a basic install because that’s all it really is. I haven’t configured anything as of yet – an IDS comes with lots of learning!

To Resolve:

1. Clone my base CentOS image, give it a static IP, and set its hostname (`sudo hostnamectl set-hostname ids`).

2. Type:

```bash
su

yum install epel-release

yum -y install gcc libpcap-devel pcre-devel libyaml-devel file-devel \
    zlib-devel jansson-devel nss-devel libcap-ng-devel libnet-devel tar make \
    libnetfilter_queue-devel lua-devel

wget http://www.openinfosecfoundation.org/download/suricata-3.1.tar.gz

tar -xvzf suricata-3.1.tar.gz

cd suricata-3.1

./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var --enable-nfqueue --enable-lua

make

make install

ldconfig # not sure if needed

make install-full
```
3. Now set it up:

```bash
vi /etc/suricata/suricata.yaml

# set HOME_NET (under vars: address-groups) to your home network IP range, save and exit.
```

4. Test it by running it on your NIC:

```bash
sudo suricata -c /etc/suricata/suricata.yaml -i enp0s3 --init-errors-fatal
```
5. To see if it is working:

```bash
cd /var/log/suricata

tail -f http.log

tail -fn 50 stats.log
```

NOTE: Mine had some errors about “tls-events.rules” so I went back to the /etc/suricata/suricata.yaml and found that line and commented it out. Started seeing logs. That’s about as far as I got for now…
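
As an added example (not from the original post), here is a small Python script that reads the last dump in `stats.log`, the file tailed above, and flags whether the sensor is actually capturing and how many packets the kernel dropped. It assumes the Suricata 3.x `stats.log` layout (`counter | TM Name | value`, one `Total` row per counter) and uses a constructed sample log rather than a real one:

```python
import re
from typing import Dict

# Constructed sample of a Suricata 3.x stats.log with two dumps; the
# "counter | TM Name | value" layout is what `tail -f stats.log` shows.
SAMPLE_STATS_LOG = """\
------------------------------------------------------------------------------------
Date: 7/1/2016 -- 10:00:00 (uptime: 0d, 00h 00m 30s)
------------------------------------------------------------------------------------
Counter                                    | TM Name                   | Value
------------------------------------------------------------------------------------
capture.kernel_packets                     | Total                     | 1000
capture.kernel_drops                       | Total                     | 0
detect.alert                               | Total                     | 2
------------------------------------------------------------------------------------
Date: 7/1/2016 -- 10:00:38 (uptime: 0d, 00h 01m 08s)
------------------------------------------------------------------------------------
Counter                                    | TM Name                   | Value
------------------------------------------------------------------------------------
capture.kernel_packets                     | Total                     | 5000
capture.kernel_drops                       | Total                     | 250
detect.alert                               | Total                     | 7
"""

COUNTER_RE = re.compile(r"^(\S+)\s*\|\s*(\S+)\s*\|\s*(\d+)\s*$")

def parse_last_interval(text: str) -> Dict[str, int]:
    """Return {counter: value} for the most recent 'Date:' dump only (values are cumulative)."""
    counters: Dict[str, int] = {}
    for line in text.splitlines():
        if line.startswith("Date:"):
            counters = {}          # a new dump starts: discard the older one
            continue
        m = COUNTER_RE.match(line)
        if m and m.group(2) == "Total":
            counters[m.group(1)] = int(m.group(3))
    return counters

def health(counters: Dict[str, int], max_drop_pct: float = 1.0) -> Dict[str, object]:
    """Summarise capture health; 'ok' means packets are flowing and drops stay under the threshold."""
    pkts = counters.get("capture.kernel_packets", 0)
    drops = counters.get("capture.kernel_drops", 0)
    drop_pct = 100.0 * drops / pkts if pkts else 0.0
    return {
        "packets": pkts,
        "drop_pct": round(drop_pct, 2),
        "alerts": counters.get("detect.alert", 0),
        "ok": pkts > 0 and drop_pct <= max_drop_pct,
    }
```

Run it against `/var/log/suricata/stats.log` with `health(parse_last_interval(open(path).read()))`; a zero packet count means the wrong interface was given to `-i`, and a rising drop percentage means the box cannot keep up with the traffic.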

Next task: Find a GUI front end as this is the server piece. Also need to tweak for my network.