I call this one a basic install because that’s all it really is. I haven’t configured anything as of yet – an IDS comes with lots of learning!
1a. Clone my base CentOS image, give it a static IP, and set its hostname (sudo hostnamectl set-hostname ids)
su yum install epel-release yum -y install gcc libpcap-devel pcre-devel libyaml-devel file-devel \ zlib-devel jansson-devel nss-devel libcap-ng-devel libnet-devel tar make \ libnetfilter_queue-devel lua-devel wget http://www.openinfosecfoundation.org/download/suricata-3.1.tar.gz tar -xvzf suricata-3.1.tar.gz cd suricata-3.1 ./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var --enable-nfqueue --enable-lua make make install ldconfig # not sure if needed make install-full
- Now set it up:
vi /etc/suricata/suricata.yaml # set home network ip, save and exit.
4. Test it by running it on your NIC:
sudo suricata -c /etc/suricata/suricata.yaml -i enp0s3 --init-errors-fatal
- To see if it is working:
cd /var/log/suricata tail -f http.log tail -fn 50 stats.log
NOTE: Mine had some errors about “tls-events.rules” so I went back to the /etc/suricata/suricata.yaml and found that line and commented it out. Started seeing logs. That’s about as far as I got for now…
Next task: Find a GUI front end as this is the server piece. Also need to tweak for my network.