Differences between revisions 3 and 4
Revision 3 as of 2016-10-17 10:33:06
Size: 4133
Comment: typo
Revision 4 as of 2016-10-17 14:28:46
Size: 4133
Comment: typo

Introduction

Suricata is a free and open source, mature, fast and robust network threat detection engine. The Suricata engine is capable of real time intrusion detection (IDS), inline intrusion prevention (IPS), network security monitoring (NSM) and offline pcap processing. Suricata can act as a high-level content firewall.

Suricata inspects network traffic using a powerful and extensive rules and signature language, and has strong Lua scripting support for detecting complex threats. With standard input and output formats like YAML and JSON, integration with tools such as existing SIEMs, Splunk, Logstash/Elasticsearch, Kibana and other databases becomes effortless.

Debian & Suricata

The suricata software is well integrated into Debian.

Installing the deb package from the official Debian repository gives you a suricata installation that is ready for use.

Versions

Currently, suricata packages are updated very quickly after the upstream release.

You can check the following links yourself for up-to-date information about suricata versions:

Due to the nature of the suricata software, which in some ways can be compared with anti-virus software, regular updates are required for it to stay useful.

Installation

To use the most up-to-date version of suricata in Debian, you need to either:

  • run Debian Stable with backports enabled (currently jessie and jessie-backports), or
  • run Debian Testing (currently stretch)

In the case of stable backports, run:

root@debian:~# aptitude install suricata -t jessie-backports

In the case of Debian testing, run:

root@debian:~# aptitude install suricata -t testing

The aptitude software will take care of installing dependencies, and will also install some additional recommended software, like suricata-oinkmaster and snort-rules-default.

Some interesting paths related to suricata:

/etc/suricata/
/etc/suricata/suricata.yaml
/etc/suricata/rules/
/etc/logrotate.d/suricata
/etc/default/suricata
/etc/init.d/suricata
/var/log/suricata/
/lib/systemd/system/suricata.service

You should now have two manpages installed as well:

  • suricata(8)
  • suricatasc(1)

Configuration

By default in Debian, suricata is configured to run as follows:

  • AF_PACKET capturing mode
  • listening on the eth0 interface
  • a very basic set of rules

If that configuration matches your environment and requirements, congratulations: your suricata installation is already capturing packets and writing output to several files under /var/log/suricata.

In Debian, suricata can run out of the box with systemd and sysvinit.

To adapt suricata to your environment, the following steps are recommended:

  • Edit the /etc/suricata/suricata.yaml file (the main suricata config file).

  • If running systemd, change the service file with systemctl edit suricata.service.

  • If running sysvinit, tune /etc/default/suricata.

suricata & oinkmaster in Debian

One of the main benefits of running suricata on Debian is the integration with oinkmaster, which eases the administrator's life by updating the Emerging Threats ruleset daily.

To benefit from this integration, you need the suricata-oinkmaster package. If it is not installed already, install it with aptitude.

Some files to take into account regarding suricata-oinkmaster:

/etc/cron.daily/suricata-oinkmaster
/etc/suricata/suricata-oinkmaster.conf
/usr/sbin/suricata-oinkmaster-updater

The /etc/suricata/suricata-oinkmaster.conf file is an oinkmaster configuration file which simply instructs oinkmaster to update the Emerging Threats ruleset. After the ruleset update, suricata reloads the ruleset.

All of this happens automagically by means of the suricata-oinkmaster-updater script, which you can of course run at any moment apart from the daily cron job.
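As an added example that is not part of this wiki page or of the suricata-oinkmaster package, the following POSIX shell check can be run on a rules directory after the updater has fetched a new ruleset and before suricata reloads it: it counts the active rules and reports SIDs that appear more than once, which suricata flags as duplicate signatures at load time. The directory argument and the sample rules are constructed for the demonstration; on Debian the real directory would be /etc/suricata/rules.

```shell
#!/bin/sh
# Added example, not the page's or the package's own code: sanity-check a
# Suricata rules directory after a ruleset update. The directory path is a
# parameter (assumed to be /etc/suricata/rules on Debian).

# Print "<sid> <file>" for every active (uncommented) rule in a directory.
active_sids() {
    dir=$1
    for f in "$dir"/*.rules; do
        [ -f "$f" ] || continue
        # Skip commented-out rules, then pull the numeric 'sid:NNN;' option.
        grep -v '^[[:space:]]*#' "$f" \
          | sed -n 's/.*[[:space:]]sid:[[:space:]]*\([0-9]*\);.*/\1/p' \
          | awk -v file="$f" '{ print $1, file }'
    done
}

# Number of active rules in a directory.
count_active() {
    active_sids "$1" | wc -l | tr -d ' '
}

# Print SIDs used by more than one active rule; return 1 if any were found.
duplicate_sids() {
    dups=$(active_sids "$1" | awk '{ print $1 }' | sort | uniq -d)
    [ -z "$dups" ] && return 0
    printf '%s\n' "$dups"
    return 1
}

# Constructed sample ruleset (not real Emerging Threats rules) with one
# disabled rule and one SID collision between two files.
make_sample() {
    d=$(mktemp -d)
    cat >"$d/emerging-sample.rules" <<'EOF'
alert tcp any any -> any 80 (msg:"SAMPLE http probe"; flow:to_server; sid:1000001; rev:1;)
# alert tcp any any -> any 22 (msg:"SAMPLE disabled rule"; sid:1000002; rev:1;)
alert dns any any -> any 53 (msg:"SAMPLE dns lookup"; sid:1000003; rev:2;)
EOF
    cat >"$d/local.rules" <<'EOF'
alert tcp any any -> any 443 (msg:"SAMPLE local tls"; sid:1000003; rev:1;)
EOF
    printf '%s' "$d"
}

# Stand-alone run: report the count, then list duplicates (exit 1 if any).
sample_dir=$(make_sample)
echo "active rules: $(count_active "$sample_dir")"
duplicate_sids "$sample_dir" && echo "no duplicate sids"
```

A non-zero exit from duplicate_sids is the cue to fix the colliding rule before letting suricata reload.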


CategorySystemSecurity