Introduction
Suricata is a free and open source, mature, fast and robust network threat detection engine. The Suricata engine is capable of real time intrusion detection (IDS), inline intrusion prevention (IPS), network security monitoring (NSM) and offline pcap processing. Suricata can act as a high-level content firewall.
Suricata inspects the network traffic using a powerful and extensive rules and signature language, and has powerful Lua scripting support for detection of complex threats. With standard input and output formats like YAML and JSON, integration with existing SIEMs, Splunk, Logstash/Elasticsearch, Kibana and other databases becomes effortless.
Debian & Suricata
The suricata software is well integrated into Debian.
Installing the deb package from the official Debian repository will give you a suricata ready for use.
Versions
Currently, suricata packages are updated very quickly after the upstream release.
Check the following links for up-to-date information about the versions of suricata:
Upstream: https://suricata-ids.org/download/
Debian package tracker: https://tracker.debian.org/pkg/suricata
Due to the nature of the suricata software, which in some ways can be compared with anti-virus software, regular updates are required in order to stay useful.
Installation
To use the most up-to-date version of suricata in Debian, you need to either:
- run Debian Stable with backports enabled (currently jessie and jessie-backports)
- run Debian Testing (currently stretch)
In the case of stable backports, run:
root@debian:~# aptitude install suricata -t jessie-backports
In the case of debian testing, run:
root@debian:~# aptitude install suricata -t testing
The aptitude software will take care of installing dependencies, and will install some additional recommended software, such as suricata-oinkmaster and snort-rules-default.
Some interesting paths related to suricata:
- /etc/suricata/
- /etc/suricata/suricata.yaml
- /etc/suricata/rules/
- /etc/logrotate.d/suricata
- /etc/default/suricata
- /etc/init.d/suricata
- /var/log/suricata/
- /lib/systemd/system/suricata.service
You should now have two manpages installed as well:
- suricata(8)
- suricatasc(1)
Configuration
By default in Debian, suricata is configured to run this way:
- AF_PACKET capturing mode
- listening on the eth0 interface
- a very basic set of rules
If that configuration matches your environment and requirements, congrats, your suricata installation is already capturing packets and producing output to several files at /var/log/suricata.
In Debian, suricata can run out of the box with systemd and sysvinit.
The following steps are recommended in order to adapt suricata to your environment:
- Edit the /etc/suricata/suricata.yaml file (the main suricata config file).
- If running systemd, change the service file with systemctl edit suricata.service.
- If running sysvinit, tune /etc/default/suricata.
suricata & oinkmaster in Debian
One of the main benefits of running suricata with Debian is the integration with oinkmaster, which eases the administrator's life by updating the Emerging Threats ruleset daily.
To benefit from this integration, you need a package called suricata-oinkmaster. If this package is not installed already, install it with aptitude.
Some files to take into account regarding suricata-oinkmaster:
- /etc/cron.daily/suricata-oinkmaster
- /etc/suricata/suricata-oinkmaster.conf
- /usr/sbin/suricata-oinkmaster-updater
The /etc/suricata/suricata-oinkmaster.conf file is an oinkmaster configuration file which simply instructs it to update the Emerging Threats ruleset. After the ruleset update, suricata will reload the ruleset.
All of this happens automatically by means of the suricata-oinkmaster-updater script, which of course you can run at any moment apart from the daily cron.
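A post-install check that ties together the package paths listed under Installation and the suricata-oinkmaster files above, as an added example (not part of this wiki page nor of Debian's suricata packaging). The ROOT prefix argument and the use of /run/systemd/system as the marker for a running systemd are assumptions of this script:

```shell
#!/bin/sh
# Added example, not Debian packaging: sanity-check the paths the page lists
# for suricata and suricata-oinkmaster. ROOT is an assumption of this script:
# "" or "/" checks the live system, any other prefix checks a staging tree
# (a chroot, or a constructed test directory).

SURICATA_PATHS="/etc/suricata/suricata.yaml /etc/suricata/rules \
/etc/logrotate.d/suricata /etc/default/suricata /etc/init.d/suricata \
/var/log/suricata /lib/systemd/system/suricata.service"
OINKMASTER_PATHS="/etc/cron.daily/suricata-oinkmaster \
/etc/suricata/suricata-oinkmaster.conf /usr/sbin/suricata-oinkmaster-updater"

# check_paths ROOT PATH... : print each missing path; return the number missing.
check_paths() {
    root="${1%/}"; shift
    missing=0
    for p in "$@"; do
        if [ ! -e "${root}${p}" ]; then
            echo "missing: ${root}${p}"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# init_system ROOT : "systemd" if /run/systemd/system exists (assumed marker
# of a running systemd), otherwise "sysvinit".
init_system() {
    if [ -d "${1%/}/run/systemd/system" ]; then echo systemd; else echo sysvinit; fi
}

# recent_logs ROOT : files under /var/log/suricata written in the last 24h,
# i.e. evidence that suricata is capturing and producing output.
recent_logs() {
    find "${1%/}/var/log/suricata" -type f -mmin -1440 2>/dev/null | wc -l | tr -d ' '
}

# suricata_layout_check ROOT : report on both packages; return 1 if anything is missing.
suricata_layout_check() {
    root="${1:-}"
    rc=0
    check_paths "$root" $SURICATA_PATHS   || { echo "suricata: $? path(s) missing"; rc=1; }
    check_paths "$root" $OINKMASTER_PATHS || { echo "suricata-oinkmaster: $? path(s) missing"; rc=1; }
    echo "init: $(init_system "$root") (tune the unit with systemctl edit, or /etc/default/suricata)"
    echo "log files written in the last 24h: $(recent_logs "$root")"
    return "$rc"
}

# Check the live system with: sh suricata-check.sh /
[ "$#" -gt 0 ] && suricata_layout_check "$1"
```

Run it after installing from jessie-backports or testing; a missing /etc/cron.daily/suricata-oinkmaster means the daily Emerging Threats update described above is not in place.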