Suricata
Intrusion Detection and Prevention System (IDS/IPS)
Introduction
Suricata is a high-performance open-source tool for intrusion detection (IDS), intrusion prevention (IPS), and network security monitoring (NSM). It uses rule-based detection and protocol analysis to identify threats in real time.
Features
- Multi-Threaded Architecture: Optimized for high-speed networks.
- Protocol Analysis: Deep inspection of HTTP, TLS, DNS, and other protocols.
- Signature-Based Detection: Customizable rules for threat identification.
- File Extraction: Extract files from network traffic for analysis.
- Integration: Works with SIEM tools like Elasticsearch and Splunk.
- IPv6 and TLS Support: Monitors modern network protocols.
Installation
- Open a terminal.
- Install Suricata using:
sudo pacman -S suricata
Install Verification
Test the configuration file syntax:
suricata -T -c /etc/suricata/suricata.yaml
Uninstall
sudo pacman -R suricata
Usage
Run Suricata in IDS Mode
sudo suricata -c /etc/suricata/suricata.yaml -i eth0
Analyze a PCAP File Offline
suricata -c /etc/suricata/suricata.yaml -r capture.pcap
Monitor Real-Time Alerts
tail -f /var/log/suricata/fast.log
Update Detection Rules
sudo suricata-update
Configuration
Main Configuration File
/etc/suricata/suricata.yaml
Rule Directories
- Default rules:
/var/lib/suricata/rules/
- Custom rules: Add .rules files to this directory and reload Suricata.
Example: Enable Community Rules
- Edit suricata.yaml:
nano /etc/suricata/suricata.yaml
- Uncomment or add rule sources (e.g., community.rules).
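The custom-rule and rule-enabling steps above, as an added shell example that is not part of this page or of the Suricata project: it writes a constructed local.rules file into the rules directory, lints each rule for the action, direction operator and sid/rev options that every Suricata rule needs, then runs the suricata -T check from this page and asks the running engine to reload its rules. The rule contents, the helper names (write_local_rules, lint_rules, validate_and_reload) and the RULES_DIR/CONFIG variables are assumptions made for this example; the paths are the ones given on this page.

```shell
#!/bin/sh
# Added example (not Suricata's own code): create, lint, validate and reload
# a custom rule file. Paths default to the ones documented on this page.

RULES_DIR="${RULES_DIR:-/var/lib/suricata/rules}"   # default rules directory
CONFIG="${CONFIG:-/etc/suricata/suricata.yaml}"     # main configuration file

# write_local_rules FILE: write two constructed example rules to FILE.
# sid values from 1000000 upward are the range conventionally used for
# locally written rules, so they never collide with vendor rulesets.
write_local_rules() {
    cat > "$1" <<'EOF'
# local.rules - constructed example rules for this page
alert icmp any any -> $HOME_NET any (msg:"LOCAL ICMP echo request to internal host"; itype:8; sid:1000001; rev:1;)
alert http any any -> $HOME_NET any (msg:"LOCAL HTTP request with scanner user agent"; http.user_agent; content:"sqlmap"; nocase; sid:1000002; rev:1;)
EOF
}

# lint_rules FILE: cheap structural check before handing the file to Suricata.
# Every non-comment, non-empty line must start with a known action, contain a
# direction operator, and carry both sid: and rev:. Prints the number of
# lines that fail (0 means the file passed).
lint_rules() {
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*) continue ;;                      # blank line or comment
        esac
        case "$line" in
            alert\ *|drop\ *|pass\ *|reject\ *) ;;    # recognised rule action
            *) bad=$((bad + 1)); continue ;;
        esac
        case "$line" in
            *'->'*|*'<>'*) ;;                         # direction operator present
            *) bad=$((bad + 1)); continue ;;
        esac
        case "$line" in
            *'sid:'*'rev:'*) ;;                       # sid and rev both present
            *) bad=$((bad + 1)) ;;
        esac
    done < "$1"
    echo "$bad"
}

# validate_and_reload: run the configuration/rule test from this page, then
# ask the running engine to re-read its rules. Skipped when suricata is not
# installed, so the helper is safe to call on a workstation.
validate_and_reload() {
    if ! command -v suricata >/dev/null 2>&1; then
        echo "suricata not installed; skipping validation and reload" >&2
        return 0
    fi
    suricata -T -c "$CONFIG" || return 1
    # suricatasc talks to the unix-command socket of the running instance;
    # SIGUSR2 is the documented fallback that also triggers a rule reload.
    if command -v suricatasc >/dev/null 2>&1; then
        suricatasc -c reload-rules
    else
        pkill -USR2 -x suricata
    fi
}

# Typical use (requires root for the system paths):
#   write_local_rules "$RULES_DIR/local.rules"
#   [ "$(lint_rules "$RULES_DIR/local.rules")" -eq 0 ] && validate_and_reload
```

Suricata only loads the files listed under rule-files: in suricata.yaml (or those merged into suricata.rules by suricata-update), so a new file in the rules directory also needs an entry there before the reload picks it up. suricatasc requires the unix-command socket to be enabled in the configuration; when the client is missing the script falls back to SIGUSR2, which the engine also treats as a rule-reload request.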
Official Documentation & More Info
Contributing
- Report issues or contribute code via GitHub.
- Follow the contribution guidelines.
Support
- Join the Suricata Community Forum.
- Ask questions on GitHub Discussions.
License
Suricata is released under the GPLv2 License.