Suricata Documentation

Intro in suricata

Uploaded by benoit.ponjee

1. Environment Setup
 Install Suricata on a virtual machine. Ensure the system has all necessary dependencies installed (e.g., libpcap, libnet, etc.).
o sudo apt update
o sudo apt install suricata
 The necessary dependencies are installed automatically.

2. Initial Configuration
 Configure the Suricata YAML file (/etc/suricata/suricata.yaml).
o sudo nano /etc/suricata/suricata.yaml
 Set up network interfaces for live traffic capture.
o Locate the “af-packet” section and set “interface” to the correct one (in this case “eth1”).
o Change the setting accordingly.
 Configure logging to output to both JSON and EVE (for later analysis).
o Locate the “outputs” section and configure it accordingly for a basic setup.
o Save and close when done.
 Update the rule set:
o sudo suricata-update
 Restart Suricata to apply the changes:
o sudo systemctl restart suricata

3. Basic Testing
 Start Suricata in live mode and ensure it is capturing traffic.
 Generate some network traffic and verify it is being logged by Suricata.
 Use tools like curl, ping, and nmap to generate various types of traffic.
 Install evebox to get a dashboard view of the JSON file:
o sudo apt-get install wget gnupg apt-transport-https
o wget -qO - https://evebox.org/files/GPG-KEY-evebox | sudo apt-key add -
o echo "deb http://evebox.org/files/debian unstable main" | sudo tee /etc/apt/sources.list.d/evebox-unstable.list
o sudo apt-get update
o sudo apt-get install evebox
 Run evebox; this opens a web browser showing the data:
o evebox oneshot /var/log/suricata/eve.json
 Analyze/detect the generated traffic:
o Curl:
o Ping: in evebox, this event is not visible (extra configuration might help). However, in the eve.json log we can track the ping request.
o Nmap:
o Ssh:

4. Creating Custom Rules


 Create at least 5 custom Suricata rules that detect specific types of network behavior (e.g., detecting SSH login attempts, HTTP requests to a specific URI, suspicious DNS queries).
 Test these rules by generating the appropriate network traffic and ensure they trigger correctly.
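To check that the custom rules actually trigger on the generated traffic, this added example (not part of the original document) parses the SIDs out of a local.rules file and counts the matching alert events in eve.json, reporting which rules fired and which never did. The five rules, the SIDs 1000001 to 1000005 and the eve.json excerpt are constructed for the lab; the EVE field names follow Suricata's alert record format.

```python
"""Added example: check which custom Suricata rules fired by matching local.rules SIDs against eve.json alerts."""
import json
import re
from collections import Counter

# Constructed local.rules: one rule per kind of traffic generated in the lab (SIDs 1000001+ are the local range).
LOCAL_RULES = r'''
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"LAB SSH connection attempt"; flow:to_server,established; threshold:type limit, track by_src, count 1, seconds 60; classtype:attempted-recon; sid:1000001; rev:1;)
alert http any any -> $HOME_NET any (msg:"LAB HTTP request to /admin"; flow:to_server; http.uri; content:"/admin"; startswith; sid:1000002; rev:1;)
alert dns any any -> any any (msg:"LAB suspicious DNS query for .xyz TLD"; dns.query; content:".xyz"; endswith; nocase; sid:1000003; rev:1;)
alert icmp any any -> $HOME_NET any (msg:"LAB ICMP echo request"; itype:8; sid:1000004; rev:1;)
alert tcp any any -> $HOME_NET any (msg:"LAB possible port scan"; flags:S,12; threshold:type threshold, track by_src, count 20, seconds 10; classtype:attempted-recon; sid:1000005; rev:1;)
'''
# Constructed eve.json excerpt (EVE alert records; the flow event is not an alert and must be skipped).
EVE_SAMPLE = r'''
{"timestamp":"2024-01-01T10:00:00.000000+0000","event_type":"alert","src_ip":"10.0.0.5","src_port":51000,"dest_ip":"10.0.0.10","dest_port":22,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":1000001,"rev":1,"signature":"LAB SSH connection attempt","category":"Attempted Information Leak","severity":2}}
{"timestamp":"2024-01-01T10:00:01.000000+0000","event_type":"flow","src_ip":"10.0.0.5","dest_ip":"10.0.0.10","proto":"ICMP"}
{"timestamp":"2024-01-01T10:00:02.000000+0000","event_type":"alert","src_ip":"10.0.0.5","src_port":51002,"dest_ip":"10.0.0.10","dest_port":80,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":1000002,"rev":1,"signature":"LAB HTTP request to /admin","category":"","severity":3},"http":{"hostname":"10.0.0.10","url":"/admin","http_method":"GET"}}
{"timestamp":"2024-01-01T10:00:03.000000+0000","event_type":"alert","src_ip":"10.0.0.5","src_port":51004,"dest_ip":"10.0.0.10","dest_port":80,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":1000002,"rev":1,"signature":"LAB HTTP request to /admin","category":"","severity":3}}
{"timestamp":"2024-01-01T10:00:04.000000+0000","event_type":"alert","src_ip":"10.0.0.5","src_port":51005,"dest_ip":"10.0.0.10","dest_port":443,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2999999,"rev":1,"signature":"CONSTRUCTED downloaded ruleset hit","category":"","severity":3}}
'''
RULE_RE = re.compile(r'msg:\s*"([^"]*)".*sid:\s*(\d+)\s*;')

def parse_rule_sids(rules_text):
    """Map sid -> msg for every active rule line; comments and blank lines are skipped."""
    sids = {}
    for line in rules_text.splitlines():
        m = RULE_RE.search(line)
        if m and not line.lstrip().startswith("#"):
            sids[int(m.group(2))] = m.group(1)
    return sids

def count_alerts(eve_text):
    """Count alert events per signature_id; other event types (flow, dns, http, ...) are ignored."""
    counts = Counter()
    for line in eve_text.splitlines():
        try:
            ev = json.loads(line) if line.strip() else None
        except json.JSONDecodeError:
            continue  # a half-written last line in a live eve.json is normal
        if ev and ev.get("event_type") == "alert":
            counts[ev["alert"]["signature_id"]] += 1
    return counts

def rule_coverage(rules_text, eve_text):
    """Return (fired, silent): alert counts for custom SIDs that triggered, and the SIDs that never did."""
    sids, counts = parse_rule_sids(rules_text), count_alerts(eve_text)
    fired = {sid: counts[sid] for sid in sids if sid in counts}
    silent = sorted(sid for sid in sids if sid not in counts)
    return fired, silent
```

For the real lab, pass the contents of your own rules file and of /var/log/suricata/eve.json to rule_coverage; any SID listed as silent still needs matching traffic generated (or the rule corrected) before the deliverables are collected.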

5. Deliverables
 A screenshot of the Suricata configuration file.
 A zip file with logs showing Suricata successfully capturing and logging traffic.
 A brief report (3 pages) on the setup, initial findings, and issues encountered.
