Scribd Logo
Upload

Welcome to Scribd!

  • Suricata Documentation

    Uploaded by

    benoit.ponjee
    2 views5 pages
    Intro in suricata

    Original Title

    Suricata documentation

    Copyright

    © © All Rights Reserved

    Available Formats

    DOCX, PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    Intro in suricata

    Copyright:

    © All Rights Reserved
    Download as DOCX, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    Download as docx, pdf, or txt
    2 views5 pages

    Suricata Documentation

    Uploaded by

    benoit.ponjee
    Intro in suricata

    Copyright:

    © All Rights Reserved
    Download as DOCX, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    Download as docx, pdf, or txt
    of 5

    Suricata documentation

    1. Environment Setup
     Install Suricata on a virtual machine. -Ensure the system has all necessary
    dependencies installed (e.g., libpcap, libnet, etc.).
    o Sudo apt update
    o Sudo apt install suricata:
     Necessary dependencies will be installed automatically:

    2. Initial Configuration
     Configure the Suricata YAML file (/etc/suricata/suricata.yaml).
    o sudo nano /etc/suricata/suricata.yaml
     Set up network interfaces for live traffic capture.
    o Locate “af-packet” section and replace “interface” with correct one
    (in this case “eth1”)
    o Change setting like below:

     Configure logging to output to both JSON and EVE (for later analysis).
    o Locate “ouput” section and configure accordingly for basic setup:
    o Save and close when done
     Sudo suricata-update
    o Restart Suricata to apply changes:
     Sudo systemctl restart suricata
    Regular

    3. Basic Testing
     Start Suricata in live mode and ensure it is capturing traffic.
     Generate some network traffic and verify it is being logged by Suricata.
     Use tools like curl, ping, and nmap to generate various types of traffic.

     Install evebox for getting dashboard view of json file:


    o sudo apt-get install wget gnupg apt-transport-https
    wget -qO - https://evebox.org/files/GPG-KEY-evebox | sudo apt-key add -
    echo "deb http://evebox.org/files/debian unstable main" | sudo tee
    /etc/apt/sources.list.d/evebox-unstable.list
    sudo apt-get update
    sudo apt-get install evebox
     run evebox, this will open a webbrowser with data:
    o evebox oneshot /var/log/suricata/eve.json:
     Analyze/detect the generated traffic:
    o Curl:

    o Ping:
    In evebox, this event is not visible (extra configuration might help).
    However in the eve.json log, we can track the ping request

    o Nmap:
    o Ssh:

    4. Creating Custom Rules


     Create at least 5 custom Suricata rules that detect specific types of network behavior
    (e.g., detecting SSH login attempts, HTTP requests to a specific URI, suspicious DNS
    queries).
     Test these rules by generating the appropriate network traffic and ensure they trigger
    correctly.

    5. Deliverables
     A screenshot of the Suricata configuration file.
     Zip file with Logs showing Suricata successfully capturing and logging traffic.
     A brief report (3 pages) on setup, initial findings, issues encountered.

    You might also like