Suricata Documentation
1. Environment Setup
- Install Suricata on a virtual machine.
- Ensure the system has all necessary dependencies installed (e.g., libpcap, libnet, etc.).
  o sudo apt update
  o sudo apt install suricata
  The necessary dependencies are installed automatically by the package manager.
2. Initial Configuration
- Configure the Suricata YAML file (/etc/suricata/suricata.yaml).
  o sudo nano /etc/suricata/suricata.yaml
- Set up network interfaces for live traffic capture.
  o Locate the "af-packet" section and replace the "interface" value with the correct one (in this case "eth1").
  o Change the setting accordingly.
- Configure logging to output to both JSON and EVE (for later analysis).
  o Locate the "outputs" section and configure it accordingly for a basic setup (eve-log with filetype "regular").
  o Save and close when done.
- Update the rule set:
  o sudo suricata-update
- Restart Suricata to apply the changes:
  o sudo systemctl restart suricata
3. Basic Testing
- Start Suricata in live mode and ensure it is capturing traffic.
- Generate some network traffic and verify it is being logged by Suricata.
- Use tools like curl, ping, and nmap to generate various types of traffic.
  o Ping: in EveBox this event is not visible (extra configuration might help); in the eve.json log, however, the ping request can be tracked.
  o Nmap
  o SSH
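To check the eve.json log for the ping, nmap and SSH traffic from the testing step without relying on screenshots, here is an added Python script. It is not part of the lab handout and not Suricata's own tooling; it reads EVE records (one JSON object per line) and summarises them by event type, counts ICMP echo-request flows (the ping), flags a source that touched several distinct TCP ports (the scan), and lists SSH client banners. The embedded log lines are constructed for illustration, the signature id 9000001 is a placeholder, and the "three or more ports" scan threshold is an arbitrary choice for this lab, not a Suricata setting. It also tolerates a half-written last line, which happens when a file is read while Suricata is still appending to it.

```python
"""Summarise a Suricata eve.json to confirm generated test traffic was logged.

Added example for the lab; not from the handout or from Suricata. Field names
(event_type, proto, icmp_type, dest_port, ssh.client.software_version) are the
standard EVE names; the sample lines below are constructed, not captured.
"""
import json
import sys
from collections import Counter, defaultdict

# Constructed eve.json content. The final line is deliberately truncated to
# mimic reading the file while Suricata is still writing to it.
SAMPLE_EVE = """\
{"timestamp":"2024-01-01T12:00:00.000000+0000","event_type":"flow","src_ip":"192.168.56.10","dest_ip":"192.168.56.1","proto":"ICMP","icmp_type":8,"icmp_code":0,"flow":{"pkts_toserver":4,"pkts_toclient":4,"state":"established"}}
{"timestamp":"2024-01-01T12:00:05.000000+0000","event_type":"flow","src_ip":"192.168.56.10","dest_ip":"192.168.56.1","proto":"TCP","src_port":40001,"dest_port":22,"flow":{"pkts_toserver":1,"pkts_toclient":1,"state":"closed"}}
{"timestamp":"2024-01-01T12:00:05.000000+0000","event_type":"flow","src_ip":"192.168.56.10","dest_ip":"192.168.56.1","proto":"TCP","src_port":40002,"dest_port":80,"flow":{"pkts_toserver":1,"pkts_toclient":1,"state":"closed"}}
{"timestamp":"2024-01-01T12:00:05.000000+0000","event_type":"flow","src_ip":"192.168.56.10","dest_ip":"192.168.56.1","proto":"TCP","src_port":40003,"dest_port":443,"flow":{"pkts_toserver":1,"pkts_toclient":1,"state":"closed"}}
{"timestamp":"2024-01-01T12:00:06.000000+0000","event_type":"alert","src_ip":"192.168.56.10","dest_ip":"192.168.56.1","proto":"TCP","dest_port":80,"alert":{"action":"allowed","gid":1,"signature_id":9000001,"rev":1,"signature":"LOCAL constructed test alert","category":"Misc activity","severity":3}}
{"timestamp":"2024-01-01T12:00:10.000000+0000","event_type":"ssh","src_ip":"192.168.56.10","dest_ip":"192.168.56.1","proto":"TCP","src_port":40010,"dest_port":22,"ssh":{"client":{"proto_version":"2.0","software_version":"OpenSSH_9.2"},"server":{"proto_version":"2.0","software_version":"OpenSSH_9.2p1"}}}
{"timestamp":"2024-01-01T12:00:11.000000+0000","event_type":"flow","src_ip":"192.168.56.10","dest_i
"""

# Arbitrary lab threshold (placeholder): a source that hit this many distinct
# TCP destination ports in the sample is reported as scan-like.
SCAN_PORT_THRESHOLD = 3


def parse_eve(lines):
    """Return (records, skipped): parsed EVE objects and the count of lines
    that were blank or not valid JSON (e.g. a partially written last line)."""
    records, skipped = [], 0
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            skipped += 1
    return records, skipped


def summarise(records):
    """Build the per-check summary used to confirm each traffic generator."""
    by_type = Counter(r.get("event_type", "unknown") for r in records)

    # ping: Suricata records ICMP as flow events; icmp_type 8 is echo request.
    icmp_echo = sum(
        1 for r in records
        if r.get("event_type") == "flow"
        and r.get("proto") == "ICMP"
        and r.get("icmp_type") == 8
    )

    # nmap: one short TCP flow per probed port, all from the same source.
    ports_per_src = defaultdict(set)
    for r in records:
        if r.get("event_type") == "flow" and r.get("proto") == "TCP" and "dest_port" in r:
            ports_per_src[r["src_ip"]].add(r["dest_port"])
    scan_like = {
        src: sorted(ports) for src, ports in ports_per_src.items()
        if len(ports) >= SCAN_PORT_THRESHOLD
    }

    # ssh: the ssh event type carries the client and server banners.
    ssh_clients = sorted({
        r["ssh"]["client"].get("software_version", "?")
        for r in records if r.get("event_type") == "ssh"
    })

    alerts = [
        (r["alert"]["signature_id"], r["alert"]["signature"])
        for r in records if r.get("event_type") == "alert"
    ]
    return {
        "events_by_type": dict(by_type),
        "icmp_echo_requests": icmp_echo,
        "scan_like_sources": scan_like,
        "ssh_clients": ssh_clients,
        "alerts": alerts,
    }


def summarise_eve_text(text):
    """Parse eve.json text and return the summary plus the skipped-line count."""
    records, skipped = parse_eve(text.splitlines())
    summary = summarise(records)
    summary["skipped_lines"] = skipped
    return summary


if __name__ == "__main__":
    # Usage: python eve_summary.py /var/log/suricata/eve.json
    # Without an argument the constructed sample above is summarised.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_EVE
    for key, value in summarise_eve_text(text).items():
        print(f"{key}: {value}")
```

Run it against /var/log/suricata/eve.json after the ping, nmap and ssh runs: a non-zero icmp_echo_requests count is the evidence for the ping that EveBox does not show, the scan_like_sources entry corresponds to the nmap run, and ssh_clients confirms the SSH parser saw the banner. A non-zero skipped_lines value usually just means the file was read mid-write; re-run after Suricata has flushed.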
5. Deliverables
- A screenshot of the Suricata configuration file.
- A zip file with logs showing Suricata successfully capturing and logging traffic.
- A brief report (3 pages) on the setup, initial findings, and issues encountered.