@ -1,4 +1,4 @@
Autogenerated on 2012-01-11
Autogenerated on 2012-11-29
from - https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Basic_Setup
@ -13,52 +13,66 @@ Start with creating a directory for Suricata's log information.
To prepare the system for using it, enter:
cd /etc
Followed by:
sudo mkdir suricata
In this example the directory created is named 'suricata'. It is possible to
choose the name you prefer.
Then enter:
cd ~/suricata/oisf
sudo mkdir /etc/suricata
The next step is to copy classification.config, reference.config and
suricata.yaml from the oisf directory to the /etc/suricata directory. Do so by
entering the following:
suricata.yaml from the base build/installation directory (ex. from git it will
be the oisf directory) to the /etc/suricata directory. Do so by entering the
following:
sudo cp classification.config /etc/suricata
sudo cp reference.config /etc/suricata
sudo cp suricata.yaml /etc/suricata
Auto setup
You can also use the available auto setup features of Suricata:
ex:
./configure && make && make install-conf
make install-conf
would do the regular "make install" and then it would automatically create/
setup all the necessary directories and suricata.yaml for you.
./configure && make && make install-rules
make install-rules
would do the regular "make install" and then it would automatically download
and set up the latest ruleset from Emerging Threats available for Suricata
./configure && make && make install-full
make install-full
would combine everything mentioned above (install-conf and install-rules) - and
will present you with a ready to run (configured and set up) Suricata
Setting variables
Make sure every variable of the vars, address-groups and port-groups in the
yaml file is set correctly for your needs.
You need to set the ip-address(es) of your home network at HOME_NET.
It is recommended to set EXTERNAL_NET to !$HOMENET_NET. This way, every ip-
address but the
one set at HOME_NET will be treated as external.
It is also possible to set EXTERNAL_NET to 'any', only the recommended setting
is more precise and lowers the change that false positives will be generated.
HTTP_SERVERS, SMTP_SERVERS , SQL_SERVERS , DNS_SERVERS and TELNET_SERVERS are
by default set to HOME_NET. AIM_SERVERS is by default set at 'any'. These
variables have to be set for servers on your network.
All settings have to be set precise to let it have a more accurate effect.
yaml file is set correctly for your needs. A full explanation is available in
the Rule_vars_section_of_the_yaml. You need to set the ip-address(es) of your
local network at HOME_NET. It is recommended to set EXTERNAL_NET to !$HOME_NET.
This way, every ip-address but the one set at HOME_NET will be treated as
external. It is also possible to set EXTERNAL_NET to 'any', only the
recommended setting is more precise and lowers the change that false positives
will be generated. HTTP_SERVERS, SMTP_SERVERS , SQL_SERVERS , DNS_SERVERS and
TELNET_SERVERS are by default set to HOME_NET. AIM_SERVERS is by default set at
'any'. These variables have to be set for servers on your network. All settings
have to be set to let it have a more accurate effect.
Next, make sure the following ports are set to your needs: HTTP_PORTS,
SHELLCODE_PORTS, ORACLE_PORTS and SSH_PORTS.
In the near future you can set the host-os-policy to your needs.
Finally, set the host-os-policy to your needs. See Host_OS_Policy_in_the_yaml
for a full explanation.
windows:[]
bsd: []
bsd_right: []
old_linux: []
bsd-right: []
old-linux: []
linux: [10.0.0.0/8, 192.168.1.100, "8762:2352:6241:7245:E000:0000:0000:
0000"]
old_solaris: []
old-solaris: []
solaris: ["::1"]
hpux10: []
hpux11: []
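Review bot: in the host-os-policy list, `windows:[]` is missing the space after the colon that every neighbouring entry (`bsd: []`, `vista: []`) has; YAML only recognises `key: value` with a separating space, so this line will not load as a mapping entry and should read `windows: []`. Two wording problems also remain in the Setting variables paragraph: "lowers the change that false positives will be generated" should say "chance" (the typo carried over from the old text into the new), and the rewritten closing sentence "All settings have to be set to let it have a more accurate effect" dropped the word "precise" and no longer says how the settings should be set; suggest "All settings have to be set precisely for detection to be accurate." The EXTERNAL_NET correction from `!$HOMENET_NET` to `!$HOME_NET` is right, since no HOMENET_NET variable is defined anywhere on the page. Finally, the `make install-rules` description says it downloads the latest Emerging Threats ruleset but not from where; naming the source would help readers who need to vet what lands in their rule path.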
@ -67,6 +81,8 @@ In the near future you can set the host-os-policy to your needs.
vista: []
windows2k3: []
Note that bug #499 may prevent you from setting old-linux, bsd-right and old-
solaris right now.
Interface cards
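Review bot: the added note about bug #499 warns that old-linux, bsd-right and old-solaris may not be settable but gives the reader neither a link to the ticket nor guidance on what to do meanwhile; suggest linking the issue and stating explicitly whether those keys should be left as the empty lists shown above until it is fixed. It should also make clear which spelling the bug concerns, since this diff shows both the underscore forms (bsd_right, old_linux, old_solaris) and the hyphenated ones.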
@ -80,7 +96,8 @@ To start the engine and include the interface card of your preference, enter:
sudo suricata -c /etc/suricata/suricata.yaml -i wlan0
Instead of wlan0, you can enter the interface card of your preference.
To see if the engine is working correctly and registrates traffic, enter:
To see if the engine is working correctly and receives and inspects traffic,
enter:
cd /var/log/suricata
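Review bot: `cd /var/log/suricata` relies on a log directory that no visible step creates; the only `sudo mkdir` in this diff creates `/etc/suricata`, even though the earlier hunk's context line "Start with creating a directory for Suricata's log information" introduces those steps. Suggest either adding an explicit `sudo mkdir /var/log/suricata` before starting the engine or rewording that intro to say it creates the configuration directory. The change from "registrates traffic" to "receives and inspects traffic" is a good fix.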
@ -90,10 +107,10 @@ Followed by:
And:
tail -n 33 stats.log
tail -n 50 stats.log
To make sure the information displayed is up-dated, enter before http.log and
stats.log:
To make sure the information displayed is up-dated in real time, use the -
f option before http.log and stats.log:
tail -f http.log
tail -f http.log stats.log
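Review bot: "up-dated" in the rewritten sentence should be "updated", and "use the -f option before http.log and stats.log" reads as if -f is typed between the file names; clearer: "run tail with the -f option on http.log and stats.log, as below". The change from `tail -n 33` to `tail -n 50` is left unexplained; a half sentence on why 50 lines are needed would stop readers from adjusting the number blindly.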