Autogenerated on 2012-01-11 from https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Basic_Setup

Basic Setup

When using Debian or FreeBSD, make sure you enter all commands as root/superuser, because on these operating systems it is not possible to use 'sudo'.

Start with creating a directory for Suricata's log information:

    sudo mkdir /var/log/suricata

To prepare the system for using it, enter:

    cd /etc

Followed by:

    sudo mkdir suricata

In this example the directory created is named 'suricata'. You can choose any name you prefer. Then enter:

    cd ~/suricata/oisf

The next step is to copy classification.config, reference.config and suricata.yaml from the oisf directory to the /etc/suricata directory. Do so by entering the following:

    sudo cp classification.config /etc/suricata
    sudo cp reference.config /etc/suricata
    sudo cp suricata.yaml /etc/suricata

Setting variables

Make sure every variable in the vars, address-groups and port-groups sections of the yaml file is set correctly for your needs. You need to set the IP address(es) of your home network at HOME_NET. It is recommended to set EXTERNAL_NET to !$HOME_NET. This way, every IP address except those set at HOME_NET will be treated as external. It is also possible to set EXTERNAL_NET to 'any', but the recommended setting is more precise and lowers the chance that false positives will be generated.

HTTP_SERVERS, SMTP_SERVERS, SQL_SERVERS, DNS_SERVERS and TELNET_SERVERS are by default set to HOME_NET. AIM_SERVERS is by default set to 'any'. These variables have to be set for the servers on your network. All settings have to be set precisely for the rules to have a more accurate effect.

Next, make sure the following ports are set to your needs: HTTP_PORTS, SHELLCODE_PORTS, ORACLE_PORTS and SSH_PORTS.

In the near future you can set the host-os-policy to your needs:
    windows: []
    bsd: []
    bsd_right: []
    old_linux: []
    linux: [10.0.0.0/8, 192.168.1.100, "8762:2352:6241:7245:E000:0000:0000:0000"]
    old_solaris: []
    solaris: ["::1"]
    hpux10: []
    hpux11: []
    irix: []
    macos: []
    vista: []
    windows2k3: []

Interface cards

To check the available interface cards, enter:

    ifconfig

Now you can see which one you would like Suricata to use. To start the engine and include the interface card of your preference, enter:

    sudo suricata -c /etc/suricata/suricata.yaml -i wlan0

Instead of wlan0, you can enter the interface card of your preference. To see if the engine is working correctly and registers traffic, enter:

    cd /var/log/suricata

Followed by:

    tail http.log

And:

    tail -n 33 stats.log

To make sure the information displayed is updated continuously, use tail -f for http.log and stats.log:

    tail -f http.log
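Before starting the engine with the command above, it is worth checking that the address-group variables from the Setting variables section were actually changed, since a HOME_NET or EXTERNAL_NET left at 'any' is the usual source of noisy alerts. The script below is an added example, not part of the wiki page or the Suricata project; it assumes the stock suricata.yaml layout with one variable per line and works on constructed sample files rather than a real configuration.

```shell
#!/bin/sh
# Added example (not from the Suricata wiki page): sanity-check the address-group
# variables of a suricata.yaml before starting the engine, assuming the stock
# one-variable-per-line layout, e.g.  HOME_NET: "[10.0.0.0/8]"
# Print the unquoted value of variable $2 from the yaml file $1.
var_value() {
    sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | head -n 1 | tr -d '"'
}
# Return 0 when the variables follow the page's recommendations, 1 otherwise.
check_vars() {
    file=$1
    status=0
    home=$(var_value "$file" HOME_NET)
    ext=$(var_value "$file" EXTERNAL_NET)
    case "$home" in
        ""|any) echo "HOME_NET must list your own networks, not '$home'"; status=1 ;;
    esac
    case "$ext" in
        '!$HOME_NET') ;;   # the recommended, precise setting
        any) echo "EXTERNAL_NET is 'any'; !\$HOME_NET is more precise"; status=1 ;;
        *)   echo "EXTERNAL_NET is '$ext'; expected !\$HOME_NET"; status=1 ;;
    esac
    # The server groups default to $HOME_NET; they must at least be present.
    for v in HTTP_SERVERS SMTP_SERVERS SQL_SERVERS DNS_SERVERS TELNET_SERVERS; do
        [ -n "$(var_value "$file" "$v")" ] || { echo "$v is not set"; status=1; }
    done
    return $status
}
# Write a constructed sample vars section (not a real deployment) to file $1,
# with $2 as HOME_NET and $3 as EXTERNAL_NET.
write_sample() {
    cat > "$1" <<EOF
vars:
  address-groups:
    HOME_NET: "$2"
    EXTERNAL_NET: "$3"
    HTTP_SERVERS: "\$HOME_NET"
    SMTP_SERVERS: "\$HOME_NET"
    SQL_SERVERS: "\$HOME_NET"
    DNS_SERVERS: "\$HOME_NET"
    TELNET_SERVERS: "\$HOME_NET"
    AIM_SERVERS: any
EOF
}
good=$(mktemp); bad=$(mktemp)
write_sample "$good" '[192.168.1.0/24,10.0.0.0/8]' '!$HOME_NET'
write_sample "$bad" 'any' 'any'
check_vars "$good" && echo "$good: variables look fine"
check_vars "$bad" || echo "$bad: fix the variables before starting suricata"
```

Run it against /etc/suricata/suricata.yaml by calling check_vars on that path instead of the sample files.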