🦝Installing and Configuring Network Based IDS In Ubuntu: Suricata

Install Suricata In Ubuntu

$ sudo apt install suricata

sudo gedit /etc/suricata/suricata.yaml

In the Line no 15 Change the HOME_NET IP address subnet to your machines IP subnet
In the Line no 580 change the Interface from eth0 to your local interface name (In my case it is enp0s3)
In the Line no 661 change the Interface from eth0 to your local interface name (In my case it is enp0s3)
In the Line no 129 change the community-id from false to true
You can add custom rules after Line no 1875

$ sudo suricata-update

$ sudo ls -al /var/lib/suricata/rules/

$ sudo suricata-update list-sources

$ sudo suricata-update enable-source malsilo/win-malware

malsilo/win-malware is the name of the source. You can choose any name after running sudo suricata-update list-sources

Update suricata after enabling a new source.

$ sudo suricata -T -c /etc/suricata/suricata.yaml -v

$ sudo systemctl start suricata.service

$ ls -al /var/log/suricata

$ surl http://testmynids.org/uid/index.html

$ sudo cat /var/log/suricata/fast.log

$ sudo gedit /etc/suricata/rules/local.rules

alert icmp any any -> $HOME_NET (msg:"icmp ping"; sid:1; rev:1;)

 - /etc/suricata/rules/local.rules

sudo apt-get install jq

$ sudo tail -f /var/log/suricata/eve.json | jq 'select(.event_type=="alert")'

Last updated 1 year ago

Was this helpful?