Suricata Quick Start for Fedora 21 and 22

Fedora Linux 21 and 22 have Suricata 2.0.8 in their default repositories making it very easy to get started.  The following was done on Fedora 22, but should be applicable to Fedora 21 as well.

Install Suricata

yum install suricata

Configure Interface

By default, Suricata will be configured to run on eth0, if you need to change this, edit /etc/sysconfig/suricata and change eth0 to your desired interface.

Start Suricata

To start Suricata one time:

systemctl start suricata

To have it restarted on each boot:

systemctl enable suricata

But you’ll probably want to have it started after your network is ready. This can be done by including network-online.target in the unit file /usr/lib/systemd/system/suricata.service

[Unit]
Description=Suricata Intrusion Detection Service
After=syslog.target network-online.target

[Service]
ExecStart=/sbin/suricata -c /etc/suricata/suricata.yaml $OPTIONS
EnvironmentFile=-/etc/sysconfig/suricata

[Install]
WantedBy=multi-user.target

Verify That Suricata is Running

Even though we have not downloaded any rules yet, Suricata will still log HTTP requests, DNS requests, TLS certificates and SSH connection by default. These can be observed by monitoring /var/log/suricata/eve.log.

tail -f /var/log/suricata/eve.log

Download Some Rules

To get the most out of Suricata you will want to download some rules. The Emerging Threats Open rules are freely available and can be installed with the following commands:

cd /etc/suricata
curl http://rules.emergingthreats.net/open/suricata-2.0/emerging.rules.tar.gz | tar zxvf -
systemctl restart suricata