Suricata Quick Start for Fedora 21 and 22

Fedora Linux 21 and 22 have Suricata 2.0.8 in their default repositories, making it very easy to get started. The following was done on Fedora 22, but should be applicable to Fedora 21 as well.

Install Suricata

yum install suricata

Configure Interface

By default, Suricata will be configured to run on eth0. If you need to change this, edit /etc/sysconfig/suricata and change eth0 to your desired interface.

Start Suricata

To start Suricata one time:

systemctl start suricata

To have it restarted on each boot:

systemctl enable suricata

But you’ll probably want to have it started after your network is ready. This can be done by including network-online.target in the unit file /usr/lib/systemd/system/suricata.service

[Unit]
Description=Suricata Intrusion Detection Service
# After= only orders Suricata behind network-online.target; Wants= makes sure
# that target is actually activated, otherwise the ordering has no effect.
Wants=network-online.target
After=syslog.target network-online.target

[Service]
# $OPTIONS (the interface, e.g. -i eth0) comes from /etc/sysconfig/suricata;
# the leading "-" means a missing file is not an error.
ExecStart=/sbin/suricata -c /etc/suricata/suricata.yaml $OPTIONS
EnvironmentFile=-/etc/sysconfig/suricata

[Install]
WantedBy=multi-user.target

Verify That Suricata is Running

Even though we have not downloaded any rules yet, Suricata will still log HTTP requests, DNS requests, TLS certificates and SSH connections by default. These can be observed by monitoring /var/log/suricata/eve.log.

tail -f /var/log/suricata/eve.log
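Tailing the file shows raw JSON; the following small parser is an added example (not part of the original post) that reads EVE records from that log, counts them per event_type and pulls out alert summaries. It assumes the standard EVE JSON field names (event_type, src_ip, dest_ip, alert.signature_id, alert.signature); the sample records embedded below are constructed, including the local signature id 9000001.

```python
import json
from collections import Counter

# Constructed sample of EVE JSON lines, one record per line, in the shape
# Suricata writes to eve.log. The last line imitates a half-written record
# that a reader can hit while tailing a live file.
SAMPLE_EVE = """\
{"timestamp":"2015-06-01T12:00:00.000001","event_type":"http","src_ip":"10.0.0.5","dest_ip":"93.184.216.34","http":{"hostname":"example.com","url":"/","http_method":"GET"}}
{"timestamp":"2015-06-01T12:00:01.000002","event_type":"dns","src_ip":"10.0.0.5","dest_ip":"10.0.0.1","dns":{"type":"query","rrname":"example.com","rrtype":"A"}}
{"timestamp":"2015-06-01T12:00:02.000003","event_type":"tls","src_ip":"10.0.0.5","dest_ip":"93.184.216.34","tls":{"subject":"CN=example.com","issuerdn":"CN=Example CA"}}
{"timestamp":"2015-06-01T12:00:03.000004","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"198.51.100.7","alert":{"signature_id":9000001,"rev":1,"signature":"LOCAL constructed test rule","category":"Misc activity","severity":3}}
{"timestamp":"2015-06-01T12:00:04.0
"""


def parse_eve(text):
    """Yield decoded EVE records, skipping blank or truncated lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except ValueError:
            # Partial line (e.g. still being written): ignore rather than crash.
            continue


def summarize(text):
    """Return (event_type counts, list of (sid, signature, src_ip, dest_ip))."""
    counts = Counter()
    alerts = []
    for rec in parse_eve(text):
        etype = rec.get("event_type", "unknown")
        counts[etype] += 1
        if etype == "alert":
            a = rec["alert"]
            alerts.append((a["signature_id"], a["signature"], rec["src_ip"], rec["dest_ip"]))
    return counts, alerts


if __name__ == "__main__":
    # Run against the real log with: summarize(open("/var/log/suricata/eve.log").read())
    counts, alerts = summarize(SAMPLE_EVE)
    for etype, n in sorted(counts.items()):
        print("%-8s %d" % (etype, n))
    for sid, sig, src, dst in alerts:
        print("alert sid=%d %s %s -> %s" % (sid, sig, src, dst))
```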

Download Some Rules

To get the most out of Suricata you will want to download some rules. The Emerging Threats Open rules are freely available and can be installed with the following commands:

cd /etc/suricata
curl http://rules.emergingthreats.net/open/suricata-2.0/emerging.rules.tar.gz | tar zxvf -
systemctl restart suricata