Difference between revisions of "Suricata"

From ArchWiki

Revision as of 02:16, 12 August 2013


From the project home page:

Suricata is a high performance Network IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF and its supporting vendors.


Installation

Install the suricata package from the AUR.

Configuration

The main configuration file is /etc/suricata/suricata.yaml.

Change the following settings in that file so that Suricata can start:

  default-log-dir: /var/log/suricata/     # where you want to store log files
  classification-file: /etc/suricata/classification.config
  reference-config-file: /etc/suricata/reference.config
  HOME_NET: "[10.0.0.0/8]"                # your local network
  host-os-policy:   ..                    # according to the OS running the IPS
  magic-file: /usr/share/file/misc/magic.mgc
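As an added example (not part of the wiki page or the Suricata project), a small POSIX sh pre-flight script that verifies the settings above before the daemon is started: every referenced file must exist, the log directory must be writable, and HOME_NET must be a bracketed network list. The function names `yaml_value` and `check_suricata_conf` are chosen here, and the script assumes the keys appear as plain `key: value` lines (any indentation) as in the snippet above.

```shell
# Pre-flight check for the settings listed above. Assumes "key: value" lines at
# any indentation, as in the snippet; nested YAML and host-os-policy are not handled.

# Value of the first "key: value" line, minus quotes and trailing "# comment";
# returns 1 when the key is absent or empty.  $1 = config file, $2 = key
yaml_value() {
    sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" \
        | sed 's/[[:space:]]*#.*//; s/[[:space:]]*$//; s/^"//; s/"$//' | head -n 1 | grep .
}

# Print one line per problem and return 1 if any was found.  $1 = config file
check_suricata_conf() {
    cfg=$1; rc=0
    for key in classification-file reference-config-file magic-file; do
        path=$(yaml_value "$cfg" "$key") || { echo "$key: not set"; rc=1; continue; }
        [ -f "$path" ] || { echo "$key: $path does not exist"; rc=1; }
    done
    if ! logdir=$(yaml_value "$cfg" default-log-dir); then
        echo "default-log-dir: not set"; rc=1
    elif [ ! -d "$logdir" ] || [ ! -w "$logdir" ]; then
        echo "default-log-dir: $logdir is not a writable directory"; rc=1
    fi
    homenet=$(yaml_value "$cfg" HOME_NET) || homenet=""
    case $homenet in
        \[*\]) ;;                      # bracketed list, e.g. [10.0.0.0/8]
        *) echo "HOME_NET: '$homenet' is not a bracketed network list"; rc=1 ;;
    esac
    return $rc
}

# Demo on a constructed config in a temp dir (not a real suricata.yaml):
# passes when all files exist, fails once the magic file is removed.
demo() {
    d=$(mktemp -d); mkdir -p "$d/log"; ok=0; bad=0
    for f in classification.config reference.config magic.mgc; do : > "$d/$f"; done
    cat > "$d/suricata.yaml" <<EOF
  default-log-dir: $d/log/            # where you want to store log files
  classification-file: $d/classification.config
  reference-config-file: $d/reference.config
  HOME_NET: "[10.0.0.0/8]"            # your local network
  magic-file: $d/magic.mgc
EOF
    check_suricata_conf "$d/suricata.yaml" || ok=$?
    rm -f "$d/magic.mgc"
    check_suricata_conf "$d/suricata.yaml" || bad=$?
    rm -rf "$d"
    echo "complete config: $ok, magic file missing: $bad"
    [ "$ok" -eq 0 ] && [ "$bad" -eq 1 ]
}
```

Run `check_suricata_conf /etc/suricata/suricata.yaml` as the user the service will run as, so the writability test on the log directory is meaningful.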

Web interface

You may use Snorby (https://snorby.org/) as a web interface.

Starting Suricata

Manual startup

You can start it manually with:

  # /usr/bin/suricata -c /etc/suricata/suricata.yaml -i eth0

Systemd service configuration

To start suricata automatically at system boot, enable suricata@<interface>.service.

For example, if the network interface is eth0, the service name is suricata@eth0.service.


Tip: If the service file is not yet included in the AUR package, you can find it here: http://pastebin.archlinux.fr/468715. Place this file at /usr/lib/systemd/system/suricata@.service.