Configuration Steps
1. Rules Configuration
Suricata ships with a default ruleset, and you can add custom rules by listing their locations in the configuration file. For instance:
The default rule path is /var/lib/suricata/rules (list it with sudo ls -al /var/lib/suricata/rules).
That default rule path is already set in the configuration file (/etc/suricata/suricata.yaml), so any rule file listed there by name alone is looked up in that directory.
Suppose you created a custom rule file named local.rules and stored it in /var/lib/suricata/rules. In that case you can simply add local.rules to the rule-files list in the configuration file.
If you stored a custom rule file in some other directory, give its complete path in the rule-files list instead.
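The rule-files section the steps above refer to, as an added example rather than the post's own configuration excerpt. The path /etc/suricata/custom/custom.rules is an assumed location used only to show the absolute-path case:

```yaml
# Excerpt of /etc/suricata/suricata.yaml (added example, not from the post).
# Files listed by name only are resolved under default-rule-path; anything
# stored elsewhere needs its full path.
default-rule-path: /var/lib/suricata/rules

rule-files:
  - suricata.rules                        # merged ruleset written by suricata-update
  - local.rules                           # /var/lib/suricata/rules/local.rules
  - /etc/suricata/custom/custom.rules     # assumed path: rule file kept outside the default directory
```

Keep your own rules out of suricata.rules: suricata-update rewrites that file on every run, so anything you put there is lost. After editing the list, run sudo suricata -T -c /etc/suricata/suricata.yaml -v so a missing file or a bad rule is reported before you restart the service.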
2. Update rules if needed:
sudo suricata-update
3. Adding Custom Sources(rules)
sudo suricata-update list-sources
A few sources require a subscription, but where the license column says Open, Non-commercial or MIT you can enable the source with the commands below (the second command rebuilds suricata.rules with the new source included):
sudo suricata-update enable-source <name_of_source>
sudo suricata-update
4. Testing Configuration file to make sure everything is working fine:
sudo suricata -T -c /etc/suricata/suricata.yaml -v
5. Running Suricata:
sudo systemctl start suricata.service
Now check that Suricata is running and that detection works:
1. Initiating a Test
For testing, send traffic that you know matches one of the rules you have loaded, then check the alert log:
2. Checking Logs
Review the alert log:
sudo cat /var/log/suricata/fast.log
That completes the basic Suricata configuration.
Suricata also writes its logs in JSON format (eve.json), providing rich and detailed information about network events and alerts. Reading this file directly with standard commands is hard on the eyes because every record is a single JSON object on one line. To address this, we can use the 'jq' command-line tool to process and filter the records, making them much easier to read.
Viewing Suricata's 'eve.json' Log File:
1. Installing 'jq' Utility
Ensure 'jq' is installed for processing JSON logs:
sudo apt-get install jq
2. Displaying Latest Alerts
Using 'tail' to follow 'eve.json' and 'jq' to keep only a specific event type (e.g., 'alert'). Each line of eve.json is a top-level object with its own event_type field, so the filter is applied to the record itself:
sudo tail -f /var/log/suricata/eve.json | jq 'select(.event_type == "alert")'
JSON logs provide crucial details such as timestamps, source/destination IPs, ports, protocols, and the action taken.
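To show what the alert records in eve.json actually contain, and how to reduce them to the fields above (timestamp, source/destination, protocol, signature and action) for both the detection check in step 5 and the jq filtering just described, here is an added Python example. It is not code from the post or from the Suricata project. The log lines embedded in it are constructed for the example: the field names follow Suricata's EVE output, but the addresses, signature names and SIDs are made up, and the last line is deliberately truncated to mimic a record read while Suricata was still writing it.

```python
import json
import sys
from collections import Counter

# Constructed eve.json sample (one JSON object per line). The flow and dns
# records show why a plain "cat" is noisy; the final line is intentionally
# cut short to exercise the malformed-line handling below.
SAMPLE_EVE = """
{"timestamp":"2024-01-15T10:00:01.000000+0000","flow_id":1,"event_type":"flow","src_ip":"10.0.0.5","src_port":51000,"dest_ip":"10.0.0.1","dest_port":53,"proto":"UDP"}
{"timestamp":"2024-01-15T10:00:02.000000+0000","flow_id":2,"event_type":"dns","src_ip":"10.0.0.5","src_port":51001,"dest_ip":"10.0.0.1","dest_port":53,"proto":"UDP","dns":{"type":"query","rrname":"example.com"}}
{"timestamp":"2024-01-15T10:00:03.000000+0000","flow_id":3,"event_type":"alert","src_ip":"203.0.113.9","src_port":80,"dest_ip":"10.0.0.5","dest_port":40000,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":1000001,"rev":1,"signature":"LOCAL example rule (constructed)","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2024-01-15T10:00:04.000000+0000","flow_id":4,"event_type":"alert","src_ip":"203.0.113.9","src_port":80,"dest_ip":"10.0.0.6","dest_port":40001,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":1000001,"rev":1,"signature":"LOCAL example rule (constructed)","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2024-01-15T10:00:05.000000+0000","flow_id":5,"event_type":"alert","src_ip":"10.0.0.5","src_port":40002,"dest_ip":"198.51.100.7","dest_port":443,"proto":"TCP","alert":{"action":"blocked","gid":1,"signature_id":1000002,"rev":1,"signature":"LOCAL second rule (constructed)","category":"Misc activity","severity":3}}
{"timestamp":"2024-01-15T10:00:06.000000+0000","flow_id":6,"event_type":"al
"""


def parse_eve(text):
    """Yield one dict per well-formed line; skip blank and truncated lines."""
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            # Happens when a line is read before Suricata finished writing it.
            print(f"skipping malformed line {lineno}", file=sys.stderr)


def alerts(text):
    """Return only the records with event_type == "alert" (what the jq filter keeps)."""
    return [ev for ev in parse_eve(text) if ev.get("event_type") == "alert"]


def summarize(ev):
    """Reduce one alert record to the fields an analyst looks at first."""
    a = ev.get("alert", {})
    return {
        "timestamp": ev.get("timestamp"),
        "src": f"{ev.get('src_ip')}:{ev.get('src_port')}",
        "dest": f"{ev.get('dest_ip')}:{ev.get('dest_port')}",
        "proto": ev.get("proto"),
        "sid": a.get("signature_id"),
        "signature": a.get("signature"),
        "action": a.get("action"),      # "allowed" (IDS) or "blocked" (IPS drop)
        "severity": a.get("severity"),
    }


def count_by_signature(text):
    """Count alerts per (sid, signature): a quick check that a test rule fired."""
    return Counter((s["sid"], s["signature"]) for s in map(summarize, alerts(text)))


if __name__ == "__main__":
    # Usage: python3 eve_alerts.py [/var/log/suricata/eve.json]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_EVE
    for a in alerts(text):
        print(json.dumps(summarize(a)))
    for (sid, sig), n in count_by_signature(text).most_common():
        print(f"{n:5d}  sid={sid}  {sig}")
```

The jq equivalent of summarize() for live use is sudo tail -f /var/log/suricata/eve.json | jq 'select(.event_type == "alert") | {timestamp, src_ip, dest_ip, proto, signature: .alert.signature, action: .alert.action}'. The script's per-signature count is the quickest way to confirm step 5: after sending your test traffic, the SID of the rule you expect should appear with a non-zero count.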
With that, Suricata configuration and setup are done. If you want, you can integrate Suricata with Wazuh, which allows comprehensive event correlation and enhanced security monitoring.
Akash Patel