Suricata

From ArchWiki


From the project home page:

Suricata is a high performance Network IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community-run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF and its supporting vendors.

Installation

Install the suricata package from the AUR.

Configuration

The main configuration file is /etc/suricata/suricata.yaml.

At a minimum, adjust the following settings so that Suricata can start and write its logs:

  default-log-dir: /var/log/suricata/     # where you want to store log files
  classification-file: /etc/suricata/classification.config
  reference-config-file: /etc/suricata/reference.config
  HOME_NET: "[10.0.0.0/8]"                # your local network
  host-os-policy:   ..                    # the OS of the hosts whose traffic is inspected
  magic-file: /usr/share/file/misc/magic.mgc
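To check these settings before starting the engine, here is an added Python example (not from the ArchWiki page or the Suricata project) that scans suricata.yaml for the keys listed above and reports anything missing, unreadable or malformed. It assumes one `key: value` per line and does not do a full YAML parse.

```python
# Added example, not Suricata's own code; a simple line scan, not a full YAML parser.
import ipaddress
import os
import re

FILE_KEYS = ("classification-file", "reference-config-file", "magic-file")
_KV = re.compile(r'^\s*([A-Za-z_-]+):\s*"?([^"#]*?)"?\s*(?:#.*)?$')

def parse_settings(text):
    """Return {key: value} for `key: value` lines; first occurrence wins, quotes and comments dropped."""
    settings = {}
    for line in text.splitlines():
        m = _KV.match(line)
        if m and m.group(2) and m.group(1) not in settings:
            settings[m.group(1)] = m.group(2).strip()
    return settings

def check_home_net(value):
    """HOME_NET must be a bracketed list of CIDR ranges, e.g. "[10.0.0.0/8]"."""
    if not (value.startswith("[") and value.endswith("]")):
        return ["HOME_NET is not a bracketed list: %r" % value]
    problems = []
    for item in value[1:-1].split(","):
        item = item.strip().lstrip("!")  # "!10.0.0.0/8" negates a range
        try:
            ipaddress.ip_network(item, strict=False)
        except ValueError:
            problems.append("HOME_NET entry is not a CIDR range: %r" % item)
    return problems

def check_config(text, exists=os.path.exists, writable=lambda p: os.access(p, os.W_OK)):
    """Return a list of problems; an empty list means every setting listed above checks out."""
    s, problems = parse_settings(text), []
    log_dir = s.get("default-log-dir")
    if log_dir is None:
        problems.append("default-log-dir is not set")
    elif not exists(log_dir):
        problems.append("default-log-dir does not exist: %s" % log_dir)
    elif not writable(log_dir):
        problems.append("default-log-dir is not writable: %s" % log_dir)
    for key in FILE_KEYS:
        if key not in s:
            problems.append("%s is not set" % key)
        elif not exists(s[key]):
            problems.append("%s points to a missing file: %s" % (key, s[key]))
    if "HOME_NET" not in s:
        problems.append("HOME_NET is not set")
    else:
        problems.extend(check_home_net(s["HOME_NET"]))
    return problems
```

Run `check_config(open("/etc/suricata/suricata.yaml").read())` as the user Suricata will run as, so the writability check on default-log-dir reflects the real permissions.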

Web interface

You may use Snorby as a web interface.

Starting Suricata

Manual startup

You may start Suricata manually with:

  # /usr/bin/suricata -c /etc/suricata/suricata.yaml -i eth0

systemd service configuration

To start Suricata automatically at system boot, enable suricata.service.

Tip: If the service unit is not yet installed by the PKGBUILD from the AUR, you can find it in the official repository. Place this file at /usr/lib/systemd/system/suricata.service.