Suricata is a high-performance network IDS (Intrusion Detection System), IPS and network security monitoring engine developed by the OISF. It is a cross-platform open source application owned by the Open Information Security Foundation (OISF), a non-profit community foundation.
It relies on an externally developed set of rules to monitor network traffic and alert the system administrator when suspicious events occur. Designed to be compatible with existing network security components, it offers unified output functionality and pluggable library options so that other applications can call into it. As a multi-threaded engine, it offers increased speed and efficiency in network traffic analysis.
Today it is at version 4.0, with improvements in intrusion detection capabilities, support for more protocols and options, and an improved TCP flow engine and IDS.
How to install Suricata on Ubuntu?
As mentioned, it supports different operating systems and Ubuntu is no exception: there is an official repository we can add in order to install it on our system. Just type the following commands:
sudo add-apt-repository ppa:oisf/suricata-stable
sudo apt-get update
sudo apt-get install suricata
If you are on Ubuntu 16.04 or run into dependency problems, the following command resolves it:
sudo apt-get install libpcre3-dbg libpcre3-dev autoconf automake libtool libpcap-dev libnet1-dev libyaml-dev zlib1g-dev libcap-ng-dev libmagic-dev libjansson-dev libjansson4
Once installation is done, it is recommended to disable any offloading features on the NIC that Suricata is listening on.
You can disable LRO/GRO on the eth0 network interface with the following command:
sudo ethtool -K eth0 gro off lro off
Suricata supports a number of run modes. We can see the list of all run modes with the following command:
sudo /usr/bin/suricata --list-runmodes
The default run mode is autofp, which stands for "automatic fixed flow load balancing". In this mode, packets from each flow are assigned to a single detection thread. Flows are assigned to the thread with the lowest number of unprocessed packets.
Now we can start Suricata in pcap live mode with the following command:
sudo /usr/bin/suricata -c /etc/suricata/suricata.yaml -i ens160 --init-errors-fatal
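As an added example (not part of the original post), a small POSIX shell pre-flight that parses `ethtool -k` output to confirm GRO and LRO are off on the capture interface and only then prints the launch command above; the ethtool output below is a constructed sample, and the function names are my own.

```shell
#!/bin/sh
# Constructed sample of `ethtool -k <iface>` output. In real use, replace it
# with "$(ethtool -k "$IFACE")". Feature names are the ones ethtool prints.
SAMPLE_ETHTOOL_BEFORE='Features for eth0:
rx-checksumming: on
generic-receive-offload: on
large-receive-offload: off [fixed]'

SAMPLE_ETHTOOL_AFTER='Features for eth0:
rx-checksumming: on
generic-receive-offload: off
large-receive-offload: off [fixed]'

# offload_state FEATURE ETHTOOL_OUTPUT -> prints "on" or "off" for one feature.
offload_state() {
    printf '%s\n' "$2" | awk -v f="$1:" '$1 == f { print $2; exit }'
}

# offload_disabled ETHTOOL_OUTPUT -> succeeds only if both GRO and LRO are off.
offload_disabled() {
    [ "$(offload_state generic-receive-offload "$1")" = "off" ] &&
    [ "$(offload_state large-receive-offload "$1")" = "off" ]
}

# suricata_cmd IFACE -> the pcap live mode launch command from the post.
suricata_cmd() {
    printf 'sudo /usr/bin/suricata -c /etc/suricata/suricata.yaml -i %s --init-errors-fatal\n' "$1"
}

# preflight IFACE ETHTOOL_OUTPUT -> prints the next command to run:
# the launch command if offloading is already off, otherwise the ethtool fix.
preflight() {
    if offload_disabled "$2"; then
        suricata_cmd "$1"
    else
        printf 'sudo ethtool -K %s gro off lro off\n' "$1"
    fi
}
```

Run `preflight ens160 "$(ethtool -k ens160)"` to check a live interface before starting Suricata.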
If you want to know a little more about the options Suricata offers, I leave you this link where you can read everything about this amazing software.
Elizabeth Aristizabal Gomez
I always wanted to go far in life.
And then how do I see what it detects?