{"id":22748005,"url":"https://github.com/githubfoam/suricata-sandbox","last_synced_at":"2026-01-07T08:48:39.169Z","repository":{"id":113756231,"uuid":"226318414","full_name":"githubfoam/suricata-sandbox","owner":"githubfoam","description":"network security monitoring NIDS HIDS CTI DFIR ","archived":false,"fork":false,"pushed_at":"2019-12-07T14:38:30.000Z","size":53,"stargazers_count":1,"open_issues_count":2,"forks_count":0,"subscribers_count":1,"default_branch":"master","last_synced_at":"2025-02-05T07:49:38.803Z","etag":null,"topics":["artificial-intelligence","cyber-threat-intelligence","digital-forensic-readiness","digital-forensics-incident-response","hids","host-based","network-based","network-security-monitoring","nids"],"latest_commit_sha":null,"homepage":"","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/githubfoam.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2019-12-06T11:48:18.000Z","updated_at":"2020-11-14T01:06:17.000Z","dependencies_parsed_at":null,"dependency_job_id":"0f88a992-7d4a-4dd2-b3ed-334af2a6bc6a","html_url":"https://github.com/githubfoam/suricata-sandbox","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/githubfoam%2Fsuricata-sandbox","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/githubfoam%2Fsuricata-sandbox/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/githubfoam%2Fsuricata-sandbox/releases","manifests_u
rl":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/githubfoam%2Fsuricata-sandbox/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/githubfoam","download_url":"https://codeload.github.com/githubfoam/suricata-sandbox/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":246281216,"owners_count":20752207,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["artificial-intelligence","cyber-threat-intelligence","digital-forensic-readiness","digital-forensics-incident-response","hids","host-based","network-based","network-security-monitoring","nids"],"created_at":"2024-12-11T03:18:59.844Z","updated_at":"2026-01-07T08:48:39.139Z","avatar_url":"https://github.com/githubfoam.png","language":null,"readme":"# suricata-sandbox\nubuntu-19.04 / Debian GNU/Linux 10 (buster)\n~~~\ncd /tmp/suricata-5.0.0/\nsudo make install-full\n\nerror: rules not installed as suricata-update not available\nmake[1]: *** [Makefile:937: install-rules] Error 1\nmake[1]: Leaving directory '/tmp/suricata-5.0.0'\nmake: *** [Makefile:918: install-full] Error 2\n\n~~~\ncentos-7.7\n~~~\n[vagrant@vg-suricata-04 ~]$ sudo LD_LIBRARY_PATH=/usr/lib /usr/bin/suricata-update\n[vagrant@vg-suricata-04 ~]$ sudo LD_LIBRARY_PATH=/usr/lib /usr/bin/suricata-update update-sources\n7/12/2019 -- 12:23:13 - \u003cInfo\u003e -- Using data-directory /var/lib/suricata.\n7/12/2019 -- 12:23:13 - \u003cInfo\u003e -- Using Suricata configuration /etc/suricata/suricata.yaml\n7/12/2019 -- 12:23:13 - \u003cInfo\u003e -- Using 
/usr/share/suricata/rules for Suricata provided rules.\n7/12/2019 -- 12:23:13 - \u003cInfo\u003e -- Found Suricata version 5.0.0 at /usr/bin/suricata.\n7/12/2019 -- 12:23:13 - \u003cInfo\u003e -- Downloading https://www.openinfosecfoundation.org/rules/index.yaml\n7/12/2019 -- 12:23:15 - \u003cInfo\u003e -- Saved /var/lib/suricata/update/cache/index.yaml\n[vagrant@vg-suricata-04 ~]$ sudo ethtool -K eth1 tso off\n[vagrant@vg-suricata-04 ~]$ sudo ethtool -K eth1 tx off\n[vagrant@vg-suricata-04 ~]$ sudo ethtool -K eth1 gro off\n\n[vagrant@vg-suricata-04 ~]$ sudo LD_LIBRARY_PATH=/usr/lib /usr/bin/suricata -D -c /etc/suricata/suricata.yaml -i eth1\n7/12/2019 -- 12:24:20 - \u003cNotice\u003e - This is Suricata version 5.0.0 RELEASE running in SYSTEM mode\n[vagrant@vg-suricata-04 ~]$\n\n# smoketesting\nvagrant@vg-suricata-03:~$ sudo hping3 -S -p 80 --flood --rand-source vg-suricata-04\n\n\n# monitoring\nvagrant@vg-suricata-01:~$ sudo tail -f /var/log/suricata/fast.log\nvagrant@vg-suricata-01:/var/log/suricata$ cd /var/log/suricata \u0026\u0026 tail -f http.log stats.log\n\n\n~~~\nubuntu-16.04\n~~~\nvagrant@vg-suricata-01:~$ sudo suricata-update\nvagrant@vg-suricata-01:~$ sudo suricata-update update-sources\nvagrant@vg-suricata-01:~$ sudo ethtool -K eth1 tso off\nvagrant@vg-suricata-01:~$ sudo ethtool -K eth1 tx off\nvagrant@vg-suricata-01:~$ sudo ethtool -K eth1 gro off\n\nvagrant@vg-suricata-01:~$ sudo cp /vagrant/custom_rules/my.rules /var/lib/suricata/rules\nvagrant@vg-suricata-01:~$ sudo cp /vagrant/custom_rules/test-ddos.rules /var/lib/suricata/rules\nvagrant@vg-suricata-01:~$ sudo ls /var/lib/suricata/rules\nmy.rules  suricata.rules  test-ddos.rules\n\nvagrant@vg-suricata-01:~$ sudo suricata -D -c /etc/suricata/suricata.yaml -i eth1\n7/12/2019 -- 11:00:35 - \u003cNotice\u003e - This is Suricata version 5.0.0 RELEASE running in SYSTEM mode\n\n\n# smoketesting\nvagrant@vg-suricata-03:~$ sudo hping3 -S -p 80 --flood --rand-source vg-suricata-01\nHPING vg-suricata-01 
(eth1 192.168.18.9): S set, 40 headers + 0 data bytes\nhping in flood mode, no replies will be shown\n\n# monitoring\nvagrant@vg-suricata-01:~$ sudo tail -f /var/log/suricata/fast.log\nvagrant@vg-suricata-01:/var/log/suricata$ cd /var/log/suricata \u0026\u0026 tail -f http.log stats.log\n\n~~~\n~~~\nThe configuration file\n/etc/suricata/suricata.yaml\n\n$ sudo cat /etc/suricata/suricata.yaml\n    HOME_NET: \"[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]\" # internal network to be protected\n    EXTERNAL_NET: \"!$HOME_NET\"\n~~~\n~~~\nYou can now start suricata by running as root something like:\n  /usr/bin/suricata -c /etc/suricata/suricata.yaml -i eth0\n\nIf a library like libhtp.so is not found, you can run suricata with:\n  LD_LIBRARY_PATH=/usr/lib /usr/bin/suricata -c /etc/suricata/suricata.yaml -i eth0\n\nThe Emerging Threats Open rules are now installed. Rules can be\nupdated and managed with the suricata-update tool.\n\nFor more information please see:\n  https://suricata.readthedocs.io/en/latest/rule-management/index.html\n\nmake[1]: Leaving directory '/tmp/suricata-5.0.0'\n~~~\n~~~\nvagrant@vg-suricata-01:~$ sudo /usr/bin/suricata -c /etc/suricata/suricata.yaml -i eth1\n6/12/2019 -- 23:49:49 - \u003cNotice\u003e - This is Suricata version 5.0.0 RELEASE running in SYSTEM mode\n6/12/2019 -- 23:49:49 - \u003cWarning\u003e - [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - eve-log dns version not found, forcing it to version 2\n6/12/2019 -- 23:49:49 - \u003cWarning\u003e - [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - eve-log dns version not found, forcing it to version 2\n6/12/2019 -- 23:50:04 - \u003cNotice\u003e - all 2 packet processing threads, 4 management threads initialized, engine started.\n~~~\n~~~\n download the Emerging Threats Open ruleset\n sudo suricata-update\n download the ruleset into\n /var/lib/suricata/rules/\n\n $ sudo suricata-update update-sources\n 6/12/2019 -- 23:56:24 - \u003cInfo\u003e -- Using data-directory /var/lib/suricata.\n 6/12/2019 -- 23:56:24 - \u003cInfo\u003e -- Using Suricata configuration /etc/suricata/suricata.yaml\n 6/12/2019 -- 23:56:24 - \u003cInfo\u003e -- Using /usr/share/suricata/rules for Suricata provided rules.\n 6/12/2019 -- 23:56:24 - \u003cInfo\u003e -- Found Suricata version 5.0.0 at /usr/bin/suricata.\n 6/12/2019 -- 23:56:24 - \u003cInfo\u003e -- Downloading https://www.openinfosecfoundation.org/rules/index.yaml\n 6/12/2019 -- 23:56:25 - \u003cInfo\u003e -- Saved /var/lib/suricata/update/cache/index.yaml\n\n
list the available rule sources\n$ sudo suricata-update list-sources\n\nenable rules that are disabled by default\n/etc/suricata/enable.conf\ndisable rules\n/etc/suricata/disable.conf\n\n~~~\ncustom rulesets\n~~~\ndefault-rule-path: /var/lib/suricata/rules\n\nrule-files:\n  - suricata.rules\n# Custom Test rules\n  - test-ddos.rules  \n  - my.rules\n\ndisable packet offload features on the network interface on which Suricata is listening\nethtool -K eth1 gro off lro off\n\n$ sudo ethtool -K eth1 gro off lro off\nCannot change large-receive-offload\n\n$ ethtool -k eth1 | grep large\nlarge-receive-offload: off [fixed]\n\nethtool -K eth1 tso off\nethtool -K eth1 tx off\nethtool -K eth1 gro off\n\nvarious modes in which Suricata can run\nsuricata --list-runmodes\n\nrun Suricata in PCAP live mode\n  suricata -D -c /etc/suricata/suricata.yaml -i eth1\n\ntest the rules for errors (highly recommended): --init-errors-fatal\nsudo suricata -c /etc/suricata/suricata.yaml -i eth1 --init-errors-fatal\n\nSuricata logs on Suricata host\ntail -f /var/log/suricata/fast.log\n\ntail -f /var/log/suricata/http.log\ntail -f /var/log/suricata/stats.log\n\ncd /var/log/suricata \u0026\u0026 tail -f http.log stats.log\n~~~\nsmoketesting suricata\n~~~\n
remote client\n\nperform SYN FLOOD attack against Suricata server\nhping3 -S -p 80 --flood --rand-source vg-suricata-01\n\nNmap scan against Suricata server\nnmap -sS -v -n -A vg-suricata-01 -T4\n\nperform SSH connection attempt from the remote machine\nssh vg-suricata-01\n\nperform test attack against Suricata server\nnikto -h vg-suricata-01 -C all\n\n\n~~~\nroles\n~~~\nsuricata\ntest_suricata\n~~~\nupgrade\n~~~\nsuricata_version: 5.0.0\nprovisioning\\roles\\suricata\\vars\\main.yml\n\u003chttps://redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricata_Installation\u003e\n~~~\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgithubfoam%2Fsuricata-sandbox","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fgithubfoam%2Fsuricata-sandbox","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgithubfoam%2Fsuricata-sandbox/lists"}