https://github.com/githubfoam/suricata-sandbox

network security monitoring NIDS HIDS CTI DFIR
https://github.com/githubfoam/suricata-sandbox

artificial-intelligence cyber-threat-intelligence digital-forensic-readiness digital-forensics-incident-response hids host-based network-based network-security-monitoring nids

Last synced: 6 months ago
JSON representation

network security monitoring NIDS HIDS CTI DFIR

Host: GitHub
URL: https://github.com/githubfoam/suricata-sandbox
Owner: githubfoam
License: gpl-3.0
Created: 2019-12-06T11:48:18.000Z (almost 6 years ago)
Default Branch: master
Last Pushed: 2019-12-07T14:38:30.000Z (almost 6 years ago)
Last Synced: 2025-02-05T07:49:38.803Z (8 months ago)
Topics: artificial-intelligence, cyber-threat-intelligence, digital-forensic-readiness, digital-forensics-incident-response, hids, host-based, network-based, network-security-monitoring, nids
Homepage:
Size: 51.8 KB
Stars: 1
Watchers: 1
Forks: 0
Open Issues: 2
Metadata Files:
- Readme: README.md
- License: LICENSE

Awesome Lists containing this project

README

# suricata-sandbox
ubuntu-19.04 / Debian GNU/Linux 10 (buster)
~~~
cd /tmp/suricata-5.0.0/
sudo make install-full

error: rules not installed as suricata-update not available
make[1]: *** [Makefile:937: install-rules] Error 1
make[1]: Leaving directory '/tmp/suricata-5.0.0'
make: *** [Makefile:918: install-full] Error 2

~~~
centos-7.7
~~~
[vagrant@vg-suricata-04 ~]$ sudo LD_LIBRARY_PATH=/usr/lib /usr/bin/suricata-update
[vagrant@vg-suricata-04 ~]$ sudo LD_LIBRARY_PATH=/usr/lib /usr/bin/suricata-update update-sources
7/12/2019 -- 12:23:13 - -- Using data-directory /var/lib/suricata.
7/12/2019 -- 12:23:13 - -- Using Suricata configuration /etc/suricata/suricata.yaml
7/12/2019 -- 12:23:13 - -- Using /usr/share/suricata/rules for Suricata provided rules.
7/12/2019 -- 12:23:13 - -- Found Suricata version 5.0.0 at /usr/bin/suricata.
7/12/2019 -- 12:23:13 - -- Downloading https://www.openinfosecfoundation.org/rules/index.yaml
7/12/2019 -- 12:23:15 - -- Saved /var/lib/suricata/update/cache/index.yaml
[vagrant@vg-suricata-04 ~]$ sudo ethtool -K eth1 tso off
[vagrant@vg-suricata-04 ~]$ sudo ethtool -K eth1 tx off
[vagrant@vg-suricata-04 ~]$ sudo ethtool -K eth1 gro off

[vagrant@vg-suricata-04 ~]$ sudo LD_LIBRARY_PATH=/usr/lib /usr/bin/suricata -D -c /etc/suricata/suricata.yaml -i eth1
7/12/2019 -- 12:24:20 - - This is Suricata version 5.0.0 RELEASE running in SYSTEM mode
[vagrant@vg-suricata-04 ~]$

# smoketesting
vagrant@vg-suricata-03:~$ sudo hping3 -S -p 80 --flood --rand-source vg-suricata-04

# monitoring
vagrant@vg-suricata-01:~$ sudo tail -f /var/log/suricata/fast.log
vagrant@vg-suricata-01:/var/log/suricata$ cd /var/log/suricata && tail -f http.log stats.log

~~~
ubuntu-16.04
~~~
vagrant@vg-suricata-01:~$ sudo suricata-update
vagrant@vg-suricata-01:~$ sudo suricata-update update-sources
vagrant@vg-suricata-01:~$ sudo ethtool -K eth1 tso off
vagrant@vg-suricata-01:~$ sudo ethtool -K eth1 tx off
vagrant@vg-suricata-01:~$ sudo ethtool -K eth1 gro off

vagrant@vg-suricata-01:~$ sudo cp /vagrant/custom_rules/my.rules /var/lib/suricata/rules
vagrant@vg-suricata-01:~$ sudo cp /vagrant/custom_rules/test-ddos.rules /var/lib/suricata/rules
vagrant@vg-suricata-01:~$ sudo ls /var/lib/suricata/rules
my.rules suricata.rules test-ddos.rules

vagrant@vg-suricata-01:~$ sudo suricata -D -c /etc/suricata/suricata.yaml -i eth1
7/12/2019 -- 11:00:35 - - This is Suricata version 5.0.0 RELEASE running in SYSTEM mode

# smoketesting
vagrant@vg-suricata-03:~$ sudo hping3 -S -p 80 --flood --rand-source vg-suricata-01
HPING vg-suricata-01 (eth1 192.168.18.9): S set, 40 headers + 0 data bytes
hping in flood mode, no replies will be shown

# monitoring
vagrant@vg-suricata-01:~$ sudo tail -f /var/log/suricata/fast.log
vagrant@vg-suricata-01:/var/log/suricata$ cd /var/log/suricata && tail -f http.log stats.log

~~~
~~~
The configuration file
/etc/suricata/suricata.yaml

$ sudo cat /etc/suricata/suricata.yaml
HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]" # internal network to be proctected
EXTERNAL_NET: "!$HOME_NET"
~~~
~~~
You can now start suricata by running as root something like:
/usr/bin/suricata -c /etc/suricata/suricata.yaml -i eth0

If a library like libhtp.so is not found, you can run suricata with:
LD_LIBRARY_PATH=/usr/lib /usr/bin/suricata -c /etc/suricata/suricata.yaml -i eth0

The Emerging Threats Open rules are now installed. Rules can be
updated and managed with the suricata-update tool.

For more information please see:
https://suricata.readthedocs.io/en/latest/rule-management/index.html

make[1]: Leaving directory '/tmp/suricata-5.0.0'
~~~
~~~
vagrant@vg-suricata-01:~$ sudo /usr/bin/suricata -c /etc/suricata/suricata.yaml -i eth1
6/12/2019 -- 23:49:49 - - This is Suricata version 5.0.0 RELEASE running in SYSTEM mode
6/12/2019 -- 23:49:49 - - [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - eve-log dns version not found, forcing it to version 2
6/12/2019 -- 23:49:49 - - [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - eve-log dns version not found, forcing it to version 2
6/12/2019 -- 23:50:04 - - all 2 packet processing threads, 4 management threads initialized, engine started.
~~~
~~~
download the Emerging Threats Open ruleset
sudo suricata-update
download the ruleset into
/var/lib/suricata/rules/

$ sudo suricata-update update-sources
6/12/2019 -- 23:56:24 - -- Using data-directory /var/lib/suricata.
6/12/2019 -- 23:56:24 - -- Using Suricata configuration /etc/suricata/suricata.yaml
6/12/2019 -- 23:56:24 - -- Using /usr/share/suricata/rules for Suricata provided rules.
6/12/2019 -- 23:56:24 - -- Found Suricata version 5.0.0 at /usr/bin/suricata.
6/12/2019 -- 23:56:24 - -- Downloading https://www.openinfosecfoundation.org/rules/index.yaml
6/12/2019 -- 23:56:25 - -- Saved /var/lib/suricata/update/cache/index.yaml

what is available
$ sudo suricata-update list-sources

enable rules that are disabled by default
/etc/suricata/enable.conf
disable rules
/etc/suricata/disable.conf

~~~
custom rulesets
~~~
default-rule-path: /var/lib/suricata/rules

rule-files:
- suricata.rules
# Custom Test rules
- test-ddos.rules
- my.rules

disable packet offload features on the network interface on which Suricata is listen
ethtool -K eth1 gro off lro off

$ sudo ethtool -K eth1 gro off lro off
Cannot change large-receive-offload

$ ethtool -k eth1 | grep large
large-receive-offload: off [fixed]

ethtool -K eth1 tso off
ethtool -K eth1 tx off
ethtool -K eth1 gro off

various modes in which Suricata can run
suricata --list-runmodes

run Suricata in PCAP live mode
suricata -D -c /etc/suricata/suricata.yaml -i eth1

Tests for errors rule Very recommended --init-errors-fatal
sudo suricata -c /etc/suricata/suricata.yaml -i eth1 --init-errors-fatal

Suricata logs on Suricata host
tail -f /var/log/suricata/fast.log

tail -f /var/log/suricata/http.log
tail -f /var/log/suricata/stats.log

cd /var/log/suricata && tail -f http.log stats.log
~~~
smoketesting suricata
~~~
remote client

perform SYN FLOOD attack against Suricata server
hping3 -S -p 80 --flood --rand-source vg-suricata-01

Nmap scan against Suricata server
nmap -sS -v -n -A vg-suricata-01 -T4

perform SSH connection attemt from the remote machine
ssh vg-suricata-01

perform test attack against Suricata server
nikto -h vg-suricata-01 -C all

~~~
roles
~~~
suricata
test_suricata
~~~
upgrade
~~~
suricata_version: 5.0.0
provisioning\roles\suricata\vars\main.yml

~~~

ecosyste.ms

Data

Tools

Indexes

Applications

Experiments

Awesome

https://github.com/githubfoam/suricata-sandbox

Awesome Lists containing this project

README