HowTo Setup Suricata - A Simple Live Configuration

From MediaWiki
Jump to navigationJump to search

Overview

Suricata is a multi-threaded intrusion detection/prevention engine. This page shows one how to configure suricata to "run in pcap live mode" for creating alerts with an ICMP Ping rule.

Configuration - Rule File

We will create a simple rule file for ICMP detection in directory: "/opt" with a file name: "icmp.rules". Documentation for setting up suricata rules can be found: here.

[root@probe tmp]# cat /opt/icmp.rules 
alert ip any any <> any any (msg: "ICMP Ping"; ip_proto: icmp; sid: 1000001;)