Difference between revisions of "HowTo Setup Suricata - A Simple Live Configuration"

Overview

Suricata is a multi-threaded intrusion detection/prevention engine. This page shows one how to configure suricata to "run in pcap live mode" for detecting ICMP packets and generating alerts with a simple ICMP Ping rule. It shows how quickly one can set up suricata using the command-line for protocol packet flow detection.

Configuration - Rule File

We will create a simple rule file for ICMP detection in directory: "/opt" with a file name: "icmp.rules". This alert rule should be triggered when an IPv4 ICMP packet is received or transmitted (bi-directional with direction indicator: <>) on the suricata host. Documentation for setting up suricata rules can be found: here.

[root@probe tmp]# cat /opt/icmp.rules 
alert ip any any <> any any (msg: "ICMP Ping"; ip_proto: icmp; sid: 1000001;)

Configuration - Suricata

One needs to add the location of the ICMP rules file to the suricata configuration file: "/etc/suricata.yaml". This is done in the "rule-files" section.

Before:

rule-files:
  - suricata.rules

After:

rule-files:
  - suricata.rules
  - /opt/icmp.rules

Start Suricata

Start suricata in "run in pcap live mode". Example interface and hosts: Suricata Interface: ens34, Suricata Host: 10.222.222.252, Ping Host: 10.222.222.251.

Suricata host command line (Start up suricata):

[root@probe tmp]# suricata -i ens34
i: suricata: This is Suricata version 7.0.4 RELEASE running in SYSTEM mode
i: threads: Threads created -> W: 4 FM: 1 FR: 1   Engine started.

Ping Suricata Host

Ping the suricata host: (Done from command line on host: 10.222.222.252)

[nst@dev40 dev40]$ ping -c 3 10.222.222.252
PING 10.222.222.252 (10.222.222.252) 56(84) bytes of data.
64 bytes from 10.222.222.252: icmp_seq=1 ttl=64 time=0.303 ms
64 bytes from 10.222.222.252: icmp_seq=2 ttl=64 time=0.376 ms
64 bytes from 10.222.222.252: icmp_seq=3 ttl=64 time=0.383 ms

--- 10.222.222.252 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2081ms
rtt min/avg/max/mdev = 0.303/0.354/0.383/0.036 ms

Stop Suricata

Use "Ctrl-C" to stop the suricata process:

^Ci: suricata: Signal Received.  Stopping engine.
i: device: ens34: packets: 441, drops: 0 (0.00%), invalid chksum: 0
[root@probe tmp]#

Review the Suricata Alert Log

By default the alerts generated by suricata can be found in file: "/var/log/suricata/fast.log". Note that two (2) ICMP alerts were detected for this ping flow because our rules file was configured to detect bi-directional ICMP packets.

[root@probe tmp]# cat /var/log/suricata/fast.log
04/24/2024-11:56:22.857567  [**] [1:1000001:0] ICMP Ping [**] [Classification: (null)] [Priority: 3] {ICMP} 10.222.222.251:8 -> 10.222.222.252:0
04/24/2024-11:56:22.857625  [**] [1:1000001:0] ICMP Ping [**] [Classification: (null)] [Priority: 3] {ICMP} 10.222.222.252:0 -> 10.222.222.251:0