OpenSUSE15.6 ; Suricata , SNORT2 Install


SURICATA IDS/IPS is an open source IDS that monitors communications on the network and detects suspicious traffic.
The basic mechanism is signature-based, so it can detect predefined unauthorized communications. Suricata is also characterized by its ability to provide protection as well as detection.

1.advance preparation

Add and enable repositories

2.Suricata Installation and Configuration

①Suricata Install

Determine interface and IP address where Suricata will inspect network packets

Edit configuration file

Suricata rules update

Activate Suricata

Confirm Suricata startup

Check Log

Check the stats.log file for statistics (updated every 8 seconds by default)

A more advanced output, EVE JSON, can be generated with the following command

3.Suricata Testing

Run ping test with curl utility

Check the alert log to see if it has been logged

4.Setting Suricata Rules

Display of rule sets packaged in Suricata

Index list of sources providing rule sets

Enable source (if et/open is enabled)

Perform update

Restart Suricata service

5.Creating Suricata Custom Rules

Create files containing customer rules

Edit configuration file (define new rule paths)

 ③Testing the configuration file

Restart Suricat service

Testing the application of Custom Rules
Ping another device on the same local network to see if it was logged

To get logs in JSON format, install jq on your system

Execute the following command to ping another device on the same local network


Snort is a network-based IDS (Intrusion Detection System). It captures packets flowing over a network and detects suspicious packets.
The source file is used directly from

1.1Advance preparation

Install required libraries

1.2 SNORT & daq Download,Install

①daq Download,Install
Create a working directory and download in that directory

➁Lua Install

Create fake release files

④SNORT Install
If you do not use the Lua programming interface, add the option "-disable-open-appid"

Create a soft link between "/usr/sbin/snort" and the binary file "/usr/local/bin/snort"

1.3 User and Group Creation

1.4 Directory, file creation, permissions

creating white_list.rules, black_list.rules ,local.rules

Copy all "*.conf" and "*.map" files from the Snort source to Snort's system folder

1.5 Download Rules

①Download Community Rules.
Go to the root/ folder, unzip and copy the rules to the correct system directory with "cp" as already done elsewhere

Use the "sed" command to comment out unnecessary lines in "snort.conf".
If you do not want to install anything other than the community rules, you can use this command to comment out the rest

②Retrieve registered user rules
Once registered on the Snort website, you can download registered user rules using an Oink code; the Oink code is located in your Snort user account details.
Replace oinkcode in the following command with your personal code

Once download is complete, extract rules to the configuration directory

1.6 Edit Snort configuration file

1.7 Check settings

①Check configuration files

If all is well, you will see something like this

ERROR: /etc/snort/rules/classification.config(0) Unable to open rules file "/etc/snort/rules/classification.config": No such file or directory.
If you get an error like the above, copy the file in question as follows

iIf an nvalid error occurs, do the following

②Preparation for Operational Tests

Open "local.rules" and add the line "alert icmp any any -> $HOME_NET any (msg: "ICMP test"; sid:10000001; rev:001;)" for testing

③Test Snort in a terminal

Check the network interface first with the "ip addr" command and start Snort in a console or terminal

When pinging this server from a PC in the same network, the following is displayed in the server's console

1.8 Check log files

1.9 Creation of "snort.service"

The network interface "eth0" should be customized for each environment and should have the following contents

Finally, start, stop, and status of Snort services

Copied title and URL