
OracleLinux10.0 : Suricata Install

Suricata

Suricata is an open source IDS/IPS that monitors traffic on the network and detects suspicious communications.
Its basic mechanism is signature-based, so it detects predefined patterns of unauthorized communication. Suricata is also characterized by its ability to block traffic (protection), not only to detect it.

1. Advance preparation

2. Suricata Installation and Configuration

Suricata Install

Determine the interface and IP address on which Suricata will inspect network packets

Edit configuration file

※To reload the ruleset into the running Suricata process without restarting it, run the following command

Suricata rules update

At the end of the output, the number of rules read is displayed
available enabled: 60201  added: 44599;

Activate Suricata

Confirm Suricata startup

Check Log

Check the stats.log file for statistics (updated every 8 seconds by default)

A more advanced output, EVE JSON, can be generated with the following command

3. Suricata Testing

Run a ping test with the curl utility

Check the alert log to confirm that the request was logged.
To find the entries in /var/log/suricata/fast.log that correspond to the curl request, use the grep command with the rule identifier 2100498; the following command searches for entries matching that signature

4. Setting Suricata Rules

Display the rule sets packaged with Suricata

List the index of sources that provide rule sets

Enable a source (for example, tgreen/hunting)

Perform update

Restart Suricata service

5. Creating Suricata Custom Rules

Create a file containing the custom rules

Edit the configuration file (define the new rule path)

Test the configuration file

Restart Suricata service
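The four steps above (create the rule file, register it in suricata.yaml, validate, restart) as one added example. This is not code from the original page; the default paths under /var/lib/suricata/rules and /etc/suricata, the local rule sid 1000001 and the hypothetical helper names are assumptions for a RHEL-family install such as Oracle Linux. The structural check catches the most common mistake (a rule without a sid) before suricata -T is even run.

```shell
#!/bin/bash
# Added example (not from the original page): write a custom rule file,
# sanity-check each rule line, show the suricata.yaml fragment that loads
# it, and validate the whole configuration with "suricata -T".
# Paths are the Suricata defaults on RHEL-family systems (assumption).
set -u

RULE_FILE="${RULE_FILE:-/var/lib/suricata/rules/local.rules}"
SURICATA_YAML="${SURICATA_YAML:-/etc/suricata/suricata.yaml}"

# A rule that alerts on ICMP echo requests reaching the monitored network.
# sid 1000001 is in the range reserved for local rules (1000000-1999999).
custom_rules() {
    cat <<'EOF'
alert icmp any any -> $HOME_NET any (msg:"LOCAL ICMP Echo Request"; itype:8; sid:1000001; rev:1;)
EOF
}

# Minimal structural check before handing the file to suricata -T:
# action, protocol, "src sport -> dst dport", and an options block with a sid.
# Returns 0 if every non-comment line passes, 1 otherwise.
check_rules() {        # check_rules FILE
    local file="$1" lineno=0 rc=0 line
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        case "$line" in ''|'#'*) continue ;; esac
        if ! printf '%s\n' "$line" | grep -Eq \
            '^(alert|drop|pass|reject) +[a-z]+ +[^ ]+ +[^ ]+ +-> +[^ ]+ +[^ ]+ +\(.*sid:[0-9]+;.*\)$'; then
            echo "$file:$lineno: malformed rule: $line" >&2
            rc=1
        fi
    done < "$file"
    return $rc
}

# Write the rule file and print the suricata.yaml fragment that loads it.
install_rules() {
    custom_rules > "$RULE_FILE"
    check_rules "$RULE_FILE" || return 1
    cat <<EOF
# Add local.rules under rule-files: in $SURICATA_YAML, e.g.
#   rule-files:
#     - suricata.rules
#     - local.rules
EOF
}

# Validate configuration and rule syntax without starting Suricata.
# Only runs where the binary is installed.
test_config() {
    if command -v suricata >/dev/null 2>&1; then
        suricata -T -c "$SURICATA_YAML" -v
    else
        echo "suricata not installed; skipping -T check" >&2
        return 0
    fi
}

# Usage (as root): install_rules && test_config && systemctl restart suricata
```

Run install_rules and test_config as root, then restart the service; a failing check_rules or a non-zero exit from suricata -T means the rule file should be fixed before the restart, since Suricata will refuse to load a malformed rule file.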

Testing the application of custom rules
Ping another device on the same local network and check whether it is logged

To read the JSON-format log, install jq on your system

Execute the following command to ping another device on the same local network

6. Switching to IPS mode

Restart Suricata

Now that Suricata is configured to handle traffic in IPS mode, direct incoming packets to Suricata. To add the rules Suricata needs to firewalld, run the following command

Send all remaining non-SSH traffic to Suricata for processing.
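The firewalld side of the IPS switch, as an added example that is not part of the original page. It assumes firewalld direct rules targeting NFQUEUE queue 0 and the EPEL packaging's /etc/sysconfig/suricata file; the helper names are hypothetical. The point it makes explicit is rule ordering: the SSH bypass rules (priority 0) must come before the catch-all rules (priority 1), otherwise a stopped or crashed Suricata process takes the administrative SSH session down with it.

```shell
#!/bin/bash
# Added example (not from the page): firewalld direct rules that hand traffic
# to Suricata's NFQUEUE in IPS mode. The SSH bypass rules must sit at a lower
# priority number (earlier) than the catch-all rules; --queue-bypass lets SSH
# packets through when no process is listening on the queue. Queue number 0
# and /etc/sysconfig/suricata are assumptions based on the EPEL packaging.
set -u

SSH_PORT="${SSH_PORT:-22}"
QUEUE="${QUEUE:-0}"

# Emit the direct rules in the order they must be applied, one per line.
# Format: <family> <table> <chain> <priority> <rule args...>
nfqueue_rules() {
    cat <<EOF
ipv4 filter INPUT 0 -p tcp --dport $SSH_PORT -j NFQUEUE --queue-bypass
ipv4 filter OUTPUT 0 -p tcp --sport $SSH_PORT -j NFQUEUE --queue-bypass
ipv4 filter INPUT 1 -j NFQUEUE --queue-num $QUEUE
ipv4 filter OUTPUT 1 -j NFQUEUE --queue-num $QUEUE
EOF
}

# Check that every bypass rule precedes every catch-all rule (priority is the
# fourth field of each emitted line). Returns 0 when the ordering is safe.
ordering_is_safe() {
    local max_bypass=-1 min_catchall=999 family table chain prio rest
    while read -r family table chain prio rest; do
        if [ "${rest#*--queue-bypass}" != "$rest" ]; then
            if [ "$prio" -gt "$max_bypass" ]; then max_bypass=$prio; fi
        else
            if [ "$prio" -lt "$min_catchall" ]; then min_catchall=$prio; fi
        fi
    done <<EOF
$(nfqueue_rules)
EOF
    [ "$max_bypass" -lt "$min_catchall" ]
}

# Apply the rules with firewall-cmd (requires root; refuses to run if the
# ordering check fails or firewalld is not installed).
apply_rules() {
    ordering_is_safe || { echo "refusing to apply: unsafe rule order" >&2; return 1; }
    command -v firewall-cmd >/dev/null 2>&1 || { echo "firewall-cmd not found" >&2; return 1; }
    nfqueue_rules | while read -r rule; do
        # shellcheck disable=SC2086  (word splitting of $rule is intended)
        firewall-cmd --permanent --direct --add-rule $rule
    done
    firewall-cmd --reload
}

# Suricata must read from the same queue: in /etc/sysconfig/suricata set
#   OPTIONS="-q 0 -vvv"
# (replacing the "-i <interface>" option used in IDS mode), then
#   systemctl restart suricata
```

After apply_rules, verify with firewall-cmd --direct --get-all-rules that the two --queue-bypass lines are listed at priority 0 and the NFQUEUE catch-alls at priority 1 before restarting Suricata with -q 0.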

7. Testing Invalid Traffic

In the /var/lib/suricata/rules/suricata.rules file, find the rule for signature sid:2100498 and edit its action to drop, so that packets matching that signature are dropped.
Then reload the signatures.

Test this rule using curl

You should see an error that the request timed out, as shown above, indicating that Suricata blocked the HTTP response:

You can confirm that Suricata dropped the HTTP response by examining the eve.log file with jq.

The following output is produced
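The two log checks this page relies on, the fast.log search for sid 2100498 in section 3 and the eve.log drop confirmation here, as one added example that is not code from the original page. The fast.log and EVE JSON lines are constructed for the example (addresses from documentation ranges); on a live system point the functions at /var/log/suricata/fast.log and /var/log/suricata/eve.json. The functions use grep so they run without jq; the equivalent jq filter is given in a comment.

```shell
#!/bin/bash
# Added example (not from the page): find alerts for one signature in
# fast.log and confirm blocked traffic in the EVE JSON log.
# The sample log lines below are constructed for this example.
set -u

SID="${SID:-2100498}"

# Constructed fast.log excerpt: one hit for sid 2100498 plus an unrelated alert.
sample_fastlog() {
    cat <<'EOF'
03/10/2025-10:15:02.112233  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.10:80 -> 192.0.2.5:43320
03/10/2025-10:16:45.998877  [**] [1:1000001:1] LOCAL ICMP Echo Request [**] [Classification: (null)] [Priority: 3] {ICMP} 192.0.2.7:8 -> 192.0.2.5:0
EOF
}

# Constructed eve.json excerpt: an alert event from IDS mode and a drop event
# for the same signature after its action was changed to drop.
sample_eve() {
    cat <<'EOF'
{"timestamp":"2025-03-10T10:15:02.112233+0900","event_type":"alert","src_ip":"203.0.113.10","src_port":80,"dest_ip":"192.0.2.5","dest_port":43320,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2100498,"rev":7,"signature":"GPL ATTACK_RESPONSE id check returned root"}}
{"timestamp":"2025-03-10T10:30:11.445566+0900","event_type":"drop","src_ip":"203.0.113.10","src_port":80,"dest_ip":"192.0.2.5","dest_port":43321,"proto":"TCP","alert":{"action":"blocked","gid":1,"signature_id":2100498,"rev":7,"signature":"GPL ATTACK_RESPONSE id check returned root"}}
EOF
}

# Count fast.log entries for a signature. Matching the "[gid:sid:" field keeps
# the match exact; a bare grep for the number could also hit ports or timestamps.
fastlog_hits() {       # fastlog_hits FILE SID
    grep -c "\[1:$2:" "$1" || true
}

# Count EVE drop events for a signature. Suricata writes compact JSON, so a
# fixed-string match on the signature_id key is reliable. jq equivalent:
#   jq 'select(.event_type=="drop" and .alert.signature_id==2100498)' eve.json
eve_drops() {          # eve_drops FILE SID
    grep -F '"event_type":"drop"' "$1" | grep -c -F "\"signature_id\":$2," || true
}

# Run both checks over the given files (defaults to the constructed samples).
report() {             # report [FASTLOG] [EVEJSON]
    local fast="${1:-}" eve="${2:-}" cleanup=""
    if [ -z "$fast" ]; then fast=$(mktemp); sample_fastlog > "$fast"; cleanup="$fast"; fi
    if [ -z "$eve" ];  then eve=$(mktemp);  sample_eve > "$eve";     cleanup="$cleanup $eve"; fi
    printf 'fast.log alerts for sid %s: %s\n' "$SID" "$(fastlog_hits "$fast" "$SID")"
    printf 'eve.json drops  for sid %s: %s\n' "$SID" "$(eve_drops "$eve" "$SID")"
    [ -z "$cleanup" ] || rm -f $cleanup
}

# Usage on a live system:
#   report /var/log/suricata/fast.log /var/log/suricata/eve.json
```

A non-zero drop count for the signature after the curl test is the evidence that the rule edit took effect; a matching alert count in fast.log with zero drops means the rule is still in alert mode or the signatures were not reloaded.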
