Suricata
Suricata is an open source IDS/IPS that monitors communications on the network and detects suspicious traffic.
Its basic mechanism is signature-based, so it detects predefined unauthorized communications. Suricata can also block traffic (IPS) in addition to detecting it.
1. Advance preparation
    # dnf install dnf-plugins-core
    # dnf copr enable @oisf/suricata-7.0
2. Suricata Installation and Configuration
①Suricata Install
    # dnf -y install suricata
Check the version
    # suricata -V
    This is Suricata version 7.0.11 RELEASE
②Determine interface and IP address where Suricata will inspect network packets
    # ip --brief address
    lo               UNKNOWN        127.0.0.1/8 ::1/128
    ens160           UP             192.168.11.83/24
③Edit configuration file
    # vi /etc/suricata/suricata.yaml

    # Line 18 : In the "vars" section, define the network
        HOME_NET: "[192.168.11.0/24]"
        EXTERNAL_NET: "!$HOME_NET"

    # Line 136 : Change community-id: false to community-id: true
          community-id: true
          # Seed value for the ID output. Valid values are 0-65535.
          community-id-seed: 0

    # Line 622 : Set interface name in "af-packet" section
    af-packet:
      - interface: ens160

To let users add, delete, and edit rules without restarting the Suricata service, add the following at the end of the file
    detect-engine:
      - rule-reload: true
※To reload the ruleset into the running Suricata process without restarting it, run the following command
    # kill -USR2 $(pidof suricata)
    # vi /etc/sysconfig/suricata

    # Line 8 : Specify interface
    # Add options to be passed to the daemon
    OPTIONS="-i ens160 --user suricata "
④Suricata rules update
    # suricata-update
    ----------------------------------------------
    29/7/2025 -- 17:39:48 - <Info> -- Loaded 60201 rules.
    29/7/2025 -- 17:39:48 - <Info> -- Disabled 13 rules.
    29/7/2025 -- 17:39:48 - <Info> -- Enabled 0 rules.
    29/7/2025 -- 17:39:48 - <Info> -- Modified 0 rules.
    29/7/2025 -- 17:39:48 - <Info> -- Dropped 0 rules.
    29/7/2025 -- 17:39:48 - <Info> -- Enabled 136 rules for flowbit dependencies.
    29/7/2025 -- 17:39:48 - <Info> -- Creating directory /var/lib/suricata/rules.
    29/7/2025 -- 17:39:48 - <Info> -- Backing up current rules.
    29/7/2025 -- 17:39:48 - <Info> -- Writing rules to /var/lib/suricata/rules/suricata.rules: total: 60201; enabled: 44599; added: 60201; removed 0; modified: 0
    29/7/2025 -- 17:39:48 - <Info> -- Writing /var/lib/suricata/rules/classification.config
    29/7/2025 -- 17:39:48 - <Info> -- Testing with suricata -T.
    29/7/2025 -- 17:39:52 - <Info> -- Done.
Near the end of the output, the number of rules written is displayed
total: 60201; enabled: 44599; added: 60201;
⑤Activate Suricata
    # systemctl enable --now suricata
    Created symlink /etc/systemd/system/multiuser.target.wants/suricata.service → /usr/lib/systemd/system/suricata.service.
⑥Confirm Suricata startup
    # systemctl status suricata
    ● suricata.service - Suricata Intrusion Detection Service
         Loaded: loaded (/usr/lib/systemd/system/suricata.service; enabled; preset: disabled)
         Active: active (running) since Tue 2025-07-29 17:41:13 JST; 10s ago
     Invocation: b5a3b29014c449988bf6608895838296
           Docs: man:suricata(1)
        Process: 62505 ExecStartPre=/bin/rm -f /var/run/suricata.pid (code=exited, status=0/SUCCESS)
       Main PID: 62506 (Suricata-Main)
          Tasks: 8 (limit: 21936)
         Memory: 920.8M (peak: 973.5M)
            CPU: 3.768s
         CGroup: /system.slice/suricata.service
                 └─62506 /sbin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid -i ens160 --user suricata

    Jul 29 17:41:13 Lepard systemd[1]: Starting suricata.service - Suricata Intrusion Detection Service...
    Jul 29 17:41:13 Lepard systemd[1]: Started suricata.service - Suricata Intrusion Detection Service.
    Jul 29 17:41:13 Lepard suricata[62506]: i: suricata: This is Suricata version 7.0.11 RELEASE running in SYSTEM mode
    Jul 29 17:41:17 Lepard suricata[62506]: W: af-packet: ens160: AF_PACKET tpacket-v3 is recommended for non-inline operation
    Jul 29 17:41:17 Lepard suricata[62506]: i: threads: Threads created -> W: 2 FM: 1 FR: 1 Engine started.
Check Log
    # tail /var/log/suricata/suricata.log
    [62506 - Suricata-Main] 2025-07-29 17:41:13 Info: logopenfile: fast output device (regular) initialized: fast.log
    [62506 - Suricata-Main] 2025-07-29 17:41:13 Info: logopenfile: eve-log output device (regular) initialized: eve.json
    [62506 - Suricata-Main] 2025-07-29 17:41:13 Info: logopenfile: stats output device (regular) initialized: stats.log
    [62506 - Suricata-Main] 2025-07-29 17:41:14 Info: detect: 1 rule files processed. 44599 rules successfully loaded, 0 rules failed, 0
    [62506 - Suricata-Main] 2025-07-29 17:41:14 Info: threshold-config: Threshold config parsed: 0 rule(s) found
    [62506 - Suricata-Main] 2025-07-29 17:41:14 Info: detect: 44602 signatures processed. 947 are IP-only rules, 4378 are inspecting packet payload, 39055 inspect application layer, 109 are decoder event only
    [62506 - Suricata-Main] 2025-07-29 17:41:17 Warning: af-packet: ens160: AF_PACKET tpacket-v3 is recommended for non-inline operation
    [62506 - Suricata-Main] 2025-07-29 17:41:17 Info: runmodes: ens160: creating 2 threads
    [62506 - Suricata-Main] 2025-07-29 17:41:17 Info: unix-manager: unix socket '/var/run/suricata/suricata-command.socket'
    [62506 - Suricata-Main] 2025-07-29 17:41:17 Notice: threads: Threads created -> W: 2 FM: 1 FR: 1 Engine started.
Check the stats.log file for statistics (updated every 8 seconds by default)
    # tail -f /var/log/suricata/stats.log
The more detailed EVE JSON output can be viewed with the following command
    # tail -f /var/log/suricata/eve.json
3. Suricata Testing
①Run a test request with the curl utility
    # curl http://testmynids.org/uid/index.html
    uid=0(root) gid=0(root) groups=0(root)
②Check the alert log to see if it has been logged
To find the entry in /var/log/suricata/fast.log that corresponds to the curl request, use grep to search for the rule identifier 2100498
    # grep 2100498 /var/log/suricata/fast.log
    07/29/2025-17:43:44.184625 [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 143.204.80.46:80 -> 192.168.11.83:60118
4. Setting Suricata Rules
①Display of rule sets packaged in Suricata
    # ls -al /var/lib/suricata/rules/
    total 37344
    drwxr-s--- 2 root     suricata       57 Jul 29 17:39 .
    drwxrws--- 4 suricata suricata       33 Jul 29 17:39 ..
    -rw-r--r-- 1 root     suricata     3228 Jul 29 17:39 classification.config
    -rw-r--r-- 1 root     suricata 38232389 Jul 29 17:39 suricata.rules
②Index list of sources providing rule sets
    # suricata-update list-sources
    Name: abuse.ch/feodotracker
      Vendor: Abuse.ch
      Summary: Abuse.ch Feodo Tracker Botnet C2 IP ruleset
      License: CC0-1.0
    Name: abuse.ch/sslbl-blacklist
      Vendor: Abuse.ch
      Summary: Abuse.ch SSL Blacklist
      License: CC0-1.0
      Replaces: sslbl/ssl-fp-blacklist
    Name: abuse.ch/sslbl-c2
      Vendor: Abuse.ch
      Summary: Abuse.ch Suricata Botnet C2 IP Ruleset
      License: CC0-1.0
    Name: abuse.ch/sslbl-ja3
      Vendor: Abuse.ch
      Summary: Abuse.ch Suricata JA3 Fingerprint Ruleset
      License: CC0-1.0
      Replaces: sslbl/ja3-fingerprints
    Name: abuse.ch/urlhaus
      Vendor: abuse.ch
      Summary: Abuse.ch URLhaus Suricata Rules
      License: CC0-1.0
    Name: aleksibovellan/nmap
      Vendor: aleksibovellan
      Summary: Suricata IDS/IPS Detection Rules Against NMAP Scans
      License: MIT
    Name: et/open
      Vendor: Proofpoint
      Summary: Emerging Threats Open Ruleset
      License: MIT
    Name: et/pro
      Vendor: Proofpoint
      Summary: Emerging Threats Pro Ruleset
      License: Commercial
      Replaces: et/open
      Parameters: secret-code
      Subscription: https://www.proofpoint.com/us/threat-insight/et-pro-ruleset
    Name: etnetera/aggressive
      Vendor: Etnetera a.s.
      Summary: Etnetera aggressive IP blacklist
      License: MIT
    Name: oisf/trafficid
      Vendor: OISF
      Summary: Suricata Traffic ID ruleset
      License: MIT
    Name: pawpatrules
      Vendor: pawpatrules
      Summary: PAW Patrules is a collection of rules for IDPS / NSM Suricata engine
      License: CC-BY-SA-4.0
    Name: ptrules/open
      Vendor: Positive Technologies
      Summary: Positive Technologies Open Ruleset
      License: Custom
    Name: scwx/enhanced
      Vendor: Secureworks
      Summary: Secureworks suricata-enhanced ruleset
      License: Commercial
      Parameters: secret-code
      Subscription: https://www.secureworks.com/contact/ (Please reference CTU Countermeasures)
    Name: scwx/malware
      Vendor: Secureworks
      Summary: Secureworks suricata-malware ruleset
      License: Commercial
      Parameters: secret-code
      Subscription: https://www.secureworks.com/contact/ (Please reference CTU Countermeasures)
    Name: scwx/security
      Vendor: Secureworks
      Summary: Secureworks suricata-security ruleset
      License: Commercial
      Parameters: secret-code
      Subscription: https://www.secureworks.com/contact/ (Please reference CTU Countermeasures)
    Name: stamus/lateral
      Vendor: Stamus Networks
      Summary: Lateral movement rules
      License: GPL-3.0-only
    Name: stamus/nrd-14-open
      Vendor: Stamus Networks
      Summary: Newly Registered Domains Open only - 14 day list, complete
      License: Commercial
      Parameters: secret-code
      Subscription: https://www.stamus-networks.com/stamus-labs/subscribe-to-threat-intel-feed
    Name: stamus/nrd-30-open
      Vendor: Stamus Networks
      Summary: Newly Registered Domains Open only - 30 day list, complete
      License: Commercial
      Parameters: secret-code
      Subscription: https://www.stamus-networks.com/stamus-labs/subscribe-to-threat-intel-feed
    Name: stamus/nrd-entropy-14-open
      Vendor: Stamus Networks
      Summary: Newly Registered Domains Open only - 14 day list, high entropy
      License: Commercial
      Parameters: secret-code
      Subscription: https://www.stamus-networks.com/stamus-labs/subscribe-to-threat-intel-feed
    Name: stamus/nrd-entropy-30-open
      Vendor: Stamus Networks
      Summary: Newly Registered Domains Open only - 30 day list, high entropy
      License: Commercial
      Parameters: secret-code
      Subscription: https://www.stamus-networks.com/stamus-labs/subscribe-to-threat-intel-feed
    Name: stamus/nrd-phishing-14-open
      Vendor: Stamus Networks
      Summary: Newly Registered Domains Open only - 14 day list, phishing
      License: Commercial
      Parameters: secret-code
      Subscription: https://www.stamus-networks.com/stamus-labs/subscribe-to-threat-intel-feed
    Name: stamus/nrd-phishing-30-open
      Vendor: Stamus Networks
      Summary: Newly Registered Domains Open only - 30 day list, phishing
      License: Commercial
      Parameters: secret-code
      Subscription: https://www.stamus-networks.com/stamus-labs/subscribe-to-threat-intel-feed
    Name: tgreen/hunting
      Vendor: tgreen
      Summary: Threat hunting rules
      License: GPLv3
③Enable a source (here, tgreen/hunting is enabled)
    # suricata-update enable-source tgreen/hunting
    29/7/2025 -- 17:46:32 - <Info> -- Using data-directory /var/lib/suricata.
    29/7/2025 -- 17:46:32 - <Info> -- Using Suricata configuration /etc/suricata/suricata.yaml
    29/7/2025 -- 17:46:32 - <Info> -- Using /usr/share/suricata/rules for Suricata provided rules.
    29/7/2025 -- 17:46:32 - <Info> -- Found Suricata version 7.0.11 at /usr/sbin/suricata.
    29/7/2025 -- 17:46:32 - <Warning> -- Source index does not exist, will use bundled one.
    29/7/2025 -- 17:46:32 - <Warning> -- Please run suricata-update update-sources.
    29/7/2025 -- 17:46:32 - <Info> -- Creating directory /var/lib/suricata/update/sources
    29/7/2025 -- 17:46:32 - <Info> -- Enabling default source et/open
    29/7/2025 -- 17:46:32 - <Info> -- Source tgreen/hunting enabled
Perform update
    # suricata-update
Restart Suricata service
    # systemctl restart suricata
5. Creating Suricata Custom Rules
①Create a file containing custom rules
    # vi /etc/suricata/rules/local.rules
Include the following rule
    alert icmp any any -> $HOME_NET any (msg:"ICMP Ping"; sid:1; rev:1;)
②Edit configuration file (define new rule paths)
    # vi /etc/suricata/suricata.yaml

    # Added around line 2200
    default-rule-path: /var/lib/suricata/rules

    rule-files:
      - suricata.rules
      # Absolute path: local.rules was created in /etc/suricata/rules, not in default-rule-path
      - /etc/suricata/rules/local.rules
③Testing the configuration file
    # suricata -T -c /etc/suricata/suricata.yaml -v
    Notice: suricata: This is Suricata version 7.0.11 RELEASE running in SYSTEM mode
    Info: cpu: CPUs/cores online: 2
    Info: suricata: Running suricata under test mode
    Info: suricata: Setting engine mode to IDS mode by default
    Info: exception-policy: master exception-policy set to: auto
    Info: logopenfile: fast output device (regular) initialized: fast.log
    Info: logopenfile: eve-log output device (regular) initialized: eve.json
    Info: logopenfile: stats output device (regular) initialized: stats.log
    Info: detect: 2 rule files processed. 44850 rules successfully loaded, 0 rules failed, 0
    Info: threshold-config: Threshold config parsed: 0 rule(s) found
    Info: detect: 44853 signatures processed. 948 are IP-only rules, 4495 are inspecting packet payload, 39188 inspect application layer, 109 are decoder event only
    Notice: suricata: Configuration provided was successfully loaded. Exiting.
Restart Suricata service
    # systemctl restart suricata
④Testing the application of Custom Rules
Ping another device on the same local network and check whether the alert was logged
    # cat /var/log/suricata/fast.log
    07/29/2025-18:42:32.093592 [**] [1:1:1] ICMP Ping [**] [Classification: (null)] [Priority: 3] {ICMP} 192.168.11.8:8 -> 192.168.11.83:0
    07/29/2025-18:42:32.093651 [**] [1:1:1] ICMP Ping [**] [Classification: (null)] [Priority: 3] {ICMP} 192.168.11.83:0 -> 192.168.11.8:0
To view the logs in JSON format, install jq on your system
    # dnf install jq
    # systemctl restart suricata
Run the following command, then ping another device on the same local network
    # tail -f /var/log/suricata/eve.json | jq 'select(.event_type=="alert")'
When ping is executed, the following is displayed in the console
    {
      "timestamp": "2025-07-29T18:45:07.860584+0900",
      "flow_id": 881251630183831,
      "in_iface": "ens160",
      "event_type": "alert",
      "src_ip": "192.168.11.83",
      "dest_ip": "192.168.11.8",
      "proto": "ICMP",
      "icmp_type": 0,
      "icmp_code": 0,
      "pkt_src": "wire/pcap",
      "community_id": "1:mKJ/Lpl+6WAMs3qQEpwBo0q/ifU=",
      "alert": {
        "action": "allowed",
        "gid": 1,
        "signature_id": 1,
        "rev": 1,
        "signature": "ICMP Ping",
        "category": "",
        "severity": 3
      },
      "direction": "to_client",
      "flow": {
        "pkts_toserver": 2,
        "pkts_toclient": 1,
        "bytes_toserver": 148,
        "bytes_toclient": 74,
        "start": "2025-07-29T18:45:07.860542+0900",
        "src_ip": "192.168.11.8",
        "dest_ip": "192.168.11.83"
      }
    }
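The community_id enabled in the configuration step is what ties the echo request and echo reply alerts to one flow. The following is an added example, not part of the original page: it groups EVE alerts by community_id while skipping non-alert events and a half-written last line. The sample events are constructed from the alert shown above, and the second community_id is a placeholder.

```python
import json

PING = "1:mKJ/Lpl+6WAMs3qQEpwBo0q/ifU="    # community_id from the alert shown above
OTHER = "1:constructed-placeholder-id="     # placeholder for a second, unrelated flow


def _ev(src, dst, cid, event_type="alert"):
    """Build one constructed EVE line (only the fields this example reads)."""
    ev = {"event_type": event_type, "src_ip": src, "dest_ip": dst,
          "proto": "ICMP", "community_id": cid}
    if event_type == "alert":
        ev["alert"] = {"action": "allowed", "signature_id": 1,
                       "signature": "ICMP Ping"}
    return json.dumps(ev)


# Constructed sample input, one JSON document per line as in eve.json.
SAMPLE_EVE = [
    _ev("192.168.11.8", "192.168.11.83", PING),          # echo request
    _ev("192.168.11.83", "192.168.11.8", PING),          # echo reply, same flow
    _ev("192.168.11.8", "192.168.11.83", PING, "flow"),  # not an alert
    _ev("192.168.11.9", "192.168.11.83", OTHER),         # alert on another flow
    '{"timestamp": "2025-07-29T18:45:09',                # half-written last line
]


def iter_alerts(lines):
    """Yield alert events; skip blank, unparsable and non-alert lines."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # e.g. the tail of a file Suricata is still writing
        if isinstance(event, dict) and event.get("event_type") == "alert":
            yield event


def alerts_by_flow(lines):
    """Group alerts by community_id, falling back to flow_id if it is absent."""
    flows = {}
    for ev in iter_alerts(lines):
        key = ev.get("community_id") or "flow_id:%s" % ev.get("flow_id")
        flow = flows.setdefault(key, {"alerts": 0, "endpoints": set(),
                                      "signatures": set(), "actions": set()})
        alert = ev.get("alert", {})
        flow["alerts"] += 1
        flow["endpoints"].update(ip for ip in (ev.get("src_ip"), ev.get("dest_ip")) if ip)
        if alert.get("signature_id") is not None:
            flow["signatures"].add(alert["signature_id"])
        if alert.get("action"):
            flow["actions"].add(alert["action"])
    # Sets become sorted lists so the summary is stable and JSON-serialisable.
    return {k: {f: sorted(v) if isinstance(v, set) else v for f, v in s.items()}
            for k, s in flows.items()}


if __name__ == "__main__":
    print(json.dumps(alerts_by_flow(SAMPLE_EVE), indent=2))
```

To run it against a live sensor, pass an open file handle for /var/log/suricata/eve.json instead of SAMPLE_EVE.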
6. Switching to IPS mode
    # vi /etc/sysconfig/suricata

    # The following parameters are the most commonly needed to configure
    # suricata. A full list can be seen by running /sbin/suricata --help
    # -i <network interface device>
    # --user <acct name>
    # --group <group name>

    # Add options to be passed to the daemon
    #OPTIONS="-i ens160 --user suricata"   ← comment out
    OPTIONS="-q 0 -vvv --user suricata"    ← add
Restart Suricata
    # systemctl restart suricata.service
    # systemctl status suricata.service
    ● suricata.service - Suricata Intrusion Detection Service
         Loaded: loaded (/usr/lib/systemd/system/suricata.service; enabled; preset:>
         Active: active (running) since Wed 2025-07-30 09:05:30 JST; 8s ago
     Invocation: cee2df696fae47de9d743097d9573530
           Docs: man:suricata(1)
        Process: 8064 ExecStartPre=/bin/rm -f /var/run/suricata.pid (code=exited, s>
       Main PID: 8066 (Suricata-Main)
          Tasks: 10 (limit: 21936)
         Memory: 966.8M (peak: 1010.9M)
            CPU: 3.419s
         CGroup: /system.slice/suricata.service
                 └─8066 /sbin/suricata -c /etc/suricata/suricata.yaml --pidfile /va>

    Jul 30 09:05:32 Lepard suricata[8066]: [8066] Perf: detect: Pkt MPM "icmpv6.hdr>
    Jul 30 09:05:32 Lepard suricata[8066]: [8066] Perf: detect: Pkt MPM "ipv6.hdr":>
    Jul 30 09:05:34 Lepard suricata[8066]: [8066] Config: tmqh-flow: AutoFP mode us>
    Jul 30 09:05:34 Lepard suricata[8066]: [8067] Info: nfq: binding this thread 0 >
    Jul 30 09:05:34 Lepard suricata[8066]: [8067] Info: nfq: setting queue length t>
    Jul 30 09:05:34 Lepard suricata[8066]: [8067] Info: nfq: setting nfnl bufsize t>
    Jul 30 09:05:34 Lepard suricata[8066]: [8066] Config: flow-manager: using 1 flo>
    Jul 30 09:05:34 Lepard suricata[8066]: [8066] Config: flow-manager: using 1 flo>
    Jul 30 09:05:34 Lepard suricata[8066]: [8066] Info: unix-manager: unix socket '>
    Jul 30 09:05:34 Lepard suricata[8066]: [8066] Notice: threads: Threads created >
Now that Suricata is configured to handle traffic in IPS mode, direct incoming packets to it. To add the necessary rules for Suricata to Firewalld, run the following commands. The first two rules cover TCP port 2244 (the SSH port in this setup); --queue-bypass lets those packets through when no program is listening on the queue, so SSH stays reachable even if Suricata is stopped.
    # firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -p tcp --dport 2244 -j NFQUEUE --queue-bypass
    # firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 0 -p tcp --sport 2244 -j NFQUEUE --queue-bypass
    # firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 -j NFQUEUE
Send all remaining non-SSH traffic to Suricata for processing. These rules do not use --queue-bypass, so this traffic is dropped whenever Suricata is not running.
    # firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 1 -j NFQUEUE
    # firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 1 -j NFQUEUE
    # firewall-cmd --reload
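7. Testing Invalid Traffic
In the /var/lib/suricata/rules/suricata.rules file, find the rule with sid:2100498 and change its action to drop, so that packets matching the signature are dropped.
Note that suricata-update rewrites this file, so a manual edit is lost on the next update; listing the sid in suricata-update's drop.conf keeps the change across updates.
Reload signatures.
    # kill -USR2 $(pidof suricata)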
Test this rule using curl
    # curl --max-time 5 http://testmynids.org/uid/index.html
    curl: (28) Operation timed out after 5001 milliseconds with 0 bytes received
You should see an error that the request timed out, as shown above, indicating that Suricata blocked the HTTP response.
You can confirm that Suricata dropped the HTTP response by examining the eve.json file with jq.
    # jq 'select(.alert.signature_id==2100498)' /var/log/suricata/eve.json
The following output is produced
    {
      "timestamp": "2025-07-30T09:32:51.070150+0900",
      "flow_id": 1011662309961915,
      "event_type": "alert",
      "src_ip": "143.204.80.46",
      "src_port": 80,
      "dest_ip": "192.168.11.83",
      "dest_port": 56058,
      "proto": "TCP",
      "pkt_src": "wire/pcap",
      "community_id": "1:wNp5AX/HD4HtWv4+Cy4WJRWJcC0=",
      "tx_id": 0,
      "tx_guessed": true,
      "alert": {
        "action": "blocked",
        "gid": 1,
        "signature_id": 2100498,
        "rev": 7,
        "signature": "GPL ATTACK_RESPONSE id check returned root",
        "category": "Potentially Bad Traffic",
        "severity": 2,
        "metadata": {
          "confidence": [
            "Medium"
          ],
          "created_at": [
            "2010_09_23"
          ],
          "signature_severity": [
            "Informational"
          ],
          "updated_at": [
            "2019_07_26"
          ]
        }
      },
      "http": {
        "hostname": "testmynids.org",
        "url": "/uid/index.html",
        "http_user_agent": "curl/8.9.1",
        "http_content_type": "text/html",
        "http_method": "GET",
        "protocol": "HTTP/1.1",
        "status": 200,
        "length": 39
      },
      "files": [
        {
          "filename": "/uid/index.html",
          "gaps": false,
          "state": "CLOSED",
          "stored": false,
          "size": 39,
          "tx_id": 0
        }
      ],
      "app_proto": "http",
      "direction": "to_client",
      "flow": {
        "pkts_toserver": 3,
        "pkts_toclient": 3,
        "bytes_toserver": 255,
        "bytes_toclient": 702,
        "start": "2025-07-30T09:32:51.038937+0900",
        "src_ip": "192.168.11.83",
        "dest_ip": "143.204.80.46",
        "src_port": 56058,
        "dest_port": 80
      }
    }
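The rule edit at the start of this section can be done mechanically rather than by hand. The following is an added example, not part of the original page: it switches the action of one enabled rule, selected by exact sid, and leaves disabled (commented) rules and near-miss sids untouched. The sample rules are constructed stand-ins; only the msg, sid and rev of 2100498 come from the alert above, and set_action is a name chosen for this sketch.

```python
import re

# Constructed stand-ins for lines of suricata.rules. The match options of the
# real 2100498 rule are not shown on this page and are omitted here.
SAMPLE_RULES = (
    'alert ip any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; sid:2100498; rev:7;)\n'
    '# alert tcp any any -> any any (msg:"constructed disabled rule"; sid:2100499; rev:1;)\n'
    'alert tcp any any -> any any (msg:"constructed near-miss sid"; sid:21004980; rev:1;)\n'
    'alert icmp any any -> $HOME_NET any (msg:"ICMP Ping"; sid:1; rev:1;)\n'
)


def set_action(rules_text, sid, new_action="drop"):
    """Return (new_text, changed): the action of enabled rule `sid` replaced.

    `changed` is the number of lines rewritten; 0 means the sid was not found,
    is commented out, or already has the requested action.
    """
    # Match the sid option exactly: "sid:2100498;" but not "sid:21004980;".
    sid_opt = re.compile(r"[(;]\s*sid\s*:\s*%d\s*;" % int(sid))
    out, changed = [], 0
    for line in rules_text.splitlines(keepends=True):
        body = line.lstrip()
        action, sep, rest = body.partition(" ")
        skip = (
            body.startswith("#")         # disabled rule or comment
            or not sep                   # blank line or a single token
            or not sid_opt.search(rest)  # a different rule
            or action == new_action      # nothing to change
        )
        if skip:
            out.append(line)
            continue
        indent = line[:len(line) - len(body)]
        out.append(indent + new_action + sep + rest)
        changed += 1
    return "".join(out), changed


if __name__ == "__main__":
    new_text, n = set_action(SAMPLE_RULES, 2100498)
    print("rules changed:", n)
    print(new_text, end="")
```

After writing the result back, validate it with suricata -T and reload with the USR2 signal as shown earlier on this page.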