OracleLinux10.0 : SURICATA インストール

Contents

Suricata

Suricata

SURICATA IDS/IPSはネットワーク上の通信を監視し、不審なトラフィックを検知するオープンソースのIDSです。基本的な仕組みはシグネチャ型であるため、あらかじめ設定した不正な通信を検知できます。また、Suricataは検知だけでなく防御も行えることが特徴です。

1.事前準備

# dnf install dnf-plugins-core
# dnf copr enable @oisf/suricata-7.0

1 2	# dnf install dnf-plugins-core # dnf copr enable @oisf/suricata-7.0

2.Suricata のインストールと設定

①Suricata のインストール

# dnf -y install suricata

バージョンの確認
# suricata -V
This is Suricata version 7.0.11 RELEASE

# dnf -y install suricata

バージョンの確認

# suricata -V

This is Suricata version 7.0.11 RELEASE

②Suricataがネットワークパケットを検査するインターフェースとIPアドレスを決定

# ip --brief add
lo               UNKNOWN        127.0.0.1/8 ::1/128
ens160           UP             192.168.11.83/24

# ip --brief add

lo UNKNOWN 127.0.0.1/8 ::1/128

ens160 UP 192.168.11.83/24

③設定ファイルを編集

# vi /etc/suricata/suricata.yaml

# 18行目 : varsセクションで、ネットワークを定義する
HOME_NET: "[192.168.11.0/24]"
EXTRNAL_NET: "!$HOME_NET"
 
136行目　community-id: falseこの行をcommunity-id:trueに変更する
      community-id: true
      # Seed value for the ID output. Valid values are 0-65535.
      community-id-seed: 0
 
622行目 af-packetセクションのインターフェース名を設定
af-packet:
    - interface: ens160
 
SURICATAのサービスを再起動することなく、ルールの追加、削除、編集ができるようにする。
最終行に次を追加
detect-engine:
           - rule-reload: true

# vi /etc/suricata/suricata.yaml

# 18行目 : varsセクションで、ネットワークを定義する

HOME_NET: "[192.168.11.0/24]"

EXTRNAL_NET: "!$HOME_NET"

136行目　community-id: falseこの行をcommunity-id:trueに変更する

community-id: true

# Seed value for the ID output. Valid values are 0-65535.

community-id-seed: 0

622行目 af-packetセクションのインターフェース名を設定

af-packet:

- interface: ens160

SURICATAのサービスを再起動することなく、ルールの追加、削除、編集ができるようにする。

最終行に次を追加

detect-engine:

- rule-reload: true

※プロセスを再起動することなく、SURICATAプロセスにルールセットの再ロードをするには次のコマンドを実行する

# kill -usr2 $(pidof suricata)

1	# kill -usr2 $(pidof suricata)

# vi /etc/sysconfig/suricata

# 8行目 :インターフェイスを指定
# Add options to be passed to the daemon
OPTIONS="-i ens160 --user suricata "

# vi /etc/sysconfig/suricata

# 8行目 :インターフェイスを指定

# Add options to be passed to the daemon

OPTIONS="-i ens160 --user suricata "

④Suricataのルール更新

# suricata-update

----------------------------------------------
29/7/2025 -- 17:39:48 - <Info> -- Loaded 60201 rules.
29/7/2025 -- 17:39:48 - <Info> -- Disabled 13 rules.
29/7/2025 -- 17:39:48 - <Info> -- Enabled 0 rules.
29/7/2025 -- 17:39:48 - <Info> -- Modified 0 rules.
29/7/2025 -- 17:39:48 - <Info> -- Dropped 0 rules.
29/7/2025 -- 17:39:48 - <Info> -- Enabled 136 rules for flowbit dependencies.
29/7/2025 -- 17:39:48 - <Info> -- Creating directory /var/lib/suricata/rules.
29/7/2025 -- 17:39:48 - <Info> -- Backing up current rules.
29/7/2025 -- 17:39:48 - <Info> -- Writing rules to /var/lib/suricata/rules/suricata.rules: total: 60201; enabled: 44599; added: 60201; removed 0; modified: 0
29/7/2025 -- 17:39:48 - <Info> -- Writing /var/lib/suricata/rules/classification.config
29/7/2025 -- 17:39:48 - <Info> -- Testing with suricata -T.
29/7/2025 -- 17:39:52 - <Info> -- Done.

# suricata-update

----------------------------------------------

29/7/2025 -- 17:39:48 - <Info> -- Loaded 60201 rules.

29/7/2025 -- 17:39:48 - <Info> -- Disabled 13 rules.

29/7/2025 -- 17:39:48 - <Info> -- Enabled 0 rules.

29/7/2025 -- 17:39:48 - <Info> -- Modified 0 rules.

29/7/2025 -- 17:39:48 - <Info> -- Dropped 0 rules.

29/7/2025 -- 17:39:48 - <Info> -- Enabled 136 rules for flowbit dependencies.

29/7/2025 -- 17:39:48 - <Info> -- Creating directory /var/lib/suricata/rules.

29/7/2025 -- 17:39:48 - <Info> -- Backing up current rules.

29/7/2025 -- 17:39:48 - <Info> -- Writing rules to /var/lib/suricata/rules/suricata.rules: total: 60201; enabled: 44599; added: 60201; removed 0; modified: 0

29/7/2025 -- 17:39:48 - <Info> -- Writing /var/lib/suricata/rules/classification.config

29/7/2025 -- 17:39:48 - <Info> -- Testing with suricata -T.

29/7/2025 -- 17:39:52 - <Info> -- Done.

出力の最後に、読み込まれたルールの数が表示される
利用可能　enabled: 60201 追加　added: 44599;

⑤Suricataの起動

# systemctl enable --now suricata
Created symlink /etc/systemd/system/multiuser.target.wants/suricata.service → /usr/lib/systemd/system/suricata.service.

1 2	# systemctl enable --now suricata Created symlink /etc/systemd/system/multiuser.target.wants/suricata.service → /usr/lib/systemd/system/suricata.service.

⑥Suricataの起動確認

# systemctl status suricata
● suricata.service - Suricata Intrusion Detection Service
     Loaded: loaded (/usr/lib/systemd/system/suricata.service; enabled; preset: disabled)
     Active: active (running) since Tue 2025-07-29 17:41:13 JST; 10s ago
 Invocation: b5a3b29014c449988bf6608895838296
       Docs: man:suricata(1)
    Process: 62505 ExecStartPre=/bin/rm -f /var/run/suricata.pid (code=exited, status=0/SUCCESS)
   Main PID: 62506 (Suricata-Main)
      Tasks: 8 (limit: 21936)
     Memory: 920.8M (peak: 973.5M)
        CPU: 3.768s
     CGroup: /system.slice/suricata.service
             mq62506 /sbin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid -i ens160 --user suricata

Jul 29 17:41:13 Lepard systemd[1]: Starting suricata.service - Suricata Intrusion Detection Service...
Jul 29 17:41:13 Lepard systemd[1]: Started suricata.service - Suricata Intrusion Detection Service.
Jul 29 17:41:13 Lepard suricata[62506]: i: suricata: This is Suricata version 7.0.11 RELEASE running in SYSTEM mode
Jul 29 17:41:17 Lepard suricata[62506]: W: af-packet: ens160: AF_PACKET tpacket-v3 is recommended for non-inline operation
Jul 29 17:41:17 Lepard suricata[62506]: i: threads: Threads created -> W: 2 FM: 1 FR: 1   Engine started.

# systemctl status suricata

● suricata.service - Suricata Intrusion Detection Service

Loaded: loaded (/usr/lib/systemd/system/suricata.service; enabled; preset: disabled)

Active: active (running) since Tue 2025-07-29 17:41:13 JST; 10s ago

Invocation: b5a3b29014c449988bf6608895838296

Docs: man:suricata(1)

Process: 62505 ExecStartPre=/bin/rm -f /var/run/suricata.pid (code=exited, status=0/SUCCESS)

Main PID: 62506 (Suricata-Main)

Tasks: 8 (limit: 21936)

Memory: 920.8M (peak: 973.5M)

CPU: 3.768s

CGroup: /system.slice/suricata.service

mq62506 /sbin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid -i ens160 --user suricata

Jul 29 17:41:13 Lepard systemd[1]: Starting suricata.service - Suricata Intrusion Detection Service...

Jul 29 17:41:13 Lepard systemd[1]: Started suricata.service - Suricata Intrusion Detection Service.

Jul 29 17:41:13 Lepard suricata[62506]: i: suricata: This is Suricata version 7.0.11 RELEASE running in SYSTEM mode

Jul 29 17:41:17 Lepard suricata[62506]: W: af-packet: ens160: AF_PACKET tpacket-v3 is recommended for non-inline operation

Jul 29 17:41:17 Lepard suricata[62506]: i: threads: Threads created -> W: 2 FM: 1 FR: 1 Engine started.

ログを確認

# tail /var/log/suricata/suricata.log
[62506 - Suricata-Main] 2025-07-29 17:41:13 Info: logopenfile: fast output device (regular) initialized: fast.log
[62506 - Suricata-Main] 2025-07-29 17:41:13 Info: logopenfile: eve-log output device (regular) initialized: eve.json
[62506 - Suricata-Main] 2025-07-29 17:41:13 Info: logopenfile: stats output device (regular) initialized: stats.log
[62506 - Suricata-Main] 2025-07-29 17:41:14 Info: detect: 1 rule files processed. 44599 rules successfully loaded, 0 rules failed, 0
[62506 - Suricata-Main] 2025-07-29 17:41:14 Info: threshold-config: Threshold config parsed: 0 rule(s) found
[62506 - Suricata-Main] 2025-07-29 17:41:14 Info: detect: 44602 signatures processed. 947 are IP-only rules, 4378 are inspecting packet payload, 39055 inspect application layer, 109 are decoder event only
[62506 - Suricata-Main] 2025-07-29 17:41:17 Warning: af-packet: ens160: AF_PACKET tpacket-v3 is recommended for non-inline operation
[62506 - Suricata-Main] 2025-07-29 17:41:17 Info: runmodes: ens160: creating 2 threads
[62506 - Suricata-Main] 2025-07-29 17:41:17 Info: unix-manager: unix socket '/var/run/suricata/suricata-command.socket'
[62506 - Suricata-Main] 2025-07-29 17:41:17 Notice: threads: Threads created -> W: 2 FM: 1 FR: 1   Engine started.

# tail /var/log/suricata/suricata.log

[62506 - Suricata-Main] 2025-07-29 17:41:13 Info: logopenfile: fast output device (regular) initialized: fast.log

[62506 - Suricata-Main] 2025-07-29 17:41:13 Info: logopenfile: eve-log output device (regular) initialized: eve.json

[62506 - Suricata-Main] 2025-07-29 17:41:13 Info: logopenfile: stats output device (regular) initialized: stats.log

[62506 - Suricata-Main] 2025-07-29 17:41:14 Info: detect: 1 rule files processed. 44599 rules successfully loaded, 0 rules failed, 0

[62506 - Suricata-Main] 2025-07-29 17:41:14 Info: threshold-config: Threshold config parsed: 0 rule(s) found

[62506 - Suricata-Main] 2025-07-29 17:41:14 Info: detect: 44602 signatures processed. 947 are IP-only rules, 4378 are inspecting packet payload, 39055 inspect application layer, 109 are decoder event only

[62506 - Suricata-Main] 2025-07-29 17:41:17 Warning: af-packet: ens160: AF_PACKET tpacket-v3 is recommended for non-inline operation

[62506 - Suricata-Main] 2025-07-29 17:41:17 Info: runmodes: ens160: creating 2 threads

[62506 - Suricata-Main] 2025-07-29 17:41:17 Info: unix-manager: unix socket '/var/run/suricata/suricata-command.socket'

[62506 - Suricata-Main] 2025-07-29 17:41:17 Notice: threads: Threads created -> W: 2 FM: 1 FR: 1 Engine started.

統計情報を確認するには、stats.log ファイルを確認します(デフォルトで8秒ごとに更新)

# tail -f /var/log/suricata/stats.log

1	# tail -f /var/log/suricata/stats.log

より高度な出力であるEVE JSONは、以下のコマンドで生成することができる

# tail -f /var/log/suricata/eve.json

1	# tail -f /var/log/suricata/eve.json

3.Suricata のテスト

①curl ユーティリティで ping テストを実行

# curl http://testmynids.org/uid/index.html
uid=0(root) gid=0(root) groups=0(root)

1 2	# curl http://testmynids.org/uid/index.html uid=0(root) gid=0(root) groups=0(root)

②ログに記録されたかどうかを調べるため、アラートログを確認
curlリクエストに対応する/var/log/suricata/fast.logのログエントリを確認するには、grepコマンドを使用します。2100498ルール識別子を使用して、以下のコマンドを使用してそれに一致するエントリを検索します：

# grep 2100498 /var/log/suricata/fast.log
07/29/2025-17:43:44.184625  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 143.204.80.46:80 -> 192.168.11.83:60118

1 2	# grep 2100498 /var/log/suricata/fast.log 07/29/2025-17:43:44.184625 [] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 143.204.80.46:80 -> 192.168.11.83:60118

4.Suricata Rulesの設定

①Suricataにパッケージされているルールセットの表示

# ls -al /var/lib/suricata/rules/
total 37344
drwxr-s--- 2 root     suricata       57 Jul 29 17:39 .
drwxrws--- 4 suricata suricata       33 Jul 29 17:39 ..
-rw-r--r-- 1 root     suricata     3228 Jul 29 17:39 classification.config
-rw-r--r-- 1 root     suricata 38232389 Jul 29 17:39 suricata.rules

# ls -al /var/lib/suricata/rules/

total 37344

drwxr-s--- 2 root suricata 57 Jul 29 17:39 .

drwxrws--- 4 suricata suricata 33 Jul 29 17:39 ..

-rw-r--r-- 1 root suricata 3228 Jul 29 17:39 classification.config

-rw-r--r-- 1 root suricata 38232389 Jul 29 17:39 suricata.rules

②ルールセットを提供するソースのインデックス一覧

# suricata-update list-sources

Name: abuse.ch/feodotracker
  Vendor: Abuse.ch
  Summary: Abuse.ch Feodo Tracker Botnet C2 IP ruleset
  License: CC0-1.0
Name: abuse.ch/sslbl-blacklist
  Vendor: Abuse.ch
  Summary: Abuse.ch SSL Blacklist
  License: CC0-1.0
  Replaces: sslbl/ssl-fp-blacklist
Name: abuse.ch/sslbl-c2
  Vendor: Abuse.ch
  Summary: Abuse.ch Suricata Botnet C2 IP Ruleset
  License: CC0-1.0
Name: abuse.ch/sslbl-ja3
  Vendor: Abuse.ch
  Summary: Abuse.ch Suricata JA3 Fingerprint Ruleset
  License: CC0-1.0
  Replaces: sslbl/ja3-fingerprints
Name: abuse.ch/urlhaus
  Vendor: abuse.ch
  Summary: Abuse.ch URLhaus Suricata Rules
  License: CC0-1.0
Name: aleksibovellan/nmap
  Vendor: aleksibovellan
  Summary: Suricata IDS/IPS Detection Rules Against NMAP Scans
  License: MIT
Name: et/open
  Vendor: Proofpoint
  Summary: Emerging Threats Open Ruleset
  License: MIT
Name: et/pro
  Vendor: Proofpoint
  Summary: Emerging Threats Pro Ruleset
  License: Commercial
  Replaces: et/open
  Parameters: secret-code
  Subscription: https://www.proofpoint.com/us/threat-insight/et-pro-ruleset
Name: etnetera/aggressive
  Vendor: Etnetera a.s.
  Summary: Etnetera aggressive IP blacklist
  License: MIT
Name: oisf/trafficid
  Vendor: OISF
  Summary: Suricata Traffic ID ruleset
  License: MIT
Name: pawpatrules
  Vendor: pawpatrules
  Summary: PAW Patrules is a collection of rules for IDPS / NSM Suricata engine
  License: CC-BY-SA-4.0
Name: ptrules/open
  Vendor: Positive Technologies
  Summary: Positive Technologies Open Ruleset
  License: Custom
Name: scwx/enhanced
  Vendor: Secureworks
  Summary: Secureworks suricata-enhanced ruleset
  License: Commercial
  Parameters: secret-code
  Subscription: https://www.secureworks.com/contact/ (Please reference CTU Countermeasures)
Name: scwx/malware
  Vendor: Secureworks
  Summary: Secureworks suricata-malware ruleset
  License: Commercial
  Parameters: secret-code
  Subscription: https://www.secureworks.com/contact/ (Please reference CTU Countermeasures)
Name: scwx/security
  Vendor: Secureworks
  Summary: Secureworks suricata-security ruleset
  License: Commercial
  Parameters: secret-code
  Subscription: https://www.secureworks.com/contact/ (Please reference CTU Countermeasures)
Name: stamus/lateral
  Vendor: Stamus Networks
  Summary: Lateral movement rules
  License: GPL-3.0-only
Name: stamus/nrd-14-open
  Vendor: Stamus Networks
  Summary: Newly Registered Domains Open only - 14 day list, complete
  License: Commercial
  Parameters: secret-code
  Subscription: https://www.stamus-networks.com/stamus-labs/subscribe-to-threat-intel-feed
Name: stamus/nrd-30-open
  Vendor: Stamus Networks
  Summary: Newly Registered Domains Open only - 30 day list, complete
  License: Commercial
  Parameters: secret-code
  Subscription: https://www.stamus-networks.com/stamus-labs/subscribe-to-threat-intel-feed
Name: stamus/nrd-entropy-14-open
  Vendor: Stamus Networks
  Summary: Newly Registered Domains Open only - 14 day list, high entropy
  License: Commercial
  Parameters: secret-code
  Subscription: https://www.stamus-networks.com/stamus-labs/subscribe-to-threat-intel-feed
Name: stamus/nrd-entropy-30-open
  Vendor: Stamus Networks
  Summary: Newly Registered Domains Open only - 30 day list, high entropy
  License: Commercial
  Parameters: secret-code
  Subscription: https://www.stamus-networks.com/stamus-labs/subscribe-to-threat-intel-feed
Name: stamus/nrd-phishing-14-open
  Vendor: Stamus Networks
  Summary: Newly Registered Domains Open only - 14 day list, phishing
  License: Commercial
  Parameters: secret-code
  Subscription: https://www.stamus-networks.com/stamus-labs/subscribe-to-threat-intel-feed
Name: stamus/nrd-phishing-30-open
  Vendor: Stamus Networks
  Summary: Newly Registered Domains Open only - 30 day list, phishing
  License: Commercial
  Parameters: secret-code
  Subscription: https://www.stamus-networks.com/stamus-labs/subscribe-to-threat-intel-feed
Name: tgreen/hunting
  Vendor: tgreen
  Summary: Threat hunting rules
  License: GPLv3

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

# suricata-update list-sources

Name: abuse.ch/feodotracker

Vendor: Abuse.ch

Summary: Abuse.ch Feodo Tracker Botnet C2 IP ruleset

License: CC0-1.0

Name: abuse.ch/sslbl-blacklist

Vendor: Abuse.ch

Summary: Abuse.ch SSL Blacklist

License: CC0-1.0

Replaces: sslbl/ssl-fp-blacklist

Name: abuse.ch/sslbl-c2

Vendor: Abuse.ch

Summary: Abuse.ch Suricata Botnet C2 IP Ruleset

License: CC0-1.0

Name: abuse.ch/sslbl-ja3

Vendor: Abuse.ch

Summary: Abuse.ch Suricata JA3 Fingerprint Ruleset

License: CC0-1.0

Replaces: sslbl/ja3-fingerprints

Name: abuse.ch/urlhaus

Vendor: abuse.ch

Summary: Abuse.ch URLhaus Suricata Rules

License: CC0-1.0

Name: aleksibovellan/nmap

Vendor: aleksibovellan

Summary: Suricata IDS/IPS Detection Rules Against NMAP Scans

License: MIT

Name: et/open

Vendor: Proofpoint

Summary: Emerging Threats Open Ruleset

License: MIT

Name: et/pro

Vendor: Proofpoint

Summary: Emerging Threats Pro Ruleset

License: Commercial

Replaces: et/open

Parameters: secret-code

Subscription: https://www.proofpoint.com/us/threat-insight/et-pro-ruleset

Name: etnetera/aggressive

Vendor: Etnetera a.s.

Summary: Etnetera aggressive IP blacklist

License: MIT

Name: oisf/trafficid

Vendor: OISF

Summary: Suricata Traffic ID ruleset

License: MIT

Name: pawpatrules

Vendor: pawpatrules

Summary: PAW Patrules is a collection of rules for IDPS / NSM Suricata engine

License: CC-BY-SA-4.0

Name: ptrules/open

Vendor: Positive Technologies

Summary: Positive Technologies Open Ruleset

License: Custom

Name: scwx/enhanced

Vendor: Secureworks

Summary: Secureworks suricata-enhanced ruleset

License: Commercial

Parameters: secret-code

Subscription: https://www.secureworks.com/contact/ (Please reference CTU Countermeasures)

Name: scwx/malware

Vendor: Secureworks

Summary: Secureworks suricata-malware ruleset

License: Commercial

Parameters: secret-code

Subscription: https://www.secureworks.com/contact/ (Please reference CTU Countermeasures)

Name: scwx/security

Vendor: Secureworks

Summary: Secureworks suricata-security ruleset

License: Commercial

Parameters: secret-code

Subscription: https://www.secureworks.com/contact/ (Please reference CTU Countermeasures)

Name: stamus/lateral

Vendor: Stamus Networks

Summary: Lateral movement rules

License: GPL-3.0-only

Name: stamus/nrd-14-open

Vendor: Stamus Networks

Summary: Newly Registered Domains Open only - 14 day list, complete

License: Commercial

Parameters: secret-code