Installing Suricata
Add the repository to your system
sudo add-apt-repository ppa:oisf/suricata-stable
sudo apt install suricata
If add-apt-repository did not refresh the package lists on your release, run sudo apt update before the install.

Configuring Suricata For The First Time

Enabling Community Flow ID
sudo nano /etc/suricata/suricata.yaml
Set community-id to true. The setting lives under the eve-log entry in the outputs: section and defaults to false; enabling it makes Suricata's flow IDs match those produced by Zeek and other tools that implement the Community ID scheme, so events from different sensors can be correlated on one key. Keep the line's indentation as it is:
community-id: true

Determining Which Network Interface(s) To Use
ip -p -j route show default
You should receive output like the following:
[ {
        "dst": "default",
        "gateway": "203.0.113.254",
        "dev": "eth0",
        "protocol": "static",
        "flags": [ ]
    } ]
Take note of the device name
Edit Suricata’s configuration
sudo nano /etc/suricata/suricata.yaml
Scroll through the file until you come to a line that reads af-packet: (around line 580 in the stock file; the exact position varies between versions). If you are using nano, you can jump to a line directly by pressing CTRL+_ and typing the line number. Below that line is the default interface that Suricata will inspect. Edit the interface line to match the device you noted, for example:
af-packet:
  - interface: eth0
Only the first entry under af-packet: needs to change; leave the trailing "- interface: default" entry alone. Suricata sees only the traffic that reaches this interface: on a single host that is the host's own traffic, while monitoring a whole segment requires an interface fed by a SPAN/mirror session or TAP.

Configuring Live Rule Reloading
Still in suricata.yaml, find the detect-engine: section and make sure it contains rule-reload: true (add the entry if it is missing):
detect-engine:
  - rule-reload: true

Reload Suricata Rulesets
With rule reloading enabled, sending SIGUSR2 to the running process reloads the rules without restarting Suricata:
sudo kill -USR2 $(pidof suricata)
If Suricata is not running, pidof prints nothing and kill reports a usage error; that is harmless. The same reload can be requested over the unix socket with sudo suricatasc -c ruleset-reload-rules.

Updating Suricata Rulesets
sudo suricata-update
This downloads the free Emerging Threats Open ruleset and writes the merged rules to /var/lib/suricata/rules/suricata.rules, the file the packaged suricata.yaml loads. After updating, reload (above) or restart so the new rules take effect.

Adding Ruleset Providers
sudo suricata-update list-sources
sudo suricata-update enable-source tgreen/hunting
sudo suricata-update
enable-source only records the choice; run suricata-update again so the newly enabled ruleset is actually downloaded and merged.

Validating Suricata's Configuration
Before (re)starting the service, run the engine in test mode so that a typo in suricata.yaml or a broken rule is caught here rather than as a failed service start:
sudo suricata -T -c /etc/suricata/suricata.yaml -v
A successful test ends with a message that the configuration provided was successfully loaded and exits with status 0; anything else should be fixed before continuing.

Running Suricata
sudo systemctl start suricata.service
sudo systemctl status suricata.service
To start it at boot as well, run sudo systemctl enable suricata.service. Startup messages and errors are written to /var/log/suricata/suricata.log.
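Putting the whole procedure together, here is an added example (written for this page, not taken from the notes above or from the Suricata project) that scripts it. The edit functions take a file path, so they can be exercised on a copy of the configuration before touching /etc/suricata/suricata.yaml; only the --apply path installs the package, edits the live file, fetches rules, runs the test mode and starts the service. The YAML excerpt inside write_sample_yaml is constructed for offline testing in the shape of the stock file (community-id under eve-log, an indented "- interface:" list under af-packet:); the --apply switch and the backup file name are the script's own conventions, not Suricata's.

```sh
#!/bin/sh
# Added example (not from the original notes): scripted version of the Suricata
# setup described above. Only apply_and_validate (run with --apply) touches the
# real system; everything else works on whatever file path it is given.

# Pull the default-route device out of the JSON that `ip -j route show default`
# prints (read from stdin so it can be tested without calling ip).
default_iface() {
  grep -o '"dev": *"[^"]*"' | head -n 1 | sed 's/.*"\([^"]*\)"$/\1/'
}

# Flip `community-id: false` to true, keeping its indentation
# (the setting sits under outputs -> eve-log in the stock file).
set_community_id() {
  sed 's/^\([[:space:]]*\)community-id: false/\1community-id: true/' "$1" > "$1.tmp" \
    && mv "$1.tmp" "$1"
}

# Rewrite only the first `- interface:` entry inside the top-level af-packet:
# block; the `- interface: default` fallback and the pcap: block's interface
# are left untouched, and a second run changes nothing.
set_afpacket_iface() {
  awk -v iface="$2" '
    /^af-packet:/ { in_af = 1; print; next }
    in_af && /^[^[:space:]#]/ { in_af = 0 }   # next top-level key ends the block
    in_af && !done && /^[[:space:]]*- interface:/ {
      sub(/interface:.*/, "interface: " iface); done = 1
    }
    { print }
  ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# $1 = path to a suricata.yaml, $2 = interface (defaults to the default-route device).
configure_suricata() {
  yaml=$1
  iface=${2:-$(ip -j route show default | default_iface)}
  [ -n "$iface" ] || { echo "could not determine a capture interface" >&2; return 1; }
  set_community_id "$yaml" && set_afpacket_iface "$yaml" "$iface"
}

# Constructed excerpt in the shape of the stock suricata.yaml, for offline testing.
write_sample_yaml() {
  cat > "$1" <<'EOF'
%YAML 1.1
---
outputs:
  - eve-log:
      enabled: yes
      filename: eve.json
      community-id: false
      community-id-seed: 0
af-packet:
  - interface: eth0
    cluster-id: 99
    cluster-type: cluster_flow
  - interface: default
pcap:
  - interface: eth0
detect-engine:
  - rule-reload: true
EOF
}

# The destructive path: install, edit the live config, fetch rules, test, start.
# Run as root: sudo ./setup-suricata.sh --apply [interface]
apply_and_validate() {
  add-apt-repository -y ppa:oisf/suricata-stable
  apt install -y suricata
  cp /etc/suricata/suricata.yaml /etc/suricata/suricata.yaml.bak   # keep a copy to diff/restore
  configure_suricata /etc/suricata/suricata.yaml "$1"
  suricata-update
  # Test mode catches a broken yaml or rule here instead of as a failed unit start.
  suricata -T -c /etc/suricata/suricata.yaml -v
  systemctl start suricata.service
  systemctl status suricata.service --no-pager
}

case "${1:-}" in
  --apply) apply_and_validate "${2:-}" ;;
esac
```

Because the test-mode run sits after the edits and before systemctl start, a mistake in the interface name or in a freshly enabled ruleset stops the script with a non-zero exit instead of leaving a service that silently fails to capture; the .bak copy makes it easy to diff what the script changed.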