suricata (net/suricata) Updated: 15 hours ago
Open Source IDS / IPS / NSM engine
Suricata is a high performance Network IDS, IPS and Network Security Monitoring engine. It is open source and owned by a community-run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF and its supporting vendors.
Version: 8.0.4 License: BSD
GitHub
| Maintainers | Schamschula |
| Categories | net security |
| Homepage | https://suricata.io |
| Platforms | darwin |
| Variants | |
"suricata" depends on: lib (16), run (1), build (6)
Ports that depend on "suricata"
No ports
Port notes
To finish install
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Basic_Setup
1) Customize the config in ${prefix}/etc/suricata, in particular HOME_NET and host-os-policy.
You need to add extra rules, for example using oinkmaster:
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Rule_Management_with_Oinkmaster
ex: $ sudo -u oinkmaster ${prefix}/bin/oinkmaster.pl -o ${prefix}/etc/suricata/rules -C ${prefix}/etc/oinkmaster-suricata.conf
The corresponding oinkmaster config is in the examples directory and
has been copied to ${prefix}/etc if it did not already exist.
Note: ${prefix}/etc/suricata/rules is not writable by oinkmaster, see (4).
Or use suricata-update:
$ sudo ${prefix}/bin/suricata-update --suricata ${prefix}/bin/suricata --suricata-conf ${prefix}/etc/suricata/suricata.yaml --no-test --no-reload
2) Test your config with
# suricata -c ${prefix}/etc/suricata/suricata.yaml -T
3) Standard execution
# suricata -c ${prefix}/etc/suricata/suricata.yaml -i en1 -D
The launchd plist file is configured by default with this command line.
Alternatively, you can add an ipfw rule so that the engine sees packets diverted by ipfw. For example:
# ipfw add 100 divert 8000 ip from any to any
Remember to delete this rule if you are not using it: it redirects all traffic to this divert port
and will lock you out if nothing is listening on it.
The 8000 above must be the same number you pass to Suricata on the command line with the -d option:
# suricata -c ${prefix}/etc/suricata/suricata.yaml -i en1 -d 8000
Note: the privilege-dropping options are for now only supported with libcap-ng on Linux.
4) Scheduled task to update rules with oinkmaster: a default file has been created as
${prefix}/Library/LaunchDaemons/org.macports.oinkmaster-suricata.plist
Check that it fits your setup, then start it like this:
# chown -R oinkmaster ${prefix}/etc/suricata/rules
# install -d -o oinkmaster -m 755 ${prefix}/etc/suricata/backup
# ln -s ${prefix}/Library/LaunchDaemons/org.macports.oinkmaster-suricata.plist /Library/LaunchDaemons/
# launchctl load -w /Library/LaunchDaemons/org.macports.oinkmaster-suricata.plist
Test command with
# sudo -u oinkmaster ${prefix}/bin/oinkmaster.pl -o ${prefix}/etc/suricata/rules/ -b ${prefix}/etc/suricata/backup/ -C ${prefix}/etc/oinkmaster-suricata.conf
5) Check which alert types fire in use. For example:
$ sed ...
Then, if necessary, disable false-positive rules
(e.g. the SURICATA STREAM ones).
6) To rotate logs, an example config for the system newsyslog is included (weekly rotation):
${prefix}/share/examples/suricata/mp-suricata.conf
You can install it with
# cp ${prefix}/share/examples/suricata/mp-suricata.conf /private/etc/newsyslog.d/
And restart newsyslog:
# launchctl unload -w /System/Library/LaunchDaemons/com.apple.newsyslog.plist
# launchctl load -w /System/Library/LaunchDaemons/com.apple.newsyslog.plist
FIXME! recommendation to rotate/handle unified2 log files
A startup item has been generated that will aid in starting suricata with launchd. It is disabled by default. Execute the following command to start it, and to cause it to launch at startup:
sudo port load suricata
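Step 5 above leaves the alert-review command elided. As an added example that is not part of the port notes, the script below counts which signatures fire in a fast.log and drafts suricata-update disable.conf lines for a noisy family such as SURICATA STREAM; the fast.log lines and sids 9000001-9000003 are constructed samples, and the disable.conf path in the comment is an assumption.

```shell
#!/bin/sh
# Added example: summarise alert types in a Suricata fast.log and draft
# suricata-update disable.conf entries for a false-positive-prone family.

# Constructed sample fast.log lines; sids 9000001-9000003 are made up.
SAMPLE_FAST_LOG='01/20/2024-10:15:32.123456  [**] [1:9000001:2] SURICATA STREAM ESTABLISHED packet out of window [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 10.0.0.5:443 -> 192.168.1.10:51234
01/20/2024-10:15:33.000001  [**] [1:9000001:2] SURICATA STREAM ESTABLISHED packet out of window [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 10.0.0.5:443 -> 192.168.1.10:51234
01/20/2024-10:15:34.500000  [**] [1:9000002:1] SURICATA STREAM 3way handshake wrong seq wrong ack [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.1.10:51240 -> 10.0.0.5:443
01/20/2024-10:16:01.250000  [**] [1:9000003:3] EXAMPLE POLICY curl User-Agent Outbound [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.168.1.10:51250 -> 93.184.216.34:80
01/20/2024-10:16:02.750000  [**] [1:9000001:2] SURICATA STREAM ESTABLISHED packet out of window [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 10.0.0.5:443 -> 192.168.1.10:51234
01/20/2024-10:16:05.000000  [**] [1:9000003:3] EXAMPLE POLICY curl User-Agent Outbound [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.168.1.10:51251 -> 93.184.216.34:80'

# Extract "sid message" from each fast.log line read on stdin.
sid_and_msg() {
    sed -n 's/^.*\[\*\*\] \[[0-9][0-9]*:\([0-9][0-9]*\):[0-9][0-9]*\] \(.*\) \[\*\*\].*$/\1 \2/p'
}

# Print "count sid message", most frequent first. Reads fast.log on stdin.
alert_counts() {
    sid_and_msg | sort | uniq -c | sort -rn | sed 's/^[[:space:]]*//'
}

# Emit disable.conf lines (one sid per line, message kept as a comment)
# for every signature whose message matches the given pattern.
disable_conf_lines() {
    pattern=$1
    sid_and_msg | grep -- "$pattern" | sort -u \
        | awk '{ sid = $1; $1 = ""; sub(/^ /, ""); printf "%s # %s\n", sid, $0 }'
}

# Usage: review the counts first, then append the generated lines to the
# file passed to suricata-update --disable-conf (assumed to live at
# ${prefix}/etc/suricata/disable.conf) and re-run suricata-update.
printf '%s\n' "$SAMPLE_FAST_LOG" | alert_counts
printf '%s\n' "$SAMPLE_FAST_LOG" | disable_conf_lines 'SURICATA STREAM'
```

On a live sensor, replace the sample with `cat ${prefix}/var/log/suricata/fast.log | alert_counts` (path as configured in suricata.yaml).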