Created May 8, 2019 20:53
Install and configure suricata with filebeats integration
# Install and Configure Suricata

Install the build dependencies and supporting packages:

```sh
apt -y install libpcre3 libpcre3-dev build-essential autoconf automake libtool libpcap-dev libnet1-dev libyaml-0-2 libyaml-dev zlib1g zlib1g-dev libmagic-dev libcap-ng-dev libjansson-dev pkg-config libnetfilter-queue-dev geoip-bin geoip-database geoipupdate apt-transport-https
```

Install Suricata from the OISF stable PPA:

```sh
add-apt-repository ppa:oisf/suricata-stable
apt-get update
apt install suricata -y
```

Get the list of network interfaces Suricata should monitor; the same interfaces are passed to Suricata in the service file below.

Edit `/etc/suricata/suricata.yaml`:

* set `HOME_NET` to your local network ranges
* comment out the `af-packet` section
* add the monitored interfaces to the `pcap` section

Create/edit `/etc/systemd/system/suricata.service`:

```systemd
[Unit]
Description=Suricata IDS
After=syslog.target network-online.target

[Service]
Environment=CFG=/etc/suricata/suricata.yaml PID=/var/run/suricata.pid
PIDFile=/var/run/suricata.pid
# one -i per monitored interface; keep this list in sync with the pcap section of suricata.yaml
ExecStart=/usr/bin/suricata -D -i ens3 -i ens4 -i ens5 -i ens6 -i wg0 -i wg1 -i wg2 -c $CFG --pidfile $PID
# SIGUSR2 makes Suricata re-read its rule set without restarting
ExecReload=/bin/kill -USR2 $MAINPID
ExecStop=/bin/kill $MAINPID

[Install]
WantedBy=multi-user.target
```

Reload systemd, then enable and start the service:

```sh
systemctl daemon-reload
systemctl enable suricata
systemctl start suricata
```

Install `suricata-update`, enable additional rule sources and fetch the rules:

```sh
pip3 install suricata-update
suricata-update update-sources
suricata-update enable-source ptresearch/attackdetection
suricata-update enable-source oisf/trafficid
suricata-update enable-source sslbl/ssl-fp-blacklist
suricata-update
```

After the rules are downloaded, reload them with `systemctl reload suricata` (the unit's `ExecReload` sends SIGUSR2, which makes Suricata re-read its rule set).

Enable the Filebeat Suricata module, which reads Suricata's EVE JSON log and ships it to Elasticsearch:

```sh
filebeat modules enable suricata
```
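The Filebeat Suricata module ingests the EVE JSON log (by default `/var/log/suricata/eve.json`). As an added example that is not part of this gist, the Python script below reads EVE lines, keeps only alert events, tolerates a truncated line, and counts alerts per capture interface and signature, which is a quick way to confirm that every `-i` interface in the unit file is actually producing alerts before relying on the Kibana dashboards. The sample lines and signature ids are constructed, not real rules or captures.

```python
import json
from collections import Counter

# Constructed sample lines in Suricata EVE format (not from a real sensor). eve.json holds
# one JSON object per line; only "alert" events carry the "alert" sub-object.
SAMPLE_EVE = "\n".join([
    '{"timestamp":"2019-05-08T20:53:01+0000","event_type":"alert","in_iface":"ens3",'
    '"src_ip":"10.0.0.5","dest_ip":"10.0.0.9","proto":"TCP","alert":{"action":"allowed",'
    '"signature_id":1000001,"signature":"LOCAL sample rule A","category":"Test","severity":2}}',
    '{"timestamp":"2019-05-08T20:53:02+0000","event_type":"flow","in_iface":"ens3",'
    '"src_ip":"10.0.0.5","dest_ip":"10.0.0.9","proto":"TCP"}',
    '{"timestamp":"2019-05-08T20:53:03+0000","event_type":"alert","in_iface":"wg0",'
    '"src_ip":"10.8.0.2","dest_ip":"10.0.0.9","proto":"TCP","alert":{"action":"allowed",'
    '"signature_id":1000001,"signature":"LOCAL sample rule A","category":"Test","severity":2}}',
    '{"timestamp":"2019-05-08T20:53:04+0000","event_type":"alert","in_iface":"ens4",'
    '"src_ip":"192.0.2.10","dest_ip":"10.0.0.9","proto":"TCP","alert":{"action":"allowed",'
    '"signature_id":1000002,"signature":"LOCAL sample rule B","category":"Test","severity":1}}',
    '{"timestamp":"2019-05-08T20:53:05+0000","event_type":"alert","in_if',  # cut-off line
])

def parse_eve(lines):
    """Return (alert events, number of unparseable lines). A truncated final line is
    normal while Suricata is mid-write or the log is rotating, so it is skipped, not fatal."""
    alerts, bad = [], 0
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            bad += 1
            continue
        if event.get("event_type") == "alert" and isinstance(event.get("alert"), dict):
            alerts.append(event)
    return alerts, bad

def summarise(alerts):
    """Count alerts per (capture interface, signature id) and per severity (1 = highest)."""
    by_iface_sig = Counter((a.get("in_iface", "?"), a["alert"]["signature_id"]) for a in alerts)
    by_severity = Counter(a["alert"]["severity"] for a in alerts)
    return {"by_iface_sig": by_iface_sig, "by_severity": by_severity}

if __name__ == "__main__":
    alerts, bad = parse_eve(SAMPLE_EVE.splitlines())  # real use: open("/var/log/suricata/eve.json")
    report = summarise(alerts)
    print(f"{len(alerts)} alerts, {bad} skipped line(s)")
    for (iface, sid), n in sorted(report["by_iface_sig"].items()):
        print(f"  {iface:6} sid={sid} count={n}")
    print("  by severity:", dict(report["by_severity"]))
```

An interface that appears in the unit file but never shows up in the per-interface counts is worth checking in the `pcap` section of `suricata.yaml`.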