@cyrex562
Created May 8, 2019 20:53
Install and configure Suricata with Filebeat integration
# Install and Configure Suricata
The first `apt` line is the build-dependency set for compiling Suricata from source; it is not required for the packaged build installed from the OISF PPA below, which pulls in its own runtime dependencies. `add-apt-repository` itself comes from `software-properties-common`.
```sh
apt -y install libpcre3 libpcre3-dev build-essential autoconf automake libtool libpcap-dev libnet1-dev libyaml-0-2 libyaml-dev zlib1g zlib1g-dev libmagic-dev libcap-ng-dev libjansson-dev pkg-config libnetfilter-queue-dev geoip-bin geoip-database geoipupdate apt-transport-https
```
```sh
add-apt-repository ppa:oisf/suricata-stable
apt-get update
apt install suricata -y
```
Get the list of interfaces to monitor (`ip -br link`).
Edit `/etc/suricata/suricata.yaml`:
* set `HOME_NET` (under `vars: address-groups:`) to the networks this sensor protects
* comment out the `af-packet:` section
* add the interfaces to the `pcap:` section

Caveat: on Linux builds `-i <dev>` selects AF_PACKET capture, so the `pcap:` list only takes effect when Suricata is started with `--pcap` (or `--pcap=<dev>` per interface). With `-i`, as in the unit file below, AF_PACKET runs with its per-interface defaults on each named device; commenting out the section only removes the tuning, not the capture method.
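The three edits above as they look in `suricata.yaml`, written here as an added example rather than the gist's own file. The interface names are the ones used in the unit file further down, the `HOME_NET` ranges are placeholders, and the `eve-log` output is included only because Filebeat reads it (it is enabled in the packaged default config).

```yaml
# suricata.yaml fragments (added example, not the gist's file). Replace the
# HOME_NET ranges with the networks this sensor actually protects.
vars:
  address-groups:
    HOME_NET: "[10.0.0.0/8,192.168.0.0/16,172.16.0.0/12]"
    EXTERNAL_NET: "!$HOME_NET"

# AF_PACKET section commented out, as the step above says. "-i <dev>" still
# selects AF_PACKET on Linux builds (with per-interface defaults); the pcap:
# list below is only used when Suricata is started with --pcap.
#af-packet:
#  - interface: ens3
#    cluster-id: 99
#    cluster-type: cluster_flow
#    defrag: yes

pcap:
  - interface: ens3
  - interface: ens4
  - interface: ens5
  - interface: ens6
  - interface: wg0
  - interface: wg1
  - interface: wg2

outputs:
  # Filebeat's suricata module tails this file; keep it a regular file, not a socket.
  - eve-log:
      enabled: yes
      filetype: regular
      filename: eve.json   # relative to default-log-dir, normally /var/log/suricata
      types:
        - alert
        - dns
        - flow
```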
Create/edit `/etc/systemd/system/suricata.service` (a unit in this directory takes precedence over the one the package installs under `/lib/systemd/system`). Because `-D` makes Suricata fork and the parent exit, the unit needs `Type=forking` so that systemd tracks the daemon through the pidfile instead of treating the parent's exit as the service stopping:
```systemd
[Unit]
Description=Suricata IDS
After=syslog.target network-online.target
Wants=network-online.target
[Service]
# -D daemonises: parent exits, child keeps running and writes the pidfile
Type=forking
Environment=CFG=/etc/suricata/suricata.yaml PID=/var/run/suricata.pid
PIDFile=/var/run/suricata.pid
# -i uses AF_PACKET on Linux builds; use --pcap to capture via the pcap: section of suricata.yaml
ExecStart=/usr/bin/suricata -D -i ens3 -i ens4 -i ens5 -i ens6 -i wg0 -i wg1 -i wg2 -c $CFG --pidfile $PID
# SIGUSR2 makes Suricata reload its ruleset without restarting
ExecReload=/bin/kill -USR2 $MAINPID
ExecStop=/bin/kill $MAINPID
[Install]
WantedBy=multi-user.target
```
```sh
systemctl daemon-reload
systemctl enable suricata
systemctl start suricata
```
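Before starting or restarting the service it is worth checking that every interface hard-coded in the unit actually exists, since Suricata exits at startup when a capture device cannot be opened and one renamed NIC or a WireGuard tunnel that is not up yet takes the whole IDS down. The pre-flight script below is an added example, not part of the gist; it assumes the unit path used above and reads interface names from `/sys/class/net` (overridable via `SYSNET` so the functions can be exercised against a fake tree).

```sh
#!/bin/sh
# Added example, not part of the gist: pre-flight check that every interface
# named with "-i" on the unit's ExecStart line exists on this host.
# Assumptions: the unit path below; SYSNET is overridable so the functions can
# be exercised against a fake directory tree instead of the real /sys.

UNIT=${UNIT:-/etc/systemd/system/suricata.service}
SYSNET=${SYSNET:-/sys/class/net}

# Print the names given as "-i <dev>" on the ExecStart line, space separated.
unit_interfaces() {
  grep '^ExecStart=' "$1" | tr ' ' '\n' |
    awk 'prev == "-i" { out = out (out == "" ? "" : " ") $0 } { prev = $0 } END { print out }'
}

# Print each name from the argument list that has no entry under $SYSNET, one per line.
missing_interfaces() {
  for dev in "$@"; do
    [ -e "$SYSNET/$dev" ] || printf '%s\n' "$dev"
  done
}

# Exit 0 when every interface in the unit exists, 1 (listing the missing ones) otherwise.
check_unit() {
  ifaces=$(unit_interfaces "$1")
  missing=$(missing_interfaces $ifaces)   # unquoted on purpose: split into words
  if [ -n "$missing" ]; then
    echo "missing interfaces:" $missing >&2
    return 1
  fi
  echo "all interfaces present: $ifaces"
}

# Run it for real with: RUN_CHECK=1 sh suricata-preflight.sh
if [ -n "${RUN_CHECK:-}" ]; then
  check_unit "$UNIT"
fi
```

A non-zero exit from `check_unit` is a reason not to run `systemctl start suricata` yet; wiring it into the unit as an `ExecStartPre=` gives the same protection automatically.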
Install suricata-update and enable extra sources on top of ET Open (`et/open`, enabled by default). `suricata-update` writes the merged ruleset to `/var/lib/suricata/rules/suricata.rules`; check that `default-rule-path` and `rule-files` in `suricata.yaml` point there, otherwise the engine keeps loading whatever the package shipped.
```sh
pip3 install suricata-update
suricata-update update-sources
suricata-update enable-source ptresearch/attackdetection
suricata-update enable-source oisf/trafficid
suricata-update enable-source sslbl/ssl-fp-blacklist
suricata-update
```
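For recurring updates, `suricata-update` test-loads the new ruleset with `suricata -T` before installing it (unless `--no-test` is given) and runs the command passed via `--reload-command` only when the output actually changed; with the unit above, `systemctl reload suricata` delivers the SIGUSR2 that triggers the live reload. The script below is an added example, not part of the gist: it wraps that call and adds a few checks on the merged rules file so that enabling a new source or a `disable.conf` entry can be verified. The rules path is suricata-update's default, and the sample rules inside `sample_rules` are constructed for the checks, not a real ruleset.

```sh
#!/bin/sh
# Added example, not part of the gist: update rules with validation + reload,
# and inspect what landed in the merged rules file.
# Assumed path: suricata-update's default output file.

RULES=${RULES:-/var/lib/suricata/rules/suricata.rules}

# Fetch and merge the enabled sources; suricata-update runs "suricata -T" on the
# result first and only executes the reload command if the rules file changed.
update_rules() {
  suricata-update --reload-command='systemctl reload suricata'
}

# Print "<enabled> <disabled>" rule counts; disabled rules are the commented-out ones.
rule_counts() {
  awk '/^#? *(alert|drop|pass|reject) / { if ($0 ~ /^#/) disabled++; else enabled++ }
       END { printf "%d %d\n", enabled + 0, disabled + 0 }' "$1"
}

# Classtype breakdown of the enabled rules, most common first ("count classtype").
classtype_summary() {
  grep -v '^#' "$1" | sed -n 's/.*classtype:\([^;]*\);.*/\1/p' |
    sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Report whether a sid is enabled, disabled (commented out) or absent from the file.
sid_state() {
  line=$(grep "sid:$2;" "$1" | head -n 1)
  case "$line" in
    '')  echo absent ;;
    \#*) echo disabled ;;
    *)   echo enabled ;;
  esac
}

# Constructed sample in Suricata rule syntax (not a real ruleset), for trying the checks.
sample_rules() {
  cat <<'EOF'
# Constructed sample rules
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXAMPLE SCAN inbound SSH probe"; flow:to_server; flags:S; classtype:attempted-recon; sid:9000001; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE MALWARE beacon"; flow:established,to_server; content:"/gate.php"; http_uri; classtype:trojan-activity; sid:9000002; rev:2;)
alert dns $HOME_NET any -> any any (msg:"EXAMPLE MALWARE DNS lookup"; dns.query; content:"bad.example"; classtype:trojan-activity; sid:9000003; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE NOISY policy rule"; classtype:policy-violation; sid:9000004; rev:1;)
EOF
}

# Real use: update_rules && rule_counts "$RULES" && classtype_summary "$RULES"
```

`sid_state "$RULES" <sid>` is the quick way to confirm that an entry added to `/etc/suricata/disable.conf` or `enable.conf` took effect after the next `suricata-update` run.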
Enable the Filebeat Suricata module, which tails Suricata's EVE JSON log (`/var/log/suricata/eve.json` by default):
`filebeat modules enable suricata`
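What the Filebeat module ships is the EVE JSON log, so the quickest end-to-end check before looking in Kibana is to confirm that Suricata is writing events, and alerts in particular, to that file. The helpers below are an added example, not part of the gist; they assume Suricata's default log path, and the lines produced by `sample_eve` are constructed in the EVE alert/flow/dns format, not real captured output.

```sh
#!/bin/sh
# Added example, not part of the gist: sanity checks on the EVE log that Filebeat ships.
# Assumed path: Suricata's default eve-log location.

EVE=${EVE:-/var/log/suricata/eve.json}

# Events per event_type, most frequent first ("count type"); proves logging works at all.
event_counts() {
  sed -n 's/.*"event_type": *"\([^"]*\)".*/\1/p' "$1" |
    sort | uniq -c | sort -rn | sed 's/^ *//'
}

# Alerts per signature, most frequent first ("count signature").
alert_summary() {
  grep '"event_type": *"alert"' "$1" |
    sed -n 's/.*"signature": *"\([^"]*\)".*/\1/p' |
    sort | uniq -c | sort -rn | sed 's/^ *//'
}

# Raw alert lines with severity 1 (the ones worth paging on).
severity1_alerts() {
  grep '"event_type": *"alert"' "$1" | grep '"severity": *1[,}]'
}

# Constructed EVE sample (not real traffic): two copies of a scan alert, one
# severity-1 alert, plus a flow and a dns event. RFC 5737 documentation addresses.
sample_eve() {
  cat <<'EOF'
{"timestamp":"2019-05-08T20:53:10.000000+0000","flow_id":101,"in_iface":"ens3","event_type":"alert","src_ip":"203.0.113.5","src_port":44312,"dest_ip":"10.0.0.12","dest_port":22,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":9000001,"rev":1,"signature":"EXAMPLE SCAN inbound SSH probe","category":"Attempted Information Leak","severity":2}}
{"timestamp":"2019-05-08T20:53:11.000000+0000","flow_id":102,"in_iface":"ens3","event_type":"flow","src_ip":"10.0.0.12","src_port":51022,"dest_ip":"198.51.100.20","dest_port":443,"proto":"TCP"}
{"timestamp":"2019-05-08T20:53:12.000000+0000","flow_id":103,"in_iface":"ens3","event_type":"alert","src_ip":"203.0.113.5","src_port":44313,"dest_ip":"10.0.0.12","dest_port":22,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":9000001,"rev":1,"signature":"EXAMPLE SCAN inbound SSH probe","category":"Attempted Information Leak","severity":2}}
{"timestamp":"2019-05-08T20:53:13.000000+0000","flow_id":104,"in_iface":"wg0","event_type":"dns","src_ip":"10.0.0.12","src_port":40000,"dest_ip":"10.0.0.1","dest_port":53,"proto":"UDP","dns":{"type":"query","rrname":"bad.example","rrtype":"A"}}
{"timestamp":"2019-05-08T20:53:14.000000+0000","flow_id":105,"in_iface":"wg0","event_type":"alert","src_ip":"10.0.0.12","src_port":40001,"dest_ip":"198.51.100.7","dest_port":80,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":9000002,"rev":2,"signature":"EXAMPLE MALWARE beacon","category":"A Network Trojan was detected","severity":1}}
EOF
}

# Real use: event_counts "$EVE"; alert_summary "$EVE"; severity1_alerts "$EVE"
```

A live sensor with ET Open loaded can be exercised with `curl http://testmyids.com` from a monitored host, which trips the "id check returned root" rule and should show up in `alert_summary` within seconds. After enabling the module, run `filebeat setup` once to load the ingest pipeline and dashboards, then restart Filebeat.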