Created
November 3, 2025 19:43
-
-
Save williamzujkowski/d370286436bb31c998340c63afe8e501 to your computer and use it in GitHub Desktop.
Suricata Maintenance and Incident Response - Performance monitoring, rule tuning, and incident response workflows
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # Suricata Operational Maintenance and Incident Response Scripts | |
| # Purpose: Performance monitoring, rule tuning, maintenance, and incident response workflows | |
| # ============================================================================ | |
| # Rule Tuning | |
| # ============================================================================ | |
| # Disable noisy rules | |
| echo "1234567" | sudo tee -a /etc/suricata/disable.conf | |
| # Enable only specific rules | |
| echo "re:.*EXPLOIT.*" | sudo tee /etc/suricata/enable.conf | |
| # Update rules with modifications | |
| sudo suricata-update --disable-conf=/etc/suricata/disable.conf --enable-conf=/etc/suricata/enable.conf | |
| # ============================================================================ | |
| # Performance Monitoring | |
| # ============================================================================ | |
| # Check drops | |
| sudo suricatasc -c "iface-stat ens19f1" | |
| # View rule profiling | |
| sudo suricatasc -c "profiling rules dump" | |
| # Get memory stats | |
| sudo suricatasc -c "memcap-list" | |
| # ============================================================================ | |
| # Regular Maintenance Script - /usr/local/bin/suricata-maintenance.sh | |
| # ============================================================================ | |
| # Rotate logs | |
| sudo systemctl reload suricata | |
| # Update rules | |
| sudo suricata-update | |
| # Clean old logs (keep 30 days) | |
| find /var/log/suricata/ -name "*.json.*" -mtime +30 -delete | |
| # Restart if needed | |
| sudo systemctl status suricata | grep -q "running" || sudo systemctl restart suricata | |
| # ============================================================================ | |
| # Incident Response Workflow | |
| # ============================================================================ | |
| # Extract PCAP for specific flow | |
| sudo tshark -r /var/log/suricata/log.pcap -Y "ip.src==192.168.1.50 && ip.dst==203.0.113.42" -w incident-pcap.pcap | |
| # Analyze with tcpdump | |
| sudo tcpdump -r incident-pcap.pcap -A | |
| # Block malicious IP via firewall | |
| sudo iptables -A INPUT -s 203.0.113.42 -j DROP | |
| sudo iptables-save > /etc/iptables/rules.v4 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment