Managing Suricata Rules & Sources - cfloquetprojects/homelab GitHub Wiki
Introduction
Suricata is an open-source intrusion detection system (IDS) which is developed and maintained by the Open Information Security Foundation (OISF), with the first beta version being released in 2009.
Suricata is often preferred by network security engineers for its multi-threaded design, and it leverages external rulesets (like those provided by Proofpoint's Emerging Threats platform) for improved alert accuracy and detection coverage.
Additionally, Suricata proved more effective at detection in a white paper released earlier this year, scaling to 10 Gbps network flows, albeit with the important caveat that it carries a slightly larger overhead than Snort.
It's important to remember that Suricata is not useless without these external rulesets: on its own it produces ample information (documented under the Output section of the Suricata docs) that is useful to anyone trying to understand their own network traffic.
Managing suricata-update as non-root user:
Before we get started with setting the permissions that allow Suricata to update and function, we should make sure that `suricata-update` is installed on the system with the following:
$ suricata-update -h
Now that we are sure `suricata-update` is installed, we need to create a new `suricata` group and assign it as the group owner of the following directories:
- /etc/suricata/
- /var/lib/suricata/rules
- /var/lib/suricata/update
$ sudo groupadd suricata
$ sudo chgrp -R suricata /etc/suricata
$ sudo chgrp -R suricata /var/lib/suricata/rules
$ sudo chgrp -R suricata /var/lib/suricata/update
Now that we have assigned the correct folders to our `suricata` group, we can apply read (for the config directory) and read/write (for the rules and update directories) permissions for that group using `chmod`:
$ sudo chmod -R g+r /etc/suricata/
$ sudo chmod -R g+rw /var/lib/suricata/rules
$ sudo chmod -R g+rw /var/lib/suricata/update
While Suricata requires escalated privileges during initial installation (and the capture daemon itself still needs root or packet-capture capabilities to sniff traffic), with these permissions in place we can run `suricata-update` as a non-root user who is a member of the `suricata` group, which is what we will use for the automated rule fetches we configure via `crontab` later on down the road.
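The whole procedure above (create the group, hand it the three directories, grant read and read/write access, and confirm the result), as an added example that is not part of this wiki page or of the Suricata project: a POSIX sh script that wraps the chgrp/chmod steps in functions, adds a `verify_suricata_perms` check that fails closed on an unknown group name, and optionally adds a user to the group. It assumes a Linux host with POSIX find/chmod/chgrp and the page's default paths; the `apply` argument, the optional USER argument, the script filename and the function names are this script's own conventions. It goes slightly beyond the page's commands by using `X` in chmod so that directories keep the group execute (traversal) bit: `g+r` alone on a directory lets the group list it but not open the files inside.

```shell
#!/bin/sh
# Added example (not from the wiki or the Suricata project): set up and
# verify the group-based permissions so that suricata-update can run as a
# non-root member of the "suricata" group. Assumes Linux with POSIX
# find/chmod/chgrp. Paths are the page's defaults; the "apply" argument
# and optional USER argument are conventions of this script only.
set -u

SURICATA_GROUP=suricata
ETC_DIR=/etc/suricata
RULES_DIR=/var/lib/suricata/rules
UPDATE_DIR=/var/lib/suricata/update

# no_hits FIND_ARGS...: succeed only if find prints nothing and exits
# cleanly. Capturing stderr makes an unknown group name fail closed
# instead of silently matching nothing.
no_hits() {
  out=$(find "$@" 2>&1) || return 1
  [ -z "$out" ]
}

# apply_suricata_perms GROUP ETC RULES UPDATE
# Same steps as the wiki's chgrp/chmod, but with "X" so directories get
# the group execute (traversal) bit without making regular files executable.
apply_suricata_perms() {
  group=$1; etc=$2; rules=$3; update=$4
  chgrp -R "$group" "$etc" "$rules" "$update" || return 1
  chmod -R g+rX "$etc" || return 1                 # config: group read only
  chmod -R g+rwX "$rules" "$update" || return 1    # rule output and cache: group read/write
}

# verify_suricata_perms GROUP ETC RULES UPDATE
# Returns 0 when every entry is group-owned by GROUP, every directory is
# group-traversable, the config tree is group-readable and the rules and
# update trees are group-writable; returns 1 otherwise.
verify_suricata_perms() {
  group=$1; etc=$2; rules=$3; update=$4
  no_hits "$etc" "$rules" "$update" ! -group "$group" || return 1
  no_hits "$etc" "$rules" "$update" -type d ! -perm -g+rx || return 1
  no_hits "$etc" ! -perm -g+r || return 1
  no_hits "$rules" "$update" ! -perm -g+rw || return 1
  return 0
}

# Usage on a real host (as root):  sh suricata-perms.sh apply [USER]
# Without "apply" the script only defines the functions above.
if [ "${1:-}" = "apply" ]; then
  if [ "$(id -u)" -ne 0 ]; then
    echo "run as root (via sudo) to apply permissions" >&2; exit 1
  fi
  getent group "$SURICATA_GROUP" >/dev/null || groupadd "$SURICATA_GROUP"
  apply_suricata_perms "$SURICATA_GROUP" "$ETC_DIR" "$RULES_DIR" "$UPDATE_DIR"
  if [ -n "${2:-}" ]; then
    usermod -aG "$SURICATA_GROUP" "$2"   # membership takes effect at next login
  fi
  if verify_suricata_perms "$SURICATA_GROUP" "$ETC_DIR" "$RULES_DIR" "$UPDATE_DIR"; then
    echo "permissions OK: suricata-update can run as a member of $SURICATA_GROUP"
  else
    echo "permission check FAILED; inspect with: find $ETC_DIR $RULES_DIR $UPDATE_DIR -ls" >&2
    exit 1
  fi
fi
```

Run `sudo sh suricata-perms.sh apply <user>` once, log out and back in so the new group membership is picked up, and `suricata-update` should then succeed as that user; rerun the script's `verify_suricata_perms` after any package upgrade, since package scripts may reset ownership on `/etc/suricata`.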