Suricata Network IDS/IPs Cheat Sheet
Überblick
Suricata ist ein leistungsstarkes Netzwerk Intrusion Detection System (NIDS), Intrusion Prevention System (IPS) und Network Security Monitoring (NSM) Motor. Es bietet Echtzeit-Intrusionserkennung, Inline-Intrusionsvorbeugung, Netzwerksicherheitsüberwachung und Offline-Pcap-Verarbeitung. Suricata ist weit verbreitet in Unternehmensumgebungen zur Bedrohungserkennung, Netzwerküberwachung und Sicherheitsanalyse mit seiner vielseitigen Architektur und fortschrittlichen Erkennungsfunktionen.
ZEIT Note: Suricata erfordert eine korrekte Netzwerkpositionierung und Regelkonfiguration für eine effektive Bedrohungserkennung. Es sollte mit einem entsprechenden Netzzugang und regelmäßig aktualisierten Regelsätzen eingesetzt werden.
Installation
Installation des Paketmanagers
```bash
Ubuntu/Debian
sudo apt update sudo apt install suricata
CentOS/RHEL/Fedora
sudo dnf install epel-release sudo dnf install suricata
macOS with Homebrew
brew install suricata
Verify installation
suricata --version ```_
Quelle Installation
```bash
Install dependencies (Ubuntu/Debian)
sudo apt install libpcre3-dev libpcap-dev libnet1-dev libyaml-dev libjansson-dev libcap-ng-dev libmagic-dev libnetfilter-queue-dev libnetfilter-log-dev libnfnetlink-dev pkg-config
Install dependencies (CentOS/RHEL)
sudo dnf install pcre-devel libpcap-devel libnet-devel libyaml-devel jansson-devel libcap-ng-devel file-devel libnetfilter_queue-devel libnetfilter_log-devel libnfnetlink-devel
Download and compile Suricata
wget https://www.openinfosecfoundation.org/download/suricata-6.0.8.tar.gz tar -xzf suricata-6.0.8.tar.gz cd suricata-6.0.8
Configure with features
./configure --prefix=/usr/local --sysconfdir=/etc --localstatedir=/var \ --enable-nfqueue --enable-nflog --enable-unix-socket
Compile and install
make -j$(nproc) sudo make install
Create user and directories
sudo useradd -r -s /bin/false suricata sudo mkdir -p /var/log/suricata /var/lib/suricata /etc/suricata/rules sudo chown -R suricata:suricata /var/log/suricata /var/lib/suricata ```_
Docker Installation
```bash
Pull Suricata image
docker pull jasonish/suricata
Run Suricata in container
docker run --rm -it --net=host --cap-add=NET_ADMIN \ -v $(pwd)/suricata.yaml:/etc/suricata/suricata.yaml \ -v $(pwd)/logs:/var/log/suricata \ jasonish/suricata -i eth0
Create custom Dockerfile
cat > Dockerfile << 'EOF' FROM jasonish/suricata COPY custom-rules/ /etc/suricata/rules/ COPY suricata.yaml /etc/suricata/ ENTRYPOINT ["suricata"] EOF
docker build -t custom-suricata . ```_
Grundkonfiguration
Hauptkonfiguration (/etc/suricata/suricata.yaml)
```yaml
suricata.yaml - Main configuration file
Network interfaces
af-packet: - interface: eth0 cluster-id: 99 cluster-type: cluster_flow defrag: yes use-mmap: yes tpacket-v3: yes
Logging configuration
outputs: - fast: enabled: yes filename: fast.log append: yes
- eve-log: enabled: yes filetype: regular filename: eve.json types: - alert - http - dns - tls - files - smtp - ssh - flow
Rule configuration
default-rule-path: /etc/suricata/rules rule-files: - suricata.rules - emerging-threats.rules - local.rules
Detection engine
detect-engine: - profile: medium - custom-values: toclient-groups: 3 toserver-groups: 25
Threading
threading: set-cpu-affinity: no cpu-affinity: - management-cpu-set: cpu: [ 0 ] - receive-cpu-set: cpu: [ 0 ] - worker-cpu-set: cpu: [ "1-3" ] detect-thread-ratio: 1.0
Host OS policy
host-os-policy: windows: [0.0.0.0/0] bsd: [] bsd-right: [] old-linux: [] linux: [] old-solaris: [] solaris: [] hpux10: [] hpux11: [] irix: [] macos: [] vista: [] windows2k3: [] ```_
Regelverwaltung
```bash
Download Emerging Threats rules
sudo suricata-update
Update rules with specific sources
sudo suricata-update --reload-command="sudo systemctl reload suricata"
List available rule sources
suricata-update list-sources
Enable specific rule sources
sudo suricata-update enable-source et/open sudo suricata-update enable-source oisf/trafficid
Disable rules
echo "drop tcp any any -> any any (msg:\"Disabled rule\"; sid:1000001; rev:1;)"|\ sudo tee -a /etc/suricata/rules/disable.conf ```_
Basisnutzung
Laufende Suricata
```bash
Run in IDS mode on interface
sudo suricata -i eth0
Run with specific configuration
sudo suricata -c /etc/suricata/suricata.yaml -i eth0
Run in daemon mode
sudo suricata -c /etc/suricata/suricata.yaml -i eth0 -D
Process pcap file
suricata -r capture.pcap -c /etc/suricata/suricata.yaml
Run with specific log directory
sudo suricata -i eth0 -l /var/log/suricata/
Verbose mode
sudo suricata -i eth0 -v ```_
Service Management
```bash
Start Suricata service
sudo systemctl start suricata
Enable auto-start
sudo systemctl enable suricata
Check status
sudo systemctl status suricata
Restart service
sudo systemctl restart suricata
Reload rules without restart
sudo systemctl reload suricata
View logs
sudo journalctl -u suricata -f ```_
Regelprüfung
```bash
Test rule syntax
suricata -T -c /etc/suricata/suricata.yaml
Test specific rule file
suricata -T -S /etc/suricata/rules/local.rules
Validate configuration
sudo suricata --dump-config
Check rule statistics
sudo suricata --engine-analysis ```_
Artikel Entwicklung
Grundregel Syntax
```bash
Basic alert rule
alert tcp any any -> any 80 (msg:"HTTP traffic detected"; sid:1000001; rev:1;)
Drop rule (IPS mode)
drop tcp any any -> any 22 (msg:"SSH brute force attempt"; threshold:type both,track by_src,count 5,seconds 60; sid:1000002; rev:1;)
HTTP-specific rule
alert http any any -> any any (msg:"Suspicious user agent"; http.user_agent; content:"sqlmap"; sid:1000003; rev:1;)
DNS rule
| alert dns any any -> any any (msg:"DNS tunneling attempt"; dns.query; content:" | 00 | "; sid:1000004; rev:1;) |
TLS/SSL rule
alert tls any any -> any any (msg:"Self-signed certificate"; tls.cert_subject; content:"CN=localhost"; sid:1000005; rev:1;) ```_
Erweiterte Regelbeispiele
```bash
/etc/suricata/rules/local.rules
SQL injection detection
| alert http any any -> any any (msg:"SQL injection attempt"; http.uri; pcre:"/(\%27) | (\') | (--) | (\%23) | (#)/i"; reference:url,www.owasp.org; classtype:web-application-attack; sid:1000010; rev:1;) |
XSS detection
alert http any any -> any any (msg:"Cross-site scripting attempt"; http.uri; pcre:"/
Command injection
| alert http any any -> any any (msg:"Command injection attempt"; http.uri; pcre:"/(\ | | ; | & | \$( | `)/"; classtype:web-application-attack; sid:1000012; rev:1;) |
File upload detection
| alert http any any -> any any (msg:"Suspicious file upload"; http.header; content:"Content-Type | 3a 20 | multipart/form-data"; http.uri; pcre:"/.(php | asp | aspx | jsp | exe | bat | cmd)$/i"; sid:1000013; rev:1;) |
Cryptocurrency mining detection
alert http any any -> any any (msg:"Cryptocurrency mining script"; http.response_body; content:"CoinHive"; nocase; sid:1000014; rev:1;)
DNS over HTTPS detection
alert tls any any -> any 443 (msg:"DNS over HTTPS detected"; tls.sni; content:"cloudflare-dns.com"; sid:1000015; rev:1;)
Tor traffic detection
| alert tcp any any -> any any (msg:"Tor traffic detected"; flow:established; content:" | 16 03 | "; offset:0; depth:2; content:" | 01 | "; offset:5; depth:1; sid:1000016; rev:1;) |
Lateral movement detection
alert smb any any -> any any (msg:"SMB lateral movement"; smb.command; content:"SMB_COM_SESSION_SETUP_ANDX"; sid:1000017; rev:1;)
Data exfiltration detection
alert tcp any any -> any any (msg:"Large data transfer"; threshold:type both,track by_src,count 1,seconds 60; byte_test:4,>,1000000,0; sid:1000018; rev:1;)
Suspicious PowerShell activity
alert http any any -> any any (msg:"PowerShell download cradle"; http.uri; content:"powershell"; nocase; content:"downloadstring"; nocase; distance:0; sid:1000019; rev:1;) ```_
Kundenspezifische Regelsätze
```bash
/etc/suricata/rules/malware.rules
Malware communication patterns
alert tcp any any -> any any (msg:"Malware beacon pattern"; threshold:type both,track by_src,count 10,seconds 300; sid:2000001; rev:1;)
Known malware domains
alert dns any any -> any any (msg:"Malware domain query"; dns.query; content:"evil-domain.com"; nocase; sid:2000002; rev:1;)
Suspicious file downloads
| alert http any any -> any any (msg:"Suspicious executable download"; http.uri; pcre:"/.(exe | scr | bat | com | pif)$/i"; http.response_body; content:"MZ"; offset:0; depth:2; sid:2000003; rev:1;) |
C2 communication
| alert tcp any any -> any any (msg:"Potential C2 communication"; flow:established; content:" | 00 00 00 | "; offset:0; depth:3; sid:2000004; rev:1;) | ```_
IPS Mode Konfiguration
Netzfilter/IPTables Integration
```bash
Configure iptables for IPS mode
sudo iptables -I FORWARD -j NFQUEUE --queue-num 0
Configure for specific traffic
sudo iptables -I FORWARD -p tcp --dport 80 -j NFQUEUE --queue-num 0 sudo iptables -I FORWARD -p tcp --dport 443 -j NFQUEUE --queue-num 0
Save iptables rules
sudo iptables-save > /etc/iptables/rules.v4
Configure Suricata for IPS mode
cat >> /etc/suricata/suricata.yaml << 'EOF' nfq: mode: accept repeat-mark: 1 repeat-mask: 1 bypass-mark: 1 bypass-mask: 1 route-queue: 2 batchcount: 20 fail-open: yes EOF ```_
IPS-Regelkonfiguration
```bash
/etc/suricata/rules/ips.rules
Block known malicious IPs
drop tcp [192.168.1.100,10.0.0.50] any -> any any (msg:"Blocked malicious IP"; sid:3000001; rev:1;)
Block suspicious user agents
drop http any any -> any any (msg:"Blocked malicious user agent"; http.user_agent; content:"sqlmap"; nocase; sid:3000002; rev:1;)
Block file downloads
| drop http any any -> any any (msg:"Blocked executable download"; http.uri; pcre:"/.(exe | scr | bat)$/i"; sid:3000003; rev:1;) |
Rate limiting
drop tcp any any -> any 22 (msg:"SSH brute force blocked"; threshold:type both,track by_src,count 5,seconds 60; sid:3000004; rev:1;)
Block DNS tunneling
| drop dns any any -> any any (msg:"DNS tunneling blocked"; dns.query; content:" | 00 | "; sid:3000005; rev:1;) | ```_
Analyse der Ergebnisse
EVE JSON Analyse der Ergebnisse
```bash
View real-time alerts
tail -f /var/log/suricata/eve.json|jq 'select(.event_type=="alert")'
Extract HTTP events
cat /var/log/suricata/eve.json|jq 'select(.event_type=="http")'
Find high-severity alerts
cat /var/log/suricata/eve.json|jq 'select(.event_type=="alert" and .alert.severity``<=2)'
Analyze DNS queries
| cat /var/log/suricata/eve.json | jq 'select(.event_type=="dns") | .dns.rrname' | sort | uniq -c | sort -nr |
Extract TLS information
| cat /var/log/suricata/eve.json | jq 'select(.event_type=="tls") | \{timestamp: .timestamp, src_ip: .src_ip, dest_ip: .dest_ip, sni: .tls.sni\}' |
File transfer analysis
| cat /var/log/suricata/eve.json | jq 'select(.event_type=="fileinfo") | \{filename: .fileinfo.filename, size: .fileinfo.size, md5: .fileinfo.md5\}' | ```_
Schnelle Log-Analyse
```bash
View recent alerts
tail -f /var/log/suricata/fast.log
Count alerts by signature
| cat /var/log/suricata/fast.log | awk -F'\[' '\{print $2\}' | awk -F'\]' '\{print $1\}' | sort | uniq -c | sort -nr |
Find top source IPs
| cat /var/log/suricata/fast.log | awk '\{print $5\}' | awk -F':' '\{print $1\}' | sort | uniq -c | sort -nr | head -10 |
Find top destination IPs
| cat /var/log/suricata/fast.log | awk '\{print $7\}' | awk -F':' '\{print $1\}' | sort | uniq -c | sort -nr | head -10 |
Analyze by time
| cat /var/log/suricata/fast.log | awk '\{print $1, $2\}' | sort | uniq -c | ```_
Statistik und Performance
```bash
View Suricata statistics
sudo suricata-sc -c stats
Dump statistics to file
sudo suricata-sc -c dump-counters
Monitor performance
| watch -n 5 'sudo suricata-sc -c stats | grep -E "(packets | dropped | invalid)"' |
Check rule performance
sudo suricata --engine-analysis|grep -A 10 "Rule performance" ```_
Integration und Automatisierung
ELK Stack Integration
```bash
!/bin/bash
suricata-to-elasticsearch.sh
SURICATA_LOG="/var/log/suricata/eve.json" ELASTICSEARCH_URL="http://localhost:9200" INDEX_NAME="suricata-$(date +%Y.%m.%d)"
Send Suricata logs to Elasticsearch
tail -F "$SURICATA_LOG"|while read line; do # Add index metadata echo "\{\"index\":\{\"index\":\"$INDEX_NAME\",\"_type\":\"_doc\"\}\}" echo "$line" done|curl -s -H "Content-Type: application/x-ndjson" \ -X POST "$ELASTICSEARCH_URL/_bulk" \ --data-binary @- ```
Integration von Splunk
```bash
/opt/splunk/etc/apps/suricata/local/inputs.conf
[monitor:///var/log/suricata/eve.json] disabled = false sourcetype = suricata:json index = security
[monitor:///var/log/suricata/fast.log] disabled = false sourcetype = suricata:fast index = security ```_
SIEM Integrationsskript
```python
!/usr/bin/env python3
suricata-siem-integration.py
import json import time import requests from watchdog.observers import Observer from watchdog.events import FileSystemEventHandler
class SuricataLogHandler(FileSystemEventHandler): def init(self, siem_endpoint, api_key): self.siem_endpoint = siem_endpoint self.api_key = api_key self.last_position = 0
def on_modified(self, event):
if event.src_path.endswith('eve.json'):
self.process_eve_log(event.src_path)
def process_eve_log(self, log_path):
"""Process Suricata EVE JSON log"""
try:
with open(log_path, 'r') as f:
f.seek(self.last_position)
for line in f:
if line.strip():
try:
log_entry = json.loads(line.strip())
self.send_to_siem(log_entry)
except json.JSONDecodeError:
continue
self.last_position = f.tell()
except Exception as e:
print(f"Error processing log: \\\{e\\\}")
def send_to_siem(self, log_entry):
"""Send log entry to SIEM"""
# Enrich log entry
enriched_entry = \\\{
'source': 'suricata',
'timestamp': log_entry.get('timestamp'),
'event_type': log_entry.get('event_type'),
'severity': self.calculate_severity(log_entry),
'raw_log': log_entry
\\\}
try:
response = requests.post(
self.siem_endpoint,
json=enriched_entry,
headers=\\\{
'Content-Type': 'application/json',
'Authorization': f'Bearer \\\{self.api_key\\\}'
\\\},
timeout=5
)
response.raise_for_status()
except requests.RequestException as e:
print(f"Error sending to SIEM: \\\{e\\\}")
def calculate_severity(self, log_entry):
"""Calculate severity based on event type and content"""
if log_entry.get('event_type') == 'alert':
alert_severity = log_entry.get('alert', \\\{\\\}).get('severity', 3)
if alert_severity <= 1:
return 'HIGH'
elif alert_severity <= 2:
return 'MEDIUM'
else:
return 'LOW'
return 'INFO'
def main(): log_directory = "/var/log/suricata" siem_endpoint = "https://your-siem.com/api/events" api_key = "your-api-key"
event_handler = SuricataLogHandler(siem_endpoint, api_key)
observer = Observer()
observer.schedule(event_handler, log_directory, recursive=False)
observer.start()
print(f"Monitoring Suricata logs in \\\{log_directory\\\}")
try:
while True:
time.sleep(1)
except KeyboardInterrupt:
observer.stop()
observer.join()
if name == "main": main() ```_
Automatisiertes Antwortsystem
```bash
!/bin/bash
suricata-auto-response.sh
SURICATA_LOG="/var/log/suricata/eve.json" BLOCKED_IPS_FILE="/tmp/suricata_blocked_ips.txt" ALERT_THRESHOLD=5
Function to block IP address
block_ip() \{ local ip="$1" local reason="$2"
echo "$(date): Blocking IP $ip - $reason" >``> /var/log/suricata-response.log
# Add to iptables
sudo iptables -I INPUT -s "$ip" -j DROP
# Add to blocked IPs file
echo "$ip" >> "$BLOCKED_IPS_FILE"
# Send notification
echo "ALERT: Blocked IP $ip due to $reason"|\
mail -s "Suricata Auto-Response" admin@example.com
\}
Function to analyze alerts
analyze_alerts() \{ local src_ip="$1" local alert_count=$(grep "\"src_ip\":\"$src_ip\"" "$SURICATA_LOG"|\ grep "\"event_type\":\"alert\""|\ tail -n 100|wc -l)
if [ "$alert_count" -ge "$ALERT_THRESHOLD" ]; then
if ! grep -q "$src_ip" "$BLOCKED_IPS_FILE" 2>/dev/null; then
block_ip "$src_ip" "Multiple alerts ($alert_count)"
fi
fi
\}
Monitor Suricata logs
tail -F "$SURICATA_LOG"|while read line; do # Extract alert events if echo "$line"|jq -e '.event_type == "alert"' >/dev/null 2>&1; then src_ip=$(echo "$line"|jq -r '.src_ip') severity=$(echo "$line"|jq -r '.alert.severity')
# Immediate block for high severity
if [ "$severity" -eq 1 ]; then
if ! grep -q "$src_ip" "$BLOCKED_IPS_FILE" 2>/dev/null; then
block_ip "$src_ip" "High severity alert"
fi
else
# Analyze for repeated alerts
analyze_alerts "$src_ip"
fi
fi
done ```_
Leistung Tuning
Multi-Threading Konfiguration
```yaml
suricata.yaml - Threading optimization
threading: set-cpu-affinity: yes cpu-affinity: - management-cpu-set: cpu: [ 0 ] - receive-cpu-set: cpu: [ 1, 2 ] - worker-cpu-set: cpu: [ 3, 4, 5, 6 ] - verdict-cpu-set: cpu: [ 7 ] detect-thread-ratio: 1.5
Worker threads
runmode: workers ```_
Speicheroptimierung
```yaml
Memory settings
stream: memcap: 64mb checksum-validation: yes inline: auto reassembly: memcap: 256mb depth: 1mb toserver-chunk-size: 2560 toclient-chunk-size: 2560
Flow settings
flow: memcap: 128mb hash-size: 65536 prealloc: 10000 emergency-recovery: 30 ```_
Netzwerkschnittstellenoptimierung
```bash
Optimize network interface
sudo ethtool -G eth0 rx 4096 tx 4096 sudo ethtool -K eth0 gro off lro off tso off gso off sudo ethtool -A eth0 rx off tx off
Set interrupt affinity
echo 2|sudo tee /proc/irq/24/smp_affinity echo 4|sudo tee /proc/irq/25/smp_affinity
Increase buffer sizes
echo 'net.core.rmem_max = 134217728' >> /etc/sysctl.conf echo 'net.core.wmem_max = 134217728' >> /etc/sysctl.conf echo 'net.core.netdev_max_backlog = 5000' >> /etc/sysctl.conf sysctl -p ```_
Überwachung und Wartung
Gesundheitsüberwachung Script
```python
!/usr/bin/env python3
suricata-health-monitor.py
import subprocess import json import time from datetime import datetime, timedelta
class SuricataHealthMonitor: def init(self): self.log_file = "/var/log/suricata/eve.json" self.stats_file = "/var/log/suricata/stats.log"
def check_process_status(self):
"""Check if Suricata process is running"""
try:
result = subprocess.run(['pgrep', 'suricata'],
capture_output=True, text=True)
return len(result.stdout.strip()) > 0
except Exception:
return False
def check_log_freshness(self):
"""Check if logs are being generated"""
try:
import os
if not os.path.exists(self.log_file):
return False, "Log file not found"
mtime = datetime.fromtimestamp(os.path.getmtime(self.log_file))
if datetime.now() - mtime > timedelta(minutes=5):
return False, "Logs appear stale"
return True, "Logs are fresh"
except Exception as e:
return False, f"Error checking logs: \\{e\\}"
def check_packet_drops(self):
"""Check for packet drops"""
try:
result = subprocess.run(['suricata-sc', '-c', 'dump-counters'],
capture_output=True, text=True)
# Parse counters (simplified)
if 'decoder.pkts' in result.stdout and 'capture.kernel_drops' in result.stdout:
return True, "Packet statistics available"
return False, "Unable to get packet statistics"
except Exception as e:
return False, f"Error checking packet drops: \\{e\\}"
def get_alert_rate(self):
"""Calculate recent alert rate"""
try:
# Count alerts in last hour
one_hour_ago = datetime.now() - timedelta(hours=1)
alert_count = 0
with open(self.log_file, 'r') as f:
for line in f:
try:
log_entry = json.loads(line.strip())
if log_entry.get('event_type') == 'alert':
log_time = datetime.fromisoformat(
log_entry['timestamp'].replace('Z', '+00:00')
)
if log_time > one_hour_ago:
alert_count += 1
except (json.JSONDecodeError, KeyError, ValueError):
continue
return alert_count
except Exception:
return 0
def run_health_check(self):
"""Run comprehensive health check"""
print(f"Suricata Health Check - \\{datetime.now()\\}")
print("=" * 50)
# Process status
if self.check_process_status():
print("✓ Suricata process is running")
else:
print("✗ Suricata process is not running")
# Log freshness
log_status, log_message = self.check_log_freshness()
if log_status:
print(f"✓ \\{log_message\\}")
else:
print(f"✗ \\{log_message\\}")
# Packet drops
drop_status, drop_message = self.check_packet_drops()
if drop_status:
print(f"✓ \\{drop_message\\}")
else:
print(f"✗ \\{drop_message\\}")
# Alert rate
alert_rate = self.get_alert_rate()
print(f"ℹ Alert rate: \\{alert_rate\\} alerts/hour")
print()
def main(): monitor = SuricataHealthMonitor()
while True:
try:
monitor.run_health_check()
time.sleep(300) # Check every 5 minutes
except KeyboardInterrupt:
print("Monitoring stopped")
break
except Exception as e:
print(f"Monitoring error: \\{e\\}")
time.sleep(60)
if name == "main": main() ```_
Regel Management Skript
```bash
!/bin/bash
suricata-rule-management.sh
RULE_DIR="/etc/suricata/rules" BACKUP_DIR="/var/backups/suricata-rules" CONFIG_FILE="/etc/suricata/suricata.yaml"
Function to backup current rules
backup_rules() \{ local backup_name="rules-backup-$(date +%Y%m%d_%H%M%S)" mkdir -p "$BACKUP_DIR" tar -czf "$BACKUP_DIR/$backup_name.tar.gz" -C "$RULE_DIR" . echo "Rules backed up to $BACKUP_DIR/$backup_name.tar.gz" \}
Function to update rules
update_rules() \{ echo "Updating Suricata rules..."
# Backup current rules
backup_rules
# Update rules
sudo suricata-update --reload-command="sudo systemctl reload suricata"
# Test configuration
if suricata -T -c "$CONFIG_FILE"; then
echo "Rule update successful"
sudo systemctl reload suricata
else
echo "Rule update failed - configuration test failed"
return 1
fi
\}
Function to add custom rule
add_custom_rule() \{ local rule="$1" local rule_file="$RULE_DIR/local.rules"
echo "Adding custom rule: $rule"
echo "$rule" >> "$rule_file"
# Test configuration
if suricata -T -c "$CONFIG_FILE"; then
echo "Custom rule added successfully"
sudo systemctl reload suricata
else
echo "Custom rule failed - removing"
sed -i '$d' "$rule_file"
return 1
fi
\}
Function to disable rule
disable_rule() \{ local sid="$1" local disable_file="$RULE_DIR/disable.conf"
echo "$sid" >> "$disable_file"
echo "Rule $sid disabled"
sudo systemctl reload suricata
\}
Main script
case "$1" in update) update_rules ;; backup) backup_rules ;; add) if [ -z "$2" ]; then echo "Usage: $0 add \"rule_text\"" exit 1 fi add_custom_rule "$2" ;; disable) if [ -z "$2" ]; then echo "Usage: $0 disable SID" exit 1 fi disable_rule "$2" ;; *) | echo "Usage: $0 \{update | backup | add | disable\}" | echo " update - Update rules from sources" echo " backup - Backup current rules" echo " add \"rule\" - Add custom rule" echo " disable SID - Disable rule by SID" exit 1 ;; esac ```_
Best Practices
Sicherheitskonfiguration
```yaml
Security hardening
app-layer: protocols: tls: detection-ports: dp: 443 ja3-fingerprints: yes http: libhtp: default-config: personality: IDS request-body-limit: 100kb response-body-limit: 100kb request-body-minimal-inspect-size: 32kb request-body-inspect-window: 4kb response-body-minimal-inspect-size: 40kb response-body-inspect-window: 16kb http-body-inline: auto swf-decompression: enabled: yes type: both compress-depth: 0 decompress-depth: 0 ```_
Rotation
```bash
/etc/logrotate.d/suricata
/var/log/suricata/.log /var/log/suricata/.json \{
daily
missingok
rotate 30
compress
delaycompress
sharedscripts
postrotate
| /bin/kill -HUP cat /var/run/suricata.pid 2> /dev/null 2> /dev/null | | true |
endscript
\}
```_
Leistungsüberwachung
```bash
!/bin/bash
suricata-performance-monitor.sh
Monitor key performance metrics
watch -n 5 ' echo "=== Suricata Performance Monitor ===" echo "Process Status:" | ps aux | grep suricata | grep -v grep |
echo -e "\nMemory Usage:" | cat /proc/$(pgrep suricata)/status | grep -E "VmRSS | VmSize" |
echo -e "\nPacket Statistics:" | sudo suricata-sc -c dump-counters | grep -E "decoder.pkts | capture.kernel_drops | detect.alert" |
echo -e "\nCPU Usage:" top -p $(pgrep suricata) -n 1 -b|tail -n 1 ' ```_
Fehlerbehebung
Gemeinsame Themen
```bash
Issue: High packet drops
Check interface buffer sizes
cat /proc/net/dev ethtool -S eth0|grep drop
Increase buffer sizes
sudo ethtool -G eth0 rx 4096
Issue: High memory usage
Check memory configuration
grep -E "memcap|prealloc" /etc/suricata/suricata.yaml
Monitor memory usage
cat /proc/$(pgrep suricata)/status|grep Vm
Issue: Rules not loading
Test rule syntax
suricata -T -c /etc/suricata/suricata.yaml
Check rule file permissions
ls -la /etc/suricata/rules/
Issue: No alerts generated
Check rule configuration
grep -E "rule-files|default-rule-path" /etc/suricata/suricata.yaml
Test with known bad traffic
curl -A "sqlmap" http://example.com ```_
Debug Mode
```bash
Enable debug logging
sudo suricata -c /etc/suricata/suricata.yaml -i eth0 -vvv
Check specific component
sudo suricata -c /etc/suricata/suricata.yaml -i eth0 --set logging.outputs.1.console.level=debug
Analyze engine performance
sudo suricata --engine-analysis
Dump configuration
sudo suricata --dump-config ```_
Ressourcen
- Amtsdokumentation Suricata
- [Suricata GitHub Repository](__LINK_5___
- [Emerging Threats Rules](_LINK_5__
- [Suricata Community](_LINK_5___
- [OISF Training](_LINK_5___
--
*Dieses Betrugsblatt bietet umfassende Anleitung für die Bereitstellung und Verwaltung von Suricata zur Netzwerkintrusionserkennung und -prävention. Regelaktualisierungen und richtige Abstimmung sind für eine effektive Bedrohungserkennung unerlässlich. *