Suricata is a free, open source, mature, fast and robust network threat detection engine. In this publication, we will show one of the many things you can do.
We will need a virtual machine with any operating system from which we will send a ping. We also need our Ubuntu Linux virtual machine, on which we will install and configure Suricata.
We update our Linux virtual machine with the following command.
$ sudo apt-get update
With the following command we will install Suricata.
$ sudo apt-get install suricata -y
We will create an empty rules file with the following command.
$ sudo touch /etc/suricata/rules/local.rules
Now we will edit the file suricata.yaml with the following command; you can use vim or nano, but in our case we will use gedit.
$ sudo gedit /etc/suricata/suricata.yaml
We will comment out all the rule files listed there so that only our rules file is loaded; a line is commented out by adding the # sign at the beginning of the line.
local.rules, the file we created earlier, stays uncommented.
Now we will set our local network, which we have configured in our virtual machine; in this case it is 192.168.100.0/24.
The next step is to edit our local.rules file.
$ sudo gedit /etc/suricata/rules/local.rules
This is the rule we have to write in our file local.rules (it alerts on any ICMP packet sent to 192.168.100.3, the machine running Suricata):
alert icmp any any -> 192.168.100.3 any (msg: "ICMP detected"; sid:100000001;)
If you do not have ethtool installed yet, you can do it with the following command.
$ sudo -s
# apt-get install ethtool
Now run the following command to disable GRO (generic receive offload) on the capture interface with ethtool.
$ sudo ethtool -K enp0s3 gro off
Then start Suricata in NIDS mode again using the command below.
$ sudo suricata -c /etc/suricata/suricata.yaml -i enp0s3
Now we ping from another virtual machine that is in the same network.
As a result, we have the log entries generated by the ping from the virtual machine infosecaddicts@hacker to the machine that has Suricata installed, infosecaddicts@infosecaddicts. To see that information in detail, we will follow the fast.log file with the following command.
$ sudo tail -f /var/log/suricata/fast.log
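To show what those fast.log entries contain and how they can be checked mechanically, here is an added example (not part of the original post and not Suricata's own code): a small Python parser for the fast.log line format that picks out the alerts raised by the rule above (sid 100000001) and counts them per source host. The log lines inside it are constructed samples that imitate the format Suricata writes; the function names are my own.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample fast.log lines (not real captured output), in the layout
# Suricata writes to /var/log/suricata/fast.log. For ICMP, Suricata places the
# ICMP type and code where the TCP/UDP ports would be (type 8 = echo request).
SAMPLE_FAST_LOG = """\
02/21/2020-10:12:33.118201  [**] [1:100000001:0] ICMP detected [**] [Classification: (null)] [Priority: 3] {ICMP} 192.168.100.5:8 -> 192.168.100.3:0
02/21/2020-10:12:34.120873  [**] [1:100000001:0] ICMP detected [**] [Classification: (null)] [Priority: 3] {ICMP} 192.168.100.5:8 -> 192.168.100.3:0
02/21/2020-10:12:35.221945  [**] [1:100000001:0] ICMP detected [**] [Classification: (null)] [Priority: 3] {ICMP} 192.168.100.7:8 -> 192.168.100.3:0
02/21/2020-10:12:36.001200  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.100.3:80 -> 192.168.100.5:51234
this line is not a valid fast.log entry
"""

# One regular expression for a whole fast.log line. The Classification field is
# optional so that lines without it are still accepted.
FAST_LOG_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>[^}]+)\}\s+"
    r"(?P<src>\S+):(?P<sport>\d+)\s+->\s+(?P<dst>\S+):(?P<dport>\d+)\s*$"
)


@dataclass
class Alert:
    timestamp: str
    gid: int
    sid: int
    rev: int
    msg: str
    classification: str
    priority: int
    proto: str
    src: str
    sport: int   # ICMP type when proto is ICMP
    dst: str
    dport: int   # ICMP code when proto is ICMP


def parse_line(line):
    """Parse one fast.log line into an Alert, or return None if it does not match."""
    m = FAST_LOG_RE.match(line)
    if not m:
        return None
    return Alert(
        timestamp=m["ts"],
        gid=int(m["gid"]),
        sid=int(m["sid"]),
        rev=int(m["rev"]),
        msg=m["msg"],
        classification=m["cls"] or "",
        priority=int(m["prio"]),
        proto=m["proto"],
        src=m["src"],
        sport=int(m["sport"]),
        dst=m["dst"],
        dport=int(m["dport"]),
    )


def parse_fast_log(text):
    """Parse all lines of a fast.log text, silently skipping malformed lines."""
    alerts = []
    for line in text.splitlines():
        alert = parse_line(line)
        if alert is not None:
            alerts.append(alert)
    return alerts


def alerts_for_sid(alerts, sid):
    """Keep only the alerts raised by a given rule (sid), e.g. our local ICMP rule."""
    return [a for a in alerts if a.sid == sid]


def count_sources(alerts):
    """Count alerts per source address, which shows who is pinging the sensor."""
    return Counter(a.src for a in alerts)


if __name__ == "__main__":
    # Stand-alone run over the constructed sample: prints the ICMP hits per source.
    icmp_hits = alerts_for_sid(parse_fast_log(SAMPLE_FAST_LOG), 100000001)
    for src, n in count_sources(icmp_hits).items():
        print(f"{src}: {n} ICMP alert(s)")
```

To run it against the real file, replace SAMPLE_FAST_LOG with the contents of /var/log/suricata/fast.log; the sid filter is what ties the output back to the single rule in local.rules, so alerts from any other rule set you later enable are kept apart.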
Suricata has much more functionality; we invite you to install it and run many more tests with this tool.