|
 |
4429907 |
In general, there are two steps that you need to take to get suricata
|
|
|
4429907 |
running on your system. This package ships with minimal rules. For it
|
|
|
4429907 |
to do its job, it must have better rules. Rules can be obtained from a
|
|
|
4429907 |
couple places. It knows how to use snort rules if you have those. But if
|
|
|
4429907 |
you don't, another place to get rules is the emerging threats web site.
|
|
|
4429907 |
To install, you might do something like:
|
|
|
a5bb759 |
|
|
|
a5bb759 |
wget http://rules.emergingthreats.net/open/suricata/emerging.rules.tar.gz
|
|
|
4429907 |
tar -xz -C /etc/suricata/rules/ --strip-components=1 -f emerging.rules.tar.gz
|
|
|
4429907 |
|
|
|
4429907 |
Then open /etc/suricata/suricata.yaml and scan down it for a setting named
|
|
|
4429907 |
'rule-files'. Enable or disable individual rules as you see fit.
|
|
|
4429907 |
|
|
|
4429907 |
The last general item to get started is to correct the network interface to
|
|
|
4429907 |
match your setup. Run the ifconfig command to see what interfaces are
|
|
|
4429907 |
available to your system. Then edit /etc/sysconfig/suricata file. The line
|
|
|
4429907 |
that says OPTIONS can be edited. It defaults to eth0, so replace that with
|
|
|
4429907 |
your choice for network interface.
|
|
|
a5bb759 |
|
|
|
a5bb759 |
|