Using Suricata to monitor network traffic

Suricata is a network IDS similar to Zeek or Snort. Suricata actually supports Snort rules and some options from the Snort project.

In order to install on Ubuntu, you would run the following commands:

sudo add-apt-repository ppa:oisf/suricata-stable

sudo apt-get update

sudo apt-get install suricata

Now you have Suricata installed on your instance using the default configuration file. It is pretty good by default; however, you need rules in order for the software to actually do something. The recommended (and best) way to do this is:

suricata-update

Running this one command detects what version you are on and downloads the appropriate rules from Emerging Threats.

How to get Suricata working on CentOS: after you install Suricata using yum install suricata, you must make sure it is running on the correct interface.

You need to update /etc/sysconfig/suricata and replace -I eth0 with -I ens5.

That can be done with:

sed -i 's/eth0/ens5/g' /etc/sysconfig/suricata

After this you must restart Suricata.

You should have a successful Suricata instance now running on your network!

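The CentOS steps above (fix the capture interface in /etc/sysconfig/suricata, fetch rules, restart) as one script. This is an added example, not the original poster's code: it assumes the sysconfig file holds an `-i <iface>` (or `-I <iface>`) argument as in the post, that the service is managed by systemd, and that the main config lives at /etc/suricata/suricata.yaml; it rewrites only the interface name that follows `-i` rather than every "eth0" in the file, checks the interface exists first, and runs `suricata -T` before restarting.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed paths and option names
# are marked below.

# Return 0 if the named interface exists on this host (Linux sysfs).
iface_exists() {
    [ -e "/sys/class/net/$1" ]
}

# Print the interface currently set after -i / -I in a sysconfig-style file.
# Usage: get_capture_iface <file>
get_capture_iface() {
    sed -n -E 's/.*-[iI][[:space:]]+([A-Za-z0-9_.:-]+).*/\1/p' "$1" | head -n 1
}

# Rewrite the interface argument (-i <name>) to a new name.
# Only the name following -i/-I is touched, not every occurrence of the old
# name in the file.
# Usage: set_capture_iface <file> <new_iface>
set_capture_iface() {
    file=$1
    new_iface=$2
    sed -i -E "s/(-[iI][[:space:]]+)[A-Za-z0-9_.:-]+/\1${new_iface}/g" "$file"
}

# Full flow for a CentOS host: verify the interface, rewrite the sysconfig
# file, pull Emerging Threats rules, test the config, then restart.
# Usage: apply_config <iface>
apply_config() {
    iface=$1
    conf=/etc/sysconfig/suricata          # path from the post
    yaml=/etc/suricata/suricata.yaml      # assumed default config path

    if ! iface_exists "$iface"; then
        echo "interface '$iface' not found; check: ip -br link" >&2
        return 1
    fi

    set_capture_iface "$conf" "$iface"
    echo "capture interface now: $(get_capture_iface "$conf")"

    suricata-update                       # download rules (as in the post)
    suricata -T -c "$yaml" || return 1    # test the config before restarting
    systemctl restart suricata            # assumes a systemd service
    systemctl is-active suricata
}

# Run the whole flow only when explicitly asked, e.g.:
#   SURICATA_APPLY=1 sh ./suricata-iface.sh ens5
if [ "${SURICATA_APPLY:-}" = "1" ]; then
    apply_config "${1:-ens5}"
fi
```

Run it as root on the CentOS host; without SURICATA_APPLY=1 the functions are only defined, so the file can be sourced and the helpers reused.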

You need to make sure that you have some traffic to feed into Suricata. If you have a high bandwidth network, I recommend running Suricata on a switch that can do port mirroring, and then forward all of the traffic destined to your network's edge to the port where Suricata is plugged into.

You can also do mirroring with AWS

What size instance are you using and how much traffic are you capturing?

I would wonder what type of instance it would take to do this with AWS VPC flow logs.

Not using it now. I had it running in-line on a network that was 3 megabits, and eventually the network grew to 20 megs before it started to outrun the hardware. If you want it to actually block traffic and stuff, Suricata (or Snort, etc) can need a lot of resources.

This was in 2005 - 2007; the system I was running was 2 CPU and 8 GB of RAM. It kept up with ~20 megs sustained bandwidth, but just barely. I pulled it out when we went up to 50 megs.