Tuesday, February 09, 2016

Install Oinkmaster For Suricata IDS / IPS / Network Security Monitoring Software

I'm using Suricata IDS / IPS / network security monitoring software and logging its alerts to syslog. Once the alerts are in syslog they can be processed later by Logstash, stored in Elasticsearch and viewed in Kibana. I'm using Ubuntu Linux Server 14.04 LTS for this setup, with Oinkmaster keeping the rule set up to date.

Simple guide :-

1) Install suricata and oinkmaster

apt-get update
apt-get install suricata oinkmaster

 * suricata disabled, please adjust the configuration to your needs
 * and then set RUN to 'yes' in /etc/default/suricata to enable it.

2) Download rules

2.1) Create the rules directory

mkdir /etc/suricata/rules

2.2) Point oinkmaster at the rule set

Edit /etc/oinkmaster.conf using vi or pico and add this line:

url = http://rules.emergingthreats.net/open/suricata/emerging.rules.tar.gz

This fetches the ET Open rule set over plain HTTP, which gives no integrity protection against a tampered download on the way in; if your oinkmaster and wget support it, use the https:// form of the same URL instead.

2.3) Save and run a test update

oinkmaster -C /etc/oinkmaster.conf -o /etc/suricata/rules

Then check that /etc/suricata/rules contains the downloaded .rules files together with classification.config and reference.config; oinkmaster prints a summary of added, removed and modified rules at the end of the run.


3) Create a cron job in /etc/cron.d so the rules are refreshed daily

pico /etc/cron.d/oinkmaster

Add this content. Files in /etc/cron.d use the system crontab format, so the user to run the job as must come before the command; without that field cron would try to run the job as a user named /usr/sbin/oinkmaster and nothing would update:

0 2 * * * root /usr/sbin/oinkmaster -C /etc/oinkmaster.conf -o /etc/suricata/rules

Note that oinkmaster only updates the files on disk. Suricata keeps using the rules it loaded at start until it is restarted or told to reload its rule set, so schedule that as well.


4) Edit /etc/suricata/suricata-debian.yaml

There are two separate syslog settings in this file. The first, under the top-level outputs: section, sends alerts (a line-based format similar to fast.log) to syslog. The second, under logging:, sends Suricata's own engine messages (startup, errors, rule-load warnings) to syslog. Both use facility local5 here, so a Logstash filter has to tell the two apart.

Alert output, in the outputs: section:

# Configure the type of alert (and other) logging you would like.

  # a line based alerts log similar to fast.log into syslog
  - syslog:
      enabled: yes
      # reported identity to syslog. If omitted the program name (usually
      # suricata) will be used.
      #identity: "suricata"
      facility: local5
      #level: Info ## possible levels: Emergency, Alert, Critical,
                   ## Error, Warning, Notice, Info, Debug

Engine log, in the logging: section (the syslog entry sits under its outputs: list):

logging:
  outputs:
  - syslog:
      enabled: yes
      facility: local5
      format: "[%i] <%d> -- "

Rule paths. rule-files: must list the .rules files from /etc/suricata/rules that you want loaded, one per line in the form "- filename.rules"; with the list empty Suricata starts with no signatures:

# Set the default rule path here to search for the files.
# if not set, it will look at the current working dir
default-rule-path: /etc/suricata/rules
rule-files:

classification-file: /etc/suricata/rules/classification.config
reference-config-file: /etc/suricata/rules/reference.config

Finally set RUN to 'yes' in /etc/default/suricata, as the package install reminded, and start the service with service suricata start.
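The cron line above runs oinkmaster and nothing else: a failed download, a half-written rules directory or a rule that Suricata refuses to parse would go unnoticed until someone reads the logs, and the engine would keep running the old rule set in any case. The wrapper below is an added example (not from this post or from the Suricata or Oinkmaster projects) that chains the steps a practitioner usually wants: run oinkmaster, sanity-check the output directory, validate the config with `suricata -T` against the new rules, and only then signal the engine to reload. The RULES_DIR, OINK_CONF and SURICATA_YAML variables and the oinkmaster-cron syslog tag are this example's own names, chosen to match the paths used in the post.

```shell
#!/bin/sh
# update-suricata-rules.sh: cron wrapper around the post's oinkmaster command.
# Added example, not part of the original post. The paths below are assumptions
# that match the post's layout; override them through the environment if needed.
set -u

RULES_DIR="${RULES_DIR:-/etc/suricata/rules}"
OINK_CONF="${OINK_CONF:-/etc/oinkmaster.conf}"
SURICATA_YAML="${SURICATA_YAML:-/etc/suricata/suricata-debian.yaml}"

# count_rules DIR: number of active (uncommented) signatures across DIR/*.rules.
# A signature line starts with an action keyword; "#"-disabled rules are skipped.
# Prints 0 (instead of failing) when the directory has no rule files.
count_rules() {
    cat "$1"/*.rules 2>/dev/null \
        | grep -E -c '^[[:space:]]*(alert|drop|pass|reject)[[:space:]]' || true
}

# rules_dir_ok DIR: succeeds only if DIR holds at least one active signature
# plus the classification.config and reference.config that the YAML points at.
rules_dir_ok() {
    [ -f "$1/classification.config" ] || return 1
    [ -f "$1/reference.config" ] || return 1
    [ "$(count_rules "$1")" -gt 0 ] || return 1
}

# cron_log LEVEL MESSAGE: report through syslog on the same facility as Suricata.
cron_log() { logger -p "local5.$1" -t oinkmaster-cron "$2"; }

# update_rules: fetch with oinkmaster, check the result, validate the Suricata
# config against the new rules, and only then ask the engine to reload.
update_rules() {
    before=$(count_rules "$RULES_DIR")
    if ! oinkmaster -C "$OINK_CONF" -o "$RULES_DIR" -q; then
        cron_log err "oinkmaster failed; previous rules left in place"
        return 1
    fi
    if ! rules_dir_ok "$RULES_DIR"; then
        cron_log err "$RULES_DIR is incomplete after update; not reloading"
        return 1
    fi
    # suricata -T parses the config and every listed rule file without starting
    # the engine, so a broken rule update is caught before it reaches production.
    if ! suricata -T -c "$SURICATA_YAML" >/dev/null 2>&1; then
        cron_log err "suricata -T rejected the updated rule set; not reloading"
        return 1
    fi
    after=$(count_rules "$RULES_DIR")
    cron_log info "rules updated: $before -> $after active signatures"
    # Suricata 2.0 and later reload the rule set live on SIGUSR2; older releases
    # (such as the 1.4 series) need a service restart instead.
    if pid=$(pidof suricata); then
        kill -USR2 "$pid"
    else
        cron_log warning "suricata is not running; new rules apply at next start"
    fi
}

# Run the update only when invoked as "update-suricata-rules.sh update", so the
# functions above can also be sourced and exercised without touching the system.
if [ "${1:-}" = "update" ]; then
    update_rules
fi
```

Install it as, for example, /usr/local/sbin/update-suricata-rules.sh and point the /etc/cron.d entry at it (`0 2 * * * root /usr/local/sbin/update-suricata-rules.sh update`) instead of calling oinkmaster directly. Because the engine is only signalled after `suricata -T` succeeds, a bad rule in an upstream release leaves the running sensor on its last known-good rule set and produces a local5.err line in syslog that the same Logstash pipeline can alert on.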


Further reading :-

https://web.nsrc.org/workshops/2015/pacnog17-ws/raw-attachment/wiki/Track2Agenda/ex-suricata-rules.htm

https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Rule_Management_with_Oinkmaster

Today Notes Blog About Linux Open Source Computer Internet