Skip to content

Initial Setup Suricata IPS

Jump to bottom
Peter Manev edited this page Feb 17, 2024 · 16 revisions

This page is obsolete and referring to old SELKS installation.

For latest SELKS documentation please visit the page here - https://github.com/StamusNetworks/SELKS/wiki/Docker#ips

An example for AF-PACKET Suricata IPS set up with SELKS.

Step 1

NOTE: On big multi core set ups the total number of threads combined for both interfaces should not be more than the (total number of cores - 4). Ideally less than that as there is also Elasticsearch that needs CPUs.

In /etc/suricata/selks6-addin.yaml :

af-packet:
 - interface: enp1s0f0
   threads: 4 # or a number that is below half the number of cores available
   defrag: no
   cluster-type: cluster_flow
   cluster-id: 98
   copy-mode: ips
   copy-iface: enp1s0f1
   tpacket-v3: no
   ring-size: 2048
   use-mmap: yes

 - interface: enp1s0f1
   threads: 4 # or a number that is below half the number of cores available
   cluster-id: 97
   defrag: no
   cluster-type: cluster_flow
   copy-mode: ips
   copy-iface: enp1s0f0
   tpacket-v3: no
   ring-size: 2048
   use-mmap: yes

also make sure in /etc/network/interfaces:

auto lo
iface lo inet loopback

allow-hotplug eno1
iface eno1 inet static  # Management interface
address 192.168.0.100
netmask 255.255.252.0
gateway 192.168.0.1
dns-nameservers 192.168.0.11 192.168.0.6

iface enp1s0f0 inet manual
     pre-up ifconfig $IFACE up
     post-down ifconfig $IFACE down
     post-up /etc/network/if-up.d/selks-idps-interface-tuneup_stamus

iface enp1s0f1 inet manual
     pre-up ifconfig $IFACE up
     post-down ifconfig $IFACE down
     post-up /etc/network/if-up.d/selks-idps-interface-tuneup_stamus

Step 2

From Scirius transform the rules you would like from alert to drop:

  1. Select a rule that you would like to transform into drop action
  2. Under Actions in the left hand side panel select Transform rule
  3. Select type Drop and a ruleset to be used.
  4. Click on Valid
  5. From the Suricata main tab in Scirius - select Ruleset actions on the left hand side panel
  6. Select Update (optional), Build, Push and Apply
Clone this wiki locally