This Vagrant file will spin up an Ubuntu 16.04 box (Bento) and install and configure the following software:
- Suricata (3.2.8 - Latest stable build at time of writing)
- Bro (Latest)
- Splunk (6.6.2 - Latest at time of writing)
- Install a provider (Virtualbox/VMWare/etc)
- Install Vagrant
$ git clone https://github.com/Centurion89/vagrant-ids.git
$ cd vagrant-ids
$ vagrant up --provider=[vmware_fusion/virtualbox/etc]
The suricata.yaml file that will be installed includes a few small changes, primarily:
- JSON logging (eve.json) is enabled and configured fairly verbosely
- The config assumes HOME_NET = 192.168.0.0/16
- The only rule file being imported is pulledpork.rules
Suricata is configured to startup using the sole "ens32" interface. Rules are stored in
After installation, Suricata will perform two curl commands to ensure that the detection engine and logging are functioning properly. However, please note that the vagrant build will continue even if the tests fail.
PulledPork is used to configure rule management and updates in Suricata. It is installed in /opt/pulledpork and is configured to pull down EmergingThreats rules. You can manually run PulledPork via
/opt/pulledpork/pulledpork.pl -c etc/pulledpork.conf -S suricata-3.0. Also consider adding that command to cron if you would like updates to run on a schedule automatically
Bro is cloned and installed into
/opt/bro. Similar to Suricata, it assumes all RFC1918 is part of private networks and uses "ens32" as the interface it monitors. JSON logging is enabled and it is configured to run in standalone mode.
Splunk will be installed with two indexes:
Access Splunk at https://vagrant:8000. The default credentials are
admin:changeme and can be changed via CLI or web interface.
By default, Splunk is configured to ingest
/var/log/suricata/eve.json and all ".log" files in
/opt/bro/logs/current/. To modify what logs are collected, edit
If you encounter any issues or would like to request any features, please feel free to submit a PR or create an issue.