This repository has been archived by the owner on Apr 16, 2021. It is now read-only.

Suricata

doug edited this page Aug 27, 2019 · 11 revisions

Please note! This wiki is no longer maintained. Our documentation has moved to https://securityonion.net/docs/. Please update your bookmarks. You can find the latest version of this page at: https://securityonion.net/docs/Suricata.

Description

From https://suricata-ids.org:

Suricata is a free and open source, mature, fast and robust network threat detection engine. Suricata inspects the network traffic using a powerful and extensive rules and signature language, and has powerful Lua scripting support for detection of complex threats.

Performance

We compile Suricata with PF_RING to allow you to spin up multiple workers to handle more traffic.

Configuration

You can configure Suricata via suricata.yaml:
/etc/nsm/HOSTNAME-INTERFACE/suricata.yaml
(where HOSTNAME is your actual hostname and INTERFACE is your actual sniffing interface)

If you would like to configure/manage IDS rules, please see:

https://github.com/Security-Onion-Solutions/security-onion/wiki/Rules

https://github.com/Security-Onion-Solutions/security-onion/wiki/ManagingAlerts

Logging

If you need to troubleshoot Suricata, check the log file:
/var/log/nsm/HOSTNAME-INTERFACE/suricata.log
(where HOSTNAME is your actual hostname and INTERFACE is your actual sniffing interface)
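As an added example (not part of this wiki or of Security Onion itself), the POSIX shell functions below build the per-sensor config and log paths described above and count the Error/Warning lines in a suricata.log; the sample log they run against is constructed here, and the hostname and interface are whatever the caller supplies.

```shell
#!/bin/sh
# Added example: locate the per-sensor Suricata files in the /etc/nsm and
# /var/log/nsm layout described on this page and triage suricata.log.
# HOSTNAME and INTERFACE are passed in by the caller (assumption: the
# HOSTNAME-INTERFACE directory naming the page describes).

# Print the suricata.yaml and suricata.log paths for one sensor interface.
suricata_paths() {
    host="$1"; iface="$2"
    echo "/etc/nsm/${host}-${iface}/suricata.yaml"
    echo "/var/log/nsm/${host}-${iface}/suricata.log"
}

# Count lines tagged <Error> or <Warning>. Suricata prefixes each log line
# with a timestamp and a severity in angle brackets, e.g.
# "27/8/2019 -- 10:15:30 - <Error> - ...". Prints the count and returns
# non-zero when any such line exists, so it can gate a sensor health check.
suricata_log_issues() {
    logfile="$1"
    [ -r "$logfile" ] || { echo "cannot read $logfile" >&2; return 2; }
    # grep -c exits 1 when nothing matches; keep the "0" it prints anyway.
    n=$(grep -cE ' - <(Error|Warning)> - ' "$logfile" || true)
    echo "$n"
    [ "$n" -eq 0 ]
}

# Write a small constructed suricata.log (sample data, not from a real
# sensor) to a temp file and print its path.
make_sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
27/8/2019 -- 10:15:30 - <Notice> - This is Suricata version 4.1.4 RELEASE
27/8/2019 -- 10:15:31 - <Info> - CPUs/cores online: 8
27/8/2019 -- 10:15:31 - <Warning> - constructed warning line
27/8/2019 -- 10:15:32 - <Error> - constructed error line
27/8/2019 -- 10:15:33 - <Notice> - all 4 packet processing threads initialized
EOF
    echo "$f"
}

# Usage on a sensor: suricata_log_issues "$(suricata_paths "$(hostname)" eth1 | tail -n 1)"
```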

More Information

For more information about Suricata, please see:
https://suricata-ids.org/
