Skip to content

Initial Setup Suricata IPS

Jump to bottom
Peter Manev edited this page Dec 12, 2017 · 16 revisions

An example for a Suricata IPS set up with SELKS.

Step 1

In /etc/suricata/selks4-addin.yaml :

af-packet:
 - interface: enp1s0f0
   threads:auto
   defrag: yes
   cluster-type: cluster_flow
   cluster-id: 98
   copy-mode: ips
   copy-iface: enp1s0f1
   buffer-size: 64535
   use-mmap: yes

 - interface: enp1s0f1
   threads: auto
   cluster-id: 97
   defrag: yes
   cluster-type: cluster_flow
   copy-mode: ips
   copy-iface: enp1s0f0
   buffer-size: 64535
   use-mmap: yes

also make sure in /etc/network/interfaces:

auto lo
iface lo inetloopback

allow-hotplug eno1
iface eno1 inet static  # Management interface
address 192.168.0.100
netmask 255.255.252.0
gateway 192.168.0.1
dns-nameservers 192.168.0.11 192.168.0.6

iface enp1s0f0 inet manual
     pre-up ifconfig $IFACE up
     post-down ifconfig $IFACE down
     post-up /etc/network/if-up.d/idps-interface-tuneup_stamus

iface enp1s0f1 inet manual
     pre-up ifconfig $IFACE up
     post-down ifconfig $IFACE down
     post-up /etc/network/if-up.d/idps-interface-tuneup_stamus

Step 2

From Scirius transform the rules you would like from alert to drop:

  1. Select a rule that you would like to transform into drop action
  2. Under Actions in the left hand side panel select Transform rule
  3. Select type Drop and a ruleset to be used.
  4. Click on Valid
  5. From the Suricata main tab in Scirius - select Ruleset actions on the left hand side panel
  6. Select Update, Build, Push and Apply
Clone this wiki locally