Difference between revisions of "Suricata: Konfigurasi Dasar"

Buat directory log Suricata

sudo mkdir /var/log/suricata

Untuk menyiapkan sistem sebelum menggunakannya, tulis

sudo mkdir /etc/suricata

Selanjutnya copy classification.config, reference.config dan suricata.yaml dari directory build/installation ke directory /etc/suricata . Lakukan hal berikut ini.

sudo cp classification.config /etc/suricata
sudo cp reference.config /etc/suricata
sudo cp suricata.yaml /etc/suricata

Catatan: jika anda mempunyai pengalaman dengan Snort dan mempunyai setup Snort, bandingkan Snort.conf ke Suricata.yaml .

Auto setup

You can also use the available auto setup features of Suricata:

./configure && make && make install-conf

The make install-conf option will do the regular "make install" and then automatically create/setup all the necessary directories and suricata.yaml.

./configure && make && make install-rules

The make install-rules option will do the regular "make install" and it automatically downloads and sets up the latest ruleset from Emerging Threats available for Suricata.

./configure && make && make install-full

The make install-full option combines everything mentioned above (install-conf and install-rules) - and will present you with a ready to run (configured and set up) Suricata

Setting variables

Make sure every variable of the vars, address-groups and port-groups in the yaml file is set correctly for your needs. A full explanation is available in the Rule vars section of the yaml. You need to set the ip-address(es) of your local network at HOME_NET. It is recommended to set EXTERNAL_NET to !$HOME_NET. This way, every ip-address but the one set at HOME_NET will be treated as external. It is also possible to set EXTERNAL_NET to 'any', only the recommended setting is more precise and lowers the chance that false positives will be generated. HTTP_SERVERS, SMTP_SERVERS, SQL_SERVERS, DNS_SERVERS and TELNET_SERVERS are by default set to HOME_NET. AIM_SERVERS is by default set at 'any'. These variables have to be set for servers on your network. All settings have to be set to let it have a more accurate effect.

Next, make sure the following ports are set to your needs: HTTP_PORTS, SHELLCODE_PORTS, ORACLE_PORTS and SSH_PORTS.

Finally, set the host-os-policy to your needs. See Host OS Policy in the yaml for a full explanation.

windows:[]
bsd: [] 
bsd-right: [] 
old-linux: [] 
linux: [10.0.0.0/8, 192.168.1.100, "8762:2352:6241:7245:E000:0000:0000:0000"] 
old-solaris: [] 
solaris: ["::1"] 
hpux10: [] 
hpux11: [] 
irix: [] 
macos: [] 
vista: [] 
windows2k3: []

Note that bug #499 may prevent you from setting old-linux, bsd-right and old-solaris right now. Rule set management and download.

Rule Management with Oinkmaster

or just download and untar the ruleset in a directory of your choosing (or yaml config setting) from here: http://rules.emergingthreats.net/open/suricata/

or if you prefer you can download and use a VRT ruleset.

It is recommended to update your rules frequently. Emerging Threats is modified daily, VRT is updated weekly or multiple times a week.

Interface cards

To check the available interface cards, enter:

ifconfig

Now you can see which one you would like Suricata to use.

To start the engine and include the interface card of your preference, enter: Tests for errors rule Very recommended --init-errors-fatal

sudo suricata -c /etc/suricata/suricata.yaml -i wlan0 --init-errors-fatal

Instead of wlan0, you can enter the interface card of your preference.

To see if the engine is working correctly and receives and inspects traffic, enter:

cd /var/log/suricata

Followed by:

tail http.log

And:

tail -n 50 stats.log

To make sure the information displayed is up-dated in real time, use the -f option before http.log and stats.log:

tail -f http.log stats.log

Referensi

• https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Basic_Setup