Suricata or bro as IDS?

# suricata -T
13/3/2017 – 14:17:50 - - Running suricata under test mode
13/3/2017 – 14:17:50 - - Including configuration file /tmp/suricata-rules/suricata-include.yaml.
13/3/2017 – 14:17:50 - - This is Suricata version 3.2 RELEASE
13/3/2017 – 14:18:07 - - Configuration provided was successfully loaded. Exiting.

You can see what options are available by just running “suricata -?”. I would recommend adding some verbosity flags, like “suricata -T -vv”. I got a long list of things when I did that.

That should tell you where things are failing. Since the init script is just a shell script, you can also try “sh -x /etc/init.d/suricata start”

There are some variables set in /etc/config/suricata, but I didn’t mess with any of them.

Running: “suricata -T -vv” prints:

13/3/2017 – 19:26:28 - - Running suricata under test mode
13/3/2017 – 19:26:28 - - Including configuration file /tmp/suricata-rules/suricata-include.yaml.
13/3/2017 – 19:26:28 - - This is Suricata version 3.2 RELEASE
13/3/2017 – 19:26:28 - - CPUs/cores online: 2
Aborted

Running: “sh -x /etc/init.d/suricata start” prints:

+ USE_PROCD=1
+ START=95

I also didn’t mess with anything so it is strange that it doesn’t work for me. I guess it’s time to reinstall suricata and try again.

Edit: removing, rebooting and reinstalling also didn’t help. So I guess it’s something in my installation, sigh :confused:

+1 for HOWTO + WEBINTERFACE (this one looks nice)


When you removed the package did you also go through and remove the configuration files in /etc? I suspect somehow that’s where your problems lie.

/etc/suricata/*
/etc/config/suricata

There might be more, but erasing those should help.

That might be good in a container. Scirius would need to be installed on the router directly to change the configuration files.

Tried that but still no dice. I guess I’ll wait for 3.6.1 :confused:
Thanks for your help though. It is much appreciated!

My blog post on how to deal with Suricata logs using syslog-ng is now on-line. It is available at https://www.balabit.com/blog/collecting-and-parsing-suricata-logs-using-syslog-ng/ If you find any information missing, let me know, and I’m happy to answer you here and / or write a follow-up blog post.
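As an added illustration of the log handling the post above refers to (example code written for this thread, not taken from the linked blog post or from Suricata itself): Suricata writes its EVE log as one JSON object per line, and the snippet below parses such lines, skips the malformed ones a rotated or half-written log will contain, counts alerts by signature, source and severity, and flattens each alert into a single key=value line of the kind a syslog-ng pipeline can forward. The field names (event_type, src_ip, dest_ip, alert.signature_id, alert.signature, alert.severity) are Suricata's documented EVE fields; the sample log lines are constructed for the example.

```python
"""Parse Suricata EVE JSON (one object per line) and summarise the alerts.

Added example for this thread; assumes Suricata's documented EVE field names.
The sample lines below are constructed, not captured from a real sensor.
"""
import json
from collections import Counter
from typing import Dict, Iterable, List

# Constructed sample: two identical alerts from one host, a DNS event,
# a corrupt line (as left by log rotation), and an SSH scan alert.
SAMPLE_EVE_LINES: List[str] = [
    '{"timestamp":"2017-03-13T19:26:28.000000+0100","event_type":"alert","src_ip":"192.0.2.10",'
    '"src_port":51234,"dest_ip":"198.51.100.5","dest_port":80,"proto":"TCP","alert":{"action":"allowed",'
    '"gid":1,"signature_id":2100498,"rev":7,"signature":"GPL ATTACK_RESPONSE id check returned root",'
    '"category":"Potentially Bad Traffic","severity":2}}',
    '{"timestamp":"2017-03-13T19:26:29.000000+0100","event_type":"dns","src_ip":"192.0.2.10",'
    '"src_port":5353,"dest_ip":"192.0.2.1","dest_port":53,"proto":"UDP",'
    '"dns":{"type":"query","rrname":"example.com","rrtype":"A"}}',
    '{"timestamp":"2017-03-13T19:26:30.000000+0100","event_type":"alert","src_ip":"192.0.2.10",'
    '"src_port":51235,"dest_ip":"198.51.100.5","dest_port":80,"proto":"TCP","alert":{"action":"allowed",'
    '"gid":1,"signature_id":2100498,"rev":7,"signature":"GPL ATTACK_RESPONSE id check returned root",'
    '"category":"Potentially Bad Traffic","severity":2}}',
    '{"timestamp":"2017-03-13T19:26:31.000000+0100","event_type":"aler',  # truncated line
    '{"timestamp":"2017-03-13T19:26:31.000000+0100","event_type":"alert","src_ip":"203.0.113.7",'
    '"src_port":4444,"dest_ip":"192.0.2.10","dest_port":22,"proto":"TCP","alert":{"action":"allowed",'
    '"gid":1,"signature_id":2001219,"rev":20,"signature":"ET SCAN Potential SSH Scan",'
    '"category":"Attempted Information Leak","severity":2}}',
]


def parse_eve(lines: Iterable[str]) -> List[dict]:
    """Return one dict per well-formed EVE record.

    Malformed lines are dropped instead of aborting the whole run, because a
    tailed or rotated eve.json routinely contains one truncated line.
    """
    events = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            obj = json.loads(raw)
        except json.JSONDecodeError:
            continue
        if isinstance(obj, dict) and "event_type" in obj:
            events.append(obj)
    return events


def alerts_only(events: Iterable[dict]) -> List[dict]:
    """Keep only alert records; EVE also carries dns, http, flow, tls ... events."""
    return [e for e in events if e.get("event_type") == "alert"]


def summarize_alerts(alert_events: Iterable[dict]) -> Dict[str, Counter]:
    """Count alerts by (sid, signature), by source IP and by severity."""
    by_signature: Counter = Counter()
    by_src_ip: Counter = Counter()
    by_severity: Counter = Counter()
    for e in alert_events:
        a = e.get("alert", {})
        by_signature[(a.get("signature_id"), a.get("signature"))] += 1
        by_src_ip[e.get("src_ip")] += 1
        by_severity[a.get("severity")] += 1
    return {"by_signature": by_signature, "by_src_ip": by_src_ip, "by_severity": by_severity}


def flatten_alert(e: dict) -> str:
    """Render one alert as a single key=value line for a syslog-style forwarder.

    Values containing spaces or '=' are double-quoted so the line stays parseable.
    """
    a = e.get("alert", {})
    fields = [
        ("ts", e.get("timestamp")),
        ("sid", a.get("signature_id")),
        ("rev", a.get("rev")),
        ("severity", a.get("severity")),
        ("src", f'{e.get("src_ip")}:{e.get("src_port")}'),
        ("dst", f'{e.get("dest_ip")}:{e.get("dest_port")}'),
        ("proto", e.get("proto")),
        ("msg", a.get("signature")),
    ]
    parts = []
    for key, value in fields:
        text = "" if value is None else str(value)
        if " " in text or "=" in text:
            text = '"' + text.replace('"', '\\"') + '"'
        parts.append(f"{key}={text}")
    return "suricata_alert " + " ".join(parts)


if __name__ == "__main__":
    found = alerts_only(parse_eve(SAMPLE_EVE_LINES))
    for line in map(flatten_alert, found):
        print(line)
    for (sid, sig), n in summarize_alerts(found)["by_signature"].most_common():
        print(f"{n:4d}  sid={sid}  {sig}")
```

To use it on a real sensor, replace SAMPLE_EVE_LINES with `open("/var/log/suricata/eve.json")`; the parser reads any iterable of lines. The summary is the first thing worth looking at after a rule update, since one noisy signature usually dominates the counts.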

I am thinking about suricata intensively in recent days. But I do not see oinkmaster as a package for Turris.

So I would probably try setting it up in its own LXC.