Security Tools & Labs

Getting Started with Suricata IDS

Tags: #Suricata #IDS #Blue Team

Suricata is a high-performance Network IDS, IPS, and Network Security Monitoring engine.

Installation (Ubuntu)

sudo add-apt-repository ppa:oisf/suricata-stable
sudo apt update
sudo apt install suricata

Configuration

The main config file is /etc/suricata/suricata.yaml. Key things to configure:

  • HOME_NET: The IP ranges you want to protect (e.g., [192.168.1.0/24]).
  • EXTERNAL_NET: Usually !$HOME_NET.
  • Interface: The network interface to listen on (e.g., eth0).

Writing a Rule

Suricata rules look like this:

alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"ET SCAN Potential SSH Scan"; flow:established,to_server; content:"SSH-"; sid:1000001; rev:1;)

  • Action: alert (log it).
  • Protocol: tcp.
  • Source: External IPs, any port.
  • Direction: -> (to).
  • Destination: Home network, port 22.
  • Options: The part in parentheses. msg is the log message, flow limits the match to established sessions in the client-to-server direction, content looks for specific bytes in the payload, and sid/rev identify the rule and its revision.
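To make the anatomy above concrete, here is a small added example (not code from the original post or from the Suricata project) that splits a rule into the header fields and options listed above and flags rules missing the keywords Suricata needs; the constant name, the function names and the REQUIRED list are my own choices.

```python
import re

# Hypothetical helper (added example, not Suricata's own parser): break a rule
# line into action / protocol / source / direction / destination / options.
HEADER = re.compile(
    r"^\s*(?P<action>alert|drop|pass|reject)\s+(?P<proto>\S+)\s+"
    r"(?P<src_net>\S+)\s+(?P<src_port>\S+)\s+(?P<direction>->|<>)\s+"
    r"(?P<dst_net>\S+)\s+(?P<dst_port>\S+)\s*\((?P<options>.*)\)\s*$"
)
# sid is mandatory for Suricata to load a rule; msg and rev are expected practice.
REQUIRED = ("msg", "sid", "rev")

# The rule from the post above, embedded so the example runs stand-alone.
SSH_SCAN_RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"ET SCAN Potential SSH Scan"; '
                 'flow:established,to_server; content:"SSH-"; sid:1000001; rev:1;)')

def split_options(text):
    """Split the option block on ';' without splitting inside a quoted value (content:"a;b")."""
    items, buf, in_quote, prev = [], [], False, ""
    for ch in text:
        if ch == '"' and prev != "\\":
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            items.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
        prev = ch
    items.append("".join(buf).strip())
    pairs = []
    for item in items:
        if not item:
            continue
        kw, sep, val = item.partition(":")  # keyword-only options (no ':') get value None
        pairs.append((kw.strip(), val.strip().strip('"') if sep else None))
    return pairs

def parse_rule(line):
    """Return a dict of header fields plus an ordered list of (keyword, value) options."""
    m = HEADER.match(line)
    if not m:
        raise ValueError("not a valid rule header: %r" % line)
    rule = m.groupdict()
    rule["options"] = split_options(rule["options"])
    return rule

def missing_required(rule):
    """List required keywords the rule lacks, so a bad rule is caught before deployment."""
    present = {kw for kw, _ in rule["options"]}
    return [kw for kw in REQUIRED if kw not in present]
```

Running parse_rule over a rules file before restarting Suricata catches rules with a missing sid or rev before they fail to load.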

Testing

Use tcpreplay to replay a pcap file containing an attack against your interface, and watch fast.log for alerts.

Tip

Always test your rules with known bad traffic before deploying them to production to avoid false negatives.