Security Onion Blog

Tuesday, November 29, 2011

Notes on Suricata 1.1 Update

A few quick notes on the Suricata 1.1 update and its default suricata.yaml configuration file:

decoder-events.rules and stream-events.rules
By default, suricata.yaml includes the following rules:
 - decoder-events.rules
 - stream-events.rules

This results in alerts like these:
Suricata stream events example
If you don't wish to see these alerts, simply comment out those two rules in /etc/nsm/NAME-OF-SENSOR/suricata.yaml and restart Suricata.

EXTERNAL_NET
By default, suricata.yaml sets EXTERNAL_NET to "!HOME_NET".  (The Snort default in snort.conf is "EXTERNAL_NET any".)  If you'd like to change this, simply make the change in /etc/nsm/NAME-OF-SENSOR/suricata.yaml and restart Suricata.

How do I edit suricata.yaml and restart Suricata?
If you have GUI access to your sensor, you can use the "IDS Config" menu entry as described here:
http://securityonion.blogspot.com/2011/09/security-onion-20110909-now-available.html

Otherwise, you can do the following:

  • Modify /etc/nsm/NAME-OF-SENSOR/suricata.yaml using your favorite text editor.
  • Restart Suricata using the following command:
    sudo nsm --sensor --restart --only-snort-alert

at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)

Search This Blog

Featured Post

Security Onion 2.4.150 Hotfix 20250522 now available!

Last week, we released version 2.4.150: https://blog.securityonion.net/2025/05/security-onion-24150-celebrating.html This week, an upstream ...

Popular Posts

Blog Archive