Tuesday, November 29, 2011

Notes on Suricata 1.1 Update

A few quick notes on the Suricata 1.1 update and its default suricata.yaml configuration file:

decoder-events.rules and stream-events.rules
By default, suricata.yaml includes the following rules:
 - decoder-events.rules
 - stream-events.rules

This results in alerts like these:
[Image: Suricata stream events example]
If you don't wish to see these alerts, simply comment out those two rules in /etc/nsm/NAME-OF-SENSOR/suricata.yaml and restart Suricata.

EXTERNAL_NET
By default, suricata.yaml sets EXTERNAL_NET to "!HOME_NET".  (The Snort default in snort.conf is "EXTERNAL_NET any".)  If you'd like to change this, simply make the change in /etc/nsm/NAME-OF-SENSOR/suricata.yaml and restart Suricata.

How do I edit suricata.yaml and restart Suricata?
If you have GUI access to your sensor, you can use the "IDS Config" menu entry as described here:
http://securityonion.blogspot.com/2011/09/security-onion-20110909-now-available.html

Otherwise, you can do the following:

  • Modify /etc/nsm/NAME-OF-SENSOR/suricata.yaml using your favorite text editor.
  • Restart Suricata using the following command:
    sudo nsm --sensor --restart --only-snort-alert
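As an added example, not from the original post or from Security Onion, the following POSIX shell script applies both changes described above (commenting out the two event rule files and changing EXTERNAL_NET) to a constructed copy of suricata.yaml and checks the result. The sample file contents, the HOME_NET value and the helper function names are assumptions; the script does not restart Suricata.

```shell
#!/bin/sh
# Added example, not part of the original post or of Security Onion:
# apply the two suricata.yaml changes described above to a CONSTRUCTED
# sample file, then print the result. Only lines that exactly match the
# rule-file entries or the EXTERNAL_NET key are touched; nothing else in
# the YAML is rewritten. The restart command is deliberately not run here.

SAMPLE_YAML=$(mktemp)
cat > "$SAMPLE_YAML" <<'EOF'
default-rule-path: /etc/nsm/rules/
rule-files:
 - emerging-trojan.rules
 - decoder-events.rules
 - stream-events.rules
vars:
  address-groups:
    HOME_NET: "[192.168.0.0/16,10.0.0.0/8]"
    EXTERNAL_NET: "!HOME_NET"
EOF

# disable_event_rules FILE: comment out the decoder/stream event rule files
# in place, keeping their indentation so the YAML list stays valid.
disable_event_rules() {
  sed -i \
    -e 's/^\( *\)- decoder-events\.rules$/\1#- decoder-events.rules/' \
    -e 's/^\( *\)- stream-events\.rules$/\1#- stream-events.rules/' "$1"
}

# set_external_net FILE VALUE: replace the EXTERNAL_NET value, e.g. with
# "any" to match the snort.conf default mentioned above.
set_external_net() {
  sed -i -e "s/^\( *EXTERNAL_NET: \).*\$/\1\"$2\"/" "$1"
}

# count_enabled FILE RULEFILE: prints 1 if RULEFILE is still an active entry, else 0
count_enabled() {
  grep -c "^ *- $2\$" "$1" || true
}

# external_net FILE: print the current EXTERNAL_NET value (quotes stripped)
external_net() {
  sed -n 's/^ *EXTERNAL_NET: *"\(.*\)"$/\1/p' "$1"
}

disable_event_rules "$SAMPLE_YAML"
set_external_net "$SAMPLE_YAML" any
cat "$SAMPLE_YAML"
# After editing the real file you would restart Suricata with the nsm command above.
```

Against a real sensor you would point the functions at /etc/nsm/NAME-OF-SENSOR/suricata.yaml instead of the temporary copy and then run the restart command.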
