Security Onion: Notes on Suricata 1.1 Update

Tuesday, November 29, 2011

Notes on Suricata 1.1 Update

A few quick notes on the Suricata 1.1 update and its default suricata.yaml configuration file:

decoder-events.rules and stream-events.rules
By default, suricata.yaml includes the following rules:
- decoder-events.rules
- stream-events.rules

This results in alerts like these:

Suricata stream events example

If you don't wish to see these alerts, simply comment out those two rules in /etc/nsm/NAME-OF-SENSOR/suricata.yaml and restart Suricata.

EXTERNAL_NET
By default, suricata.yaml sets EXTERNAL_NET to "!HOME_NET". (The Snort default in snort.conf is "EXTERNAL_NET any".) If you'd like to change this, simply make the change in /etc/nsm/NAME-OF-SENSOR/suricata.yaml and restart Suricata.

How do I edit suricata.yaml and restart Suricata?
If you have GUI access to your sensor, you can use the "IDS Config" menu entry as described here:
http://securityonion.blogspot.com/2011/09/security-onion-20110909-now-available.html

Otherwise, you can do the following:

Modify /etc/nsm/NAME-OF-SENSOR/suricata.yaml using your favorite text editor.
Restart Suricata using the following command:
sudo nsm --sensor --restart --only-snort-alert

Security Onion

Tuesday, November 29, 2011

Notes on Suricata 1.1 Update

No comments:

Search This Blog

Featured Post

Security Onion 2.4.111 now available!

Popular Posts

Blog Archive