The security/suricata port
suricata-7.0.7 – high performance network IDS, IPS and security monitoring
Description
Suricata is a free and open source, mature, fast and robust network threat detection engine. The Suricata engine is capable of real-time intrusion detection (IDS), inline intrusion prevention (IPS), network security monitoring (NSM) and offline pcap processing. Suricata inspects network traffic using a powerful and extensive rule and signature language, and has powerful Lua scripting support for detection of complex threats. With standard input and output formats like YAML and JSON, integration with tools like existing SIEMs, Splunk, Logstash/Elasticsearch, Kibana and other databases becomes effortless.
WWW: https://suricata.io/
Readme
+-----------------------------------------------------------------------
| Running ${PKGSTEM} on OpenBSD
+-----------------------------------------------------------------------

Starting Suricata
=================

For normal use, you need to first set your interface and enable the daemon:

  # rcctl enable suricata
  # rcctl set suricata flags -i em0

The default configuration uses a very basic set of rules bundled with
Suricata and installed in the ${SYSCONFDIR}/suricata/rules directory.
A standard installation uses additional rules as shown in the following
section.

Rule management
===============

It is possible to download and install rules manually, but it is easier
and quicker to use one of the available tools to do this.

suricata-update
---------------

suricata-update is the recommended way to install and update rules.
Run it with the -D flag to download the rules to the directory suricata
expects (${LOCALSTATEDIR}/suricata/rules):

  # suricata-update -D ${LOCALSTATEDIR}/suricata

Oinkmaster
----------

The other common method is Oinkmaster, which can be installed with:

  # pkg_add oinkmaster

There are several rulesets, for example Emerging Threats (ET), Emerging
Threats Pro and VRT. In this example we are using Emerging Threats.
Oinkmaster has to know where the rules can be found. These rules can be
found at:

  https://rules.emergingthreats.net/open/suricata/emerging.rules.tar.gz

And you can download them as follows:

  # cd /etc && oinkmaster -C ${SYSCONFDIR}/oinkmaster.conf \
      -o ${SYSCONFDIR}/suricata/rules

Edit ${SYSCONFDIR}/suricata/suricata.yaml, comment out the default
default-rule-path section and uncomment the commented-out
default-rule-path section.

After updating rules
--------------------

After installing the new rulesets with one of the above methods, restart
Suricata to pick them up:

  # rcctl restart suricata

Note that the installed rules have to be updated regularly by the
program used to fetch them initially. For example, use cron to update
the rules every 24h.

Inline mode (IPS)
=================

The default configuration captures packets via pcap on a network
interface and runs detection methods. Suricata can also run "inline" in
Intrusion Prevention mode. To do this, add the following to
/etc/pf.conf:

  pass out quick on egress inet proto tcp to port 80 divert-packet port 700

Adjust this to match what traffic Suricata will need to inspect as well
as the divert port used. Enable inline mode on divert port 700 like
this:

  # rcctl set suricata flags -d 700

Outbound packets might not have a correct checksum yet due to checksum
offloading, therefore Suricata will log "SURICATA TCPv4 invalid
checksum" and ignore these packets. This can be worked around with the
following setting in suricata.yaml:

  stream:
    checksum-validation: yes

Also adjust the configuration to drop packets:

  - drop:
      enabled: yes

(Re)start Suricata for the changes to take effect.

Note that IPS mode is mutually exclusive with pcap live mode (-i).
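A cron-friendly wrapper for the "Rule management" and "After updating rules" steps above, as an added example that is not part of the port or its pkg-readme. It assumes a default install (rules under /var/suricata/rules, configuration at /etc/suricata/suricata.yaml), the suricata-update invocation from the readme, and the engine's -T option, which parses the configuration and rule files without starting capture; the helper names, the environment overrides and the crontab line are this example's own. The point it adds to the readme's procedure is the two checks a sensor operator wants before restarting: never restart onto an empty ruleset after a failed download, and never restart onto rules the engine cannot parse.

```shell
#!/bin/sh
# Cron-driven rule refresh for the OpenBSD suricata package.
# Added example, not part of the port or its pkg-readme. Assumptions:
# suricata-update as installed by this port, rules living under
# ${LOCALSTATEDIR}/suricata (/var/suricata on a default install), the
# configuration at /etc/suricata/suricata.yaml, and "suricata -T" as
# the engine's configuration/rule test mode.
set -eu

CONF=${SURICATA_CONF:-/etc/suricata/suricata.yaml}
DATA_DIR=${SURICATA_DATA:-/var/suricata}
RULES_DIR="$DATA_DIR/rules"

# True when the directory holds at least one non-empty *.rules file.
# Guards against restarting the daemon with an empty ruleset after a
# failed or partial download.
rules_present() {
    dir=$1
    for f in "$dir"/*.rules; do
        [ -s "$f" ] && return 0
    done
    return 1
}

# Count rule lines (non-blank, non-comment) across every *.rules file,
# so the cron mail shows how much the ruleset changed between runs.
count_rules() {
    dir=$1
    n=0
    for f in "$dir"/*.rules; do
        [ -f "$f" ] || continue
        c=$(grep -c -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$f") || c=0
        n=$((n + c))
    done
    echo "$n"
}

fetch_rules() {
    # Same invocation as the pkg-readme: -D points suricata-update at
    # the data directory whose "rules" subdirectory suricata reads.
    suricata-update -D "$DATA_DIR"
}

# Only restart after the engine has parsed the new config and rules.
# A syntax error in a freshly downloaded rule file would otherwise take
# the sensor down until someone notices the failed restart.
restart_if_valid() {
    if suricata -T -c "$CONF" >/dev/null 2>&1; then
        rcctl restart suricata
    else
        echo "suricata -T failed; keeping the running instance" >&2
        return 1
    fi
}

main() {
    before=$(count_rules "$RULES_DIR")
    fetch_rules
    rules_present "$RULES_DIR" || { echo "no rules in $RULES_DIR" >&2; exit 1; }
    after=$(count_rules "$RULES_DIR")
    echo "rules: $before -> $after"
    restart_if_valid
}

# Runs only when invoked with "run", e.g. from root's crontab
# (hypothetical path, adjust to where you install the script):
#   0 4 * * * /usr/local/sbin/suricata-rules-refresh.sh run
case "${1:-}" in
    run) main ;;
esac
```

Because the functions are separated from the top-level invocation, the pure-shell helpers can be exercised against a scratch directory without a Suricata install, while the cron job gets the full download, validate, restart sequence.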
Maintainer
Gonzalo L. R.
Only for arches
aarch64 alpha amd64 arm hppa i386 mips64 mips64el powerpc powerpc64 riscv64 sparc64
Not for arches
powerpc64 riscv64
Categories
lang/python lang/rust security
Library dependencies
Build dependencies
Run dependencies
Test dependencies
Files
- /etc/rc.d/suricata
- /etc/suricata/
- /etc/suricata/classification.config
- /etc/suricata/reference.config
- /etc/suricata/rules/
- /etc/suricata/rules/app-layer-events.rules
- /etc/suricata/rules/decoder-events.rules
- /etc/suricata/rules/dhcp-events.rules
- /etc/suricata/rules/dnp3-events.rules
- /etc/suricata/rules/dns-events.rules
- /etc/suricata/rules/files.rules
- /etc/suricata/rules/ftp-events.rules
- /etc/suricata/rules/http-events.rules
- /etc/suricata/rules/http2-events.rules
- /etc/suricata/rules/ipsec-events.rules
- /etc/suricata/rules/kerberos-events.rules
- /etc/suricata/rules/modbus-events.rules
- /etc/suricata/rules/mqtt-events.rules
- /etc/suricata/rules/nfs-events.rules
- /etc/suricata/rules/ntp-events.rules
- /etc/suricata/rules/quic-events.rules
- /etc/suricata/rules/rfb-events.rules
- /etc/suricata/rules/smb-events.rules
- /etc/suricata/rules/smtp-events.rules
- /etc/suricata/rules/ssh-events.rules
- /etc/suricata/rules/stream-events.rules
- /etc/suricata/rules/tls-events.rules
- /etc/suricata/suricata.yaml
- /etc/suricata/threshold.config
- /usr/local/bin/suricata
- /usr/local/bin/suricata-update
- /usr/local/bin/suricatactl
- /usr/local/bin/suricatasc
- /usr/local/include/htp/
- /usr/local/include/htp/bstr.h
- /usr/local/include/htp/bstr_builder.h
- /usr/local/include/htp/htp.h
- /usr/local/include/htp/htp_base64.h
- /usr/local/include/htp/htp_config.h
- /usr/local/include/htp/htp_connection_parser.h
- /usr/local/include/htp/htp_core.h
- /usr/local/include/htp/htp_decompressors.h
- /usr/local/include/htp/htp_hooks.h
- /usr/local/include/htp/htp_list.h
- /usr/local/include/htp/htp_multipart.h
- /usr/local/include/htp/htp_table.h
- /usr/local/include/htp/htp_transaction.h
- /usr/local/include/htp/htp_urlencoded.h
- /usr/local/include/htp/htp_utf8_decoder.h
- /usr/local/include/htp/htp_version.h
- /usr/local/include/htp/lzma/
- /usr/local/include/htp/lzma/7zTypes.h
- /usr/local/include/htp/lzma/LzmaDec.h
- /usr/local/lib/libhtp.a
- /usr/local/lib/libhtp.la
- /usr/local/lib/libhtp.so.0.1
- /usr/local/lib/pkgconfig/htp.pc
- /usr/local/lib/suricata/
- /usr/local/lib/suricata/python/
- /usr/local/lib/suricata/python/suricata/
- /usr/local/lib/suricata/python/suricata/__init__.py
- /usr/local/lib/suricata/python/suricata/__pycache__/
- /usr/local/lib/suricata/python/suricata/__pycache__/__init__.cpython-311.opt-1.pyc
- /usr/local/lib/suricata/python/suricata/__pycache__/__init__.cpython-311.pyc
- /usr/local/lib/suricata/python/suricata/config/
- /usr/local/lib/suricata/python/suricata/config/__init__.py
- /usr/local/lib/suricata/python/suricata/config/__pycache__/
- /usr/local/lib/suricata/python/suricata/config/__pycache__/__init__.cpython-311.opt-1.pyc
- /usr/local/lib/suricata/python/suricata/config/__pycache__/__init__.cpython-311.pyc
- /usr/local/lib/suricata/python/suricata/config/__pycache__/defaults.cpython-311.opt-1.pyc
- /usr/local/lib/suricata/python/suricata/config/__pycache__/defaults.cpython-311.pyc
- /usr/local/lib/suricata/python/suricata/config/defaults.py
- /usr/local/lib/suricata/python/suricata/ctl/
- /usr/local/lib/suricata/python/suricata/ctl/__init__.py
- /usr/local/lib/suricata/python/suricata/ctl/__pycache__/
- /usr/local/lib/suricata/python/suricata/ctl/__pycache__/__init__.cpython-311.opt-1.pyc
- /usr/local/lib/suricata/python/suricata/ctl/__pycache__/__init__.cpython-311.pyc
- /usr/local/lib/suricata/python/suricata/ctl/__pycache__/filestore.cpython-311.opt-1.pyc
- /usr/local/lib/suricata/python/suricata/ctl/__pycache__/filestore.cpython-311.pyc
- /usr/local/lib/suricata/python/suricata/ctl/__pycache__/loghandler.cpython-311.opt-1.pyc
- /usr/local/lib/suricata/python/suricata/ctl/__pycache__/loghandler.cpython-311.pyc
- /usr/local/lib/suricata/python/suricata/ctl/__pycache__/main.cpython-311.opt-1.pyc
- /usr/local/lib/suricata/python/suricata/ctl/__pycache__/main.cpython-311.pyc
- /usr/local/lib/suricata/python/suricata/ctl/__pycache__/test_filestore.cpython-311.opt-1.pyc
- /usr/local/lib/suricata/python/suricata/ctl/__pycache__/test_filestore.cpython-311.pyc
- /usr/local/lib/suricata/python/suricata/ctl/filestore.py
- /usr/local/lib/suricata/python/suricata/ctl/loghandler.py
- /usr/local/lib/suricata/python/suricata/ctl/main.py
- /usr/local/lib/suricata/python/suricata/ctl/test_filestore.py
- /usr/local/lib/suricata/python/suricata/sc/
- /usr/local/lib/suricata/python/suricata/sc/__init__.py
- /usr/local/lib/suricata/python/suricata/sc/__pycache__/
- /usr/local/lib/suricata/python/suricata/sc/__pycache__/__init__.cpython-311.opt-1.pyc
- /usr/local/lib/suricata/python/suricata/sc/__pycache__/__init__.cpython-311.pyc
- /usr/local/lib/suricata/python/suricata/sc/__pycache__/specs.cpython-311.opt-1.pyc
- /usr/local/lib/suricata/python/suricata/sc/__pycache__/specs.cpython-311.pyc
- /usr/local/lib/suricata/python/suricata/sc/__pycache__/suricatasc.cpython-311.opt-1.pyc
- /usr/local/lib/suricata/python/suricata/sc/__pycache__/suricatasc.cpython-311.pyc
- /usr/local/lib/suricata/python/suricata/sc/specs.py
- /usr/local/lib/suricata/python/suricata/sc/suricatasc.py
- /usr/local/lib/suricata/python/suricata/update/
- /usr/local/lib/suricata/python/suricata/update/__init__.py
- /usr/local/lib/suricata/python/suricata/update/__pycache__/
- /usr/local/lib/suricata/python/suricata/update/__pycache__/__init__.cpython-311.opt-1.pyc
- /usr/local/lib/suricata/python/suricata/update/__pycache__/__init__.cpython-311.pyc
- /usr/local/lib/suricata/python/suricata/update/__pycache__/config.cpython-311.opt-1.pyc
- /usr/local/lib/suricata/python/suricata/update/__pycache__/config.cpython-311.pyc
- /usr/local/lib/suricata/python/suricata/update/__pycache__/engine.cpython-311.opt-1.pyc
- /usr/local/lib/suricata/python/suricata/update/__pycache__/engine.cpython-311.pyc
- /usr/local/lib/suricata/python/suricata/update/__pycache__/exceptions.cpython-311.opt-1.pyc
- /usr/local/lib/suricata/python/suricata/update/__pycache__/exceptions.cpython-311.pyc
- /usr/local/lib/suricata/python/suricata/update/__pycache__/extract.cpython-311.opt-1.pyc
- /usr/local/lib/suricata/python/suricata/update/__pycache__/extract.cpython-311.pyc
- /usr/local/lib/suricata/python/suricata/update/__pycache__/loghandler.cpython-311.opt-1.pyc
- /usr/local/lib/suricata/python/suricata/update/__pycache__/loghandler.cpython-311.pyc
- /usr/local/lib/suricata/python/suricata/update/__pycache__/main.cpython-311.opt-1.pyc
- /usr/local/lib/suricata/python/suricata/update/__pycache__/main.cpython-311.pyc
- /usr/local/lib/suricata/python/suricata/update/__pycache__/maps.cpython-311.opt-1.pyc
- /usr/local/lib/suricata/python/suricata/update/__pycache__/maps.cpython-311.pyc
- /usr/local/lib/suricata/python/suricata/update/__pycache__/matchers.cpython-311.opt-1.pyc
- /usr/local/lib/suricata/python/suricata/update/__pycache__/matchers.cpython-311.pyc
- /usr/local/lib/suricata/python/suricata/update/__pycache__/net.cpython-311.opt-1.pyc
- /usr/local/lib/suricata/python/suricata/update/__pycache__/net.cpython-311.pyc
- /usr/local/lib/suricata/python/suricata/update/__pycache__/notes.cpython-311.opt-1.pyc
- /usr/local/lib/suricata/python/suricata/update/__pycache__/notes.cpython-311.pyc
- /usr/local/lib/suricata/python/suricata/update/__pycache__/osinfo.cpython-311.opt-1.pyc
- /usr/local/lib/suricata/python/suricata/update/__pycache__/osinfo.cpython-311.pyc
- /usr/local/lib/suricata/python/suricata/update/__pycache__/parsers.cpython-311.opt-1.pyc
- /usr/local/lib/suricata/python/suricata/update/__pycache__/parsers.cpython-311.pyc
- /usr/local/lib/suricata/python/suricata/update/__pycache__/rule.cpython-311.opt-1.pyc
- /usr/local/lib/suricata/python/suricata/update/__pycache__/rule.cpython-311.pyc
- /usr/local/lib/suricata/python/suricata/update/__pycache__/sources.cpython-311.opt-1.pyc
- /usr/local/lib/suricata/python/suricata/update/__pycache__/sources.cpython-311.pyc
- /usr/local/lib/suricata/python/suricata/update/__pycache__/util.cpython-311.opt-1.pyc
- /usr/local/lib/suricata/python/suricata/update/__pycache__/util.cpython-311.pyc
- /usr/local/lib/suricata/python/suricata/update/__pycache__/version.cpython-311.opt-1.pyc
- /usr/local/lib/suricata/python/suricata/update/__pycache__/version.cpython-311.pyc
- /usr/local/lib/suricata/python/suricata/update/commands/
- /usr/local/lib/suricata/python/suricata/update/commands/__init__.py
- /usr/local/lib/suricata/python/suricata/update/commands/__pycache__/
- /usr/local/lib/suricata/python/suricata/update/commands/__pycache__/__init__.cpython-311.opt-1.pyc
- /usr/local/lib/suricata/python/suricata/update/commands/__pycache__/__init__.cpython-311.pyc
- /usr/local/lib/suricata/python/suricata/update/commands/__pycache__/addsource.cpython-311.opt-1.pyc
- /usr/local/lib/suricata/python/suricata/update/commands/__pycache__/addsource.cpython-311.pyc
- /usr/local/lib/suricata/python/suricata/update/commands/__pycache__/checkversions.cpython-311.opt-1.pyc
- /usr/local/lib/suricata/python/suricata/update/commands/__pycache__/checkversions.cpython-311.pyc
- /usr/local/lib/suricata/python/suricata/update/commands/__pycache__/disablesource.cpython-311.opt-1.pyc
- /usr/local/lib/suricata/python/suricata/update/commands/__pycache__/disablesource.cpython-311.pyc
- /usr/local/lib/suricata/python/suricata/update/commands/__pycache__/enablesource.cpython-311.opt-1.pyc
- /usr/local/lib/suricata/python/suricata/update/commands/__pycache__/enablesource.cpython-311.pyc
- /usr/local/lib/suricata/python/suricata/update/commands/__pycache__/listsources.cpython-311.opt-1.pyc
- /usr/local/lib/suricata/python/suricata/update/commands/__pycache__/listsources.cpython-311.pyc
- /usr/local/lib/suricata/python/suricata/update/commands/__pycache__/removesource.cpython-311.opt-1.pyc
- /usr/local/lib/suricata/python/suricata/update/commands/__pycache__/removesource.cpython-311.pyc
- /usr/local/lib/suricata/python/suricata/update/commands/__pycache__/updatesources.cpython-311.opt-1.pyc
- /usr/local/lib/suricata/python/suricata/update/commands/__pycache__/updatesources.cpython-311.pyc
- /usr/local/lib/suricata/python/suricata/update/commands/addsource.py
- /usr/local/lib/suricata/python/suricata/update/commands/checkversions.py
- /usr/local/lib/suricata/python/suricata/update/commands/disablesource.py
- /usr/local/lib/suricata/python/suricata/update/commands/enablesource.py
- /usr/local/lib/suricata/python/suricata/update/commands/listsources.py
- /usr/local/lib/suricata/python/suricata/update/commands/removesource.py
- /usr/local/lib/suricata/python/suricata/update/commands/updatesources.py
- /usr/local/lib/suricata/python/suricata/update/compat/
- /usr/local/lib/suricata/python/suricata/update/compat/__init__.py
- /usr/local/lib/suricata/python/suricata/update/compat/__pycache__/
- /usr/local/lib/suricata/python/suricata/update/compat/__pycache__/__init__.cpython-311.opt-1.pyc
- /usr/local/lib/suricata/python/suricata/update/compat/__pycache__/__init__.cpython-311.pyc
- /usr/local/lib/suricata/python/suricata/update/compat/__pycache__/ordereddict.cpython-311.opt-1.pyc
- /usr/local/lib/suricata/python/suricata/update/compat/__pycache__/ordereddict.cpython-311.pyc
- /usr/local/lib/suricata/python/suricata/update/compat/argparse/
- /usr/local/lib/suricata/python/suricata/update/compat/argparse/__init__.py
- /usr/local/lib/suricata/python/suricata/update/compat/argparse/__pycache__/
- /usr/local/lib/suricata/python/suricata/update/compat/argparse/__pycache__/__init__.cpython-311.opt-1.pyc
- /usr/local/lib/suricata/python/suricata/update/compat/argparse/__pycache__/__init__.cpython-311.pyc
- /usr/local/lib/suricata/python/suricata/update/compat/argparse/__pycache__/argparse.cpython-311.opt-1.pyc
- /usr/local/lib/suricata/python/suricata/update/compat/argparse/__pycache__/argparse.cpython-311.pyc
- /usr/local/lib/suricata/python/suricata/update/compat/argparse/argparse.py
- /usr/local/lib/suricata/python/suricata/update/compat/ordereddict.py
- /usr/local/lib/suricata/python/suricata/update/config.py
- /usr/local/lib/suricata/python/suricata/update/configs/
- /usr/local/lib/suricata/python/suricata/update/configs/__init__.py
- /usr/local/lib/suricata/python/suricata/update/configs/__pycache__/
- /usr/local/lib/suricata/python/suricata/update/configs/__pycache__/__init__.cpython-311.opt-1.pyc
- /usr/local/lib/suricata/python/suricata/update/configs/__pycache__/__init__.cpython-311.pyc
- /usr/local/lib/suricata/python/suricata/update/configs/disable.conf
- /usr/local/lib/suricata/python/suricata/update/configs/drop.conf
- /usr/local/lib/suricata/python/suricata/update/configs/enable.conf
- /usr/local/lib/suricata/python/suricata/update/configs/modify.conf
- /usr/local/lib/suricata/python/suricata/update/configs/threshold.in
- /usr/local/lib/suricata/python/suricata/update/configs/update.yaml
- /usr/local/lib/suricata/python/suricata/update/data/
- /usr/local/lib/suricata/python/suricata/update/data/__init__.py
- /usr/local/lib/suricata/python/suricata/update/data/__pycache__/
- /usr/local/lib/suricata/python/suricata/update/data/__pycache__/__init__.cpython-311.opt-1.pyc
- /usr/local/lib/suricata/python/suricata/update/data/__pycache__/__init__.cpython-311.pyc
- /usr/local/lib/suricata/python/suricata/update/data/__pycache__/index.cpython-311.opt-1.pyc
- /usr/local/lib/suricata/python/suricata/update/data/__pycache__/index.cpython-311.pyc
- /usr/local/lib/suricata/python/suricata/update/data/__pycache__/update.cpython-311.opt-1.pyc
- /usr/local/lib/suricata/python/suricata/update/data/__pycache__/update.cpython-311.pyc
- /usr/local/lib/suricata/python/suricata/update/data/index.py
- /usr/local/lib/suricata/python/suricata/update/data/update.py
- /usr/local/lib/suricata/python/suricata/update/engine.py
- /usr/local/lib/suricata/python/suricata/update/exceptions.py
- /usr/local/lib/suricata/python/suricata/update/extract.py
- /usr/local/lib/suricata/python/suricata/update/loghandler.py
- /usr/local/lib/suricata/python/suricata/update/main.py
- /usr/local/lib/suricata/python/suricata/update/maps.py
- /usr/local/lib/suricata/python/suricata/update/matchers.py
- /usr/local/lib/suricata/python/suricata/update/net.py
- /usr/local/lib/suricata/python/suricata/update/notes.py
- /usr/local/lib/suricata/python/suricata/update/osinfo.py
- /usr/local/lib/suricata/python/suricata/update/parsers.py
- /usr/local/lib/suricata/python/suricata/update/rule.py
- /usr/local/lib/suricata/python/suricata/update/sources.py
- /usr/local/lib/suricata/python/suricata/update/util.py
- /usr/local/lib/suricata/python/suricata/update/version.py
- /usr/local/lib/suricata/python/suricatasc/
- /usr/local/lib/suricata/python/suricatasc/__init__.py
- /usr/local/lib/suricata/python/suricatasc/__pycache__/
- /usr/local/lib/suricata/python/suricatasc/__pycache__/__init__.cpython-311.opt-1.pyc
- /usr/local/lib/suricata/python/suricatasc/__pycache__/__init__.cpython-311.pyc
- /usr/local/man/man1/suricata.1
- /usr/local/man/man1/suricatactl-filestore.1
- /usr/local/man/man1/suricatactl.1
- /usr/local/man/man1/suricatasc.1
- /usr/local/share/doc/pkg-readmes/suricata
- /usr/local/share/examples/suricata/
- /usr/local/share/examples/suricata/suricata.yaml
- /usr/local/share/examples/suricata/threshold.config
- /usr/local/share/suricata/
- /usr/local/share/suricata/classification.config
- /usr/local/share/suricata/reference.config
- /usr/local/share/suricata/rules/
- /usr/local/share/suricata/rules/app-layer-events.rules
- /usr/local/share/suricata/rules/decoder-events.rules
- /usr/local/share/suricata/rules/dhcp-events.rules
- /usr/local/share/suricata/rules/dnp3-events.rules
- /usr/local/share/suricata/rules/dns-events.rules
- /usr/local/share/suricata/rules/files.rules
- /usr/local/share/suricata/rules/ftp-events.rules
- /usr/local/share/suricata/rules/http-events.rules
- /usr/local/share/suricata/rules/http2-events.rules
- /usr/local/share/suricata/rules/ipsec-events.rules
- /usr/local/share/suricata/rules/kerberos-events.rules
- /usr/local/share/suricata/rules/modbus-events.rules
- /usr/local/share/suricata/rules/mqtt-events.rules
- /usr/local/share/suricata/rules/nfs-events.rules
- /usr/local/share/suricata/rules/ntp-events.rules
- /usr/local/share/suricata/rules/quic-events.rules
- /usr/local/share/suricata/rules/rfb-events.rules
- /usr/local/share/suricata/rules/smb-events.rules
- /usr/local/share/suricata/rules/smtp-events.rules
- /usr/local/share/suricata/rules/ssh-events.rules
- /usr/local/share/suricata/rules/stream-events.rules
- /usr/local/share/suricata/rules/tls-events.rules
- /var/log/suricata/
- /var/run/suricata/
- /var/suricata/
- @conflict suricata-update-*
- @newgroup _suricata:800
- @newuser _suricata:800:_suricata::Suricata Account:/nonexistent:/sbin/nologin