After entering this text (sudo tail /var/log/suricata/suricata.log), an error appeared. How do I fix it?

[11732 - Suricata-Main] 2023-11-22 21:29:05 Config: af-packet: eth0: using defrag kernel functionality for AF_PACKET
[11732 - Suricata-Main] 2023-11-22 21:29:05 Perf: af-packet: eth0: cluster_flow: 1 cores, using 1 threads
[11732 - Suricata-Main] 2023-11-22 21:29:05 Error: af-packet: eth0: failed to find interface type: No such device
[11732 - Suricata-Main] 2023-11-22 21:29:05 Info: runmodes: eth0: creating 1 thread
[11732 - Suricata-Main] 2023-11-22 21:29:05 Config: flow-manager: using 1 flow manager threads
[11732 - Suricata-Main] 2023-11-22 21:29:05 Config: flow-manager: using 1 flow recycler threads
[11732 - Suricata-Main] 2023-11-22 21:29:05 Info: unix-manager: unix socket '/var/run/suricata/suricata-command.socket'
[11736 - W#01-eth0] 2023-11-22 21:29:05 Error: af-packet: eth0: failed to find interface: No such device
[11736 - W#01-eth0] 2023-11-22 21:29:05 Error: af-packet: eth0: failed to init socket for interface
[11732 - Suricata-Main] 2023-11-22 21:29:05 Error: threads: thread "W#01-eth0" failed to start: flags 0423

The device eth0 is not available. So you need to point Suricata to use the interface that you want to use. In general please post more details about your scenario, starting with the Suricata version, config and run command.

bugaga200@bugaga200-VirtualBox:~$ kill$$
kill8425: команда не найдена
bugaga200@bugaga200-VirtualBox:~$ sudo apt-get install software-properties-common
[sudo] пароль для bugaga200:
Чтение списков пакетов… Готово
Построение дерева зависимостей… Готово
Чтение информации о состоянии… Готово
Уже установлен пакет software-properties-common самой новой версии (0.99.22.7).
software-properties-common помечен как установленный вручную.
Обновлено 0 пакетов, установлено 0 новых пакетов, для удаления отмечено 0 пакетов, и 3 пакетов не обновлено.
bugaga200@bugaga200-VirtualBox:~$ sudo add-apt-repository ppa:oisf/suricata-stable

Репозиторий: ‘deb Index of /oisf/suricata-stable/ubuntu jammy main’
Описание:
Suricata IDS/IPS/NSM stable packages
https://suricata.io/
https://oisf.net/

Suricata IDS/IPS/NSM - Suricata is a high performance Intrusion Detection and Prevention System and Network Security Monitoring engine.

Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.

This Engine supports:

  • Multi-Threading - provides for extremely fast and flexible operation on multicore systems.
  • Multi Tenancy - Per vlan/Per interface
  • Uses Rust for most protocol detection/parsing
  • TLS/SSL certificate matching/logging
  • JA3 TLS client fingerprinting
  • JA3S TLS server fingerprinting
  • IEEE 802.1ad (QinQ) and IEEE 802.1Q (VLAN) support
  • VXLAN support
  • All JSON output/logging capability
  • IDS runmode
  • IPS runmode
  • IDPS runmode
  • NSM runmode
  • eBPF/XDP
  • Automatic Protocol Detection and logging - IPv4/6, TCP, UDP, ICMP, HTTP, SMTP, TLS, SSH, FTP, SMB, DNS, NFS, TFTP, KRB5, DHCP, IKEv2, SNMP, SIP, RDP
  • SCADA automatic protocol detection - ENIP/DNP3/MODBUS
  • File Extraction HTTP/SMTP/FTP/NFS/SMB - over 4000 file types recognized and extracted from live traffic.
  • File MD5/SHA1/SHA256 matching
  • Gzip Decompression
  • Fast IP Matching
  • Datasets matching
  • Rustlang enabled protocol detection
  • Lua scripting

and many more great features -
https://suricata.io/features/all-features/
Дополнительные сведения: suricata-stable : OISF
Добавление репозитория.
Нажмите [ENTER] для продолжения или Ctrl-C для отмены.
Adding deb entry to /etc/apt/sources.list.d/oisf-ubuntu-suricata-stable-jammy.list
Adding disabled deb-src entry to /etc/apt/sources.list.d/oisf-ubuntu-suricata-stable-jammy.list
Adding key to /etc/apt/trusted.gpg.d/oisf-ubuntu-suricata-stable.gpg with fingerprint 9F6FC9DDB1324714B78062CBD7F87B2966EB736F
Сущ:1 http://ru.archive.ubuntu.com/ubuntu jammy InRelease
Пол:2 http://ru.archive.ubuntu.com/ubuntu jammy-updates InRelease [119 kB]
Сущ:3 Index of /ubuntu jammy-security InRelease
Пол:4 Index of /oisf/suricata-stable/ubuntu jammy InRelease [17,5 kB]
Пол:5 Index of /oisf/suricata-stable/ubuntu jammy/main amd64 Packages [1 372 B]
Пол:6 Index of /oisf/suricata-stable/ubuntu jammy/main Translation-en [1 204 B]
Сущ:7 http://ru.archive.ubuntu.com/ubuntu jammy-backports InRelease
Пол:8 http://ru.archive.ubuntu.com/ubuntu jammy-updates/main amd64 Packages [1 195 kB]
Пол:9 http://ru.archive.ubuntu.com/ubuntu jammy-updates/main i386 Packages [534 kB]
Пол:10 http://ru.archive.ubuntu.com/ubuntu jammy-updates/main Translation-en [251 kB]
Пол:11 http://ru.archive.ubuntu.com/ubuntu jammy-updates/universe i386 Packages [665 kB]
Пол:12 http://ru.archive.ubuntu.com/ubuntu jammy-updates/universe amd64 Packages [1 001 kB]
Пол:13 http://ru.archive.ubuntu.com/ubuntu jammy-updates/universe Translation-en [220 kB]
Получено 4 005 kB за 19с (208 kB/s)
Чтение списков пакетов… Готово
bugaga200@bugaga200-VirtualBox:~$ sudo apt update
Сущ:1 Index of /ubuntu jammy-security InRelease
Сущ:2 http://ru.archive.ubuntu.com/ubuntu jammy InRelease
Сущ:3 http://ru.archive.ubuntu.com/ubuntu jammy-updates InRelease
Сущ:4 http://ru.archive.ubuntu.com/ubuntu jammy-backports InRelease
Сущ:5 Index of /oisf/suricata-stable/ubuntu jammy InRelease
Чтение списков пакетов… Готово
Построение дерева зависимостей… Готово
Чтение информации о состоянии… Готово
Может быть обновлено 14 пакетов. Запустите «apt list --upgradable» для их показа.
bugaga200@bugaga200-VirtualBox:~$ sudo apt install suricata jq
Чтение списков пакетов… Готово
Построение дерева зависимостей… Готово
Чтение информации о состоянии… Готово
Следующие пакеты устанавливались автоматически и больше не требуются:
libnetfilter-log1 oinkmaster python3-simplejson snort-rules-default suricata-update
Для их удаления используйте «sudo apt autoremove».
Будут установлены следующие дополнительные пакеты:
libhtp2 libjq1 liblzma-dev libonig5
Предлагаемые пакеты:
liblzma-doc
Следующие НОВЫЕ пакеты будут установлены:
jq libjq1 liblzma-dev libonig5
Следующие пакеты будут обновлены:
libhtp2 suricata
Обновлено 2 пакетов, установлено 4 новых пакетов, для удаления отмечено 0 пакетов, и 12 пакетов не обновлено.
Необходимо скачать 4 118 kB архивов.
После данной операции объём занятого дискового пространства возрастёт на 6 761 kB.
Хотите продолжить? [Д/н] д
Пол:1 http://ru.archive.ubuntu.com/ubuntu jammy/main amd64 libonig5 amd64 6.9.7.1-2build1 [172 kB]
Пол:2 Index of /oisf/suricata-stable/ubuntu jammy/main amd64 libhtp2 amd64 1:0.5.45-0ubuntu0 [75,0 kB]
Пол:3 Index of /oisf/suricata-stable/ubuntu jammy/main amd64 suricata amd64 1:7.0.2-0ubuntu0 [3 527 kB]
Пол:4 http://ru.archive.ubuntu.com/ubuntu jammy/main amd64 libjq1 amd64 1.6-2.1ubuntu3 [133 kB]
Пол:5 http://ru.archive.ubuntu.com/ubuntu jammy/main amd64 jq amd64 1.6-2.1ubuntu3 [52,5 kB]
Пол:6 http://ru.archive.ubuntu.com/ubuntu jammy/main amd64 liblzma-dev amd64 5.2.5-2ubuntu1 [159 kB]
Получено 4 118 kB за 29с (143 kB/s)
Выбор ранее не выбранного пакета libonig5:amd64.
(Чтение базы данных … на данный момент установлено 203807 файлов и каталогов.)
Подготовка к распаковке …/0-libonig5_6.9.7.1-2build1_amd64.deb …
Распаковывается libonig5:amd64 (6.9.7.1-2build1) …
Выбор ранее не выбранного пакета libjq1:amd64.
Подготовка к распаковке …/1-libjq1_1.6-2.1ubuntu3_amd64.deb …
Распаковывается libjq1:amd64 (1.6-2.1ubuntu3) …
Выбор ранее не выбранного пакета jq.
Подготовка к распаковке …/2-jq_1.6-2.1ubuntu3_amd64.deb …
Распаковывается jq (1.6-2.1ubuntu3) …
Подготовка к распаковке …/3-libhtp2_1%3a0.5.45-0ubuntu0_amd64.deb …
Распаковывается libhtp2 (1:0.5.45-0ubuntu0) на замену (1:0.5.39-1) …
Выбор ранее не выбранного пакета liblzma-dev:amd64.
Подготовка к распаковке …/4-liblzma-dev_5.2.5-2ubuntu1_amd64.deb …
Распаковывается liblzma-dev:amd64 (5.2.5-2ubuntu1) …
Подготовка к распаковке …/5-suricata_1%3a7.0.2-0ubuntu0_amd64.deb …
Распаковывается suricata (1:7.0.2-0ubuntu0) на замену (1:6.0.4-3) …
Замена файлов в старом пакете suricata-update (1.2.3-1) …
dpkg: предупреждение: не удалось удалить старый каталог «/etc/suricata/rules»: Каталог не пуст
Настраивается пакет libhtp2 (1:0.5.45-0ubuntu0) …
Настраивается пакет liblzma-dev:amd64 (5.2.5-2ubuntu1) …
Настраивается пакет suricata (1:7.0.2-0ubuntu0) …
Устанавливается новая версия файла настройки /etc/default/suricata …
Устанавливается новая версия файла настройки /etc/init.d/suricata …
Устанавливается новая версия файла настройки /etc/suricata/suricata.yaml …
Устанавливается новая версия файла настройки /etc/suricata/threshold.config …
Настраивается пакет libonig5:amd64 (6.9.7.1-2build1) …
Настраивается пакет libjq1:amd64 (1.6-2.1ubuntu3) …
Настраивается пакет jq (1.6-2.1ubuntu3) …
Обрабатываются триггеры для man-db (2.10.2-1) …
Обрабатываются триггеры для libc-bin (2.35-0ubuntu3.4) …
bugaga200@bugaga200-VirtualBox:~$ sudo suricata --build-info
This is Suricata version 7.0.2 RELEASE
Features: NFQ PCAP_SET_BUFF AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK PCRE_JIT HAVE_NSS HTTP2_DECOMPRESSION HAVE_LUA HAVE_LUAJIT HAVE_LIBJANSSON TLS TLS_C11 MAGIC RUST
SIMD support: none
Atomic intrinsics: 1 2 4 8 byte(s)
64-bits, Little-endian architecture
GCC version 11.4.0, C version 201112
compiled with _FORTIFY_SOURCE=2
L1 cache line size (CLS)=64
thread local storage method: _Thread_local
compiled with LibHTP v0.5.45, linked against LibHTP v0.5.45

Suricata Configuration:
AF_PACKET support: yes
AF_XDP support: no
DPDK support: no
eBPF support: no
XDP support: no
PF_RING support: no
NFQueue support: yes
NFLOG support: no
IPFW support: no
Netmap support: no
DAG enabled: no
Napatech enabled: no
WinDivert enabled: no

Unix socket enabled: yes
Detection enabled: yes

Libmagic support: yes
libjansson support: yes
hiredis support: yes
hiredis async with libevent: yes
PCRE jit: yes
LUA support: yes, through luajit
libluajit: yes
GeoIP2 support: yes
Non-bundled htp: yes
Hyperscan support: yes
Libnet support: yes
liblz4 support: yes
Landlock support: yes

Rust support: yes
Rust strict mode: no
Rust compiler path: /usr/bin/rustc
Rust compiler version: rustc 1.66.1 (90743e729 2023-01-10) (built from a source tarball)
Cargo path: /usr/bin/cargo
Cargo version: cargo 1.66.1

Python support: yes
Python path: /usr/bin/python3
Install suricatactl: yes
Install suricatasc: yes
Install suricata-update: yes

Profiling enabled: no
Profiling locks enabled: no
Profiling rules enabled: no

Plugin support (experimental): yes
DPDK Bond PMD: no

Development settings:
Coccinelle / spatch: no
Unit tests enabled: no
Debug output enabled: no
Debug validation enabled: no
Fuzz targets enabled: no

Generic build parameters:
Installation prefix: /usr
Configuration directory: /etc/suricata/
Log directory: /var/log/suricata/

--prefix /usr
--sysconfdir /etc
--localstatedir /var
--datarootdir /usr/share

Host: x86_64-pc-linux-gnu
Compiler: gcc (exec name) / g++ (real)
GCC Protect enabled: yes
GCC march native enabled: no
GCC Profile enabled: no
Position Independent Executable enabled: yes
CFLAGS -g -O2 -ffile-prefix-map=/build/suricata-7OpYy4/suricata-7.0.2=. -flto=auto -ffat-lto-objects -flto=auto -ffat-lto-objects -fstack-protector-strong -Wformat -Werror=format-security -fPIC -std=c11 -I${srcdir}/…/rust/gen -I${srcdir}/…/rust/dist
PCAP_CFLAGS -I/usr/include
SECCFLAGS -fstack-protector -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security
bugaga200@bugaga200-VirtualBox:~$ sudo systemctl status suricata
● suricata.service - LSB: Next Generation IDS/IPS
Loaded: loaded (/etc/init.d/suricata; generated)
Active: active (exited) since Wed 2023-11-22 13:32:01 +05; 7min ago
Docs: man:systemd-sysv-generator(8)
Process: 9551 ExecStart=/etc/init.d/suricata start (code=exited, status=0/SUCCESS)
CPU: 58ms

ноя 22 13:32:01 bugaga200-VirtualBox systemd[1]: Starting LSB: Next Generation IDS/IPS…
ноя 22 13:32:01 bugaga200-VirtualBox suricata[9551]: Starting suricata in IDS (af-packet) mode… done.
ноя 22 13:32:01 bugaga200-VirtualBox systemd[1]: Started LSB: Next Generation IDS/IPS.
bugaga200@bugaga200-VirtualBox:~$ ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 08:00:27:e1:c1:d9 brd ff:ff:ff:ff:ff:ff
inet 10.0.2.15/24 brd 10.0.2.255 scope global dynamic noprefixroute enp0s3
valid_lft 82318sec preferred_lft 82318sec
inet6 fe80::ff95:8a84:8f0:bc21/64 scope link noprefixroute
valid_lft forever preferred_lft forever
bugaga200@bugaga200-VirtualBox:~$ sudo vim /etc/suricata/suricata.yaml
[sudo] пароль для bugaga200:
sudo: vim: команда не найдена
bugaga200@bugaga200-VirtualBox:~$ sudo suricata-update
22/11/2023 -- 21:24:20 - -- Using data-directory /var/lib/suricata.
22/11/2023 -- 21:24:20 - -- Using Suricata configuration /etc/suricata/suricata.yaml
22/11/2023 -- 21:24:20 - -- Using /usr/share/suricata/rules for Suricata provided rules.
22/11/2023 -- 21:24:20 - -- Found Suricata version 7.0.2 at /usr/bin/suricata.
22/11/2023 -- 21:24:20 - -- Loading /etc/suricata/suricata.yaml
22/11/2023 -- 21:24:20 - -- Disabling rules for protocol pgsql
22/11/2023 -- 21:24:20 - -- Disabling rules for protocol modbus
22/11/2023 -- 21:24:20 - -- Disabling rules for protocol dnp3
22/11/2023 -- 21:24:20 - -- Disabling rules for protocol enip
22/11/2023 -- 21:24:20 - -- No sources configured, will use Emerging Threats Open
22/11/2023 -- 21:24:20 - -- Fetching https://rules.emergingthreats.net/open/suricata-7.0.2/emerging.rules.tar.gz.
100% - 4131015/4131015
22/11/2023 -- 21:27:32 - -- Done.
22/11/2023 -- 21:27:32 - -- Loading distribution rule file /usr/share/suricata/rules/app-layer-events.rules
22/11/2023 -- 21:27:32 - -- Loading distribution rule file /usr/share/suricata/rules/decoder-events.rules
22/11/2023 -- 21:27:32 - -- Loading distribution rule file /usr/share/suricata/rules/dhcp-events.rules
22/11/2023 -- 21:27:32 - -- Loading distribution rule file /usr/share/suricata/rules/dnp3-events.rules
22/11/2023 -- 21:27:32 - -- Loading distribution rule file /usr/share/suricata/rules/dns-events.rules
22/11/2023 -- 21:27:32 - -- Loading distribution rule file /usr/share/suricata/rules/files.rules
22/11/2023 -- 21:27:32 - -- Loading distribution rule file /usr/share/suricata/rules/http-events.rules
22/11/2023 -- 21:27:32 - -- Loading distribution rule file /usr/share/suricata/rules/ipsec-events.rules
22/11/2023 -- 21:27:32 - -- Loading distribution rule file /usr/share/suricata/rules/kerberos-events.rules
22/11/2023 -- 21:27:32 - -- Loading distribution rule file /usr/share/suricata/rules/modbus-events.rules
22/11/2023 -- 21:27:32 - -- Loading distribution rule file /usr/share/suricata/rules/nfs-events.rules
22/11/2023 -- 21:27:32 - -- Loading distribution rule file /usr/share/suricata/rules/ntp-events.rules
22/11/2023 -- 21:27:32 - -- Loading distribution rule file /usr/share/suricata/rules/smb-events.rules
22/11/2023 -- 21:27:32 - -- Loading distribution rule file /usr/share/suricata/rules/smtp-events.rules
22/11/2023 -- 21:27:32 - -- Loading distribution rule file /usr/share/suricata/rules/stream-events.rules
22/11/2023 -- 21:27:32 - -- Loading distribution rule file /usr/share/suricata/rules/tls-events.rules
22/11/2023 -- 21:27:32 - -- Ignoring file rules/emerging-deleted.rules
22/11/2023 -- 21:27:34 - -- Loaded 45867 rules.
22/11/2023 -- 21:27:34 - -- Disabled 14 rules.
22/11/2023 -- 21:27:34 - -- Enabled 0 rules.
22/11/2023 -- 21:27:34 - -- Modified 0 rules.
22/11/2023 -- 21:27:34 - -- Dropped 0 rules.
22/11/2023 -- 21:27:34 - -- Enabled 131 rules for flowbit dependencies.
22/11/2023 -- 21:27:34 - -- Backing up current rules.
22/11/2023 -- 21:27:34 - -- Writing rules to /var/lib/suricata/rules/suricata.rules: total: 45867; enabled: 35623; added: 45867; removed 0; modified: 0
22/11/2023 -- 21:27:34 - -- Writing /var/lib/suricata/rules/classification.config
22/11/2023 -- 21:27:34 - -- Testing with suricata -T.
22/11/2023 -- 21:27:47 - -- Done.
bugaga200@bugaga200-VirtualBox:~$ sudo systemctl restart suricata
bugaga200@bugaga200-VirtualBox:~$ sudo systemctl restart suricata
bugaga200@bugaga200-VirtualBox:~$ sudo tail /var/log/suricata/suricata.log
[11732 - Suricata-Main] 2023-11-22 21:29:05 Config: af-packet: eth0: using defrag kernel functionality for AF_PACKET
[11732 - Suricata-Main] 2023-11-22 21:29:05 Perf: af-packet: eth0: cluster_flow: 1 cores, using 1 threads
[11732 - Suricata-Main] 2023-11-22 21:29:05 Error: af-packet: eth0: failed to find interface type: No such device
[11732 - Suricata-Main] 2023-11-22 21:29:05 Info: runmodes: eth0: creating 1 thread
[11732 - Suricata-Main] 2023-11-22 21:29:05 Config: flow-manager: using 1 flow manager threads
[11732 - Suricata-Main] 2023-11-22 21:29:05 Config: flow-manager: using 1 flow recycler threads
[11732 - Suricata-Main] 2023-11-22 21:29:05 Info: unix-manager: unix socket '/var/run/suricata/suricata-command.socket'
[11736 - W#01-eth0] 2023-11-22 21:29:05 Error: af-packet: eth0: failed to find interface: No such device
[11736 - W#01-eth0] 2023-11-22 21:29:05 Error: af-packet: eth0: failed to init socket for interface
[11732 - Suricata-Main] 2023-11-22 21:29:05 Error: threads: thread "W#01-eth0" failed to start: flags 0423
bugaga200@bugaga200-VirtualBox:~$

The configuration file is still missing and please use quote and code tags to make the post easier to read.

As I said, it uses eth0 by default, but you need to set the config to the interface you want to listen on, and this depends on your setup. Please read through our documentation at Suricata User Guide — Suricata 8.0.0-dev documentation
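The mismatch the two replies above point at (Suricata started against eth0 while ip addr lists only lo and enp0s3) can be checked mechanically before touching the config. The script below is an added example, not code from this thread or from the Suricata project. It parses the error lines Suricata wrote to suricata.log and the output of ip addr, both embedded here as constructed samples copied from the thread, reports which interface Suricata could not open and which interfaces the host actually has, and builds a foreground test command using the --af-packet=<dev> option shown in the usage text later in the thread. The regular expressions assume the Suricata 7 log format and standard iproute2 output quoted above; the config path in the suggested command is the one the package install printed.

```python
"""Diagnose Suricata's "af-packet: <iface>: failed to find interface: No such device".

Added example (not the thread's or Suricata's own code): compares the interface
Suricata tried to open against the interfaces the host reports.
"""
import re

# Constructed sample: the error lines pasted from /var/log/suricata/suricata.log.
SURICATA_LOG = """\
[11732 - Suricata-Main] 2023-11-22 21:29:05 Config: af-packet: eth0: using defrag kernel functionality for AF_PACKET
[11732 - Suricata-Main] 2023-11-22 21:29:05 Error: af-packet: eth0: failed to find interface type: No such device
[11736 - W#01-eth0] 2023-11-22 21:29:05 Error: af-packet: eth0: failed to find interface: No such device
[11736 - W#01-eth0] 2023-11-22 21:29:05 Error: af-packet: eth0: failed to init socket for interface
[11732 - Suricata-Main] 2023-11-22 21:29:05 Error: threads: thread "W#01-eth0" failed to start: flags 0423
"""

# Constructed sample: the `ip addr` output pasted in the thread.
IP_ADDR = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 08:00:27:e1:c1:d9 brd ff:ff:ff:ff:ff:ff
    inet 10.0.2.15/24 brd 10.0.2.255 scope global dynamic noprefixroute enp0s3
"""

CONFIG_PATH = "/etc/suricata/suricata.yaml"  # path printed by the package install

# Matches both "failed to find interface type" and "failed to find interface".
MISSING_RE = re.compile(r"Error: af-packet: (?P<iface>\S+): failed to find interface")
# Matches the header line of each device in `ip addr` / `ip link`, e.g.
# "2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> ..." (also "eth0@if5" style names).
LINK_RE = re.compile(r"^\d+: (?P<iface>[^:@\s]+)(?:@\S+)?: <(?P<flags>[^>]*)>")


def missing_interfaces(log_text):
    """Interface names Suricata tried to open but the kernel did not know, in log order."""
    found = []
    for m in MISSING_RE.finditer(log_text):
        if m.group("iface") not in found:
            found.append(m.group("iface"))
    return found


def host_interfaces(ip_addr_text):
    """Map of interface name -> set of link flags, parsed from `ip addr` output."""
    ifaces = {}
    for line in ip_addr_text.splitlines():
        m = LINK_RE.match(line)
        if m:
            ifaces[m.group("iface")] = set(m.group("flags").split(","))
    return ifaces


def capture_candidates(ifaces):
    """Non-loopback interfaces that are administratively up: the usual AF_PACKET targets."""
    return [name for name, flags in ifaces.items()
            if "LOOPBACK" not in flags and "UP" in flags]


def diagnose(log_text, ip_addr_text):
    """Return a verdict dict: what was missing, what exists, and a command to try."""
    missing = missing_interfaces(log_text)
    ifaces = host_interfaces(ip_addr_text)
    candidates = capture_candidates(ifaces)
    # If the "missing" interface is actually listed, the cause is not a name mismatch
    # (e.g. Suricata started before the interface came up), so say so explicitly.
    present_but_failed = [i for i in missing if i in ifaces]
    suggestions = [
        f"sudo suricata -c {CONFIG_PATH} --af-packet={cand}" for cand in candidates
    ]
    return {
        "missing": missing,
        "present": sorted(ifaces),
        "present_but_failed": present_but_failed,
        "candidates": candidates,
        "suggestions": suggestions,
    }


if __name__ == "__main__":
    verdict = diagnose(SURICATA_LOG, IP_ADDR)
    print("Suricata could not open :", ", ".join(verdict["missing"]) or "(none)")
    print("Host interfaces         :", ", ".join(verdict["present"]))
    if verdict["present_but_failed"]:
        print("Interface exists but failed; check link state and capture permissions.")
    for cmd in verdict["suggestions"]:
        print("Try in the foreground   :", cmd)
```

Run as-is it prints the verdict for the thread's data; on a live host replace the two constants with the output of sudo tail -n 50 /var/log/suricata/suricata.log and ip addr. The foreground command only confirms that the interface can be opened; the persistent fix is still to set the interface under the af-packet section of /etc/suricata/suricata.yaml (and, for the LSB init script shown in the systemctl output, the interface setting in /etc/default/suricata), validate with sudo suricata -T -c /etc/suricata/suricata.yaml, and restart the service.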

Thank you for everything

First I prescribed these commands

  1. sudo su
  2. sudo apt install suricata
  3. sudo systemctl status suricata

After that, I entered (kill$$); I thought that I had thrown off the previously entered data.
Then I followed the instructions.

2.1
sudo apt-get install software-properties-common
sudo add-apt-repository ppa:oisf/suricata-stable
sudo apt update
sudo apt install suricata jq

sudo suricata --build-info
sudo systemctl status suricata

2.2. Basic setup

$ ip addr

After entering the last line

sudo vim /etc/suricata/suricata.yaml

an error came out.

We still don't know what your suricata.yaml looks like; we also don't know what interface you have configured and want to use. Please upload your config file and tell us what you want to achieve and which interface you want to use.

Suricata 7.0.2
USAGE: suricata [OPTIONS] [BPF FILTER]

-c <path>                            : path to configuration file
-T                                   : test configuration file (use with -c)
-i <dev or ip>                       : run in pcap live mode
-F <bpf filter file>                 : bpf filter file
-r <path>                            : run in pcap file/offline mode
-q <qid[:qid]>                       : run in inline nfqueue mode (use colon to specify a range of queues)
-s <path>                            : path to signature file loaded in addition to suricata.yaml settings (optional)
-S <path>                            : path to signature file loaded exclusively (optional)
-l <dir>                             : default log directory
-D                                   : run as daemon
-k [all|none]                        : force checksum check (all) or disabled it (none)
-V                                   : display Suricata version
-v                                   : be more verbose (use multiple times to increase verbosity)
--list-app-layer-protos              : list supported app layer protocols
--list-keywords[=all|csv|<kword>]    : list keywords implemented by the engine
--list-runmodes                      : list supported runmodes
--runmode <runmode_id>               : specific runmode modification the engine should run.  The argument
                                       supplied should be the id for the runmode obtained by running
                                       --list-runmodes
--engine-analysis                    : print reports on analysis of different sections in the engine and exit.
                                       Please have a look at the conf parameter engine-analysis on what reports
                                       can be printed
--pidfile <file>                     : write pid to this file
--init-errors-fatal                  : enable fatal failure on signature init error
--disable-detection                  : disable detection engine
--dump-config                        : show the running configuration
--dump-features                      : display provided features
--build-info                         : display build information
--pcap[=<dev>]                       : run in pcap mode, no value select interfaces from suricata.yaml
--pcap-file-continuous               : when running in pcap mode with a directory, continue checking directory for pcaps until interrupted
--pcap-file-delete                   : when running in replay mode (-r with directory or file), will delete pcap files that have been processed when done
--pcap-file-recursive                : will descend into subdirectories when running in replay mode (-r)
--pcap-buffer-size                   : size of the pcap buffer value from 0 - 2147483647
--af-packet[=<dev>]                  : run in af-packet mode, no value select interfaces from suricata.yaml
--simulate-ips                       : force engine into IPS mode. Useful for QA
--user <user>                        : run suricata as this user after init
--group <group>                      : run suricata as this group after init
--erf-in <path>                      : process an ERF file
--unix-socket[=<file>]               : use unix socket to control suricata work
--reject-dev <dev>                   : send reject packets from this interface
--include <path>                     : additional configuration file
--set name=value                     : set a configuration value

To run the engine with default configuration on interface eth0 with signature file "signatures.rules", run the command as:

suricata -c suricata.yaml -s signatures.rules -i eth0

what should be done next?

As I said before, please upload your suricata.yaml file and what interface you want to use for monitoring.

do I need to download it?

No, I'm talking about the /etc/suricata/suricata.yaml that you want to use, as well as information on the network interface.

What command do I need to enter so that I can show you this information?

You could use either an editor like vim or use cat but that’s basic Linux knowledge. Or you can use scp to download the file. Please upload the file and NOT a screenshot.

And for the interfaces you could run ip a but YOU need to know which interface is receiving the traffic you want to investigate.

Keep in mind Suricata is an advanced tool that requires basic networking and Linux knowledge (if run on a Linux machine).

First question
Hi! Which operating system should I boot into first in Suricata?
Second question
And then I transfer it using SCP?

You already installed Ubuntu which is fine. Please read my questions:

  1. Provide the content of the file /etc/suricata/suricata.yaml; you did open this file before with vim, as you mentioned. So you changed the config, but we need to know what it looks like.

  2. Why did you install Suricata in the first place and what do you want to achieve?

  3. Again, what network interface do you want to use for the packet capture?

I don't understand where to look (/etc/suricata/suricata.yaml)

you: Why did you install Suricata in the first place and what do you want to achieve?
me: I do not know in what order to install Suricata.

you: Again, what network interface do you want to use for the packet capture?
me: What do you mean?

I have working programs on Windows. I'm going to trade on the BYBIT exchange through the CScalp terminal, and in order to avoid losing my own money, I want to install Suricata. This is my first acquaintance with this kind of difficulty!

Can you explain to me in what order to install Suricata?

Suricata is not going to help you with that. I recommend re-evaluating your use of Suricata, it may not be the tool you are looking for.