Suricata on macOS

OS/X 12.1 (Monterey, intel)
suricata 6.0.4

I have suricata running on a couple of linux systems. I decided that it should be possible to have it run on an OS/X system as well. I installed suricata as shown at https://macappstore.org/suricata/, all of which worked as expected. “suricata -V” displays its version (yay!) 6.0.4. Its build-info shows that only IPFW is enabled.

For the linux systems there are a number of steps to prep the firewall for working with suricata. Is there a tutorial (or similar) about how to set up and run suricata on an OS/X system?

No one has done this?

I do not know about that script you ran on that page but what I did is install with homebrew by running this.
brew install suricata

Then run ifconfig in terminal
after you find out what adapter you are using, like en0 for your Wi-Fi if it's the same as mine.

Then you have to open this file.
/usr/local/etc/suricata/suricata.yaml
Search for the word interface and replace the interface in the config with en0 if it says en0.
Make sure you have the proper IP range for your home network.

Then update
sudo suricata-update
List all the sources and lists
suricata-update list-sources
Add a list like this
sudo suricata-update enable-source malsilo/win-malware

Then if you run the application like this

sudo /usr/local/Cellar/suricata/7.0.1/libexec/bin/suricata -c /usr/local/etc/suricata/suricata.yaml -s signatures.rules -i en0

It should be running now

open another terminal and test to see if it is working by
typing this
curl http://testmynids.org/uid/index.html

Now you should check in the log
cat /usr/local/var/log/suricata/fast.log

and you should see an alert if it is working properly. I hope this helped you; let me know if you need some more help.
You can even type
suricata -h
into the terminal and see all the different things you can do. If you run it with -D you can run it as a daemon like this:
sudo /usr/local/Cellar/suricata/7.0.1/libexec/bin/suricata -c /usr/local/etc/suricata/suricata.yaml -s signatures.rules -i en0 -D


This is an excellent write-up.

For M1 Macs, Homebrew puts Suricata below /opt/homebrew, so your command would look something like this on an M1 machine:

sudo /opt/homebrew/bin/suricata -c /opt/homebrew/etc/suricata/suricata.yaml -s signatures.rules -i en0

Basically, replace the beginning of the path you provide (/usr/local/) with /opt/homebrew.

Thank you again!

Jeff G


Thank you, and I suppose we could add a few more things here, like the drop.conf.
Enabling drop.conf actually drops traffic on the rule rather than alerting you.

located at /usr/local/Cellar/suricata/7.0.2/lib/suricata/python/suricata/update/configs/drop.conf

There is an enable.conf as well for enabling more rules; it uses the same syntax. If you use the same list below you will enable everything possible, but you will get some errors for some rules that cannot be enabled. The enable.conf is located at

/usr/local/Cellar/suricata/7.0.2/lib/suricata/python/suricata/update/configs/enable.conf

Here are the groups that you can add to those files

group:cinsarmy*
group:etn_aggressive.rules
group:malsilo.rules
group:emerging.rules
group:sslblacklist.rules
group:ja3_fingerprints.rules
group:hunting.rules
group:trafficid.rules
group:app-layer-events.rules
group:decoder-events.rules
group:dhcp-events.rules
group:dnp3-events.rules
group:dns-events.rules
group:files.rules
group:http-events.rules
group:ipsec-events.rules
group:kerberos-events.rules
group:modbus-events.rules
group:nfs-events.rules
group:ntp-events.rules
group:smb-events.rules
group:smb*
group:smtp-events.rules
group:stream-events.rules
group:tls-events.rules
group:emerging-deleted.rules
group:suricata.rules
group:3coresec.rules
group:botcc.portgrouped.rules
group:botcc.rules
group:ciarmy.rules
group:compromised.rules
group:drop.rules
group:dshield.rules
group:emerging-activex.rules
group:emerging-adware_pup.rules
group:emerging-attack_response.rules
group:emerging-chat.rules
group:emerging-coinminer.rules
group:emerging-current_events.rules
group:emerging-dns.rules
group:emerging-dos.rules
group:emerging-exploit.rules
group:emerging-exploit_kit.rules
group:emerging-ftp.rules
group:emerging-hunting.rules
group:emerging-icmp.rules
group:emerging-icmp_info.rules
group:emerging-imap.rules
group:emerging-inappropriate.rules
group:emerging-info.rules
group:emerging-ja3.rules
group:emerging-malware.rules
group:emerging-misc.rules
group:emerging-mobile_malware.rules
group:emerging-netbios.rules
group:emerging-p2p.rules
group:emerging-phishing.rules
group:emerging-policy.rules
group:emerging-pop3.rules
group:emerging-rpc.rules
group:emerging-scada.rules
group:emerging-scan.rules
group:emerging-shellcode.rules
group:emerging-smtp.rules
group:emerging-snmp.rules
group:emerging-sql.rules
group:emerging-telnet.rules
group:emerging-tftp.rules
group:emerging-user_agents.rules
group:emerging-voip.rules
group:emerging-web_client.rules
group:emerging-web_server.rules
group:emerging-web_specific_apps.rules
group:emerging-worm.rules
group:threatview_CS_c2.rules
group:tor.rules
group:app-layer-events.rules
group:decoder-events.rules
group:dhcp-events.rules
group:dnp3-events.rules
group:dns-events.rules
group:http-events.rules
group:ipsec-events.rules
group:kerberos-events.rules
group:modbus-events.rules
group:nfs-events.rules
group:ntp-events.rules
group:smb-events.rules
group:smtp-events.rules
group:stream-events.rules
group:tls-events.rules

Then save the file, and you can update and call on the drop.conf and enable.conf.

And then do an update referencing your new config files. You will now have the rules enabled and set to drop traffic next time you update as listed below.

sudo suricata-update --drop-conf=/usr/local/Cellar/suricata/7.0.2/lib/suricata/python/suricata/update/configs/drop.conf --enable-conf=/usr/local/Cellar/suricata/7.0.2/lib/suricata/python/suricata/update/configs/enable.conf

Now you have an intrusion prevention system.


These are template files that generally should not be edited, as they will be overwritten on a Suricata-Update. Instead create the files enable.conf, drop.conf, etc in whatever the Brew equivalent of /etc/suricata/ would be.

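Putting the steps from this thread together as a small shell helper (an added example, not code from any post above): it picks the Homebrew prefix by architecture, writes enable.conf/drop.conf under <prefix>/etc/suricata instead of the Cellar template directory, builds the matching suricata-update command, and checks fast.log for the testmynids alert. The function names, the scratch prefix and the sample fast.log lines are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the thread): choose the Homebrew prefix for this Mac,
# keep enable.conf/drop.conf under <prefix>/etc/suricata rather than in the
# Cellar template directory, and confirm the curl test produced an alert.
# Map the CPU architecture to the Homebrew prefix: Apple silicon uses
# /opt/homebrew, Intel uses /usr/local. Pass an arch to override `uname -m`.
suri_prefix() {
    case "${1:-$(uname -m)}" in
        arm64) echo /opt/homebrew ;;
        *)     echo /usr/local ;;
    esac
}

# Write one "group:<name>" line per argument to <prefix>/etc/suricata/<file>,
# which suricata-update will not overwrite.  $1 = prefix, $2 = file name
# (enable.conf or drop.conf), remaining args = rule groups.  Prints the path.
write_rule_conf() {
    prefix="$1"; name="$2"; shift 2
    dir="$prefix/etc/suricata"
    mkdir -p "$dir"
    : > "$dir/$name"                           # start from an empty file
    for g in "$@"; do
        printf 'group:%s\n' "$g" >> "$dir/$name"
    done
    echo "$dir/$name"
}

# The suricata-update invocation that points at the files written above.
update_cmd() {
    echo "sudo suricata-update --enable-conf=$1/etc/suricata/enable.conf --drop-conf=$1/etc/suricata/drop.conf"
}

# Count fast.log lines whose alert text contains $2 (fixed string, not regex).
# grep -c prints 0 on no match but exits 1, so mask the status.
count_alerts() {
    grep -c -F -- "$2" "$1" || true
}

# Constructed sample of fast.log after `curl http://testmynids.org/uid/index.html`
# (documentation IP addresses; the first line is the "id check returned root"
# signature the test page is designed to trigger).
SAMPLE_FAST_LOG='01/15/2024-10:22:31.123456  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.5:80 -> 192.168.1.10:54321
01/15/2024-10:22:40.000001  [**] [1:2210020:2] SURICATA STREAM ESTABLISHED packet out of window [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.1.10:54322 -> 203.0.113.9:443'
# Stand-alone demo: set up conf files in a scratch prefix and scan the sample.
demo_dir=$(mktemp -d)
write_rule_conf "$demo_dir" drop.conf emerging-malware.rules botcc.rules >/dev/null
printf '%s\n' "$SAMPLE_FAST_LOG" > "$demo_dir/fast.log"
echo "prefix: $(suri_prefix)"
echo "run:    $(update_cmd "$(suri_prefix)")"
echo "test alerts seen: $(count_alerts "$demo_dir/fast.log" 'id check returned root')"
```

Run it once with the real prefix to generate the two conf files, then paste the printed suricata-update line; a count of 0 after the curl test means the rule set or the interface in suricata.yaml needs another look.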

On an Apple silicon Mac, Homebrew would likely use:

/opt/homebrew/etc/suricata

On an Intel Mac likely:

/usr/local/homebrew/etc/suricata

Jeff G.

Thank you for the assistance here it is very much appreciated.