Suricata#
Suricata is a free and open source, mature, fast and robust network threat detection engine.
The Suricata engine is capable of real-time intrusion detection (IDS), inline intrusion prevention (IPS), network security monitoring (NSM) and offline pcap processing.
Suricata inspects the network traffic using a powerful and extensive rules and signature language, and has powerful Lua scripting support for detection of complex threats.
Install Suricata#
Install Suricata (OSX)
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Mac_OS_X_10_11
Download the open Emerging Threats (ET Open) ruleset. The archive is a zip, so unpack it with unzip (not tar); it extracts into a rules/ directory.
wget https://rules.emergingthreats.net/open/suricata/emerging.rules.zip
unzip emerging.rules.zip
sudo mkdir -p /var/lib/suricata/
sudo mv rules /var/lib/suricata/
Update the Suricata config (/etc/suricata/suricata.yaml) so that default-rule-path points at that folder; the emerging* glob loads every emerging-*.rules file in it.
default-rule-path: /var/lib/suricata/rules
rule-files:
  - emerging*
Download Security Datasets Pcaps#
Clone the project and change into the large datasets directory
git clone https://github.com/OTRF/Security-Datasets && cd Security-Datasets/datasets/large
Decompress every PCAP archive in place (the zip files are password protected; the password is infected)
find apt29/day*/pcaps -name '*.zip' -execdir unzip -P infected {} \;
Run Suricata#
Run Suricata on every PCAP. Because find uses -execdir, each run starts in the PCAP's own directory, and -l . makes Suricata write fast.log and eve.json there instead of the default-log-dir from suricata.yaml (normally /var/log/suricata); successive runs in the same directory append to those files. -k none disables checksum verification, which avoids dropping packets from captures taken with checksum offloading enabled.
find apt29/day*/pcaps -name '*cap' -execdir suricata -r {} -l . -k none \;
Stack count the alerts generated, excluding the Generic Protocol Command Decode category (decoder noise rather than threat signal); jq -r prints the signatures without quotes and the final sort -rn orders them by count
jq -r 'select((.event_type == "alert") and .alert.category != "Generic Protocol Command Decode") | .alert.signature' apt29/day1/pcaps/eve.json | sort | uniq -c | sort -rn
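The same stack count in Python, as an added example that is not part of the Security-Datasets project or of Suricata. It goes a little beyond the jq one-liner: it skips the truncated trailing line an interrupted Suricata run can leave in eve.json, takes a configurable set of excluded categories, and merges counts across several eve.json files (one per day). The sample EVE lines, signature names and IP addresses are constructed for the example; only the excluded category name comes from the page.

```python
"""Stack-count Suricata alerts from EVE JSON (added example, not project code)."""
import json
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# Decoder-noise category used in the jq filter; extend the set as needed.
DEFAULT_EXCLUDED_CATEGORIES = frozenset({"Generic Protocol Command Decode"})


def iter_events(lines: Iterable[str]):
    """Yield parsed EVE records, skipping blank and unparseable lines."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            # EVE is one JSON object per line; a partial trailing line (killed
            # run, full disk) should not abort the whole count.
            continue


def stack_count_alerts(lines: Iterable[str],
                       excluded_categories=DEFAULT_EXCLUDED_CATEGORIES) -> Dict[str, int]:
    """Return {signature: count} for alert events outside the excluded categories."""
    counts: Counter = Counter()
    for ev in iter_events(lines):
        if ev.get("event_type") != "alert":
            continue
        alert = ev.get("alert") or {}
        if alert.get("category") in excluded_categories:
            continue
        counts[alert.get("signature", "<no signature>")] += 1
    return dict(counts)


def stack_count_files(paths: Iterable[str], **kwargs) -> Dict[str, int]:
    """Merge alert counts across several eve.json files (e.g. day1, day2)."""
    merged: Counter = Counter()
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            merged.update(stack_count_alerts(fh, **kwargs))
    return dict(merged)


def top_alerts(counts: Dict[str, int], n: int = 10) -> List[Tuple[str, int]]:
    """Signatures ordered by count, highest first (ties broken by name)."""
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


# Constructed sample EVE lines, not real dataset output. Signature strings,
# hosts and timestamps are invented; only the decoder-noise category is real.
SAMPLE_EVE_LINES = [
    json.dumps({"timestamp": "2020-05-01T22:55:01.000000+0000", "event_type": "alert",
                "src_ip": "10.0.1.4", "dest_ip": "192.0.2.10",
                "alert": {"signature": "CONSTRUCTED Suspicious User-Agent",
                          "category": "A Network Trojan was detected", "severity": 1}}),
    json.dumps({"timestamp": "2020-05-01T22:55:07.000000+0000", "event_type": "alert",
                "src_ip": "10.0.1.4", "dest_ip": "192.0.2.10",
                "alert": {"signature": "CONSTRUCTED Suspicious User-Agent",
                          "category": "A Network Trojan was detected", "severity": 1}}),
    json.dumps({"timestamp": "2020-05-01T22:56:30.000000+0000", "event_type": "alert",
                "src_ip": "10.0.1.6", "dest_ip": "198.51.100.7",
                "alert": {"signature": "CONSTRUCTED Outbound Connection to Raw IP",
                          "category": "Potentially Bad Traffic", "severity": 2}}),
    json.dumps({"timestamp": "2020-05-01T22:56:31.000000+0000", "event_type": "alert",
                "src_ip": "10.0.1.6", "dest_ip": "198.51.100.7",
                "alert": {"signature": "CONSTRUCTED HTTP decoder event",
                          "category": "Generic Protocol Command Decode", "severity": 3}}),
    json.dumps({"timestamp": "2020-05-01T22:57:00.000000+0000", "event_type": "flow",
                "src_ip": "10.0.1.6", "dest_ip": "198.51.100.7", "proto": "TCP"}),
    # Truncated last line, as left behind by an interrupted run.
    '{"timestamp": "2020-05-01T22:58:00.000000+0000", "event_type": "alert", "alert": {"sig',
]

if __name__ == "__main__":
    # Same shape as `... | sort | uniq -c | sort -rn`: count, then signature.
    for signature, count in top_alerts(stack_count_alerts(SAMPLE_EVE_LINES)):
        print(f"{count:7d} {signature}")
```

To run it against the dataset output instead of the constructed sample, call stack_count_files with the per-day paths, e.g. apt29/day1/pcaps/eve.json and apt29/day2/pcaps/eve.json, and pass excluded_categories=frozenset() if you want the decoder events counted as well.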