Saturday, May 31, 2014

Suricata with Logstash - Part 2: Setup and Configure Suricata

Pre-installation requirements

For Ubuntu 10.04 LTS and later, install the packages below to support both IDS and IPS function in Suricata. The -dev packages are needed because Suricata is compiled from source in the next step.
$sudo apt-get -y install libpcre3 libpcre3-dbg libpcre3-dev build-essential autoconf automake libtool libpcap-dev libnet1-dev libyaml-0-2 libyaml-dev zlib1g zlib1g-dev libcap-ng-dev libcap-ng0 make libmagic-dev libnetfilter-queue-dev libnetfilter-queue1 libnfnetlink-dev libnfnetlink0
Note: If you don't plan to use Suricata in IPS mode, you may leave out
libnetfilter-queue-dev libnetfilter-queue1 libnfnetlink-dev libnfnetlink0

Download Suricata

Download Suricata (latest version as of writing is 2.0.1). The tarball is served over plain HTTP, so verify it against the PGP signature OISF publishes for the release before you extract it.
Once downloaded, extract it and navigate to the folder.
$wget http://www.openinfosecfoundation.org/download/suricata-2.0.1.tar.gz
$tar -xvzf suricata-2.0.1.tar.gz
$cd suricata-2.0.1

Compile

For IDS Mode:
$./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var
For IPS Mode:
$./configure --enable-nfqueue --prefix=/usr --sysconfdir=/etc --localstatedir=/var
Start the build by running the following commands. Note that install-full does more than install the binary: it also installs suricata.yaml under /etc/suricata and downloads the Emerging Threats Open ruleset.
$make
$sudo make install-full
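The download, configure, build and install steps above as one script (an added example, not code from the original post or from the Suricata project). It picks the ./configure flags by mode, refuses to build a tarball whose SHA-256 does not match the value you supply, and checks that the installed binary runs. The SURICATA_SHA256 environment variable, the --source guard and the function names are this example's own assumptions; the expected hash has to come from OISF out of band, the script does not know it.

```shell
#!/bin/sh
# Added example (not from the original post): wrapper for the install steps.
# Assumptions not on the page: SURICATA_SHA256 holds the expected SHA-256 of
# the tarball, obtained from OISF's published signature/checksum.
set -eu

SURICATA_VERSION="${SURICATA_VERSION:-2.0.1}"
TARBALL="suricata-${SURICATA_VERSION}.tar.gz"
URL="http://www.openinfosecfoundation.org/download/${TARBALL}"

# Map the requested mode to the ./configure arguments used on the page.
# IPS adds --enable-nfqueue; an unknown mode is an error, not a silent default.
configure_flags() {
    case "$1" in
        ids) echo "--prefix=/usr --sysconfdir=/etc --localstatedir=/var" ;;
        ips) echo "--enable-nfqueue --prefix=/usr --sysconfdir=/etc --localstatedir=/var" ;;
        *)   echo "usage: configure_flags ids|ips" >&2; return 2 ;;
    esac
}

# Compare a file's SHA-256 with the expected value; return 1 on mismatch so a
# tampered or truncated download never reaches ./configure.
verify_tarball() {
    file="$1"; expected="$2"
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    [ "$actual" = "$expected" ] || { echo "checksum mismatch for $file" >&2; return 1; }
}

install_suricata() {
    mode="$1"
    flags=$(configure_flags "$mode")          # aborts here on a bad mode (set -e)
    [ -f "$TARBALL" ] || wget -O "$TARBALL" "$URL"
    verify_tarball "$TARBALL" "${SURICATA_SHA256:?set SURICATA_SHA256 to the published hash}"
    tar -xzf "$TARBALL"
    cd "suricata-${SURICATA_VERSION}"
    # shellcheck disable=SC2086  # flags are meant to be word-split
    ./configure $flags
    make
    sudo make install-full   # binary + suricata.yaml + Emerging Threats Open rules
    cd ..
    # Post-install sanity check: the binary must start, and --build-info shows
    # whether NFQueue (IPS) support was compiled in.
    suricata -V
    suricata --build-info | grep -i nfqueue || true
}

# Only run the installer when a mode is given, so the functions above can be
# sourced on their own: sh install-suricata.sh ids | ips
if [ "${1:-}" != "" ] && [ "${1:-}" != "--source" ]; then
    install_suricata "$1"
fi
```

Run it as `SURICATA_SHA256=<hash> sh install-suricata.sh ips` for an IPS build; the mode is mandatory on purpose, since an IDS build silently lacks the NFQueue support an inline deployment needs.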

Test

To make sure Suricata is properly installed, run Suricata with:
$sudo suricata -c /etc/suricata/suricata.yaml -i (interface)
Replace (interface) with your machine's interface name (e.g. eth0).
Once all packet-processing and management threads are initialized, Suricata prints a line ending in "engine started", which shows it is running successfully:

View the real-time events with:
$cd /var/log/suricata
$tail -f stats.log
or
$tail -f http.log
Sample real-time output (screenshots of http.log and stats.log in the original post).
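Tailing the two logs shows that events flow, but a tester also wants to know whether the sensor is keeping up. The script below is an added example (not from the original post or from Suricata) with two checks over those logs: kernel_drops reads the last stats block of stats.log, sums capture.kernel_packets and capture.kernel_drops across capture threads and fails when the drop percentage exceeds a threshold; http_hosts counts requests per Host header in http.log. The sample log lines are constructed here in the Suricata 2.0 text formats so the script runs offline; on a live sensor point the functions at /var/log/suricata/stats.log and http.log.

```shell
#!/bin/sh
# Added example (not part of the original post): health checks over the logs
# tailed above. Sample lines are constructed in the Suricata 2.0 formats.

# stats.log is a series of "Counter | TM Name | Value" tables, one per
# interval, each introduced by a "Date:" line. Totals are reset at every
# "Date:" so only the most recent table counts; earlier ones are history.
# Prints "packets drops percent" and returns 1 if percent > max (default 1).
kernel_drops() {
    file="$1"; max_pct="${2:-1}"
    awk -F'|' -v max="$max_pct" '
        /^Date:/ { pkts = 0; drops = 0 }           # new interval: reset totals
        $1 ~ /capture\.kernel_packets/ { pkts  += $3 }
        $1 ~ /capture\.kernel_drops/   { drops += $3 }
        END {
            pct = (pkts > 0) ? 100 * drops / pkts : 0
            printf "%d %d %.2f\n", pkts, drops, pct
            exit (pct > max) ? 1 : 0
        }' "$file"
}

# http.log lines read "timestamp host [**] url [**] user-agent [**] src -> dst",
# so the Host header is the second whitespace-separated field.
# Prints "count host" per host, most requested first.
http_hosts() {
    awk '{ n[$2]++ } END { for (h in n) printf "%d %s\n", n[h], h }' "$1" | sort -rn
}

# Constructed stats.log: two intervals, two AF_PACKET capture threads.
sample_stats() {
cat <<'EOF'
-------------------------------------------------------------------
Date: 5/31/2014 -- 12:00:08 (uptime: 0d, 00h 00m 08s)
-------------------------------------------------------------------
Counter                   | TM Name                   | Value
-------------------------------------------------------------------
capture.kernel_packets    | AFPacketeth01             | 1000
capture.kernel_drops      | AFPacketeth01             | 0
capture.kernel_packets    | AFPacketeth02             | 1000
capture.kernel_drops      | AFPacketeth02             | 0
decoder.pkts              | AFPacketeth01             | 1000
-------------------------------------------------------------------
Date: 5/31/2014 -- 12:00:16 (uptime: 0d, 00h 00m 16s)
-------------------------------------------------------------------
Counter                   | TM Name                   | Value
-------------------------------------------------------------------
capture.kernel_packets    | AFPacketeth01             | 30000
capture.kernel_drops      | AFPacketeth01             | 900
capture.kernel_packets    | AFPacketeth02             | 20000
capture.kernel_drops      | AFPacketeth02             | 600
decoder.pkts              | AFPacketeth01             | 29100
EOF
}

# Constructed http.log lines (addresses are documentation ranges).
sample_http() {
cat <<'EOF'
05/31/2014-12:00:01.000123 www.example.com [**] / [**] Mozilla/5.0 [**] 192.168.1.10:51234 -> 93.184.216.34:80
05/31/2014-12:00:02.000456 www.example.com [**] /index.html [**] Mozilla/5.0 [**] 192.168.1.10:51235 -> 93.184.216.34:80
05/31/2014-12:00:03.000789 updates.example.net [**] /check [**] curl/7.35.0 [**] 192.168.1.11:40000 -> 198.51.100.7:80
EOF
}

# Usage: sh suricata-logcheck.sh /var/log/suricata/stats.log [max_drop_pct]
if [ "$#" -gt 0 ]; then
    kernel_drops "$1" "${2:-1}"
fi
```

On the constructed data the last interval has 50000 packets and 1500 drops, i.e. 3.00%, so kernel_drops fails at the default 1% threshold and passes at 5%; a sustained non-zero drop rate on a real sensor means alerts are being missed and the capture method, CPU affinity or ring sizes need attention before the Logstash part is worth tuning.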

What's next?

Now that you have Suricata running, the next part covers viewing all those events visually. :-)
