Understanding Suricata Config – append

Config Example

  - fast:
    enabled: yes
    filename: fast.log
    append: no


Suricata generates multiple log files, e.g.:

 -rw-r--r--. 1 root root 4.3G Aug 13 12:47 eve.json
 -rw-r--r--. 1 root root  17K Aug 13 15:01 suricata.log
 -rw-r--r--. 1 root root 1.8G Aug 13 18:11 stats.log
 -rw-r--r--. 1 root root 2.0M Aug 13 18:11 fast.log

When we restart or re-run the Suricata daemon, it has to decide what to do with the existing files. It has two options to choose from.


Installing Suricata 4.1.2 from source on CentOS 7

The Suricata IDS binary package is available in the EPEL repository for CentOS 7, but it is not always the latest stable release. At the time of writing, v4.1.2 is the latest stable release, while v4.0.6 is the version available in the EPEL repo.

We will proceed with installing from the source tar.gz.

Installing prerequisites

Prepare the system by installing all the dependencies required for a fully working Suricata v4.2 installation.

$ sudo yum -y install epel-release
$ sudo yum -y install jq cargo openssl-devel PyYAML lz4-devel gcc libpcap-devel pcre-devel libyaml-devel file-devel zlib-devel jansson-devel nss-devel libcap-ng-devel libnet-devel tar make libnetfilter_queue-devel lua-devel

Download & Unpack Suricata v4.2

$ wget https://www.openinfosecfoundation.org/download/suricata-4.1.2.tar.gz
$ tar xzvf suricata-4.1.2.tar.gz
$ cd suricata-4.1.2

Suricata 4.1 + Ubuntu 18.04 – Binary Installation

Suricata IDS is available in the default repository, and the package is maintained by members of the Ubuntu MOTU Developers community. Unfortunately, it is not always the latest stable release. As of writing, it offered v3.2 while the official stable release was v4.1; that is a huge delay in packaging.

ubuntu@ubuntu:~$ sudo apt list -a suricata
Listing… Done
suricata/bionic,now 3.2-2ubuntu3 amd64

“Check out the Ubuntu Packaging Guide if you are interested in contributing to the community by maintaining packages.”

However, the Open InfoSec Foundation (OISF), the developers of Suricata, maintain an official repository for Ubuntu, and that is the preferred way to obtain the latest stable release. Installing the repository is simple.
