03: I’ve Installed Suricata - Now What? Essential Suricata Configuration

Getting Started with Suricata Configuration

Overview of Suricata Installation and Configuration

  • Suricata offers an easy installation path through pre-built binaries for several operating systems. This video focuses on configuring Suricata after installation.
  • The default configuration file is /etc/suricata/suricata.yaml, a YAML file that requires administrative (root) permissions to edit.

Key Elements in the Configuration File

  • The configuration file contains a large number of options, so it is easy to feel overwhelmed. Back up the original file before making changes so you can diff against it later.
  • Step one is telling Suricata about your network. This is done in the vars section, which holds the address groups HOME_NET and EXTERNAL_NET that most rules are written against.

Understanding Network Variables

  • HOME_NET defines the internal IP ranges you want to monitor; by default it is set to the RFC 1918 private ranges. Adjusting it to the ranges you actually own is crucial, because rules are written as $EXTERNAL_NET -> $HOME_NET and alerts are wrong or missing if the variable is wrong.
  • EXTERNAL_NET defaults to the negation of HOME_NET (!$HOME_NET). Less commonly changed variables such as HTTP_SERVERS and DNS_SERVERS can also be set, but they default to $HOME_NET.

Output Settings and Logging

  • Step two is choosing outputs. The default log directory is /var/log/suricata, and the main output file there is eve.json, which holds the logged events.
  • Because eve.json is JSON, it can be consumed by other tools (for example SIEM systems). It carries alert records alongside application-layer transaction logs (HTTP, DNS, TLS and others) and flow records.

Global Stats Configuration

  • Global stats are enabled by default in Suricata's configuration. If they are not needed, disable them in the stats section of the config file and restart Suricata.

Advanced Logging Features

  • Further down in the outputs section there are options for the legacy fast.log alert output and for controlling the JSON (EVE) output.
  • Community ID generation is disabled by default. Enabling it adds a flow hash to each record that other tools such as Zeek or Elasticsearch compute the same way, which makes it easier to correlate Suricata logs with theirs.

Event Records and Data Types

  • Suricata primarily produces event records in JSON format. Within the eve-log types list you can choose which protocols to log (HTTP, DNS and so on) and how much detail to record for each.
  • Extended logging options allow capturing additional HTTP headers, or even all headers per request and response, at the cost of larger logs.

Packet Capture Capabilities

  • Full packet capture (the pcap-log output) is available but disabled by default; enable and size it explicitly if you want packets retained alongside the JSON events.

File Detection and Extraction Features

Configuration Steps for Suricata

Step 3: Interface Configuration

  • The interface named under the af-packet section must match the system's interface name (as shown by ip link) for traffic monitoring to work.
  • If the name does not match, Suricata cannot open the interface and will not see the traffic you expect it to monitor.

Step 4: Application Layer Protocol Configuration

  • This step covers the application-layer parsers Suricata provides, which enrich the logs beyond basic flow information (HTTP requests, DNS queries, TLS handshakes and so on).
  • Individual protocol parsers can be enabled or disabled and tuned in the app-layer section; leave the defaults alone unless you are sure why you are changing them, since disabling a parser also disables the rules that depend on it.
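The four steps above collected into one fragment of /etc/suricata/suricata.yaml. This is an added example written for these notes, not the stock file shipped with Suricata and not something shown in the video. The network ranges, the interface name eth0, the extra HTTP headers and the stats interval are illustrative assumptions; the keys already exist in the installed file, so edit them in place rather than pasting this in as a new section.

```yaml
%YAML 1.1
---
# Step 1: tell Suricata which addresses are "inside". Assumed ranges; replace
# with the networks you actually own. Do not set HOME_NET to "any": EXTERNAL_NET
# would become "!any" (nothing) and rules written $EXTERNAL_NET -> $HOME_NET
# would never fire.
vars:
  address-groups:
    HOME_NET: "[10.10.0.0/16,192.168.50.0/24]"
    EXTERNAL_NET: "!$HOME_NET"
    HTTP_SERVERS: "$HOME_NET"
    DNS_SERVERS: "$HOME_NET"
    SMTP_SERVERS: "$HOME_NET"
  port-groups:
    HTTP_PORTS: "80"
    SSH_PORTS: "22"

# Step 2: outputs. eve.json is the record most tools consume.
default-log-dir: /var/log/suricata/

# Global statistics; set enabled: no if a SIEM already tracks sensor health.
stats:
  enabled: yes
  interval: 8

outputs:
  # Legacy one-line alert log; off unless something still reads it.
  - fast:
      enabled: no
      filename: fast.log
      append: yes

  - eve-log:
      enabled: yes
      filetype: regular
      filename: eve.json
      # Flow hash shared with Zeek/ECS so records can be joined across tools.
      community-id: true
      community-id-seed: 0
      types:
        - alert:
            payload: yes
            packet: yes
            metadata: yes
            http-body: yes
            tagged-packets: yes
        - http:
            extended: yes
            # Extra request/response headers to log (assumed selection).
            custom: [Accept-Encoding, Accept-Language, Authorization]
        - dns
        - tls:
            extended: yes
        - files:
            force-magic: no
        - flow
        - stats:
            totals: yes
            threads: no

  # Full packet capture; disabled by default, size it before turning it on.
  - pcap-log:
      enabled: no
      filename: log.pcap
      limit: 1000mb
      max-files: 2000
      mode: normal

# Step 3: capture interface. The name must match the output of `ip link`;
# eth0 is an assumption.
af-packet:
  - interface: eth0
    cluster-id: 99
    cluster-type: cluster_flow
    defrag: yes
    use-mmap: yes
    tpacket-v3: yes

# Step 4: application-layer parsers. Defaults are sane; shown here so the
# section is recognisable. Disabling a parser also silences its rules.
app-layer:
  protocols:
    http:
      enabled: yes
    tls:
      enabled: yes
    dns:
      tcp:
        enabled: yes
      udp:
        enabled: yes
    ssh:
      enabled: yes
    smb:
      enabled: yes
```

Before restarting the service, have Suricata parse the edited file without starting capture: `suricata -T -c /etc/suricata/suricata.yaml -v`. A bad interface name or a mistyped address group is reported there rather than after the sensor has been silently blind for a day. After the restart, `tail -f /var/log/suricata/eve.json` should show flow and protocol records within seconds on a live interface; if only stats records appear, revisit the af-packet interface name.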

Understanding the Configuration File

  • The configuration file may seem overwhelming, but breaking it down into these four pieces (network variables, outputs, capture interface, application-layer parsers) makes it clear which parts matter for Suricata's day-to-day operation.

Video description

Suricata provides an easy installation path using pre-built binaries for several popular operating systems. But what do you do after you’ve installed Suricata? In this video, we’ll explore Suricata’s configuration file and identify essential elements to get your network monitoring up and running!