04: Capturing all the Packets - Running Suricata as a System Service


How to Use Suricata for Network Data Capture

Overview of Suricata's Operation Modes

  • Suricata operates in two primary modes: real-time listening on a network interface to capture traffic, and offline ingestion of PCAP files. The real-time mode is the most common deployment.

Setting Up Suricata with Systemd

  • After installing Suricata, the first step is to check its state with systemctl status, which talks to systemd. Initially the service may be reported as inactive (dead).
  • To start Suricata, replace status with start in the same systemctl command. Checking the status again should now show Suricata as active (running).

Troubleshooting and Enabling Autostart

  • If problems appear after modifying the configuration file, the systemd status output provides the debug or error messages needed for troubleshooting.
  • To have Suricata start automatically on boot, run the enable command against suricata.service. It will then run after every system reboot.

Reloading Rules in Suricata

  • After updating rules, Suricata should reload them without stopping the service. The suricatasc tool provides commands for this purpose.
  • Its reload-rules command refreshes the rules in place. A successful reload returns a JSON message confirming completion, without interrupting ongoing network monitoring.
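The service-management and rule-reload steps above, collected into a small set of shell functions as an added example (not code from the video or the Suricata project). It assumes the unit is named suricata.service (overridable via SURICATA_UNIT), that sudo is needed to manage the service and reach the suricatasc command socket, and that a successful reload replies with `"return": "OK"`.

```shell
#!/bin/sh
# Added example: control Suricata under systemd and reload rules in place.
# Assumptions: unit name suricata.service, sudo available, default command socket.

UNIT="${SURICATA_UNIT:-suricata.service}"

# Return 0 if the unit is currently active, 1 otherwise.
suricata_is_active() {
    systemctl is-active --quiet "$UNIT"
}

# Start the service if it is not running, then enable it for every reboot.
suricata_ensure_running() {
    suricata_is_active || sudo systemctl start "$UNIT" || return 1
    sudo systemctl enable "$UNIT"
}

# Show the most recent status/log lines from systemd for troubleshooting.
suricata_recent_status() {
    systemctl status "$UNIT" --no-pager -n "${1:-20}"
}

# Inspect the JSON reply printed by suricatasc after reload-rules.
# A successful reload looks like: {"message": "done", "return": "OK"}
# Returns 0 only when the reply carries "return": "OK"; "NOK" or garbage gives 1.
reload_reply_ok() {
    case "$1" in
        *'"return":'*'"OK"'*) return 0 ;;
        *) return 1 ;;
    esac
}

# Ask the running engine to reload its rules and verify the reply,
# so a failed reload is noticed instead of silently leaving old rules active.
suricata_reload_rules() {
    reply=$(sudo suricatasc -c reload-rules) || return 1
    if reload_reply_ok "$reply"; then
        echo "rules reloaded: $reply"
    else
        echo "rule reload failed: $reply" >&2
        return 1
    fi
}
```

Sourcing the file and calling suricata_ensure_running followed by suricata_reload_rules covers the whole procedure; suricata_recent_status is the place to look when either step fails.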

Conclusion on Service Management

Video description

Suricata has two primary modes of operation: listening on a network interface in real time to capture network data, or ingesting PCAPs in an offline mode. Listening to network traffic in real time is going to be the most common way Suricata is configured and deployed, and in this video we'll briefly discuss how to use systemd to control Suricata, reload rules, and install Suricata as a service.