In this tutorial, you will learn how to install and setup Suricata on Ubuntu 22.04/Ubuntu 20.04. Suricata is an opensource network threat detection tool. Suricata uses rules and signatures to detect threat in network traffic. It also supports Lua scripting language that helps it unearth the most complex would be threats in the network. Suricata is a product of Open Information Security Foundation. It is capable of providing NIDS, IPS, NSM and offline pcap processing. It can be integrated with other tools such as BASE, Snorby, Sguil, SQueRT, ELK, SIEM solutions etc.
To see a complete list of features supported by Suricata, you can check all features.
Install and Setup Suricata on Ubuntu 22.04/Ubuntu 20.04
There are two ways in which you can install Suricata on Ubuntu;
In this guide, we are going to cover both methods of installing Suricata on Ubuntu 22.04/Ubuntu 20.04.
Confirm the available versions using the command;
apt-cache policy suricataInstall Suricata from Source On Ubuntu 22.04/Ubuntu 20.04
Installation Suricata from the Source on Ubuntu 22.04/Ubuntu 20.04 is the surest way to get the latest and stable version of Suricata up and running.
To install Suricata from the source, first install all the required dependencies installed.
sudo apt -y install libpcre3 libpcre3-dbg libpcre3-dev \
build-essential autoconf automake libtool libpcap-dev \
libnet1-dev libyaml-0-2 libyaml-dev zlib1g zlib1g-dev \
libcap-ng-dev libcap-ng0 make libmagic-dev \
libjansson-dev libjansson4 pkg-config libnspr4-dev \
libnss3-dev liblz4-dev rustc cargo python3-pip python3-distutils
Suricata function as an IDS out of the box. If you need to include the IPS funtionality, install the following libraries.
sudo apt -y install libnetfilter-queue-dev libnetfilter-queue1 libnfnetlink-dev libnfnetlink0Next, download the latest and stable Suricata tarball. You can simply download as shown below;
wget https://www.openinfosecfoundation.org/download/suricata-6.0.5.tar.gzOnce the download is complete, extract the tarball.
tar xzf suricata-6.0.5.tar.gzNavigate to Suricata tarball extract directory to configure Suricata engine for compilation. This ensures that Suricata is build with IPS capabilities.
cd suricata-6.0.5
./configure --enable-nfqueue --prefix=/usr --sysconfdir=/etc --localstatedir=/varSummary of the Suricata configuration;
Suricata Configuration:
AF_PACKET support: yes
eBPF support: no
XDP support: no
PF_RING support: no
NFQueue support: no
NFLOG support: no
IPFW support: no
Netmap support: no
DAG enabled: no
Napatech enabled: no
WinDivert enabled: no
Unix socket enabled: yes
Detection enabled: yes
Libmagic support: yes
libnss support: yes
libnspr support: yes
libjansson support: yes
hiredis support: no
hiredis async with libevent: no
Prelude support: no
PCRE jit: yes
LUA support: no
libluajit: no
GeoIP2 support: no
Non-bundled htp: no
Hyperscan support: no
Libnet support: yes
liblz4 support: yes
HTTP2 decompression: no
Rust support: yes
Rust strict mode: no
Rust compiler path: /usr/bin/rustc
Rust compiler version: rustc 1.57.0
Cargo path: /usr/bin/cargo
Cargo version: cargo 1.57.0
Cargo vendor: yes
Python support: yes
Python path: /usr/bin/python3
Python distutils yes
Python yaml yes
Install suricatactl: yes
Install suricatasc: yes
Install suricata-update: yes
Profiling enabled: no
Profiling locks enabled: no
Plugin support (experimental): yes
Development settings:
Coccinelle / spatch: no
Unit tests enabled: no
Debug output enabled: no
Debug validation enabled: no
Generic build parameters:
Installation prefix: /usr
Configuration directory: /etc/suricata/
Log directory: /varmake/log/suricata/
--prefix /usr
--sysconfdir /etc
--localstatedir /varmake
--datarootdir /usr/share
Host: x86_64-pc-linux-gnu
Compiler: gcc (exec name) / g++ (real)
GCC Protect enabled: no
GCC march native enabled: yes
GCC Profile enabled: no
Position Independent Executable enabled: no
CFLAGS -g -O2 -std=c11 -march=native -I${srcdir}/../rust/gen -I${srcdir}/../rust/dist
PCAP_CFLAGS -I/usr/include
SECCFLAGS
To build and install run 'make' and 'make install'.
You can run 'make install-conf' if you want to install initial configuration
files to /etc/suricata/. Running 'make install-full' will install configuration
and rules and provide you a ready-to-run suricata.
To install Suricata into /usr/bin/suricata, have the config in
/etc/suricata and use /var/log/suricata as log dir, use:
./configure --prefix=/usr/ --sysconfdir=/etc/ --localstatedir=/var/
Compile and install the Suricata engine
makemake install-fullThe make install-full command will simply install both Suricata initial configuration file and the Suricata rules using the new Suricata rule management tool, suricata-update.
If the installation is successful, you should see the output below;
copying /root/suricata-6.0.5/suricata-update/scripts-3.10/suricata-update -> /usr/bin
changing mode of /usr/bin/suricata-update to 755
running install_egg_info
Writing /usr/lib/python3.10/site-packages/suricata_update-1.2.4-py3.10.egg-info
make[3]: Nothing to be done for 'install-data-am'.
make[3]: Leaving directory '/root/suricata-6.0.5/suricata-update'
make[2]: Leaving directory '/root/suricata-6.0.5/suricata-update'
make[2]: Entering directory '/root/suricata-6.0.5'
make[3]: Entering directory '/root/suricata-6.0.5'
make[3]: Nothing to be done for 'install-exec-am'.
Run 'make install-conf' if you want to install initial configuration files. Or 'make install-full' to install configuration and rules
make[3]: Leaving directory '/root/suricata-6.0.5'
make[2]: Leaving directory '/root/suricata-6.0.5'
make[1]: Leaving directory '/root/suricata-6.0.5'
make install-conf
make[1]: Entering directory '/root/suricata-6.0.5'
install -d "/etc/suricata/"
install -d "/var/log/suricata/files"
install -d "/var/log/suricata/certs"
install -d "/var/run/"
install -m 770 -d "/var/run/suricata"
make[1]: Leaving directory '/root/suricata-6.0.5'
make install-rules
make[1]: Entering directory '/root/suricata-6.0.5'
LD_LIBRARY_PATH=/usr/lib /usr/bin/suricata-update \
--suricata /usr/bin/suricata \
--suricata-conf /etc/suricata/suricata.yaml \
--no-test --no-reload
28/4/2022 -- 22:22:36 - -- Using data-directory /var/lib/suricata.
28/4/2022 -- 22:22:36 - -- Using /usr/share/suricata/rules for Suricata provided rules.
28/4/2022 -- 22:22:36 - -- Found Suricata version 6.0.5 at /usr/bin/suricata.
28/4/2022 -- 22:22:36 - -- Loading /etc/suricata/suricata.yaml
28/4/2022 -- 22:22:36 - -- Disabling rules for protocol http2
28/4/2022 -- 22:22:36 - -- Disabling rules for protocol modbus
28/4/2022 -- 22:22:36 - -- Disabling rules for protocol dnp3
28/4/2022 -- 22:22:36 - -- Disabling rules for protocol enip
28/4/2022 -- 22:22:36 - -- No sources configured, will use Emerging Threats Open
28/4/2022 -- 22:22:36 - -- Fetching https://rules.emergingthreats.net/open/suricata-6.0.5/emerging.rules.tar.gz.
100% - 3274660/3274660
28/4/2022 -- 22:22:42 - -- Done.
28/4/2022 -- 22:22:42 - -- Loading distribution rule file /usr/share/suricata/rules/app-layer-events.rules
28/4/2022 -- 22:22:42 - -- Loading distribution rule file /usr/share/suricata/rules/decoder-events.rules
28/4/2022 -- 22:22:42 - -- Loading distribution rule file /usr/share/suricata/rules/dhcp-events.rules
28/4/2022 -- 22:22:42 - -- Loading distribution rule file /usr/share/suricata/rules/dnp3-events.rules
28/4/2022 -- 22:22:42 - -- Loading distribution rule file /usr/share/suricata/rules/dns-events.rules
28/4/2022 -- 22:22:42 - -- Loading distribution rule file /usr/share/suricata/rules/files.rules
28/4/2022 -- 22:22:42 - -- Loading distribution rule file /usr/share/suricata/rules/http-events.rules
28/4/2022 -- 22:22:42 - -- Loading distribution rule file /usr/share/suricata/rules/ipsec-events.rules
28/4/2022 -- 22:22:42 - -- Loading distribution rule file /usr/share/suricata/rules/kerberos-events.rules
28/4/2022 -- 22:22:42 - -- Loading distribution rule file /usr/share/suricata/rules/modbus-events.rules
28/4/2022 -- 22:22:42 - -- Loading distribution rule file /usr/share/suricata/rules/nfs-events.rules
28/4/2022 -- 22:22:42 - -- Loading distribution rule file /usr/share/suricata/rules/ntp-events.rules
28/4/2022 -- 22:22:42 - -- Loading distribution rule file /usr/share/suricata/rules/smb-events.rules
28/4/2022 -- 22:22:42 - -- Loading distribution rule file /usr/share/suricata/rules/smtp-events.rules
28/4/2022 -- 22:22:42 - -- Loading distribution rule file /usr/share/suricata/rules/stream-events.rules
28/4/2022 -- 22:22:42 - -- Loading distribution rule file /usr/share/suricata/rules/tls-events.rules
28/4/2022 -- 22:22:43 - -- Ignoring file rules/emerging-deleted.rules
28/4/2022 -- 22:22:44 - -- Loaded 33238 rules.
28/4/2022 -- 22:22:44 - -- Disabled 14 rules.
28/4/2022 -- 22:22:44 - -- Enabled 0 rules.
28/4/2022 -- 22:22:44 - -- Modified 0 rules.
28/4/2022 -- 22:22:44 - -- Dropped 0 rules.
28/4/2022 -- 22:22:44 - -- Enabled 131 rules for flowbit dependencies.
28/4/2022 -- 22:22:44 - -- Creating directory /var/lib/suricata/rules.
28/4/2022 -- 22:22:44 - -- Backing up current rules.
28/4/2022 -- 22:22:44 - -- Writing rules to /var/lib/suricata/rules/suricata.rules: total: 33238; enabled: 25835; added: 33238; removed 0; modified: 0
28/4/2022 -- 22:22:45 - -- Writing /var/lib/suricata/rules/classification.config
28/4/2022 -- 22:22:45 - -- Skipping test, disabled by configuration.
28/4/2022 -- 22:22:45 - -- Done.
You can now start suricata by running as root something like:
/usr/bin/suricata -c /etc/suricata/suricata.yaml -i eth0
If a library like libhtp.so is not found, you can run suricata with:
LD_LIBRARY_PATH=/usr/lib /usr/bin/suricata -c /etc/suricata/suricata.yaml -i eth0
The Emerging Threats Open rules are now installed. Rules can be
updated and managed with the suricata-update tool.
For more information please see:
https://suricata.readthedocs.io/en/latest/rule-management/index.html
make[1]: Leaving directory '/root/suricata-6.0.5'
The configuration file is set under /etc/suricata/suricata.yaml while the default rules are written to /etc/suricata/rules/ and the ET open rules written to /var/lib/suricata/rules/suricata.rules.
Install Suricata on Ubuntu 22.04/Ubuntu 20.04 from PPA repository
Even though Suricata is available on the default Ubuntu 22.04/Ubuntu 20.04 repositories, it may not be up-to-date.
On the other hand, the OISF PPA repos do not work on Ubuntu 22.04 as of this writing.
Thus, the installation of the PPA below is applicable on Ubuntu 20.04 only.
As a result, to ensure that you got the latest version installed, you need to add the following PPA repository.
sudo add-apt-repository ppa:oisf/suricata-stable --yessudo apt updateOnce the PPA repo is set, install Suricata with the package manager.
apt-cache policy suricatasuricata:
Installed: (none)
Candidate: 6.0.5-0ubuntu2
Version table:
6.0.5-0ubuntu2 500
500 http://ppa.launchpad.net/oisf/suricata-stable/ubuntu bionic/main amd64 Packages
3.2-2ubuntu3 500
500 http://us.archive.ubuntu.com/ubuntu bionic/universe amd64 Packages
As you can see, we have the latest release version of Suricata.
You can then do the installation by executing the command;
sudo apt install suricata jqjq enables you to read the Suricata eve.json logs
You can instead install Suricata with debugging enabled.
sudo apt install suricata-dbg jqTo install Suricata on Ubuntu 22.04 from the default repos, simply run;
apt install suricata jqThat is all with installation.
You can check what configurations options are installed with Suricata;
sudo suricata --build-infoThe command also gets you the version of installed Suricata.
Sample output;
This is Suricata version 6.0.5 RELEASE
Features: NFQ PCAP_SET_BUFF AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK PCRE_JIT HAVE_NSS HAVE_LUA HAVE_LUAJIT HAVE_LIBJANSSON TLS TLS_C11 MAGIC RUST
SIMD support: none
Atomic intrinsics: 1 2 4 8 byte(s)
64-bits, Little-endian architecture
GCC version 7.5.0, C version 201112
compiled with _FORTIFY_SOURCE=2
L1 cache line size (CLS)=64
thread local storage method: _Thread_local
compiled with LibHTP v0.5.40, linked against LibHTP v0.5.40
Suricata Configuration:
AF_PACKET support: yes
eBPF support: no
XDP support: no
PF_RING support: no
NFQueue support: yes
NFLOG support: no
IPFW support: no
Netmap support: no
DAG enabled: no
Napatech enabled: no
WinDivert enabled: no
Unix socket enabled: yes
Detection enabled: yes
Libmagic support: yes
libnss support: yes
libnspr support: yes
libjansson support: yes
hiredis support: yes
hiredis async with libevent: yes
Prelude support: no
PCRE jit: yes
LUA support: yes, through luajit
libluajit: yes
GeoIP2 support: yes
Non-bundled htp: yes
Hyperscan support: yes
Libnet support: yes
liblz4 support: yes
HTTP2 decompression: no
Rust support: yes
Rust strict mode: no
Rust compiler path: /usr/bin/rustc
Rust compiler version: rustc 1.57.0
Cargo path: /usr/bin/cargo
Cargo version: cargo 1.57.0
Cargo vendor: yes
Python support: yes
Python path: /usr/bin/python3
Python distutils yes
Python yaml yes
Install suricatactl: yes
Install suricatasc: yes
Install suricata-update: yes
Profiling enabled: no
Profiling locks enabled: no
Plugin support (experimental): yes
Development settings:
Coccinelle / spatch: no
Unit tests enabled: no
Debug output enabled: no
Debug validation enabled: no
Generic build parameters:
Installation prefix: /usr
Configuration directory: /etc/suricata/
Log directory: /var/log/suricata/
--prefix /usr
--sysconfdir /etc
--localstatedir /var
--datarootdir /usr/share
Host: x86_64-pc-linux-gnu
Compiler: gcc (exec name) / g++ (real)
GCC Protect enabled: yes
GCC march native enabled: no
GCC Profile enabled: no
Position Independent Executable enabled: yes
CFLAGS -g -O2 -fdebug-prefix-map=/build/suricata-QUjETh/suricata-6.0.5=. -fstack-protector-strong -Wformat -Werror=format-security -std=c11 -I${srcdir}/../rust/gen -I${srcdir}/../rust/dist
PCAP_CFLAGS -I/usr/include
SECCFLAGS -fstack-protector -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security
Configure Suricata on Ubuntu 22.04/Ubuntu 20.04
At the end of installation, you will have Suricata rules under /etc/suricata/rules/ and the main configuration file under /etc/suricata/suricata.yaml.
The default Suricata configuration file commented well enough to provide a clear understanding of what every setting is for.
To begin with, you need to configure Suricata to differentiate between your internal network to be proctected and external network. This can be done by defining the correct values for the HOME_NET and EXTERNAL_NET variables respectively under the address groups.
vim /etc/suricata/suricata.yaml HOME_NET: "[10.0.2.0/24]"
...
EXTERNAL_NET: "!$HOME_NET"
...In my case, am using the IP address, 10.0.2.0/24, as my home network. The external networks are set to any that doesn’t match the home networks.
You can define multiple networks.
Also, define the interface on which Suricata will use to inspect the traffic. By default, Suricata uses eth0 interfaces.
So get your interfaces using the ip command and determine which one to configure Suricata to use.
ip aSample output;
1: lo: mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: enp0s3: mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 08:00:27:87:10:f0 brd ff:ff:ff:ff:ff:ff
inet 10.0.2.15/24 brd 10.0.2.255 scope global dynamic enp0s3
valid_lft 84377sec preferred_lft 84377sec
inet6 fe80::a00:27ff:fe87:10f0/64 scope link
valid_lft forever preferred_lft forever
3: enp0s8: mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 08:00:27:7e:14:7d brd ff:ff:ff:ff:ff:ff
inet 192.168.57.10/24 brd 192.168.57.255 scope global enp0s8
valid_lft forever preferred_lft forever
inet6 fe80::a00:27ff:fe7e:147d/64 scope link
valid_lft forever preferred_lft forever
In my case, will use interface enp0s3. you can also see that the HOME_NET defined is on that interface.
The interfaces can be set by updating the value of interface under af-packets section;
af-packet:
- interface: enp0s3Next, install Suricata Emerging Threat rules.
By default, the Suricata rules are placed under /etc/suricata/rules/ directory.
To list the default Suricata rules;
ls -1 /etc/suricata/rules/app-layer-events.rules
decoder-events.rules
dhcp-events.rules
dnp3-events.rules
dns-events.rules
files.rules
http2-events.rules
http-events.rules
ipsec-events.rules
kerberos-events.rules
modbus-events.rules
mqtt-events.rules
nfs-events.rules
ntp-events.rules
smb-events.rules
smtp-events.rules
stream-events.rules
tls-events.rules
With the default rules, only less detection can be made. Emerging Threat rules are the most comprehensive rule set optimized for the Suricata open source IDS/IPS engine.
The default rules will also be loaded by the suricata-update tool.
To install Suricata ET rules, use the suricata-update command as shown below;
NOTE that the ET Open rules are installed automatically when you build Suricata from source and install using the make install-full command.
sudo suricata-updateSample output;
28/4/2022 -- 18:51:21 - -- Using data-directory /var/lib/suricata.
28/4/2022 -- 18:51:21 - -- Using Suricata configuration /etc/suricata/suricata.yaml
28/4/2022 -- 18:51:21 - -- Using /etc/suricata/rules for Suricata provided rules.
28/4/2022 -- 18:51:21 - -- Found Suricata version 6.0.5 at /usr/bin/suricata.
28/4/2022 -- 18:51:21 - -- Loading /etc/suricata/suricata.yaml
28/4/2022 -- 18:51:21 - -- Disabling rules for protocol http2
28/4/2022 -- 18:51:21 - -- Disabling rules for protocol modbus
28/4/2022 -- 18:51:21 - -- Disabling rules for protocol dnp3
28/4/2022 -- 18:51:21 - -- Disabling rules for protocol enip
28/4/2022 -- 18:51:21 - -- No sources configured, will use Emerging Threats Open
28/4/2022 -- 18:51:21 - -- Fetching https://rules.emergingthreats.net/open/suricata-6.0.5/emerging.rules.tar.gz.
100% - 3274660/3274660
28/4/2022 -- 18:51:27 - -- Done.
28/4/2022 -- 18:51:28 - -- Loading distribution rule file /etc/suricata/rules/app-layer-events.rules
28/4/2022 -- 18:51:28 - -- Loading distribution rule file /etc/suricata/rules/decoder-events.rules
28/4/2022 -- 18:51:28 - -- Loading distribution rule file /etc/suricata/rules/dhcp-events.rules
28/4/2022 -- 18:51:28 - -- Loading distribution rule file /etc/suricata/rules/dnp3-events.rules
28/4/2022 -- 18:51:28 - -- Loading distribution rule file /etc/suricata/rules/dns-events.rules
28/4/2022 -- 18:51:28 - -- Loading distribution rule file /etc/suricata/rules/files.rules
28/4/2022 -- 18:51:28 - -- Loading distribution rule file /etc/suricata/rules/http-events.rules
28/4/2022 -- 18:51:28 - -- Loading distribution rule file /etc/suricata/rules/ipsec-events.rules
28/4/2022 -- 18:51:28 - -- Loading distribution rule file /etc/suricata/rules/kerberos-events.rules
28/4/2022 -- 18:51:28 - -- Loading distribution rule file /etc/suricata/rules/modbus-events.rules
28/4/2022 -- 18:51:28 - -- Loading distribution rule file /etc/suricata/rules/nfs-events.rules
28/4/2022 -- 18:51:28 - -- Loading distribution rule file /etc/suricata/rules/ntp-events.rules
28/4/2022 -- 18:51:28 - -- Loading distribution rule file /etc/suricata/rules/smb-events.rules
28/4/2022 -- 18:51:28 - -- Loading distribution rule file /etc/suricata/rules/smtp-events.rules
28/4/2022 -- 18:51:28 - -- Loading distribution rule file /etc/suricata/rules/stream-events.rules
28/4/2022 -- 18:51:28 - -- Loading distribution rule file /etc/suricata/rules/tls-events.rules
28/4/2022 -- 18:51:28 - -- Ignoring file rules/emerging-deleted.rules
28/4/2022 -- 18:51:29 - -- Loaded 33238 rules.
28/4/2022 -- 18:51:29 - -- Disabled 14 rules.
28/4/2022 -- 18:51:29 - -- Enabled 0 rules.
28/4/2022 -- 18:51:29 - -- Modified 0 rules.
28/4/2022 -- 18:51:29 - -- Dropped 0 rules.
28/4/2022 -- 18:51:30 - -- Enabled 131 rules for flowbit dependencies.
28/4/2022 -- 18:51:30 - -- Creating directory /var/lib/suricata/rules.
28/4/2022 -- 18:51:30 - -- Backing up current rules.
28/4/2022 -- 18:51:30 - -- Writing rules to /var/lib/suricata/rules/suricata.rules: total: 33238; enabled: 25835; added: 33238; removed 0; modified: 0
28/4/2022 -- 18:51:30 - -- Writing /var/lib/suricata/rules/classification.config
28/4/2022 -- 18:51:30 - -- Testing with suricata -T.
28/4/2022 -- 18:51:30 - -- [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol sip enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
28/4/2022 -- 18:51:30 - -- [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol mqtt enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
28/4/2022 -- 18:51:30 - -- [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol rdp enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
28/4/2022 -- 18:52:08 - -- Done.
The ET rules are written to /var/lib/suricata/rules/suricata.rules.
Note that Suricata is configured to load Suricata-Update managed rules by default.
vim /etc/suricata/suricata.yaml...
default-rule-path: /var/lib/suricata/rules
rule-files:
- suricata.rules
..If you want to write the ET rules under /etc/suricata/rules/, specify the output directory on suricata-update command.
sudo suricata-update -o /etc/suricata/rules/Running Suricata on Ubuntu
You can now start and enable Suricata service to run on system boot.
However, always before you start Suricata, run the configuration check;
sudo suricata -T -c /etc/suricata/suricata.yaml -vIn case of any error, fix it before you can start Suricata
If there is no error, then start Suricata;
sudo systemctl enable --now suricataYou can check the status;
sudo systemctl status suricataTesting Suricata Rules
We will use the downloaded ET rules to test Suricata detection.
As a test, we are going to demonstrate how to alert on a possible SYN flood using Hping3.
You can install hping3 tool on a separate system or on same system running Suricata;
sudo apt install hping3Before you can proceed, you need to disable packet offload features on the network interface on which Suricata is listen.
ethtool -K enp0s3 gro off lro offIf you get the Cannot change large-receive-offload, it means that your interface doesn’t support this feature and it is safe to ignore it. However, you can verify this by running the command below;
ethtool -k enp0s3 | grep largelarge-receive-offload: off [fixed]Next, fire Suricata in PCAP live mode by executing the command below.
By the way, there are various modes in which Suricata can run. You can list them by running the command below;
suricata --list-runmodesSo to run in live PCAP mode, run the commands below. You can change your monitoring interface.
systemctl stop suricatarm -rf /var/run/suricata.pidsuricata -D -c /etc/suricata/suricata.yaml -i enp0s3You can omit option -D to run in foreground.
Perform a simple DDoS attack test against our Suricata host from a different host.
hping3 -S -p 80 --flood --rand-source 10.0.2.15 -I enp0s3 -c 50While Suricata is running on Suricata host and while the DDoS attack test against Suricata host is running p, tail the Suricata alert logs on Suricata host to see what is happening;
tail -f /var/log/suricata/fast.logYou should be able to get some sample alerts;
04/28/2022-20:53:23.163746 [**] [1:2400001:3237] ET DROP Spamhaus DROP Listed Traffic Inbound group 2 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 42.133.35.225:16743 -> 10.0.2.15:80
04/28/2022-20:53:23.167683 [**] [1:2400011:3237] ET DROP Spamhaus DROP Listed Traffic Inbound group 12 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 146.51.146.59:16820 -> 10.0.2.15:80
04/28/2022-20:53:23.192930 [**] [1:2400001:3237] ET DROP Spamhaus DROP Listed Traffic Inbound group 2 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 42.171.44.198:16969 -> 10.0.2.15:80
04/28/2022-20:53:23.205414 [**] [1:2400001:3237] ET DROP Spamhaus DROP Listed Traffic Inbound group 2 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 42.160.30.47:17115 -> 10.0.2.15:80
04/28/2022-20:53:23.235223 [**] [1:2400001:3237] ET DROP Spamhaus DROP Listed Traffic Inbound group 2 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 42.219.24.133:17293 -> 10.0.2.15:80
04/28/2022-20:53:23.294544 [**] [1:2400025:3237] ET DROP Spamhaus DROP Listed Traffic Inbound group 26 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 198.56.117.198:17846 -> 10.0.2.15:80
04/28/2022-20:53:23.297399 [**] [1:2400015:3237] ET DROP Spamhaus DROP Listed Traffic Inbound group 16 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 165.102.152.191:17899 -> 10.0.2.15:80
04/28/2022-20:53:23.555831 [**] [1:2400001:3237] ET DROP Spamhaus DROP Listed Traffic Inbound group 2 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 42.222.235.227:20024 -> 10.0.2.15:80
04/28/2022-20:53:23.580783 [**] [1:2400009:3237] ET DROP Spamhaus DROP Listed Traffic Inbound group 10 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 119.232.119.66:20190 -> 10.0.2.15:80
....
You can also read the Suricata Eve Json Logs. See examples below.
Analysing PCAP files using Suricata
It is also possible to analyze network traffic packet captures using Suricata.
To demonstrate how this can be done, we will download sample malware related PCAP files from Malware-Traffic-Analysis.NET and read them using Suricata, against the default ET open rules;
Be cautious about downloading Malware related PCAP files to your machine. The tests done here in a controlled environment.
Unzip the PCAP file (password: infected);
unzip 2017-06-28-traffic-analysis-exercise.pcap.zipCreate directory to write Suricata PCAP logs to;
mkdir /var/log/suricata/pcapRun Suricata against PCAP file;
systemctl stop suricatasudo suricata -c /etc/suricata/suricata.yaml -r 2017-06-28-traffic-analysis-exercise.pcap -l /var/log/suricata/pcap/When completed, the logs should be under /var/log/suricata/pcap/;
ls -1 /var/log/suricata/pcap/eve.json
fast.log
stats.log
suricata.logCheck sample stats logs;
cat /var/log/suricata/pcap/stats.log
------------------------------------------------------------------------------------
Date: 4/29/2022 -- 09:32:37 (uptime: 0d, 00h 00m 19s)
------------------------------------------------------------------------------------
Counter | TM Name | Value
------------------------------------------------------------------------------------
decoder.pkts | Total | 17239
decoder.bytes | Total | 12113758
decoder.ipv4 | Total | 17239
decoder.ethernet | Total | 17239
decoder.tcp | Total | 15023
decoder.udp | Total | 2216
decoder.avg_pkt_size | Total | 702
decoder.max_pkt_size | Total | 11734
flow.tcp | Total | 914
flow.udp | Total | 732
flow.wrk.spare_sync_avg | Total | 100
flow.wrk.spare_sync | Total | 18
flow.wrk.flows_evicted_needs_work | Total | 484
flow.wrk.flows_evicted_pkt_inject | Total | 914
flow.wrk.flows_evicted | Total | 3
flow.wrk.flows_injected | Total | 484
tcp.sessions | Total | 914
tcp.syn | Total | 1257
tcp.synack | Total | 708
tcp.rst | Total | 177
tcp.stream_depth_reached | Total | 2
tcp.overlap | Total | 49
detect.alert | Total | 17
app_layer.flow.http | Total | 542
app_layer.tx.http | Total | 643
app_layer.flow.tls | Total | 3
app_layer.flow.dhcp | Total | 4
app_layer.tx.dhcp | Total | 4
app_layer.flow.failed_tcp | Total | 61
app_layer.flow.dns_udp | Total | 662
app_layer.tx.dns_udp | Total | 1401
app_layer.flow.failed_udp | Total | 66
flow.mgr.full_hash_pass | Total | 1
flow.spare | Total | 9700
flow.mgr.rows_maxlen | Total | 1
flow.mgr.flows_checked | Total | 3
flow.mgr.flows_notimeout | Total | 3
tcp.memuse | Total | 1818624
tcp.reassembly_memuse | Total | 294912
flow.memuse | Total | 7394304
Suricata EVE json logs can be read nicely using jq command.
tail -f eve.json | jq -c '.'
{"timestamp":"2017-06-27T16:38:32.234351+0300","flow_id":1969211924994338,"event_type":"flow","src_ip":"192.168.1.96","src_port":49671,"dest_ip":"192.168.1.1","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":72,"bytes_toclient":145,"start":"2017-06-27T16:44:38.776482+0300","end":"2017-06-27T16:44:38.810428+0300","age":0,"state":"established","reason":"shutdown","alerted":false}}
{"timestamp":"2017-06-27T16:38:32.234351+0300","flow_id":843743660604227,"event_type":"flow","src_ip":"192.168.1.96","src_port":49333,"dest_ip":"104.25.97.5","dest_port":25,"proto":"TCP","flow":{"pkts_toserver":3,"pkts_toclient":0,"bytes_toserver":194,"bytes_toclient":0,"start":"2017-06-27T16:44:11.981827+0300","end":"2017-06-27T16:44:20.993775+0300","age":9,"state":"new","reason":"shutdown","alerted":false},"tcp":{"tcp_flags":"02","tcp_flags_ts":"02","tcp_flags_tc":"00","syn":true,"state":"syn_sent"}}
{"timestamp":"2017-06-27T16:38:32.234351+0300","flow_id":1969768122005184,"event_type":"flow","src_ip":"192.168.1.96","src_port":49757,"dest_ip":"65.52.128.33","dest_port":25,"proto":"TCP","flow":{"pkts_toserver":3,"pkts_toclient":0,"bytes_toserver":194,"bytes_toclient":0,"start":"2017-06-27T16:44:19.898752+0300","end":"2017-06-27T16:44:28.918443+0300","age":9,"state":"new","reason":"shutdown","alerted":false},"tcp":{"tcp_flags":"02","tcp_flags_ts":"02","tcp_flags_tc":"00","syn":true,"state":"syn_sent"}}
{"timestamp":"2017-06-27T16:38:32.234351+0300","flow_id":1406916953807328,"event_type":"flow","src_ip":"192.168.1.96","src_port":51196,"dest_ip":"192.168.1.1","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":70,"bytes_toclient":70,"start":"2017-06-27T16:44:34.629216+0300","end":"2017-06-27T16:44:34.791316+0300","age":0,"state":"established","reason":"shutdown","alerted":false}}
{"timestamp":"2017-06-27T16:38:32.234351+0300","flow_id":984833338220399,"event_type":"flow","src_ip":"192.168.1.96","src_port":50135,"dest_ip":"85.25.207.48","dest_port":25,"proto":"TCP","flow":{"pkts_toserver":2,"pkts_toclient":1,"bytes_toserver":132,"bytes_toclient":54,"start":"2017-06-27T16:44:41.696175+0300","end":"2017-06-27T16:44:42.348224+0300","age":1,"state":"closed","reason":"shutdown","alerted":false},"tcp":{"tcp_flags":"16","tcp_flags_ts":"02","tcp_flags_tc":"14","syn":true,"rst":true,"ack":true,"state":"closed"}}
{"timestamp":"2017-06-27T16:38:32.234351+0300","flow_id":281214614185271,"event_type":"flow","src_ip":"192.168.1.96","src_port":51286,"dest_ip":"192.168.1.1","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":68,"bytes_toclient":84,"start":"2017-06-27T16:44:15.271671+0300","end":"2017-06-27T16:44:15.306178+0300","age":0,"state":"established","reason":"shutdown","alerted":false}}
{"timestamp":"2017-06-27T16:38:32.234351+0300","flow_id":1547864893767677,"event_type":"flow","src_ip":"192.168.1.96","src_port":54127,"dest_ip":"192.168.1.1","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":75,"bytes_toclient":91,"start":"2017-06-27T16:44:07.933885+0300","end":"2017-06-27T16:44:07.963764+0300","age":0,"state":"established","reason":"shutdown","alerted":false}}
{"timestamp":"2017-06-27T16:38:32.234351+0300","flow_id":1548103264785416,"event_type":"flow","src_ip":"192.168.1.96","src_port":60896,"dest_ip":"192.168.1.1","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":70,"bytes_toclient":102,"start":"2017-06-27T16:44:12.283656+0300","end":"2017-06-27T16:44:12.339124+0300","age":0,"state":"established","reason":"shutdown","alerted":false}}
{"timestamp":"2017-06-27T16:38:32.234351+0300","flow_id":703680482353737,"event_type":"flow","src_ip":"192.168.1.96","src_port":57898,"dest_ip":"224.0.0.252","dest_port":5355,"proto":"UDP","app_proto":"failed","flow":{"pkts_toserver":2,"pkts_toclient":0,"bytes_toserver":128,"bytes_toclient":0,"start":"2017-06-27T16:44:15.303689+0300","end":"2017-06-27T16:44:15.409326+0300","age":0,"state":"new","reason":"shutdown","alerted":false}}
Print HTTP related events;
cat /var/log/suricata/pcap/eve.json | jq 'select(.event_type=="http")'Sample output;
{
"timestamp": "2017-06-27T16:43:51.060995+0300",
"flow_id": 1208665555479627,
"pcap_cnt": 303,
"event_type": "http",
"src_ip": "192.168.1.96",
"src_port": 49189,
"dest_ip": "119.28.70.207",
"dest_port": 80,
"proto": "TCP",
"tx_id": 0,
"http": {
"hostname": "centler.at",
"url": "/auth/ajax/847598782/?min=data",
"http_user_agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko",
"http_content_type": "text/html",
"http_method": "POST",
"protocol": "HTTP/1.1",
"status": 302,
"redirect": "/auth/index.php",
"length": 41
}
}
{
"timestamp": "2017-06-27T16:43:51.784326+0300",
"flow_id": 1208665555479627,
"pcap_cnt": 307,
"event_type": "http",
"src_ip": "192.168.1.96",
"src_port": 49189,
"dest_ip": "119.28.70.207",
"dest_port": 80,
"proto": "TCP",
"tx_id": 1,
"http": {
"hostname": "centler.at",
"url": "/auth/min/828949448/",
"http_user_agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko",
"http_content_type": "text/html",
"http_method": "POST",
"protocol": "HTTP/1.1",
"status": 302,
"redirect": "/auth/index.php",
"length": 153
}
}
{
"timestamp": "2017-06-27T16:38:36.765886+0300",
"flow_id": 2030595573592962,
"pcap_cnt": 210,
"event_type": "http",
"src_ip": "192.168.1.96",
"src_port": 49184,
"dest_ip": "119.28.70.207",
"dest_port": 80,
"proto": "TCP",
"tx_id": 0,
"metadata": {
"flowints": {
"tcp.retransmission.count": 4
}
},
"http": {
"hostname": "matied.com",
"url": "/gerv.gun",
"http_user_agent": "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)",
"http_content_type": "application/octet-stream",
"http_method": "GET",
"protocol": "HTTP/1.1",
"status": 200,
"length": 241664
}
}
{
"timestamp": "2017-06-27T16:43:54.272260+0300",
"flow_id": 1826666252504918,
"pcap_cnt": 858,
"event_type": "http",
"src_ip": "192.168.1.96",
"src_port": 49191,
"dest_ip": "143.95.151.192",
"dest_port": 80,
"proto": "TCP",
"tx_id": 0,
"http": {
"hostname": "vantagepointtechnologies.com",
"url": "/wp.exe",
"http_user_agent": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)",
"http_content_type": "application/x-msdownload",
"http_method": "GET",
"protocol": "HTTP/1.1",
"status": 200,
"length": 307712
}
}
TLS related;
cat /var/log/suricata/pcap/eve.json | jq 'select(.event_type=="tls")'
{
"timestamp": "2017-06-27T16:43:49.292042+0300",
"flow_id": 1396905382088718,
"pcap_cnt": 230,
"event_type": "tls",
"src_ip": "192.168.1.96",
"src_port": 49187,
"dest_ip": "172.217.6.164",
"dest_port": 443,
"proto": "TCP",
"tls": {
"subject": "C=US, ST=California, L=Mountain View, O=Google Inc, CN=www.google.com",
"issuerdn": "C=US, O=Google Inc, CN=Google Internet Authority G2",
"serial": "68:2B:42:89:B2:FA:4F:14",
"fingerprint": "f1:df:a7:7b:37:69:9c:46:ef:73:fb:79:0c:f8:44:3b:e5:fe:a1:91",
"sni": "www.google.com",
"version": "TLS 1.2",
"notbefore": "2017-06-21T14:35:50",
"notafter": "2017-09-13T13:53:00",
"ja3": {
"hash": "4d7a28d6f2263ed61de88ca66eb011e3",
"string": "771,60-47-61-53-5-10-49191-49171-49172-49195-49187-49196-49188-49161-49162-64-50-106-56-19-4,65281-0-10-11-13,23-24,0"
},
"ja3s": {
"hash": "042b018de1d862323f09d5767e4068d5",
"string": "771,49171,65281-11"
}
}
}
{
"timestamp": "2017-06-27T16:43:49.578377+0300",
"flow_id": 978846150396712,
"pcap_cnt": 276,
"event_type": "tls",
"src_ip": "192.168.1.96",
"src_port": 49188,
"dest_ip": "172.217.6.164",
"dest_port": 443,
"proto": "TCP",
"tls": {
"session_resumed": true,
"sni": "www.google.com",
"version": "TLS 1.2",
"ja3": {
"hash": "4d7a28d6f2263ed61de88ca66eb011e3",
"string": "771,60-47-61-53-5-10-49191-49171-49172-49195-49187-49196-49188-49161-49162-64-50-106-56-19-4,65281-0-10-11-13,23-24,0"
},
"ja3s": {
"hash": "042b018de1d862323f09d5767e4068d5",
"string": "771,49171,65281-11"
}
}
}
{
"timestamp": "2017-06-27T16:44:32.873234+0300",
"flow_id": 1033531824280031,
"pcap_cnt": 14770,
"event_type": "tls",
"src_ip": "192.168.1.96",
"src_port": 49932,
"dest_ip": "208.83.223.34",
"dest_port": 80,
"proto": "TCP",
"tls": {
"subject": "CN=www.6acbzspvq.net",
"issuerdn": "CN=www.xfbploco2q.com",
"serial": "2D:70:0A:B4:E1:06:3A:A3",
"fingerprint": "18:e1:ae:ae:3d:ac:3f:47:5b:3c:d9:2d:c9:fe:4e:b4:03:19:2f:03",
"sni": "www.kid67ap2i5b5d4ekvcg.com",
"version": "TLSv1",
"notbefore": "2017-02-17T00:00:00",
"notafter": "2017-10-03T23:59:59",
"ja3": {
"hash": "c201b92f8b483fa388be174d6689f534",
"string": "769,49162-49172-136-135-57-56-49167-49157-132-53-49159-49161-49169-49171-69-68-51-50-49164-49166-49154-49156-150-65-4-5-47-49160-49170-22-19-49165-49155-65279-10-255,0-11-10-13-15,23-25-28-27-24-26-22-14-13-11-12-9-10,0-1-2"
},
"ja3s": {
"hash": "f893bd75dac422ca264dc8551c450278",
"string": "769,49172,65281-11-15"
}
}
}
You can also extract fields using jq;
cat /var/log/suricata/pcap/eve.json | jq '"\(.timestamp),\(.event_type),\(.flow_id),\(.src_ip):\(.src_port),\(.dest_ip):\(.dest_port)"'
"2017-06-27T16:43:49.210173+0300,dns,616557069022461,192.168.1.96:52437,192.168.1.1:53"
"2017-06-27T16:43:49.230063+0300,dns,616557069022461,192.168.1.96:52437,192.168.1.1:53"
"2017-06-27T16:43:49.292042+0300,tls,1396905382088718,192.168.1.96:49187,172.217.6.164:443"
"2017-06-27T16:38:32.234351+0300,flow,1145860237051004,192.168.1.96:137,192.168.1.255:137"
"2017-06-27T16:43:49.578377+0300,tls,978846150396712,192.168.1.96:49188,172.217.6.164:443"
"2017-06-27T16:38:32.234351+0300,dns,741166934430575,192.168.1.96:58520,192.168.1.1:53"
"2017-06-27T16:38:32.435448+0300,dns,741166934430575,192.168.1.96:58520,192.168.1.1:53"
"2017-06-27T16:40:52.379419+0300,dhcp,14958840826395,192.168.1.1:67,192.168.1.96:68"
"2017-06-27T16:43:49.212127+0300,dhcp,14958852390047,192.168.1.1:67,192.168.1.96:68"
"2017-06-27T16:38:32.234351+0300,flow,14958840826395,192.168.1.1:67,192.168.1.96:68"
"2017-06-27T16:43:49.687811+0300,dns,1401481669738179,192.168.1.96:60539,192.168.1.1:53"
"2017-06-27T16:43:50.009831+0300,dns,1401481669738179,192.168.1.96:60539,192.168.1.1:53"
"2017-06-27T16:43:51.060995+0300,http,1208665555479627,192.168.1.96:49189,119.28.70.207:80"
"2017-06-27T16:43:51.060995+0300,fileinfo,1208665555479627,192.168.1.96:49189,119.28.70.207:80"
"2017-06-27T16:43:51.284182+0300,fileinfo,1208665555479627,119.28.70.207:80,192.168.1.96:49189"
"2017-06-27T16:43:51.784326+0300,http,1208665555479627,192.168.1.96:49189,119.28.70.207:80"
"2017-06-27T16:43:51.784326+0300,fileinfo,1208665555479627,192.168.1.96:49189,119.28.70.207:80"
"2017-06-27T16:43:51.801800+0300,dns,518773548727304,192.168.1.96:60140,192.168.1.1:53"
"2017-06-27T16:43:52.085008+0300,dns,518773548727304,192.168.1.96:60140,192.168.1.1:53"
"2017-06-27T16:43:54.003440+0300,dns,1643097202756976,192.168.1.96:60430,192.168.1.1:53"
"2017-06-27T16:43:54.101299+0300,dns,1643097202756976,192.168.1.96:60430,192.168.1.1:53"
"2017-06-27T16:38:34.751226+0300,fileinfo,2030595573592962,119.28.70.207:80,192.168.1.96:49184"
"2017-06-27T16:43:54.234623+0300,fileinfo,1826666252504918,143.95.151.192:80,192.168.1.96:49191"
"2017-06-27T16:43:59.543714+0300,fileinfo,1592057959177462,59.106.164.230:80,192.168.1.96:49192"
"2017-06-27T16:38:36.765886+0300,http,2030595573592962,192.168.1.96:49184,119.28.70.207:80"
"2017-06-27T16:38:32.234351+0300,flow,1008264517306702,192.168.1.96:68,255.255.255.255:67"
"2017-06-27T16:43:54.272260+0300,http,1826666252504918,192.168.1.96:49191,143.95.151.192:80"
"2017-06-27T16:44:01.280900+0300,dns,2212227614591300,192.168.1.96:53513,192.168.1.1:53"
"2017-06-27T16:44:01.281004+0300,dns,655426523842988,192.168.1.96:57867,192.168.1.1:53"
"2017-06-27T16:44:01.281104+0300,dns,120718127876624,192.168.1.96:49681,192.168.1.1:53"
"2017-06-27T16:44:01.281307+0300,dns,477653532494555,192.168.1.96:64654,192.168.1.1:53"
"2017-06-27T16:44:01.281806+0300,dns,349755848871118,192.168.1.96:52283,192.168.1.1:53"
"2017-06-27T16:44:01.282006+0300,dns,2098836183010710,192.168.1.96:57208,192.168.1.1:53"
"2017-06-27T16:44:01.282256+0300,dns,2182596635217552,192.168.1.96:62422,192.168.1.1:53"
"2017-06-27T16:44:01.282555+0300,dns,403960483631035,192.168.1.96:59591,192.168.1.1:53"
"2017-06-27T16:44:01.282568+0300,dns,1549767563890632,192.168.1.96:61234,192.168.1.1:53"
"2017-06-27T16:44:01.315494+0300,dns,120718127876624,192.168.1.96:49681,192.168.1.1:53"
"2017-06-27T16:44:01.316081+0300,dns,1549767563890632,192.168.1.96:61234,192.168.1.1:53"
"2017-06-27T16:44:01.316250+0300,dns,477653532494555,192.168.1.96:64654,192.168.1.1:53"
"2017-06-27T16:44:01.316362+0300,dns,2212227614591300,192.168.1.96:53513,192.168.1.1:53"
"2017-06-27T16:44:01.316573+0300,dns,655426523842988,192.168.1.96:57867,192.168.1.1:53"
"2017-06-27T16:44:01.316670+0300,dns,2098836183010710,192.168.1.96:57208,192.168.1.1:53"
"2017-06-27T16:44:01.316770+0300,dns,2182596635217552,192.168.1.96:62422,192.168.1.1:53"
"2017-06-27T16:44:01.358088+0300,dns,403960483631035,192.168.1.96:59591,192.168.1.1:53"
"2017-06-27T16:44:01.477310+0300,dns,349755848871118,192.168.1.96:52283,192.168.1.1:53"
"2017-06-27T16:44:01.484050+0300,http,1442410561397618,192.168.1.96:49198,64.125.133.18:80"
"2017-06-27T16:44:01.484050+0300,fileinfo,1442410561397618,192.168.1.96:49198,64.125.133.18:80"
"2017-06-27T16:44:01.559644+0300,fileinfo,1442410561397618,64.125.133.18:80,192.168.1.96:49198"
"2017-06-27T16:44:01.562102+0300,http,1442410561397618,192.168.1.96:49198,64.125.133.18:80"
"2017-06-27T16:44:01.562102+0300,fileinfo,1442410561397618,192.168.1.96:49198,64.125.133.18:80"
"2017-06-27T16:43:53.341648+0300,fileinfo,1303906455409010,145.131.10.21:80,192.168.1.96:49190"
"2017-06-27T16:43:53.967647+0300,http,1303906455409010,192.168.1.96:49190,145.131.10.21:80"
That is all about how to install and configure Suricata on Ubuntu 22.04/Ubuntu 20.04.
Feel free to read more about Suricata on their documentation page.
Other Tutorials;
