June 1, 2015
Fedora Linux 21 and 22 have Suricata 2.0.8 in their default repositories, making it very easy to get started. The following was done on Fedora 22, but should be applicable to Fedora 21 as well.
yum install suricata
By default, Suricata will be configured to run on eth0. If you need to change this, edit /etc/sysconfig/suricata and change eth0 to your desired interface.
To start Suricata one time:
systemctl start suricata
To have it restarted on each boot:
systemctl enable suricata
But you'll probably want to have it started only after your network is ready. This can be done by adding network-online.target to the After= line in the unit file /usr/lib/systemd/system/suricata.service. Note that After= only controls ordering; if nothing else activates network-online.target, also add Wants=network-online.target to the [Unit] section so that it is actually pulled in.
[Unit]
Description=Suricata Intrusion Detection Service
After=syslog.target network-online.target
[Service]
ExecStart=/sbin/suricata -c /etc/suricata/suricata.yaml $OPTIONS
EnvironmentFile=-/etc/sysconfig/suricata
[Install]
WantedBy=multi-user.target
Even though we have not downloaded any rules yet, Suricata will still log HTTP requests, DNS requests, TLS certificates and SSH connections by default. These can be observed by monitoring /var/log/suricata/eve.log.
tail -f /var/log/suricata/eve.log
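Each line of eve.log is one JSON object with an event_type field, so it is easy to do more than just tail it. The following is an added example (not code from the original post or from the Suricata project) that reads EVE lines, skips anything that is not well-formed JSON (which you will see when tailing a file that is being written), counts events per type and prints a one-line summary of each. The nested keys it reads (http.hostname, dns.rrname, tls.subject, ssh.client.software_version, alert.signature_id) are those Suricata 2.x writes; the sample records embedded in the script are constructed, including the alert signature and its sid.

```python
"""Summarise Suricata EVE JSON output (one JSON object per line)."""
import json
from collections import Counter

# Constructed sample EVE records (not captured from a real sensor). The
# event_type values and the nested per-protocol keys match what Suricata 2.x
# writes to eve.log; addresses, names, the alert signature and sid are made up.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2015-06-01T12:00:00.000000+0000","event_type":"http","src_ip":"10.0.0.5","src_port":51000,"dest_ip":"192.0.2.10","dest_port":80,"proto":"TCP","http":{"hostname":"www.example.com","url":"/index.html","http_user_agent":"curl/7.40.0","http_method":"GET","protocol":"HTTP/1.1","status":200,"length":1270}}',
    '{"timestamp":"2015-06-01T12:00:01.000000+0000","event_type":"dns","src_ip":"10.0.0.5","src_port":40000,"dest_ip":"10.0.0.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":4242,"rrname":"www.example.com","rrtype":"A"}}',
    '{"timestamp":"2015-06-01T12:00:02.000000+0000","event_type":"tls","src_ip":"10.0.0.5","src_port":51002,"dest_ip":"192.0.2.20","dest_port":443,"proto":"TCP","tls":{"subject":"C=US, CN=www.example.com","issuerdn":"C=US, O=Example CA","version":"TLS 1.2"}}',
    '{"timestamp":"2015-06-01T12:00:03.000000+0000","event_type":"ssh","src_ip":"10.0.0.5","src_port":51003,"dest_ip":"192.0.2.30","dest_port":22,"proto":"TCP","ssh":{"client":{"proto_version":"2.0","software_version":"OpenSSH_6.9"},"server":{"proto_version":"2.0","software_version":"OpenSSH_6.6.1"}}}',
    '{"timestamp":"2015-06-01T12:00:04.000000+0000","event_type":"alert","src_ip":"192.0.2.40","src_port":80,"dest_ip":"10.0.0.5","dest_port":51004,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":9000001,"rev":1,"signature":"CONSTRUCTED sample signature","category":"Potentially Bad Traffic","severity":2}}',
    'this line is not JSON and must be skipped',
    '{"timestamp":"2015-06-01T12:00:05.000000+0000","event_type":"http","src_ip":"10.0.0.6","src_port":51005,"dest_ip":"192.0.2.10","dest_port":80,"proto":"TCP","http":{"hostname":"www.example.com","url":"/login","http_method":"POST","protocol":"HTTP/1.1","status":302,"length":0}}',
]


def parse_eve(lines):
    """Yield one dict per well-formed EVE record, skipping blank lines and
    anything that is not a JSON object carrying an event_type (a partially
    written record looks like that when tailing a live log)."""
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            rec = json.loads(raw)
        except ValueError:
            continue
        if isinstance(rec, dict) and "event_type" in rec:
            yield rec


def count_by_type(events):
    """Return {event_type: count} for a sequence of parsed EVE records."""
    return Counter(e["event_type"] for e in events)


def describe(rec):
    """One human-readable line per record, picking the fields that matter for
    the event types Suricata logs without rules (http, dns, tls, ssh) and for
    alert once rules are installed; other types are dumped as JSON."""
    flow = "%s:%s -> %s:%s" % (rec.get("src_ip"), rec.get("src_port"),
                               rec.get("dest_ip"), rec.get("dest_port"))
    kind = rec["event_type"]
    body = rec.get(kind, {})
    if kind == "http":
        detail = "%s %s%s -> %s" % (body.get("http_method"), body.get("hostname", ""),
                                    body.get("url", ""), body.get("status"))
    elif kind == "dns":
        detail = "%s %s %s" % (body.get("type"), body.get("rrtype"), body.get("rrname"))
    elif kind == "tls":
        detail = "subject=%r issuer=%r" % (body.get("subject"), body.get("issuerdn"))
    elif kind == "ssh":
        detail = "client=%s server=%s" % (body.get("client", {}).get("software_version"),
                                          body.get("server", {}).get("software_version"))
    elif kind == "alert":
        detail = "[%s:%s] %s (sev %s)" % (body.get("gid"), body.get("signature_id"),
                                          body.get("signature"), body.get("severity"))
    else:
        detail = json.dumps(body, sort_keys=True)
    return "%s %-5s %s %s" % (rec.get("timestamp"), kind, flow, detail)


def summarize(lines):
    """Parse EVE lines and return (per-type counts, list of description lines)."""
    events = list(parse_eve(lines))
    return count_by_type(events), [describe(e) for e in events]


if __name__ == "__main__":
    import sys
    # Read a real file when given one (e.g. /var/log/suricata/eve.log),
    # otherwise run on the constructed sample above.
    source = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_EVE_LINES
    counts, out_lines = summarize(source)
    for line in out_lines:
        print(line)
    print("totals:", dict(counts))
```

Run it as `python eve_summary.py /var/log/suricata/eve.log` to summarise the real log; with no argument it runs on the embedded sample, where the non-JSON line is dropped and the remaining six records are reported, two of them HTTP.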
To get the most out of Suricata you will want to download some rules. The Emerging Threats Open rules are freely available and can be installed with the following commands:
cd /etc/suricata
curl http://rules.emergingthreats.net/open/suricata-2.0/emerging.rules.tar.gz | tar zxvf -
systemctl restart suricata