Originally published on Medium: https://medium.com/@VSpec/suricata-and-crowdsec-s...

Open in app Sign up Sign in


To make Medium work, we log user data. By using Medium, you agree to
our Privacy Policy, including cookie policy.
Search

Suricata and Crowdsec Setup


VSpec · Follow
4 min read · Jan 22, 2024


As part of a larger Defensive Security project that I am working on, I decided to set up Suricata as an Intrusion
Detection System on a Linux machine, and then use Crowdsec’s open source toolkit to parse the alert logs generated by
Suricata.

The following guide is for a very simple Proof of Concept. It will get the systems up and running, but will require more
fine tuning based on individual user needs.

This guide will show you how to set up both Suricata and Crowdsec on a Linux Mint machine.

Suricata
Start by running “sudo apt update && sudo apt upgrade” to make sure your system is up to date (both halves need root), then add the OISF stable PPA, which carries the current Suricata release:

“sudo add-apt-repository ppa:oisf/suricata-stable”

On Mint, add-apt-repository comes from the software-properties-common package; install that first if the command is missing.

Install Suricata:

“sudo apt update && sudo apt install suricata”

Next, we will configure the required settings in Suricata. Start by opening the YAML config file:

“sudo nano /etc/suricata/suricata.yaml”



First, we must specify the network interface we want to monitor. Run “ip -br link” (or ifconfig, if net-tools is installed) and copy the name of your interface. Then search for the “af-packet” section in the file and replace the interface name in its first “- interface:” entry with yours; the pcap section lists interfaces too, so make sure you are editing the af-packet one.

Second, change the HOME_NET value (under vars / address-groups) to the network your system resides on, for example a single /24. The packaged default already covers all of the RFC 1918 ranges, so this step narrows what Suricata treats as "home" and therefore which direction rules match on.

Now enable and start Suricata: “sudo systemctl enable --now suricata” (enable on its own only arranges for the service to start at boot; it does not start it now). Verify with “sudo systemctl status suricata”.

Next, run “sudo suricata-update” to download the Emerging Threats Open ruleset; it writes the merged rules to /var/lib/suricata/rules/suricata.rules.


Lastly, we need to point default-rule-path in suricata.yaml at /var/lib/suricata/rules, where suricata-update just wrote the rules, since the packaged config does not point there by default; rule-files should list suricata.rules.

Now that our configuration is done, let's run Suricata in test mode, which parses the config and loads every rule without capturing traffic:

“sudo suricata -T -c /etc/suricata/suricata.yaml -v”

Then restart Suricata so the new interface and HOME_NET take effect: “sudo systemctl restart suricata”. A plain “systemctl reload suricata” only triggers a live rule reload and does not re-read the rest of suricata.yaml, so it is not enough after these edits. Check the status again.


You can test whether it is working by running “curl http://testmynids.org/uid/index.html” from the monitored machine; the response body mimics the output of “id” and should trigger the “GPL ATTACK_RESPONSE id check returned root” alert. Then check the log files: “sudo tail /var/log/suricata/fast.log” for the one-line alert, and /var/log/suricata/eve.json for the JSON record that Crowdsec will parse later.

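The three suricata.yaml edits above are easy to get subtly wrong by hand (changing the interface under pcap instead of af-packet, or leaving two default-rule-path keys behind). The shell script below, added here as an example and not code from the original article or from the Suricata project, applies them in a repeatable way and runs the same -T check. The interface name enp0s3, the 192.168.1.0/24 HOME_NET and the stand-in config it edits are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original article or the Suricata project):
# apply the af-packet interface, HOME_NET and default-rule-path edits to a
# suricata.yaml in a repeatable way, then let suricata -T validate the result.
# Interface names, CIDRs and paths passed in are assumptions; use your own.

# Run an awk program over FILE and write the result back in place.
# Writing through cat keeps the file's owner and mode, unlike mv from mktemp.
awk_in_place() {   # usage: awk_in_place FILE [awk options] 'program'
  local file="$1" tmp rc
  shift
  tmp="$(mktemp)" || return 1
  awk "$@" "$file" > "$tmp" && cat "$tmp" > "$file"
  rc=$?
  rm -f "$tmp"
  return $rc
}

# Point the first "- interface:" entry of the af-packet section at IFACE.
# Other sections that also list interfaces (pcap, pfring) are left alone.
set_af_packet_interface() {   # usage: set_af_packet_interface FILE IFACE
  awk_in_place "$1" -v iface="$2" '
    /^af-packet:/                        { in_af = 1 }
    in_af && /^[^ #]/ && !/^af-packet:/  { in_af = 0 }   # next top-level key
    in_af && !done && /^ *- interface:/  { sub(/interface:.*/, "interface: " iface); done = 1 }
    { print }'
}

# Replace the HOME_NET address group with one CIDR (or a comma-separated
# list), keeping the "[...]" list syntax Suricata expects.
set_home_net() {   # usage: set_home_net FILE CIDR[,CIDR...]
  awk_in_place "$1" -v nets="$2" '
    !done && /^ *HOME_NET:/ { sub(/HOME_NET:.*/, "HOME_NET: \"[" nets "]\""); done = 1 }
    { print }'
}

# Set default-rule-path, appending the key if the file does not have one.
set_default_rule_path() {   # usage: set_default_rule_path FILE DIR
  awk_in_place "$1" -v dir="$2" '
    !done && /^default-rule-path:/ { $0 = "default-rule-path: " dir; done = 1 }
    { print }
    END { if (!done) print "default-rule-path: " dir }'
}

# The -T check from the guide. Returns 2 when suricata is not installed so a
# caller can tell "not checked" from "config rejected".
check_config() {   # usage: check_config FILE
  command -v suricata >/dev/null 2>&1 || return 2
  suricata -T -c "$1" -v
}

# Constructed stand-in for the parts of suricata.yaml the edits touch (not a
# real packaged file), so the functions can be exercised without root.
write_sample_config() {   # usage: write_sample_config FILE
  cat > "$1" <<'EOF'
%YAML 1.1
---
vars:
  address-groups:
    HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
    EXTERNAL_NET: "!$HOME_NET"
default-rule-path: /etc/suricata/rules
rule-files:
  - suricata.rules
af-packet:
  - interface: eth0
    cluster-id: 99
  - interface: default
pcap:
  - interface: eth0
EOF
}

# Demo on the constructed file with hypothetical values; shows the lines
# that were touched. Point the same calls at /etc/suricata/suricata.yaml
# (as root) to do it for real, then run check_config on it.
cfg="$(mktemp)"
write_sample_config "$cfg"
set_af_packet_interface "$cfg" enp0s3            # hypothetical NIC name
set_home_net "$cfg" 192.168.1.0/24               # hypothetical LAN
set_default_rule_path "$cfg" /var/lib/suricata/rules
grep -nE 'interface:|HOME_NET:|default-rule-path:' "$cfg"
rm -f "$cfg"
```

Run the setters against the real file as root, then check_config to have Suricata itself confirm the result before restarting the service.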
That's all for Suricata for now; let's move on to Crowdsec.

CrowdSec
Run the following to add the CrowdSec package repository. There is no Mint-specific build, so we tell the packagecloud script to treat the system as its Ubuntu base (Mint 21.x is built on Ubuntu 22.04 “jammy”; use the codename of your own release's base):

“curl -s https://packagecloud.io/install/repositories/crowdsec/crowdsec/script.deb.sh | os=ubuntu dist=jammy sudo -E bash”

Piping a remote script straight into a root shell is a supply-chain risk. The safer habit is to save it first (“curl -s -o script.deb.sh https://packagecloud.io/install/repositories/crowdsec/crowdsec/script.deb.sh”), read it, and only then run “os=ubuntu dist=jammy sudo -E bash script.deb.sh”.

Install CrowdSec:

“sudo apt install crowdsec”

Now we need to enroll the engine we installed into the CrowdSec console. On Linux this is very simple: once your account is set up, create an engine in the console and it will hand you the command

“sudo cscli console enroll <key>”

The key is tied to your account, so treat it as a secret and keep it out of shared notes and screenshots.

Next, restart crowdsec:

“sudo systemctl restart crowdsec”.

Then install CrowdSec's Suricata collection, so that CrowdSec can identify the logs and alerts generated by Suricata. The collection already pulls in the crowdsecurity/suricata-logs parser and the crowdsecurity/suricata-alerts scenario, so the second and third commands only matter if you want to manage those items individually. cscli needs root to read the local API credentials:

“sudo cscli collections install crowdsecurity/suricata”

“sudo cscli parsers install crowdsecurity/suricata-logs”

“sudo cscli scenarios install crowdsecurity/suricata-alerts”

Now reload CrowdSec: “sudo systemctl reload crowdsec”.

Next, we have to make sure that CrowdSec is actually reading the logs generated by Suricata. We do that by opening the acquisition file and adding a datasource for Suricata's EVE log:

“sudo nano /etc/crowdsec/acquis.yaml”

The entry to add is the one the collection documents: a filenames list containing /var/log/suricata/eve.json and a labels block with type: suricata, separated from the datasources already in the file by a “---” line. The label is what routes the lines to the Suricata parser, so a typo there leaves the log read but silently unparsed.


IMPORTANT STEP
By default, CrowdSec whitelists any traffic coming from private (RFC 1918) and loopback addresses, through the crowdsecurity/whitelists parser. For this setup we will be testing from an attack machine on the same network as the monitored system, so every alert it triggers would be discarded before a scenario ever sees it. The easiest way around this is to remove the whitelist parser. A narrower whitelist that leaves out only the attack box's address is the better option for anything beyond a lab, because once a bouncer is added nothing stops CrowdSec from banning your own LAN hosts, but removal will serve our purposes here.

“sudo cscli parsers remove crowdsecurity/whitelists”

Reload CrowdSec afterwards (“sudo systemctl reload crowdsec”) so the change takes effect.

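As an added example covering both the acquisition step and the whitelist step (not code from the original article or from the CrowdSec project): the script below appends the documented Suricata datasource to acquis.yaml only if it is not already there, and then reads EVE alert events to show what share of them come from private addresses, which is exactly the share the stock whitelist would have thrown away before the suricata-alerts scenario could fire. The log lines it parses are constructed, and the file paths are assumptions.

```shell
#!/bin/sh
# Added example (not from the original article or the CrowdSec project).
#  - ensure_suricata_acquisition: add the Suricata EVE datasource to
#    acquis.yaml exactly once (the filenames/labels entry the
#    crowdsecurity/suricata collection documents).
#  - lan_alert_share: count EVE alert events and how many have an RFC 1918
#    or loopback source, i.e. the events the stock crowdsecurity/whitelists
#    parser drops before any scenario runs. That is why a same-LAN attack
#    box produces no decisions until that whitelist is removed or narrowed.
# Paths and the sample log lines below are assumptions made for the example.

# Append a Suricata datasource to ACQUIS unless EVE is already referenced.
# Separate YAML documents in acquis.yaml are delimited by "---".
ensure_suricata_acquisition() {   # usage: ensure_suricata_acquisition ACQUIS [EVE]
  local acquis="$1" eve="${2:-/var/log/suricata/eve.json}"
  if grep -qF "$eve" "$acquis" 2>/dev/null; then
    return 0                      # already configured, nothing to do
  fi
  if [ -s "$acquis" ]; then
    printf -- '---\n' >> "$acquis"
  fi
  printf 'filenames:\n  - %s\nlabels:\n  type: suricata\n' "$eve" >> "$acquis"
}

# Private (RFC 1918) or loopback IPv4 address? Mirrors the ranges the hub
# whitelist covers for IPv4; IPv6 (::1) is out of scope for this example.
is_private_ip() {   # usage: is_private_ip ADDR  (exit 0 when private)
  case "$1" in
    10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*|127.*) return 0 ;;
    *) return 1 ;;
  esac
}

# Print "<alerts> <alerts-from-private-src>" for an EVE JSON file.
# EVE writes one compact JSON object per line, so sed can pull src_ip without
# a JSON parser; good enough for a quick check, use jq for anything serious.
lan_alert_share() {   # usage: lan_alert_share EVE_FILE
  local total=0 private=0 ip
  for ip in $(grep -F '"event_type":"alert"' "$1" \
              | sed -n 's/.*"src_ip":"\([^"]*\)".*/\1/p'); do
    total=$((total + 1))
    if is_private_ip "$ip"; then
      private=$((private + 1))
    fi
  done
  echo "$total $private"
}

# Constructed EVE lines (not a real capture): two alerts from LAN hosts, one
# from the internet, plus a flow record that must be ignored.
write_sample_eve() {   # usage: write_sample_eve FILE
  cat > "$1" <<'EOF'
{"timestamp":"2024-01-22T10:00:00.000000+0000","event_type":"alert","src_ip":"192.168.1.50","dest_ip":"192.168.1.10","alert":{"signature":"ET SCAN Potential SSH Scan"}}
{"timestamp":"2024-01-22T10:00:01.000000+0000","event_type":"flow","src_ip":"192.168.1.50","dest_ip":"192.168.1.10"}
{"timestamp":"2024-01-22T10:00:02.000000+0000","event_type":"alert","src_ip":"203.0.113.7","dest_ip":"192.168.1.10","alert":{"signature":"ET SCAN Potential SSH Scan"}}
{"timestamp":"2024-01-22T10:00:03.000000+0000","event_type":"alert","src_ip":"10.0.0.9","dest_ip":"192.168.1.10","alert":{"signature":"GPL ATTACK_RESPONSE id check returned root"}}
EOF
}

# Demo on constructed data; no root or network needed.
eve="$(mktemp)"; acq="$(mktemp)"
write_sample_eve "$eve"
echo "alerts total/private-source: $(lan_alert_share "$eve")"   # 3 2
printf 'filenames:\n  - /var/log/syslog\nlabels:\n  type: syslog\n' > "$acq"
ensure_suricata_acquisition "$acq"
cat "$acq"
rm -f "$eve" "$acq"
```

Run lan_alert_share against the real /var/log/suricata/eve.json after the testmynids check: if the private count equals the total, the whitelist step above is the reason the console shows nothing.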
You now have Suricata running on your monitored system as an IDS, and a CrowdSec engine running on that same system, which you can monitor in the CrowdSec console. Note that nothing is blocked yet: the engine only parses logs and makes decisions, and enforcement needs a bouncer (for example the firewall bouncer) installed separately.

The final result? Logs generated by Suricata, creating alerts, being parsed by CrowdSec for near real-time visibility.

Thanks for reading!

Cybersecurity Technology Tech Intrusion Detection Linux
