Starting with Suricata 0.9.0 the engine can run as an unprivileged user. For this, create a new user called “suricata”:
useradd --no-create-home --shell /bin/false --user-group --comment "Suricata IDP account" suricata
This command creates a user and group called “suricata”. The account cannot be used to log in, as its shell is set to /bin/false.
The next thing to do is to create a configuration directory. Create /etc/suricata/ and copy the suricata.yaml example config into it. The example configuration can be found in the source archive you used to build Suricata:
cp /path/to/suricata-0.9.0/suricata.yaml /etc/suricata/
cp /path/to/suricata-0.9.0/classification.config /etc/suricata/
Next, create the log directory, /var/log/suricata.
The log directory needs to be writable for the user and group “suricata”, so change the ownership:
chown suricata:suricata /var/log/suricata
The last step I’ll be describing here is retrieving an initial ruleset. The two main rulesets you can use are Emerging Threats (ET) and Sourcefire’s VRT ruleset. Since putting VRT to use is a bit more complicated, I’ll be focusing on ET here.
First, download the Emerging Threats rules archive:
Go to /etc/suricata/ and extract the rules archive:
tar xzvf /path/to/emerging.rules.tar.gz
There is a lot more to rules, such as tuning and staying updated, but that’s beyond the scope of this post.
Suricata is now ready to be started:
suricata -c /etc/suricata/suricata.yaml -i eth0 --user suricata --group suricata
If all is set up properly, Suricata will tell you it is now running:
9/5/2010 -- 18:17:47 - (tm-threads.c:1362) (TmThreadWaitOnThreadInit) -- all 8 packet processing threads, 3 management threads initialized, engine started.
There are three log files in /var/log/suricata that are interesting to monitor:
- stats.log: displays statistics on packets, TCP sessions etc.
- fast.log: an alerts log similar to Snort’s fast log.
- http.log: displays HTTP requests in an Apache-style format.
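Once the engine is up, it is worth verifying that the privilege drop, the log directory ownership and the no-login account actually hold. The following script is an added example, not part of the original post or of Suricata itself; it assumes the names used above (user and group “suricata”, /var/log/suricata) and a Linux host with /proc mounted.

```shell
#!/bin/sh
# Added example (not from the original post): post-start checks that the
# unprivileged setup described above really holds. Assumes Linux with /proc.

# Map a user/group name to its numeric id via a passwd/group style file;
# an argument that is already numeric is returned unchanged.
resolve_id() {
    case "$1" in ''|*[!0-9]*) ;; *) printf '%s\n' "$1"; return 0 ;; esac
    awk -F: -v n="$1" '$1 == n { print $3; f = 1; exit } END { exit !f }' "$2"
}
# Print "uid:gid" for a user and group given as names or numbers.
want_ids() {
    u=$(resolve_id "$1" /etc/passwd) || return 1
    g=$(resolve_id "$2" /etc/group) || return 1
    printf '%s:%s\n' "$u" "$g"
}
# Print "euid:egid" of a running process from /proc/<pid>/status; its Uid:/Gid:
# lines list real, effective, saved and filesystem ids (effective is field 3).
proc_ids() {
    [ -r "/proc/$1/status" ] || return 1
    awk '/^Uid:/ { u = $3 } /^Gid:/ { g = $3 } END { print u ":" g }' "/proc/$1/status"
}
# The engine must run with the service account's effective ids, i.e. the
# --user/--group switches took effect and it is no longer root.
check_process_identity() {
    want=$(want_ids "$2" "$3") || return 1
    [ "$(proc_ids "$1")" = "$want" ]
}
# The log directory must exist, be owned by the service user and group, and
# must not be writable by others (a world-writable log directory invites tampering).
check_log_dir() {
    [ -d "$1" ] || return 1
    want=$(want_ids "$2" "$3") || return 1
    set -- "$1" $(ls -ldn "$1")                 # now $2=mode $3=links $4=uid $5=gid
    [ "$4:$5" = "$want" ] || return 1
    case "$2" in ????????w*) return 1 ;; esac   # 9th mode char is the other-write bit
}
# The service account must not have a usable login shell
# (second argument overrides the passwd file, default /etc/passwd).
check_login_shell() {
    shell=$(awk -F: -v n="$1" '$1 == n { print $7; exit }' "${2:-/etc/passwd}")
    case "$shell" in /bin/false|/sbin/nologin|/usr/sbin/nologin) return 0 ;; esac
    return 1
}
# Usage: sh check-suricata.sh <pid of the running suricata process>
if [ $# -eq 1 ]; then
    check_login_shell suricata                        || { echo "account has a login shell"; exit 1; }
    check_log_dir /var/log/suricata suricata suricata || { echo "bad log dir owner or mode"; exit 1; }
    check_process_identity "$1" suricata suricata     || { echo "pid $1 not running as suricata"; exit 1; }
    echo "all checks passed"
fi
```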
This should get you going. There is a lot more to deploying Suricata that I plan to blog on later.