I recently found out that Fedora includes Vuurmuur in it’s repositories. Since Suricata is also included, I figured I would do a quick write up on how to setup a Fedora IPS. While writing it turned more into a real “howto”, so I decided to submit it to Howtoforge.
It can be found here one HowtoForge.
Vuurmuur on Fedora is at the 0.7 version, which is still the current stable. It’s rather old though, and it reminds me again I need to make sure the 0.8 branch gets to a stable release soon. The Suricata included in Fedora 17 is 1.2.1, with 1.3.2 expected to land any day now.
The guide sets the user up from base Fedora install to a working IPS, but doesn’t cover any advanced topics such as rule management, event management etc. Still, I hope it’s useful to some, especially those that are intimidated by Vuurmuur’s and Suricata’s initial learning curves.
Looking forward to feedback! 🙂
Thanks for the tutorial, it helped me a lot installing Suricata IPS on SL6! 🙂
I can see packets going through the NFQUEUE fine and the facebook website test rule you provide works fine too.
However, I’m a little unsure of where to go from here. I’ve installed Oinkmaster to automatically update the rules from EmeringThreats each day.
Do I need to individually configure rules to ‘drop’ via Oinkmaster in order to get Suricata protecting the network?
There is lots if data showing up in fast.log, http.log, but I get the impression these are just alerts and nothing is actually being dropped.
In addition, if I enable drop logging, there are some packets being dropped, but it’s not clear what for 😦