Suricata - IDS/IPS. Observe Protect Adapt

Start observing, protecting, and adapting your network with Suricata to monitor, analyze, and detect network threats in real time.

Suricata

Suricata is a high-performance, open-source network analysis and threat detection engine used by many private and public organizations and embedded by major vendors to protect their assets.

Suricata writes structured EVE (JSON) logs; the Wazuh agent collects them and forwards them to the Wazuh manager, enabling centralized detection, correlation, and analysis of network security events.

Requirements (Suricata host):

  • Wazuh server (XDR/SIEM) installed and reachable from this host
  • Ubuntu 16.04–24.04 (64-bit)
  • x86_64/ARM64
  • Root privileges
  • 4 vCPU, 8 GB RAM, 50 GB storage

Install Suricata:

sudo apt-get install software-properties-common
sudo add-apt-repository ppa:oisf/suricata-stable
sudo apt-get update
sudo apt-get install suricata jq   # jq is only used later to pretty-print eve.json

Configure Suricata host:

sudo nano /etc/suricata/suricata.yaml

Edit the following settings. Indentation matters in YAML; HOME_NET and EXTERNAL_NET live under vars: / address-groups: in the shipped file, and the other keys already exist at top level:

vars:
  address-groups:
    HOME_NET: "<UBUNTU_IP>"
    EXTERNAL_NET: "any"

default-rule-path: /etc/suricata/rules
rule-files:
  - "*.rules"

stats:
  enabled: yes

af-packet:
  - interface: enp0s3

Replace <UBUNTU_IP> with the Suricata host's IP address (a CIDR list such as "[192.168.1.0/24]" also works if the whole segment should count as HOME_NET), and change enp0s3 to the interface Suricata should sniff (ip -br link shows the names). Rules that reference $HOME_NET only fire for traffic to or from those addresses, so a too-narrow HOME_NET silently drops detections.

sudo systemctl restart suricata

Configure Suricata rules:

cd /tmp/
curl -LO https://rules.emergingthreats.net/open/suricata-8.0.1/emerging.rules.tar.gz

The ruleset directory name embeds the Suricata version (8.0.1 above); use the one matching the version you installed (suricata -V).

sudo tar -xvzf emerging.rules.tar.gz
sudo mkdir -p /etc/suricata/rules
sudo mv rules/*.rules /etc/suricata/rules/
sudo chown root:root /etc/suricata/rules/*.rules
sudo chmod 644 /etc/suricata/rules/*.rules      # read-only for everyone but root
sudo suricata -T -c /etc/suricata/suricata.yaml -v   # test mode: validates config and rules
sudo systemctl restart suricata

Rule files must not be world-writable (chmod 777): any local user could then add, alter, or disable detection rules. Suricata only needs to read them, so root-owned files with mode 644 are sufficient. Suricata loads rules at start, so the service has to be restarted (or the ruleset reloaded) after the files are installed; the -T run catches syntax errors before the restart.

Review Suricata status:

sudo systemctl status suricata

sudo tail -f /var/log/suricata/eve.json | jq .

Each line of eve.json is one JSON record; the event_type field (alert, flow, stats, dns, http, ...) tells you which kind. If only stats records appear, check that the af-packet interface is correct and actually carries traffic.
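Before wiring the log into Wazuh it helps to know what an EVE record looks like and which ones matter first. The following Python script is an added example, not code from the original post, Suricata, or Wazuh: it reads lines in the eve.json format, skips non-alert records (flow, stats) and partially written lines, classifies each alert as inbound, outbound, internal, or external relative to the HOME_NET configured above, and ranks alerts by Suricata severity (1 is the most severe). The sample lines, signature names, and sids in SAMPLE_EVE are constructed for the example; to run it against real data, replace SAMPLE_EVE with the contents of /var/log/suricata/eve.json.

```python
"""Triage Suricata EVE (eve.json) records before they reach Wazuh.

Added example, not code from the original post, Suricata or Wazuh.
Assumptions: HOME_NET below mirrors the value set in suricata.yaml;
SAMPLE_EVE is a constructed stand-in for lines read from
/var/log/suricata/eve.json (signature names and sids are made up).
"""
import ipaddress
import json
from collections import Counter

# Assumed to match vars.address-groups.HOME_NET in suricata.yaml; a CIDR
# list such as ["192.0.2.0/24", "10.0.0.0/8"] works the same way.
HOME_NET = ["192.0.2.10"]

# Constructed sample records in EVE alert/flow/stats format, one JSON object
# per line, including a truncated line as you would see under `tail -f`.
SAMPLE_EVE = """\
{"timestamp":"2025-10-31T10:00:00.000000+0000","flow_id":1,"event_type":"alert","src_ip":"198.51.100.7","dest_ip":"192.0.2.10","proto":"ICMP","alert":{"signature_id":1000001,"rev":1,"signature":"SAMPLE ICMP echo request to HOME_NET","category":"Misc activity","severity":3}}
{"timestamp":"2025-10-31T10:00:01.000000+0000","flow_id":2,"event_type":"flow","src_ip":"192.0.2.10","dest_ip":"198.51.100.7","proto":"TCP"}
{"timestamp":"2025-10-31T10:00:02.000000+0000","flow_id":3,"event_type":"alert","src_ip":"192.0.2.10","dest_ip":"203.0.113.5","dest_port":4444,"proto":"TCP","alert":{"signature_id":1000002,"rev":1,"signature":"SAMPLE outbound connection to 4444/tcp","category":"A Network Trojan was detected","severity":1}}
{"timestamp":"2025-10-31T10:00:03.000000+0000","event_type":"stats","stats":{"uptime":120}}
{"timestamp":"2025-10-31T10:00:04.000000+0000","flow_id":5,"event_type":"alert","src_ip":"198.51.100.7","dest_ip":"192.0.2.10","proto":"ICMP","alert":{"signature_id":1000001,"rev":1,"signature":"SAMPLE ICMP echo request to HOME_NET","category":"Misc activity","severity":3}}
{"timestamp":"2025-10-31T10:00:05.000000+0000","flow_id":6,"event_type":"ale
"""


def parse_eve(text):
    """Yield parsed EVE records, skipping blank and malformed lines.

    A half-written last line is normal when reading a live eve.json, so a
    JSON error on one line must not abort the whole pass.
    """
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def direction(record, home_net=HOME_NET):
    """Classify a record's flow relative to HOME_NET.

    Returns "inbound", "outbound", "internal" (both ends in HOME_NET) or
    "external" (neither end in HOME_NET, e.g. a span port seeing transit).
    """
    nets = [ipaddress.ip_network(n, strict=False) for n in home_net]

    def in_home(addr):
        ip = ipaddress.ip_address(addr)
        return any(ip in net for net in nets)

    src_home = in_home(record["src_ip"])
    dst_home = in_home(record["dest_ip"])
    if src_home and dst_home:
        return "internal"
    if src_home:
        return "outbound"
    if dst_home:
        return "inbound"
    return "external"


def triage_alerts(text, home_net=HOME_NET, max_severity=3):
    """Return alert records (event_type == "alert") with Suricata severity
    <= max_severity, annotated with direction and sorted most severe first.

    Severity 1 is the highest in Suricata; max_severity=1 keeps only those.
    """
    alerts = []
    for rec in parse_eve(text):
        if rec.get("event_type") != "alert":
            continue
        sev = rec["alert"]["severity"]
        if sev > max_severity:
            continue
        alerts.append({
            "timestamp": rec["timestamp"],
            "severity": sev,
            "sid": rec["alert"]["signature_id"],
            "signature": rec["alert"]["signature"],
            "direction": direction(rec, home_net),
            "src": rec["src_ip"],
            "dest": rec["dest_ip"],
        })
    alerts.sort(key=lambda a: (a["severity"], a["timestamp"]))
    return alerts


def signature_counts(alerts):
    """Count alerts per signature: after enabling a full ruleset the first
    job is usually finding the signatures that are noisy and tuning them."""
    return Counter(a["signature"] for a in alerts)


if __name__ == "__main__":
    triaged = triage_alerts(SAMPLE_EVE)
    for a in triaged:
        print(f'sev{a["severity"]} {a["direction"]:8} {a["src"]} -> {a["dest"]}'
              f'  [{a["sid"]}] {a["signature"]}')
    print(signature_counts(triaged).most_common())
```

The direction column is what makes HOME_NET worth setting correctly: the severity-1 outbound connection to 4444/tcp from the Suricata host stands out immediately, while the two inbound ICMP alerts are the kind of traffic the ping test in the last section generates.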

Requirements (Wazuh agent):

  • Ubuntu/Debian Linux (64-bit)
  • Root privileges

Configure Wazuh agent:

sudo nano /var/ossec/etc/ossec.conf

Add the following block inside the existing <ossec_config> element; the json log format makes the agent ship each EVE record as a decoded JSON event rather than as raw text:

  <localfile>
    <log_format>json</log_format>
    <location>/var/log/suricata/eve.json</location>
  </localfile>

sudo systemctl restart wazuh-agent

Review Suricata via Wazuh dashboard:

From another machine on the same network, generate some traffic toward the Suricata host. Pinging the host from itself goes over the loopback interface and never reaches the af-packet capture on enp0s3, so it produces no alerts:

ping -c 20 "<UBUNTU_IP>"

  • Log in to the Wazuh dashboard
  • Open Threat Hunting and filter the events with rule.groups:suricata

Suricata alerts are collected into Wazuh, giving security teams centralized insight and the ability to monitor, analyze, and respond to security threats.


https://1337rokudenashi.github.io/6f1a9d2b-4c3f-4b9a-8f5d-1a2b3c4d5e6f/
Author: 1337rokudenashi
Posted on: October 31, 2025