
Using Emerging Threats Suricata Ruleset to Scan PCAP

Scanning a PCAP file with a large IDS ruleset can be beneficial for putting a name to suspicious or malicious activity. It can also be useful for creating signatures for previously undetected malware or for deciding which rules to actively run in your environment.

This post will act as a guide for running the Emerging Threats Suricata ruleset against PCAP files on a typical Linux host. In this case, I used a fresh installation of Ubuntu 17.10. This can also be done on a more robust, pre-configured environment such as Security Onion.

Steps

  1. Start with Ubuntu or your Linux distro of choice. Ubuntu with the Cinnamon UI is great for a lightweight utility machine (sudo apt install cinnamon-desktop-environment).
  2. Open a terminal and install suricata and pyyaml with:
    sudo apt install suricata
    pip3 install pyyaml
  3. Move the helper script (suricata_et_rule_update.py) to your environment and run it. This will download rules and configuration files from Emerging Threats' open ruleset and move them to /etc/suricata/. It also enables the informational rules in Emerging Threats' included configuration file.
    sudo python3 suricata_et_rule_update.py
    3a. If you are an ETPRO subscriber, modify the variables at the top of the script to point to the expanded ruleset and appropriate config files.
    base_url = 'https://rules.emergingthreatspro.com/{etpro key}/suricata-1.3-enhanced/'
    filename_rule_tar = 'etpro.rules.tar.gz'
    filename_yaml = 'suricata-1.3-etpro.yaml'
  4. Move your PCAP to the environment and run suricata against it with the following command:
    sudo suricata -c /etc/suricata/suricata-1.3-open.modified.yaml -r path/to/pcap.pcap
  5. View results in /var/log/suricata/fast.log
    sudo cat /var/log/suricata/fast.log
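Once the scan has finished, fast.log is usually far too long to read top to bottom. The Python script below is an added example (it is not code from the original post, nor from Emerging Threats or the Suricata project) that parses the fast.log written in step 5 and summarizes it: alert counts per signature, per ET category and per priority, the external peers involved, and the low-priority informational signatures that are candidates for disabling before the ruleset is run live, which is the rule-selection use case mentioned at the top of this post. It assumes Suricata's default fast.log line layout and an RFC 1918 HOME_NET; the embedded sample alerts are constructed (local SIDs 1000001-1000004, TEST-NET addresses) and are not real rules or observed traffic.

```python
"""Triage a Suricata fast.log produced by scanning a PCAP (added example).

Assumptions: Suricata's default fast.log line layout, and a HOME_NET of
RFC 1918 space. Run with no arguments to process the constructed sample,
or pass a path such as /var/log/suricata/fast.log.
"""
import ipaddress
import re
import sys
from collections import Counter

# One fast.log alert line as Suricata writes it (assumed default layout):
# <timestamp>  [**] [gid:sid:rev] <msg> [**] [Classification: ...] [Priority: N] {PROTO} src:port -> dst:port
FAST_LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<classification>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<priority>\d+)\]\s+"
    r"\{(?P<proto>[^}]+)\}\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)

# Assumed HOME_NET, mirroring the Suricata variable of the same name.
HOME_NET = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# ET categories that are usually informational rather than actionable (assumption).
NOISY_CATEGORIES = {"INFO", "POLICY", "USER_AGENTS"}

# Constructed sample alerts: local SIDs, TEST-NET peers, made-up messages.
SAMPLE_FAST_LOG = """\
03/01/2018-10:15:42.000001  [**] [1:1000001:2] ET INFO Constructed sample - outbound HTTP request [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 10.0.0.5:51234 -> 203.0.113.10:80
03/01/2018-10:15:42.000150  [**] [1:1000001:2] ET INFO Constructed sample - outbound HTTP request [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 10.0.0.5:51235 -> 203.0.113.10:80
03/01/2018-10:15:43.120000  [**] [1:1000002:1] ET POLICY Constructed sample - executable download [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 203.0.113.10:80 -> 10.0.0.5:51234
03/01/2018-10:15:44.500000  [**] [1:1000003:4] ET MALWARE Constructed sample - beacon to known C2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.0.5:51240 -> 198.51.100.7:443
03/01/2018-10:15:45.000000  [**] [1:1000004:1] ET DNS Constructed sample - query for suspicious TLD [**] [Classification: (null)] [Priority: 3] {UDP} 10.0.0.5:53011 -> 10.0.0.1:53
"""


def split_endpoint(endpoint):
    """Split 'host:port' on the last colon so IPv6 hosts survive."""
    host, _, port = endpoint.rpartition(":")
    return host, int(port)


def is_home(host):
    """True when the address falls inside the assumed HOME_NET."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(addr in net for net in HOME_NET)


def signature_category(msg):
    """ET rule messages start 'ET <CATEGORY> ...' (or 'ETPRO <CATEGORY> ...')."""
    parts = msg.split()
    if len(parts) >= 2 and parts[0] in ("ET", "ETPRO"):
        return parts[1]
    return parts[0] if parts else ""


def parse_fast_log_line(line):
    """Return a dict for one alert line, or None if the line does not match."""
    m = FAST_LOG_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    src_host, src_port = split_endpoint(d["src"])
    dst_host, dst_port = split_endpoint(d["dst"])
    return {
        "ts": d["ts"], "sid": int(d["sid"]), "rev": int(d["rev"]),
        "msg": d["msg"], "category": signature_category(d["msg"]),
        "classification": d["classification"], "priority": int(d["priority"]),
        "proto": d["proto"],
        "src": src_host, "src_port": src_port, "dst": dst_host, "dst_port": dst_port,
    }


def parse_fast_log(text):
    """Parse every alert line in a fast.log body, skipping anything unparseable."""
    return [rec for rec in (parse_fast_log_line(l) for l in text.splitlines()) if rec]


def summarize(alerts):
    """Aggregate alerts by signature, category, priority and external peer."""
    by_signature = Counter((a["sid"], a["msg"]) for a in alerts)
    by_category = Counter(a["category"] for a in alerts)
    by_priority = Counter(a["priority"] for a in alerts)
    external_peers = Counter()
    for a in alerts:
        for host in (a["src"], a["dst"]):
            if not is_home(host):
                external_peers[host] += 1
    # Low-priority informational signatures: candidates to disable before going live.
    sig_meta = {a["sid"]: (a["priority"], a["category"]) for a in alerts}
    noisy = sorted(
        (sid, msg, n) for (sid, msg), n in by_signature.items()
        if sig_meta[sid][0] >= 3 and sig_meta[sid][1] in NOISY_CATEGORIES
    )
    return {"by_signature": by_signature, "by_category": by_category,
            "by_priority": by_priority, "external_peers": external_peers, "noisy": noisy}


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_FAST_LOG
    s = summarize(parse_fast_log(text))
    print("Alerts by signature:")
    for (sid, msg), n in s["by_signature"].most_common():
        print(f"  {n:6d}  sid={sid}  {msg}")
    print("By category:", dict(s["by_category"]))
    print("By priority:", dict(s["by_priority"]))
    print("External peers:", dict(s["external_peers"].most_common()))
    print("Noisy signatures to review before running live:")
    for sid, msg, n in s["noisy"]:
        print(f"  sid={sid} ({n} hits)  {msg}")
```

Run it as `sudo python3 fastlog_triage.py /var/log/suricata/fast.log` after step 5 (the filename is a suggestion). Adjust HOME_NET to match the home-net setting in the suricata-1.3-open.modified.yaml you scanned with, otherwise the external-peer list will be wrong; the noisy-signature list is only a starting point for deciding which rules to keep, since a priority-3 INFO hit can still be the first sign of something that matters.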