FSI/ucstudent/pl-suricata on centos - installation notes.txt
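# Installation of Suricata (CentOS 9) with support for the "nfq" module
#
# Step-by-step notes intended to be run by hand as root, one section at a
# time; this is not a self-contained script. Pick ONE of the two installation
# options, then continue with "Example usage" and "Check logs".
############################################################################
##### Option 1: Install via YUM package manager
yum install epel-release -y
yum install suricata
# Check that suricata has support for NFQ
suricata --build-info | grep NFQ
# Update rules
suricata-update
# Check configuration
suricata -T -c /etc/suricata/suricata.yaml

##### Option 2: Install from source
##### Download and install required packages
# (crb provides the -devel packages below that are not in the base repos)
yum install epel-release -y
dnf config-manager --set-enabled crb
yum groupinstall "Development Tools" -y
yum install -y \
  libpcap-devel \
  pcre-devel \
  libyaml-devel \
  file-devel \
  jansson-devel \
  libcap-ng-devel \
  libnetfilter_queue-devel \
  libnfnetlink-devel \
  libnetfilter_queue \
  zlib-devel \
  pcre2-devel \
  rust cargo \
  wget \
  tar
# Download the latest stable version of Suricata
cd /usr/src/
wget https://www.openinfosecfoundation.org/download/suricata-8.0.3.tar.gz
# NOTE(review): verify the download before unpacking — OISF publishes a
# detached signature for each release next to the tarball; checking it (or at
# least the published checksum) catches a tampered archive before it is built
# and installed system-wide. TODO confirm the exact signature file name.
tar zxvf suricata-8.0.3.tar.gz
# Compile and install
cd suricata-8.0.3/
./configure --enable-nfqueue
make -j"$(nproc)"
make install
make install-conf
make install-rules
ldconfig
# Update rules
/usr/local/bin/suricata-update
##### Check configuration
# A source build installs under /usr/local; use the full path so a packaged
# suricata earlier in PATH is not checked by mistake.
/usr/local/bin/suricata --build-info | grep NFQ
/usr/local/bin/suricata -T -c /usr/local/etc/suricata/suricata.yaml

##### Example usage (paths as installed by Option 2; Option 1 uses
##### /etc/suricata/suricata.yaml and the suricata binary from PATH)
# Send packets to suricata via NFQUEUE.
# NOTE: these rules queue ALL inbound and outbound traffic, including the
# current SSH session. Without --queue-bypass the NFQUEUE target drops every
# queued packet while no process is listening on the queue, so start suricata
# (below) before adding the rules, or append --queue-bypass to fail open
# while testing.
iptables -A OUTPUT -j NFQUEUE --queue-num 0
iptables -A INPUT -j NFQUEUE --queue-num 0
# Run suricata in inline mode (queue 0)
/usr/local/bin/suricata -q 0 -c /usr/local/etc/suricata/suricata.yaml
##### Check logs
# Log files are written to the default-log-dir set in suricata.yaml
# (typically /var/log/suricata); run these from that directory.
# Summarised alerts, one per line, in "fast.log"
cat fast.log
# Detailed attack information in JSON format in "eve.json"
jq 'select(.event_type=="alert")' eve.json | more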