Suricata on FreeBSD 10
After playing around with snort I decided to try out suricata (which is the multi-threaded alternative to snort). From their main page:
Suricata is a high performance Network IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF and its supporting vendors.
Suricata Install
The FreeBSD package is pretty up to date:
elatov@moxz:~$pkg search ^suricata
suricata-2.0.5
Installing it is pretty easy:
elatov@moxz:~$sudo pkg install suricata
Grabbing the rules
Suricata supports the Snort VRT rules as well as the Emerging Threats rules, although not all of the VRT rules are supported, so if you use the VRT rules you will get a couple of errors. You can pick and choose which VRT rules to use; the guide from Suricata only uses the ET rules.
Oinkmaster
If you just want to use the Emerging Threats rules then you can just use oinkmaster. First install it:
elatov@moxz:~$sudo pkg install oinkmaster
After that add the URL for Emerging Threats in the oinkmaster config file (/usr/local/etc/oinkmaster.conf):
url = http://rules.emergingthreats.net/open/suricata/emerging.rules.tar.gz
The rule set had some empty rules, so I added the following to skip them:
skipfile deleted.rules
skipfile emerging-deleted.rules
skipfile rbn.rules
skipfile rbn-malvertisers.rules
skipfile files.rules
skipfile emerging-icmp.rules
After that we can run the following to get the rules:
elatov@moxz:~$oinkmaster -o rules/
Loading /usr/local/etc/oinkmaster.conf
Downloading file from http://rules.emergingthreats.net/open/suricata/emerging.rules.tar.gz... done.
Archive successfully downloaded, unpacking... done.
Setting up rules structures... done.
Processing downloaded rules... disabled 0, enabled 0, modified 0, total=18120
Setting up rules structures... done.
Comparing new files to the old ones... done.
Updating local rules files... done.
[***] Results from Oinkmaster started 20150104 15:27:16 [***]
[*] Rules modifications: [*]
None.
[*] Non-rule line modifications: [*]
None.
[+] Added files (consider updating your snort.conf to include them if needed): [+]
-> botcc.portgrouped.rules
-> botcc.rules
-> BSD-License.txt
-> ciarmy.rules
-> classification.config
-> compromised-ips.txt
-> compromised.rules
-> decoder-events.rules
-> drop.rules
-> dshield.rules
-> emerging-activex.rules
-> emerging-attack_response.rules
-> emerging-chat.rules
-> emerging-current_events.rules
-> emerging-dns.rules
-> emerging-dos.rules
-> emerging-exploit.rules
-> emerging-ftp.rules
-> emerging-games.rules
-> emerging-icmp_info.rules
-> emerging-imap.rules
-> emerging-inappropriate.rules
-> emerging-info.rules
-> emerging-malware.rules
-> emerging-misc.rules
-> emerging-mobile_malware.rules
-> emerging-netbios.rules
-> emerging-p2p.rules
-> emerging-policy.rules
-> emerging-pop3.rules
-> emerging-rpc.rules
-> emerging-scada.rules
-> emerging-scan.rules
-> emerging-shellcode.rules
-> emerging-smtp.rules
-> emerging-snmp.rules
-> emerging-sql.rules
-> emerging-telnet.rules
-> emerging-tftp.rules
-> emerging-trojan.rules
-> emerging-user_agents.rules
-> emerging-voip.rules
-> emerging-web_client.rules
-> emerging-web_server.rules
-> emerging-web_specific_apps.rules
-> emerging-worm.rules
-> emerging.conf
-> gen-msg.map
-> gpl-2.0.txt
-> http-events.rules
-> reference.config
-> sid-msg.map
-> smtp-events.rules
-> stream-events.rules
-> suricata-open.txt
-> tls-events.rules
-> tor.rules
-> unicode.map
Now in the suricata configuration we need to add all those rules, so in the /usr/local/etc/suricata/suricata.yaml file make sure you have something like this:
default-rule-path: /usr/local/etc/suricata/rules
rule-files:
 - botcc.portgrouped.rules
 - botcc.rules
 - ciarmy.rules
 - compromised.rules
 - decoder-events.rules
 - drop.rules
 - dshield.rules
 - emerging-activex.rules
 - emerging-attack_response.rules
 - emerging-chat.rules
 - emerging-current_events.rules
 - emerging-dns.rules
 ...
You will also notice that the rules archive included the following files:
- sid-msg.map
- gen-msg.map
- classification.config
- reference.config
Those files are used by barnyard2 when it adds events to the MySQL DB, to make sure the description, classification and so on of each event are correct. So make sure you have the following in your barnyard2 config (/usr/local/etc/barnyard2.conf):
config reference_file: /usr/local/etc/suricata/rules/reference.config
config classification_file: /usr/local/etc/suricata/rules/classification.config
config gen_file: /usr/local/etc/suricata/rules/gen-msg.map
config sid_file: /usr/local/etc/suricata/rules/sid-msg.map
Pulledpork
With pulledpork you can get both rule sets (VRT and ET). If you want it to automatically fetch the latest VRT rules you actually need the snort binary installed, because pulledpork runs it to discover which version of snort you are on, and if your snort is at the latest version it will grab the latest snort VRT rules. Here is my pulledpork config:
elatov@moxz:~$grep -Ev '^$|^#' /usr/local/etc/pulledpork/pulledpork.conf
rule_url=https://www.snort.org/rules/|snortrules-snapshot.tar.gz|<oinkcode>
rule_url=https://rules.emergingthreatspro.com/open/suricata/|emerging.rules.tar.gz|open
ignore=deleted.rules,experimental.rules,local.rules
temp_path=/tmp
rule_path=/usr/local/etc/suricata/rules/et.rules
local_rules=/usr/local/etc/suricata/rules/local.rules
sid_msg=/usr/local/etc/suricata/sid-msg.map
sid_msg_version=1
sid_changelog=/var/log/suricata/sid_changes.log
snort_path=/usr/local/bin/snort
distro=FreeBSD-9-0
black_list=/usr/local/etc/suricata/rules/iplists/default.blacklist
IPRVersion=/usr/local/etc/suricata/rules/iplists
engine=suricata
version=0.7.0
Then we can get both rule sets in one big file (/usr/local/etc/suricata/rules/et.rules):
elatov@moxz:~$pulledpork.pl -c /usr/local/etc/pulledpork/pulledpork.conf -vv
http://code.google.com/p/pulledpork/
_____ ____
`----,\ )
`--==\\ / PulledPork v0.7.0 - Swine Flu!
`--==\\/
.-~~~~-.Y|\\_ Copyright (C) 2009-2013 JJ Cummings
@_/ / 66\_ cummingsj@gmail.com
| \ \ _(")
\ /-| ||'--' Rules give me wings!
\_\ \_\\
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Config File Variable Debug /usr/local/etc/pulledpork/pulledpork.conf
snort_path = /usr/local/bin/snort
sid_msg_version = 1
ignore = deleted.rules,experimental.rules,local.rules
local_rules = /usr/local/etc/suricata/rules/local.rules
rule_url = ARRAY(0x8532df48)
distro = FreeBSD-9-0
sid_msg = /usr/local/etc/suricata/sid-msg.map
temp_path = /tmp
sid_changelog = /var/log/suricata/id_changes.log
black_list = /usr/local/etc/suricata/rules/default.blacklist
engine = suricata
rule_path = /usr/local/etc/suricata/rules
IPRVersion = /usr/local/etc/suricata/rules/iplists
version = 0.7.0
MISC (CLI and Autovar) Variable Debug:
arch Def is: x86-64
Config Path is: /usr/local/etc/pulledpork/pulledpork.conf
Distro Def is: FreeBSD-9-0
Disabled policy specified
local.rules path is: /usr/local/etc/suricata/rules/local.rules
Rules file is: /tmp/rules
sid changes will be logged to: /var/log/suricata/id_changes.log
sid-msg.map Output Path is: /usr/local/etc/suricata/sid-msg.map
Snort Version is: 2.9.7.0
Snort Path is: /usr/local/bin/snort
Will process SO rules
Extra Verbose Flag is Set
Verbose Flag is Set
Base URL is: https://www.snort.org/rules/|snortrules-snapshot.tar.gz|<oinkcode> https://rules.emergingthreatspro.com/open/suricata/|emerging.rules.tar.gz|open
Checking latest MD5 for snortrules-snapshot-2970.tar.gz....
Fetching md5sum for: snortrules-snapshot-2970.tar.gz.md5
** GET https://www.snort.org/reg-rules/snortrules-snapshot-2970.tar.gz.md5/<oinkcode> ==> 200 OK (1s)
most recent rules file digest: 455a8281b7cfca05526356d0f16c4362
Rules tarball download of snortrules-snapshot-2970.tar.gz....
Fetching rules file: snortrules-snapshot-2970.tar.gz
** GET https://www.snort.org/reg-rules/snortrules-snapshot-2970.tar.gz/<oinkode> ==> 302 Found
storing file at: /tmp/snortrules-snapshot-2970.tar.gz
current local rules file digest: 455a8281b7cfca05526356d0f16c4362
The MD5 for snortrules-snapshot-2970.tar.gz matched 455a8281b7cfca05526356d0f16c4362
Checking latest MD5 for emerging.rules.tar.gz....
Fetching md5sum for: emerging.rules.tar.gz.md5
** GET https://rules.emergingthreatspro.com/open/suricata//emerging.rules.tar.gz.md5 ==> 200 OK (1s)
most recent rules file digest: f54360373f97d972a154742e39289b1c
Rules tarball download of emerging.rules.tar.gz....
Fetching rules file: emerging.rules.tar.gz
** GET https://rules.emergingthreatspro.com/open/suricata//emerging.rules.tar.gz ==> 200 OK (4s)
storing file at: /tmp/emerging.rules.tar.gz
current local rules file digest: f54360373f97d972a154742e39289b1c
The MD5 for emerging.rules.tar.gz matched f54360373f97d972a154742e39289b1c
Prepping rules from emerging.rules.tar.gz for work....
extracting contents of /tmp/emerging.rules.tar.gz...
Ignoring plaintext rules: deleted.rules
Ignoring plaintext rules: experimental.rules
Ignoring plaintext rules: local.rules
Extracted: /tha_rules/ET-emerging-netbios.rules
Extracted: /tha_rules/ET-http-events.rules
Extracted: /tha_rules/ET-emerging-tftp.rules
Extracted: /tha_rules/ET-emerging-telnet.rules
Extracted: /tha_rules/ET-botcc.portgrouped.rules
Extracted: /tha_rules/ET-emerging-ftp.rules
Extracted: /tha_rules/ET-emerging-shellcode.rules
Extracted: /tha_rules/ET-emerging-imap.rules
Extracted: /tha_rules/ET-emerging-deleted.rules
Extracted: /tha_rules/ET-emerging-games.rules
Extracted: /tha_rules/ET-tls-events.rules
Extracted: /tha_rules/ET-emerging-misc.rules
Extracted: /tha_rules/ET-emerging-dos.rules
Extracted: /tha_rules/ET-emerging-worm.rules
Extracted: /tha_rules/ET-smtp-events.rules
Extracted: /tha_rules/ET-emerging-rpc.rules
Extracted: /tha_rules/ET-botcc.rules
Extracted: /tha_rules/ET-emerging-p2p.rules
Extracted: /tha_rules/ET-emerging-malware.rules
Extracted: /tha_rules/ET-emerging-exploit.rules
Extracted: /tha_rules/ET-emerging-policy.rules
Extracted: /tha_rules/ET-emerging-activex.rules
Extracted: /tha_rules/ET-emerging-scan.rules
Extracted: /tha_rules/ET-compromised.rules
Extracted: /tha_rules/ET-emerging-current_events.rules
Extracted: /tha_rules/ET-emerging-inappropriate.rules
Extracted: /tha_rules/ET-rbn.rules
Extracted: /tha_rules/ET-ciarmy.rules
Extracted: /tha_rules/ET-stream-events.rules
Extracted: /tha_rules/ET-emerging-icmp.rules
Extracted: /tha_rules/ET-decoder-events.rules
Extracted: /tha_rules/ET-emerging-chat.rules
Extracted: /tha_rules/ET-emerging-icmp_info.rules
Extracted: /tha_rules/ET-rbn-malvertisers.rules
Extracted: /tha_rules/ET-emerging-web_client.rules
Extracted: /tha_rules/ET-emerging-user_agents.rules
Extracted: /tha_rules/ET-files.rules
Extracted: /tha_rules/ET-emerging-trojan.rules
Extracted: /tha_rules/ET-emerging-dns.rules
Extracted: /tha_rules/ET-emerging-pop3.rules
Extracted: /tha_rules/ET-emerging-scada.rules
Extracted: /tha_rules/ET-emerging-smtp.rules
Extracted: /tha_rules/ET-emerging-attack_response.rules
Extracted: /tha_rules/ET-emerging-info.rules
Extracted: /tha_rules/ET-emerging-sql.rules
Extracted: /tha_rules/ET-drop.rules
Extracted: /tha_rules/ET-emerging-mobile_malware.rules
Extracted: /tha_rules/ET-emerging-snmp.rules
Extracted: /tha_rules/ET-emerging-web_specific_apps.rules
Extracted: /tha_rules/ET-tor.rules
Extracted: /tha_rules/ET-dshield.rules
Extracted: /tha_rules/ET-emerging-voip.rules
Extracted: /tha_rules/ET-emerging-web_server.rules
Prepping rules from snortrules-snapshot-2970.tar.gz for work....
extracting contents of /tmp/snortrules-snapshot-2970.tar.gz...
Ignoring plaintext rules: deleted.rules
Ignoring plaintext rules: experimental.rules
Ignoring plaintext rules: local.rules
Extracted: /tha_rules/VRT-snmp.rules
Extracted: /tha_rules/VRT-exploit.rules
Extracted: /tha_rules/VRT-exploit-kit.rules
Extracted: /tha_rules/VRT-pua-p2p.rules
Extracted: /tha_rules/VRT-browser-chrome.rules
Extracted: /tha_rules/VRT-malware-tools.rules
Extracted: /tha_rules/VRT-file-flash.rules
Extracted: /tha_rules/VRT-os-solaris.rules
Extracted: /tha_rules/VRT-file-image.rules
Extracted: /tha_rules/VRT-rservices.rules
Extracted: /tha_rules/VRT-protocol-scada.rules
Extracted: /tha_rules/VRT-browser-webkit.rules
Extracted: /tha_rules/VRT-malware-cnc.rules
Extracted: /tha_rules/VRT-os-other.rules
Extracted: /tha_rules/VRT-telnet.rules
Extracted: /tha_rules/VRT-scada.rules
Extracted: /tha_rules/VRT-dns.rules
Extracted: /tha_rules/VRT-web-misc.rules
Extracted: /tha_rules/VRT-multimedia.rules
Extracted: /tha_rules/VRT-app-detect.rules
Extracted: /tha_rules/VRT-sql.rules
Extracted: /tha_rules/VRT-indicator-obfuscation.rules
Extracted: /tha_rules/VRT-web-coldfusion.rules
Extracted: /tha_rules/VRT-policy-multimedia.rules
Extracted: /tha_rules/VRT-imap.rules
Extracted: /tha_rules/VRT-sensitive-data.rules
Extracted: /tha_rules/VRT-icmp-info.rules
Extracted: /tha_rules/VRT-ftp.rules
Extracted: /tha_rules/VRT-web-attacks.rules
Extracted: /tha_rules/VRT-misc.rules
Extracted: /tha_rules/VRT-policy.rules
Extracted: /tha_rules/VRT-tftp.rules
Extracted: /tha_rules/VRT-protocol-imap.rules
Extracted: /tha_rules/VRT-spyware-put.rules
Extracted: /tha_rules/VRT-protocol-ftp.rules
Extracted: /tha_rules/VRT-finger.rules
Extracted: /tha_rules/VRT-server-other.rules
Extracted: /tha_rules/VRT-other-ids.rules
Extracted: /tha_rules/VRT-browser-ie.rules
Extracted: /tha_rules/VRT-protocol-other.rules
Extracted: /tha_rules/VRT-rpc.rules
Extracted: /tha_rules/VRT-malware-other.rules
Extracted: /tha_rules/VRT-bad-traffic.rules
Extracted: /tha_rules/VRT-content-replace.rules
Extracted: /tha_rules/VRT-shellcode.rules
Extracted: /tha_rules/VRT-oracle.rules
Extracted: /tha_rules/VRT-file-executable.rules
Extracted: /tha_rules/VRT-smtp.rules
Extracted: /tha_rules/VRT-file-java.rules
Extracted: /tha_rules/VRT-server-mssql.rules
Extracted: /tha_rules/VRT-server-mail.rules
Extracted: /tha_rules/VRT-chat.rules
Extracted: /tha_rules/VRT-web-client.rules
Extracted: /tha_rules/VRT-browser-other.rules
Extracted: /tha_rules/VRT-virus.rules
Extracted: /tha_rules/VRT-file-other.rules
Extracted: /tha_rules/VRT-file-office.rules
Extracted: /tha_rules/VRT-protocol-services.rules
Extracted: /tha_rules/VRT-protocol-nntp.rules
Extracted: /tha_rules/VRT-server-webapp.rules
Extracted: /tha_rules/VRT-pop3.rules
Extracted: /tha_rules/VRT-x11.rules
Extracted: /tha_rules/VRT-pua-other.rules
Extracted: /tha_rules/VRT-dos.rules
Extracted: /tha_rules/VRT-browser-firefox.rules
Extracted: /tha_rules/VRT-web-frontpage.rules
Extracted: /tha_rules/VRT-protocol-pop.rules
Extracted: /tha_rules/VRT-os-mobile.rules
Extracted: /tha_rules/VRT-preprocessor.rules
Extracted: /tha_rules/VRT-server-samba.rules
Extracted: /tha_rules/VRT-indicator-scan.rules
Extracted: /tha_rules/VRT-indicator-shellcode.rules
Extracted: /tha_rules/VRT-os-windows.rules
Extracted: /tha_rules/VRT-pop2.rules
Extracted: /tha_rules/VRT-protocol-voip.rules
Extracted: /tha_rules/VRT-malware-backdoor.rules
Extracted: /tha_rules/VRT-browser-plugins.rules
Extracted: /tha_rules/VRT-phishing-spam.rules
Extracted: /tha_rules/VRT-server-mysql.rules
Extracted: /tha_rules/VRT-scan.rules
Extracted: /tha_rules/VRT-protocol-telnet.rules
Extracted: /tha_rules/VRT-policy-social.rules
Extracted: /tha_rules/VRT-web-cgi.rules
Extracted: /tha_rules/VRT-attack-responses.rules
Extracted: /tha_rules/VRT-protocol-rpc.rules
Extracted: /tha_rules/VRT-protocol-tftp.rules
Extracted: /tha_rules/VRT-blacklist.rules
Extracted: /tha_rules/VRT-nntp.rules
Extracted: /tha_rules/VRT-mysql.rules
Extracted: /tha_rules/VRT-server-apache.rules
Extracted: /tha_rules/VRT-protocol-finger.rules
Extracted: /tha_rules/VRT-voip.rules
Extracted: /tha_rules/VRT-p2p.rules
Extracted: /tha_rules/VRT-specific-threats.rules
Extracted: /tha_rules/VRT-pua-toolbars.rules
Extracted: /tha_rules/VRT-file-pdf.rules
Extracted: /tha_rules/VRT-server-oracle.rules
Extracted: /tha_rules/VRT-web-iis.rules
Extracted: /tha_rules/VRT-indicator-compromise.rules
Extracted: /tha_rules/VRT-netbios.rules
Extracted: /tha_rules/VRT-botnet-cnc.rules
Extracted: /tha_rules/VRT-protocol-snmp.rules
Extracted: /tha_rules/VRT-file-multimedia.rules
Extracted: /tha_rules/VRT-ddos.rules
Extracted: /tha_rules/VRT-policy-spam.rules
Extracted: /tha_rules/VRT-decoder.rules
Extracted: /tha_rules/VRT-pua-adware.rules
Extracted: /tha_rules/VRT-icmp.rules
Extracted: /tha_rules/VRT-file-identify.rules
Extracted: /tha_rules/VRT-policy-other.rules
Extracted: /tha_rules/VRT-web-php.rules
Extracted: /tha_rules/VRT-protocol-icmp.rules
Extracted: /tha_rules/VRT-backdoor.rules
Extracted: /tha_rules/VRT-server-iis.rules
Extracted: /tha_rules/VRT-info.rules
Extracted: /tha_rules/VRT-protocol-dns.rules
Extracted: /tha_rules/VRT-web-activex.rules
Extracted: /tha_rules/VRT-os-linux.rules
Reading rules...
Cleanup....
removed 173 temporary snort files or directories from /tmp/tha_rules!
Setting Flowbit State....
Enabled 63 flowbits
Done
Writing /tmp/rules....
Done
Generating sid-msg.map....
Done
Writing v1 /tmp/sid-msg.map....
Done
Writing /tmp/id_changes.log....
Done
Rule Stats...
New:-------42899
Deleted:---0
Enabled Rules:----22469
Dropped Rules:----0
Disabled Rules:---20429
Total Rules:------42898
No IP Blacklist Changes
Done
Please review /var/log/suricata/id_changes.log for additional details
Fly Piggy Fly!
At this point we can modify the suricata config file (/usr/local/etc/suricata/suricata.yaml) and just define one rule file and comment out the rest:
default-rule-path: /usr/local/etc/suricata/rules
rule-files:
 - et.rules
 # - botcc.portgrouped.rules
 # - botcc.rules
 # - ciarmy.rules
 # - compromised.rules
Now we can modify the barnyard2 config (/usr/local/etc/barnyard2.conf) to point to the correct classification files (most of these come with the suricata install, they just have a .template suffix):
config reference_file: /usr/local/etc/suricata/reference.config
config classification_file: /usr/local/etc/suricata/classification.config
config gen_file: /usr/local/etc/suricata/gen-msg.map
config sid_file: /usr/local/etc/suricata/sid-msg.map
Now the configuration is ready for the rules part.
If you really want to you can use both in conjunction (oinkmaster for ET and pulledpork for VRT). You would then have to use the create-sidmap.pl script (available in the oinkmaster source) to generate the sid-msg.map file from the rules directories. The usage is described in the oinkmaster FAQ:
create-sidmap.pl /etc/snort/rules/official/ \
/etc/snort/rules/bleeding/ \
/etc/snort/rules/local/ \
> /etc/snort/sid-msg.map
If you ever need to generate the gen-msg.map file manually, the process is described here:
awk -F '|' '{print "1 || "$1" || "$3}' /etc/snort/rules/sid-msg.map > /etc/snort/rules/gen-msg.map
Pulledpork already takes care of the sid-msg.map file and it sounds like it will get to the gen-msg.map file eventually as well.
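To show what create-sidmap.pl and the awk one-liner above actually compute, here is an added example (my own shell script, not part of oinkmaster, pulledpork or Suricata) that builds a v1 sid-msg.map from one or more rules directories and then derives gen-msg.map from it. The function names make_sidmap and make_genmap are made up for this example; the map formats are the ones the files above use, and the script assumes one rule per line and no escaped semicolons inside msg strings.

```shell
#!/bin/sh
# Added example, not part of oinkmaster, pulledpork or Suricata: build a v1
# sid-msg.map ("sid || msg || ref ...") from rules directories, the job
# create-sidmap.pl does, and derive gen-msg.map ("gid || sid || msg") from it.
# Assumes rules are one per line and that msg texts contain no escaped ";".

# make_sidmap DIR [DIR ...]   -> v1 sid-msg.map on stdout, sorted by sid
make_sidmap() {
    # concatenate every rules file, keep only active rules (comments skipped),
    # pull sid/msg/reference out of the option block, sort numerically by sid
    for dir in "$@"; do
        cat "$dir"/*.rules 2>/dev/null
    done |
    grep -E '^(alert|drop|pass|reject) ' |
    awk '
    {
        sid = ""; msg = ""; refs = ""
        opts = $0
        sub(/^[^(]*\(/, "", opts)
        sub(/\)[ \t]*$/, "", opts)
        n = split(opts, o, ";")
        for (i = 1; i <= n; i++) {
            kv = o[i]
            sub(/^[ \t]+/, "", kv)
            if (kv ~ /^sid:/) {
                sid = substr(kv, 5); gsub(/[ \t]/, "", sid)
            } else if (kv ~ /^msg:/) {
                msg = substr(kv, 5)
                sub(/^[ \t]*"/, "", msg); sub(/"[ \t]*$/, "", msg)
            } else if (kv ~ /^reference:/) {
                r = substr(kv, 11); gsub(/[ \t]/, "", r)
                refs = refs " || " r
            }
        }
        if (sid != "" && msg != "") print sid " || " msg refs
    }' |
    sort -n
}

# make_genmap SIDMAP   -> gen-msg.map on stdout; rules-file signatures have gid 1
make_genmap() {
    awk -F ' [|][|] ' '{ print "1 || " $1 " || " $2 }' "$1"
}

# Usage: sh make-maps.sh /usr/local/etc/suricata/rules [more dirs] > sid-msg.map
if [ "$#" -ge 1 ]; then
    make_sidmap "$@"
fi
```

Feed it the directories oinkmaster and pulledpork write to, redirect the output to sid-msg.map, and run make_genmap on that file for gen-msg.map; both files can then be pointed at from barnyard2.conf as shown earlier.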
Suricata Configuration
Since we will be using barnyard2 let’s configure suricata to log output in unified2 format:
outputs:
  # a line based alerts log similar to Snort's fast.log
  - fast:
      enabled: yes
      filename: fast.log
      append: yes
  - unified2-alert:
      enabled: yes
      filename: merged.log
Since we will be running in daemon mode let’s disable console mode:
logging:
  outputs:
  - console:
      enabled: no
  - file:
      enabled: yes
      filename: /var/log/suricata/suricata.log
  - syslog:
      enabled: no
      facility: local5
      format: "[%i] <%d> -- "
With Suricata you can actually reload rules without restarting the whole daemon (pretty cool). Here is the setting for that:
detect-engine:
  - profile: medium
  - custom-values:
      toclient-src-groups: 2
      toclient-dst-groups: 2
      toclient-sp-groups: 2
      toclient-dp-groups: 3
      toserver-src-groups: 2
      toserver-dst-groups: 4
      toserver-sp-groups: 2
      toserver-dp-groups: 25
  - sgh-mpm-context: auto
  - inspection-recursion-limit: 3000
  # When rule-reload is enabled, sending a USR2 signal to the Suricata process
  # will trigger a live rule reload. Experimental feature, use with care.
  - rule-reload: true
Lastly make sure the configuration is okay:
elatov@moxz:~$sudo suricata -c /usr/local/etc/suricata/suricata.yaml -T -i em0
4/1/2015 -- 16:05:52 - <Info> - Running suricata under test mode
Then add the following to /etc/rc.conf to enable the suricata daemon:
elatov@moxz:~$grep suricata /etc/rc.conf
suricata_enable="YES"
suricata_interface="em0"
suricata_flags="-D -v"
Then you can start the service with the following:
elatov@moxz:~$sudo service suricata start
and don’t forget to start barnyard2 (btw the full setup for that and snorby are here):
elatov@moxz:~$sudo service barnyard2 start
If you update the rules, you can run the following to reload them. First find out the PID:
elatov@moxz:~$ps -auwwx | grep suri
root 27081 107.9 31.4 741544 650528 - Ss 4:10PM 0:10.27 /usr/local/bin/suricata -D -v -i em0 --pidfile /var/run/suricata_em0.pid -c /usr/local/etc/suricata/suricata.yaml
and then send a USR2 signal to the process:
elatov@moxz:~$sudo kill -USR2 27081
and if you check out the logs (/var/log/suricata/suricata.log) you will see the following:
4/1/2015 -- 16:10:47 - <Notice> - rule reload starting
4/1/2015 -- 16:10:47 - <Info> - IP reputation disabled
4/1/2015 -- 16:10:52 - <Info> - 1 rule files processed. 21150 rules successfully loaded, 1319 rules failed
4/1/2015 -- 16:10:52 - <Info> - 21158 signatures processed. 1075 are IP-only rules, 7314 are inspecting packet payload, 15524 inspect application layer, 72 are decoder event only
4/1/2015 -- 16:10:52 - <Info> - building signature grouping structure, stage 1: preprocessing rules... complete
4/1/2015 -- 16:10:53 - <Info> - building signature grouping structure, stage 2: building source address list... complete
4/1/2015 -- 16:10:56 - <Info> - building signature grouping structure, stage 3: building destination address lists... complete
4/1/2015 -- 16:10:58 - <Info> - Threshold config parsed: 0 rule(s) found
4/1/2015 -- 16:10:58 - <Info> - Live rule swap has swapped 1 old det_ctx's with new ones, along with the new de_ctx
4/1/2015 -- 16:10:58 - <Info> - cleaning up signature grouping structure... complete
4/1/2015 -- 16:10:58 - <Notice> - rule reload complete
You will notice some rules failed to load; those are the VRT rules that are written specifically for Snort and not for Suricata. After some time you will see new events getting fired:
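As an added example that is not from the original post, the script below wraps the reload procedure just described: it runs the same suricata -T config test first, reads the PID from the pidfile the rc script passes (/var/run/suricata_em0.pid in the ps output above), sends USR2, waits for the "rule reload complete" line, and then parses the "rules successfully loaded, N rules failed" line so a cron job or operator gets the failure count as an exit status instead of having to read suricata.log. The variable names, the 60-second wait and the --run flag are choices made for this example; the paths are the ones used on this page and can be overridden through the environment.

```shell
#!/bin/sh
# Added example, not from the original post: test the config, then live-reload
# rules and report whether any failed to load. Paths default to the ones used
# on this page; override them in the environment if your layout differs.
SURICATA_BIN=${SURICATA_BIN:-/usr/local/bin/suricata}
SURICATA_CONF=${SURICATA_CONF:-/usr/local/etc/suricata/suricata.yaml}
SURICATA_IF=${SURICATA_IF:-em0}
SURICATA_PID=${SURICATA_PID:-/var/run/suricata_em0.pid}
SURICATA_LOG=${SURICATA_LOG:-/var/log/suricata/suricata.log}

# reload_summary LOGFILE
# Reads the last "N rules successfully loaded, M rules failed" line, prints
# "N M" and returns 0 when M is 0, 1 when rules failed, 2 when no such line exists.
reload_summary() {
    awk '
    /rules successfully loaded/ {
        for (i = 1; i <= NF; i++) {
            if ($(i + 1) == "rules" && $(i + 2) == "successfully") loaded = $i
            if ($(i + 1) == "rules" && $(i + 2) == "failed")       failed = $i
        }
        found = 1
    }
    END {
        if (!found) exit 2
        print loaded, failed
        code = (failed + 0 > 0) ? 1 : 0
        exit code
    }' "$1"
}

# reload_rules
# Refuses to signal the daemon unless the config and rules pass test mode, then
# sends USR2 and waits (up to 60 s) for "rule reload complete" to be logged.
reload_rules() {
    if ! "$SURICATA_BIN" -c "$SURICATA_CONF" -T -i "$SURICATA_IF" >/dev/null 2>&1; then
        echo "config test failed, not reloading" >&2
        return 1
    fi
    pid=$(cat "$SURICATA_PID" 2>/dev/null)
    case "$pid" in
        ''|*[!0-9]*) echo "no usable pid in $SURICATA_PID" >&2; return 1 ;;
    esac
    # remember where the log ends so only lines written after the signal count
    before=$(wc -l < "$SURICATA_LOG" | tr -d ' ')
    kill -USR2 "$pid" || return 1
    i=0
    while [ "$i" -lt 60 ]; do
        if tail -n +"$((before + 1))" "$SURICATA_LOG" | grep -q 'rule reload complete'; then
            reload_summary "$SURICATA_LOG"
            return $?
        fi
        sleep 1
        i=$((i + 1))
    done
    echo "timed out waiting for rule reload to finish" >&2
    return 1
}

# Usage: sudo sh reload-rules.sh --run   (exit 1 means some rules failed to load)
if [ "${1:-}" = "--run" ]; then
    reload_rules
fi
```

Running the config test first matters because a typo in a freshly downloaded rules file is caught before the live swap, and the non-zero exit on failed rules makes the VRT-only rules mentioned above visible in whatever runs the script after each rule update.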
elatov@moxz:~$ls -lart /var/log/suricata/ | tail -4
-rw-r--r-- 1 root wheel 1852307 Jan 4 16:10 suricata.log
-rw-r----- 1 root wheel 194 Jan 4 16:15 merged.log.1420413029
-rw-r----- 1 root wheel 4513 Jan 4 16:15 fast.log
-rw-r--r-- 1 snort snort 2056 Jan 4 16:15 barnyard2.waldo
I enabled the fast.log just for now so I could see what alerts are getting fired without checking snorby or the DB. And I saw the following:
elatov@moxz:~$tail -4 /var/log/suricata/fast.log
01/04/2015-08:08:39.990476 [**] [1:2210016:1] SURICATA STREAM CLOSEWAIT FIN out of window [**] [Classification: (null)] [Priority: 3] {TCP} 10.0.0.3:10050 -> 10.0.0.2:52628
01/04/2015-12:24:02.543448 [**] [1:2100366:8] GPL ICMP_INFO PING *NIX [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.114:8 -> 10.0.0.3:0
01/04/2015-14:02:00.402123 [**] [1:2522386:2079] ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 194 [**] [Classification: Misc Attack] [Priority: 2] {UDP} 173.255.194.200:123 -> 10.0.0.3:123
01/04/2015-16:15:16.557229 [**] [1:2100366:8] GPL ICMP_INFO PING *NIX [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.114:8 -> 10.0.0.3:0
Notice I have a ping test alert.
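The four lines above show the whole fast.log layout: timestamp, [gid:sid:rev] and message between the two [**] markers, then classification, priority, protocol and the flow. Here is an added example (my own, not from the post) that summarises a fast.log by signature, printing count, priority, gid:sid:rev and message with the noisiest signature first and an optional priority cutoff (1 is the most severe). The function name fastlog_summary and the cutoff argument are assumptions of this example. Note that the STREAM alert above carries "Classification: (null)" because that stream-events rule has no classtype, which is why its priority comes from the default rather than from classification.config.

```shell
#!/bin/sh
# Added example, not from the original post: summarise Suricata's fast.log
# by signature. Each alert line has the shape
#   <time> [**] [gid:sid:rev] <msg> [**] [Classification: <c>] [Priority: <p>] {<proto>} <src> -> <dst>

# fastlog_summary FILE [MAXPRIO]
# Prints one line per signature: "count<TAB>priority<TAB>gid:sid:rev<TAB>msg",
# highest count first, then most severe priority first (1 is most severe).
# With MAXPRIO set, signatures with a numerically higher (less severe)
# priority are dropped.
fastlog_summary() {
    tab=$(printf '\t')
    awk -v maxprio="${2:-}" '
    {
        # the two "[**] " markers split the line into time, signature, details
        n = split($0, part, /\[\*\*\] /)
        if (n < 3) next
        sig = part[2]
        if (!match(sig, /^\[[0-9]+:[0-9]+:[0-9]+\]/)) next
        id  = substr(sig, 2, RLENGTH - 2)      # "gid:sid:rev" without the brackets
        msg = substr(sig, RLENGTH + 2)         # text after "] "
        sub(/[ \t]+$/, "", msg)
        prio = part[3]
        sub(/.*\[Priority: /, "", prio)
        sub(/\].*/, "", prio)
        if (maxprio != "" && prio + 0 > maxprio + 0) next
        count[prio "\t" id "\t" msg]++
    }
    END { for (k in count) print count[k] "\t" k }
    ' "$1" | sort -t "$tab" -k1,1nr -k2,2n
}

# Usage: sh fastlog-summary.sh /var/log/suricata/fast.log [MAXPRIO]
if [ "$#" -ge 1 ]; then
    fastlog_summary "$@"
fi
```

On the four lines above this prints the ICMP ping signature first with a count of 2, then the Tor relay alert (priority 2) and the stream event (priority 3); passing 2 as the cutoff leaves only the Tor line, which is the quick way to see whether anything beyond test pings and stream noise fired.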