Lukáš Šišmiš
Lukáš Šišmiš is a core team member of the open-source Suricata IDS project where he focuses on the acceleration of network packet processing through the optimized datapath library - DPDK. He is also a Ph.D. student at BUT FIT and a researcher at Cesnet.
Open Information Security Foundation
Job title – Software Engineer
Session
This session offers a practical introduction to Suricata, an open-source Network Intrusion Detection and Intrusion Prevention System (IDS/IPS), focusing on its role in detecting and mitigating network threats. Through a series of hands-on exercises, participants will learn the fundamentals of network security monitoring and how Suricata can be used to secure networks.
Attendees will work through a series of exercises in which they evaluate network traffic and identify threats and anomalies. The workshop is an opportunity to explore Suricata's features for improving network security.
Instructions
To keep the focus on network traffic inspection, attendees should bring their own laptop with Suricata and Evebox installed and ready to use. Ubuntu is the most common choice, but another OS or a virtual machine also works. You can use a native installation or the Docker images (e.g., on macOS or Windows).
Native installation:
How to install Suricata (Ubuntu/Debian/CentOS...):
https://docs.suricata.io/en/latest/install.html#ubuntu-from-personal-package-archives-ppa
How to install Evebox:
Installation through the APT/RPM repository is recommended:
https://evebox.org/docs/install/
Docker:
Environment preparation
Have Docker installed and change into a folder that will be the working directory for the Suricata and Evebox containers:
mkdir -p suricata-demo/{etc,pcap,rules,logs}
cd suricata-demo/
Rule and config file initialization (downloads the default ruleset into rules/ and lets the image populate etc/ with its default suricata.yaml on first run):
sudo docker run --rm -it -v $(pwd)/etc:/etc/suricata -v $(pwd)/rules:/var/lib/suricata/rules jasonish/suricata:latest suricata-update --no-reload --no-test && suricata -V
The trailing "&& suricata -V" is executed by your host shell, not inside the container, so it only prints a version if Suricata is also installed natively; drop it otherwise. The rules/ and etc/ directories must be populated by this step, because the next command mounts both read-only.
Running a capture through Suricata and viewing the result in Evebox. PCAP_PATH should be the only thing you need to adjust: set it to the path of the PCAP you want to inspect. The command clears pcap/ and logs/, copies the capture in, runs Suricata against it with the downloaded ruleset and config, and then serves the resulting eve.json with Evebox on port 5636:
PCAP_PATH=~/Downloads/HTTP.cap && rm -f $(pwd)/{pcap,logs}/* && cp $PCAP_PATH "$(pwd)/pcap/" && \
sudo docker run --rm -v "$(pwd)/pcap:/pcap:ro" -v "$(pwd)/rules:/rules:ro" -v "$(pwd)/etc:/etc/suricata:ro" -v "$(pwd)/logs:/var/log/suricata" \
  jasonish/suricata:latest suricata -r /pcap -l /var/log/suricata -S /rules/suricata.rules -c /etc/suricata/suricata.yaml && \
sudo docker run --rm -v "$(pwd)/logs:/var/log/suricata:ro" -p 5636:5636 jasonish/evebox:latest evebox oneshot --host 0.0.0.0 /var/log/suricata/eve.json
Suricata's -r accepts a directory as well as a single file, so passing /pcap reads every capture in that folder; this avoids relying on a shell inside the container to expand /pcap/*. The -S flag loads the given rules file exclusively (ignoring the rule-files list in suricata.yaml), which is why the file produced by suricata-update is passed explicitly.
If you run on Windows, the instructions may need adjusting; a Linux-based VM is usually the easiest route.
Verify the setup
You can verify the installation by:
- downloading a sample pcap, e.g., from https://wiki.wireshark.org/samplecaptures
- running the pcap through Suricata and Evebox with this command (or use the Docker command above):
suricata -r |PATH_TO_PCAP| -l /tmp/ -S /dev/null -k none && sudo evebox oneshot /tmp/eve.json
Here -S /dev/null loads no rules at all, so you will see flow and protocol events (http, dns, tls, ...) but no alerts; -k none disables checksum validation so that packets captured with checksum offloading are not discarded. Replace |PATH_TO_PCAP| with the path to the downloaded file.
In the Events section of the Evebox web UI (http://localhost:5636 for the Docker command), you should now see Suricata events.
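As an added example, not code from the workshop page or from the Suricata/Evebox projects, the Docker procedure above wrapped in a POSIX shell script that also checks eve.json before opening Evebox: it counts events per event_type with grep/sed (no jq needed) and refuses to start Evebox when the run produced no events, while treating "no alerts" only as a warning, since a capture that matches no signature still yields flow and protocol records. The image names, mount layout and Suricata/Evebox flags are the ones used on this page; the script's function names, the "run" subcommand and the constructed eve.json records used for the offline self-check are assumptions.

```shell
#!/bin/sh
# Added example (not from the workshop page): wraps the Docker workflow and
# checks eve.json offline before opening Evebox. Usage:
#   ./suricata-demo.sh run /path/to/capture.pcap   (full pipeline, needs Docker)
#   ./suricata-demo.sh                             (offline self-check only)
set -eu

SURICATA_IMAGE="jasonish/suricata:latest"   # same images as on the page
EVEBOX_IMAGE="jasonish/evebox:latest"
WORKDIR="$PWD/suricata-demo"                # hypothetical location, adjust freely

# Count records per event_type in an eve.json file using only grep/sed/sort,
# so it works without jq. Prints "<count> <event_type>", most frequent first.
eve_event_counts() {
    grep -o '"event_type": *"[^"]*"' "$1" \
        | sed 's/.*"event_type": *"\([^"]*\)"/\1/' \
        | sort | uniq -c | sort -rn \
        | awk '{print $1, $2}'
}

# Number of alert records in an eve.json file (0 when grep finds none).
eve_alert_count() {
    grep -c '"event_type": *"alert"' "$1" || true
}

# Fail (return 1) if the log is missing/empty or has no events at all;
# only warn when events exist but no rule fired.
check_eve() {
    eve="$1"
    [ -s "$eve" ] || { echo "error: $eve is missing or empty" >&2; return 1; }
    total=$(grep -c '"event_type"' "$eve" || true)
    [ "$total" -gt 0 ] || { echo "error: no events in $eve" >&2; return 1; }
    echo "event types in $eve:"
    eve_event_counts "$eve" | sed 's/^/  /'
    if [ "$(eve_alert_count "$eve")" -eq 0 ]; then
        echo "note: no alerts; protocol records exist but no signature matched" >&2
    fi
    return 0
}

# Full pipeline: init rules/config once, run the PCAP, check the log, start Evebox.
run_demo() {
    pcap_path="$1"
    [ -f "$pcap_path" ] || { echo "usage: $0 run <pcap>" >&2; return 1; }
    mkdir -p "$WORKDIR/etc" "$WORKDIR/pcap" "$WORKDIR/rules" "$WORKDIR/logs"
    if [ ! -f "$WORKDIR/rules/suricata.rules" ]; then
        sudo docker run --rm -v "$WORKDIR/etc:/etc/suricata" \
            -v "$WORKDIR/rules:/var/lib/suricata/rules" \
            "$SURICATA_IMAGE" suricata-update --no-reload --no-test
    fi
    rm -f "$WORKDIR"/pcap/* "$WORKDIR"/logs/*
    cp "$pcap_path" "$WORKDIR/pcap/"
    # -r with a directory reads every capture in it; -S loads only the given rules file.
    sudo docker run --rm -v "$WORKDIR/pcap:/pcap:ro" -v "$WORKDIR/rules:/rules:ro" \
        -v "$WORKDIR/etc:/etc/suricata:ro" -v "$WORKDIR/logs:/var/log/suricata" \
        "$SURICATA_IMAGE" suricata -r /pcap -l /var/log/suricata \
        -S /rules/suricata.rules -c /etc/suricata/suricata.yaml
    check_eve "$WORKDIR/logs/eve.json"
    sudo docker run --rm -v "$WORKDIR/logs:/var/log/suricata:ro" -p 5636:5636 \
        "$EVEBOX_IMAGE" evebox oneshot --host 0.0.0.0 /var/log/suricata/eve.json
}

# Offline self-check on three constructed eve.json records (not real traffic),
# so the log check can be exercised without Docker or a PCAP.
demo_check() {
    tmp=$(mktemp)
    printf '%s\n' \
        '{"timestamp":"2024-01-01T00:00:00.000000+0000","event_type":"alert","src_ip":"10.0.0.2","dest_ip":"10.0.0.1","alert":{"signature":"constructed test alert"}}' \
        '{"timestamp":"2024-01-01T00:00:01.000000+0000","event_type":"http","http":{"hostname":"example.test"}}' \
        '{"timestamp":"2024-01-01T00:00:02.000000+0000","event_type":"flow"}' > "$tmp"
    check_eve "$tmp"
    rm -f "$tmp"
}

if [ "${1:-}" = "run" ]; then
    run_demo "${2:-}"
else
    demo_check
fi
```

The check deliberately distinguishes "no eve.json / no events" (Suricata did not run or could not read the capture, so there is nothing for Evebox to show) from "no alerts" (Suricata ran fine but the ruleset did not match anything in this capture), because the second case is normal for many sample PCAPs and should not be mistaken for a broken setup.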