Feb 21 2010 11:55PM GMT
Posted by: Dan O'Connor
suricata freebsd, suricata install, suricata install freebsd
Installing Suricata on FreeBSD – Part 2
With everything in place you can now start suricata.
suricata -c /usr/local/etc/suricata.yaml -i em0
Got a good start.
70 rule files processed. 7977 rules succesfully loaded, 5 rules failed
Here are the 5 that did not load. I only added the Emerging Threats rules, not the Snort release set (those caused Suricata to crash). All five fail on keywords this Suricata build does not yet handle: the byte_test <= operator, a distance modifier that does not follow two content matches, and negated uricontent (bug #31).
[100072] 20/2/2010 -- 22:20:51 - (detect-bytetest.c:267) (DetectBytetestParse) -- [ERRCODE: SC_ERR_INVALID_OPERATOR(111)] - Invalid operator
[100072] 20/2/2010 -- 22:20:51 - (detect.c:291) (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(29)] - Error parsing signature "alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET P2P eMule KAD Network Hello Request (2)"; content:"|e4 10|"; depth:2; byte_test:2,<=,65535,16,relative; byte_test:2,<=,65535,0,relative; threshold: type limit, count 5, seconds 600, track by_src; classtype:policy-violation; reference:url,emule-project.net; reference:url,doc.emergingthreats.net/2009971; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/P2P/P2P_eMule; sid:2009971; rev:4;)" from file /usr/local/etc/suricata/rules/emerging-p2p.rules at line 194
[100072] 20/2/2010 -- 22:20:52 - (detect-distance.c:48) (DetectDistanceSetup) -- [ERRCODE: SC_ERR_DISTANCE_MISSING_CONTENT(88)] - distance needs two preceeding content options
[100072] 20/2/2010 -- 22:20:52 - (detect.c:291) (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(29)] - Error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Egspy Infection Report via HTTP"; flow:established,to_server; uricontent:"/keylogkontrol/"; content:"|0d 0a|User-Agent|3a| Mozilla/3.0 (compatible|3b| Indy Library)"; distance:0; classtype:trojan-activity; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=EgySpy&threatid=48410; reference:url,doc.emergingthreats.net/2008047; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Egyspy; sid:2008047; rev:2;)" from file /usr/local/etc/suricata/rules/emerging-virus.rules at line 915
[100072] 20/2/2010 -- 22:20:52 - (detect-distance.c:48) (DetectDistanceSetup) -- [ERRCODE: SC_ERR_DISTANCE_MISSING_CONTENT(88)] - distance needs two preceeding content options
[100072] 20/2/2010 -- 22:20:52 - (detect.c:291) (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(29)] - Error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Generic Spambot (often Tibs) Post-Infection Checkin"; flow:established,to_server; uricontent:"/access.php?"; nocase; uricontent:"w="; nocase; uricontent:"&a="; nocase; content:"|0d 0a|Host\: "; distance:0; pcre:"/Host\: \d+\.\d+\.\d+\.\d+\x0d\x0a/"; content:"|0d 0a|Cache-Control\: no-cache|0d 0a|"; content:!"|0d 0a|User-Agent\: "; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008174; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Tibs; sid:2008174; rev:2;)" from file /usr/local/etc/suricata/rules/emerging-virus.rules at line 2240
[100072] 20/2/2010 -- 22:20:52 - (detect.c:335) (SigLoadSignatures) -- [ERRCODE: SC_ERR_NO_RULES(32)] - No rules loaded from /usr/local/etc/suricata/rules/emerging-web.rules
[100072] 20/2/2010 -- 22:20:55 - (detect-uricontent.c:303) (DoDetectUricontentSetup) -- [ERRCODE: SC_ERR_NO_URICONTENT_NEGATION(92)] - uricontent negation is not supported at this time. See bug #31.
[100072] 20/2/2010 -- 22:20:55 - (detect.c:291) (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(29)] - Error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious Mozilla User-Agent - Likely Fake (Mozilla/5.0)"; flow:to_server,established; content:"|0d 0a|User-Agent\: Mozilla/5.0|0d 0a|"; nocase; uricontent:!"|0d 0a|Host\: download.releasenotes.nokia.com"; content:!"Mozilla/5.0|0d 0a|Connection\: Close|0d 0a 0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009295; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_Agents_Suspicious; sid:2009295; rev:6;)" from file /usr/local/etc/suricata/rules/emerging-user_agents.rules at line 483
[100072] 20/2/2010 -- 22:20:55 - (detect-distance.c:48) (DetectDistanceSetup) -- [ERRCODE: SC_ERR_DISTANCE_MISSING_CONTENT(88)] - distance needs two preceeding content options
[100072] 20/2/2010 -- 22:20:55 - (detect.c:291) (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(29)] - Error parsing signature "alert udp any any -> any 53 (msg:"ET CURRENT_EVENTS DNS BIND 9 Dynamic Update DoS attempt"; byte_test:1,&,40,2; byte_test:1,>,0,5; byte_test:1,>,0,1; content:"|00 00 06|"; distance:8; content:"|c0 0c 00 ff|"; distance:2; reference:cve,2009-0696; classtype:attempted-dos; reference:url,doc.emergingthreats.net/2009701; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Bind; sid:2009701; rev:3;)" from file /usr/local/etc/suricata/rules/emerging-current_events.rules at line 65
[100072] 20/2/2010 -- 22:20:55 - (detect.c:376) (SigLoadSignatures) -- 70 rule files processed. 7977 rules succesfully loaded, 5 rules failed
[100072] 20/2/2010 -- 22:20:55 - (detect-engine-sigorder.c:787) (SCSigOrderSignatures) -- ordering signatures in memory SCSigOrderSignatures: Total Signatures to be processed by thesigordering module: 7989
Next, check that the IDS is actually logging. Look up the logging directory in the config file; the default is /var/log/suricata/. You may have to create a noise rule ( any any -> any any ) to force some alerts, but alerts should then start hitting the fast.log file. A rule like that fires on every packet, so take it out again once you have seen alerts land.
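To make that check repeatable, here is an added example script (not from the original post or the Suricata project). It writes a catch-all noise rule, then counts what reaches fast.log and polls for the first alert after a start. The rules directory, log path, sid 1000001 and the local.rules file name are assumptions chosen to match the install in this series; the fast.log lines it demonstrates on are constructed sample data, not output from a real sensor.

```shell
#!/bin/sh
# Added example, not from the original post: drop in a catch-all "noise" rule
# and check that alerts reach fast.log. Paths are assumptions that match the
# install described in the post; override them with environment variables.
RULES_DIR=${RULES_DIR:-/usr/local/etc/suricata/rules}
FAST_LOG=${FAST_LOG:-/var/log/suricata/fast.log}

# Rule text: fires on every IP packet. sid 1000001 sits in the local range
# (>= 1000000) so it cannot collide with an Emerging Threats sid.
NOISE_RULE='alert ip any any -> any any (msg:"LOCAL noise rule - remove after testing"; sid:1000001; rev:1;)'

# Write the noise rule to a rules file (default: local.rules under RULES_DIR).
# local.rules still has to be listed under rule-files: in suricata.yaml, and
# Suricata restarted, before it is loaded. Delete the file again afterwards.
write_noise_rule() {
    printf '%s\n' "$NOISE_RULE" > "${1:-$RULES_DIR/local.rules}"
}

# Count alert lines in a fast.log. A fast.log line looks like
#   02/20/2010-22:30:01.000001  [**] [1:1000001:1] LOCAL noise rule ... [**] ... {TCP} 10.0.0.5:51234 -> 192.0.2.1:80
# so on whitespace-split fields $2 is "[**]" and $3 is the [gid:sid:rev] token.
alert_count() {
    awk '$2 == "[**]" { n++ } END { print n + 0 }' "$1"
}

# Alerts per signature, busiest first, one "<count> [gid:sid:rev]" per line.
alerts_per_sid() {
    awk '$2 == "[**]" { c[$3]++ } END { for (k in c) print c[k], k }' "$1" | sort -rn
}

# Poll a fast.log for up to $2 seconds (default 30); succeed as soon as at
# least one alert is present, fail (return 1) on timeout. Run it right after
# starting suricata: wait_for_alerts "$FAST_LOG" 30 || echo "no alerts yet"
wait_for_alerts() {
    log=$1; deadline=${2:-30}; t=0
    while [ "$t" -lt "$deadline" ]; do
        [ -s "$log" ] && [ "$(alert_count "$log")" -gt 0 ] && return 0
        sleep 1; t=$((t + 1))
    done
    return 1
}

# Constructed sample fast.log (not real sensor output) so the summary logic can
# be exercised without a running Suricata. Prints the temp file's path.
make_sample_log() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
02/20/2010-22:30:01.000001  [**] [1:1000001:1] LOCAL noise rule - remove after testing [**] [Classification: (null)] [Priority: 3] {TCP} 10.0.0.5:51234 -> 192.0.2.1:80
02/20/2010-22:30:01.000450  [**] [1:1000001:1] LOCAL noise rule - remove after testing [**] [Classification: (null)] [Priority: 3] {TCP} 192.0.2.1:80 -> 10.0.0.5:51234
02/20/2010-22:30:02.120000  [**] [1:1000002:1] LOCAL DNS query to resolver [**] [Classification: (null)] [Priority: 3] {UDP} 10.0.0.7:53120 -> 10.0.0.1:53
02/20/2010-22:30:03.000002  [**] [1:1000001:1] LOCAL noise rule - remove after testing [**] [Classification: (null)] [Priority: 3] {UDP} 10.0.0.5:53121 -> 10.0.0.1:53
EOF
    printf '%s\n' "$f"
}

# When run directly: show what the checks look like on the sample data.
sample=$(make_sample_log)
echo "alerts in sample: $(alert_count "$sample")"
alerts_per_sid "$sample"
rm -f "$sample"
```

On a live sensor, run write_noise_rule, add local.rules to the rule-files list in suricata.yaml, restart suricata, then wait_for_alerts "$FAST_LOG" 30; alerts_per_sid "$FAST_LOG" tells you whether it is only the noise rule firing or the Emerging Threats rules are matching as well.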
Now that we know it kinda works, there is some configuration to do in part 3.