Now that we have something to control Suricata with, make sure its configuration variables are set correctly.
Ensure your HOME_NET is correct, or your detection results are not going to be so great: rules that key on $HOME_NET and $EXTERNAL_NET will silently miss or mislabel traffic.
```yaml
# Holds the address group vars that would be passed in a Signature.
# These would be retrieved during the Signature address parsing stage.
address-groups:
  HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
  EXTERNAL_NET: any
  HTTP_SERVERS: "$HOME_NET"
  SMTP_SERVERS: "$HOME_NET"
  SQL_SERVERS: "$HOME_NET"
  DNS_SERVERS: "$HOME_NET"
  TELNET_SERVERS: "$HOME_NET"
  AIM_SERVERS: any

# Holds the port group vars that would be passed in a Signature.
# These would be retrieved during the Signature port parsing stage.
port-groups:
  HTTP_PORTS: "80"
  SHELLCODE_PORTS: "!80"
  ORACLE_PORTS: 1521
  SSH_PORTS: 22
```
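A quick way to verify the HOME_NET line before going live is to resolve the address-group expression the same way a rule would and check a few known-internal and known-external hosts against it. The following is an added example, not code from the original post or from Suricata; the variable values are the ones shown above and the test hosts are constructed.

```python
import ipaddress

# Address-group variables as configured above (constructed copy for the check).
ADDRESS_GROUPS = {
    "HOME_NET": "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]",
    "EXTERNAL_NET": "any",
    "HTTP_SERVERS": "$HOME_NET",
}

def _split_top_level(s):
    """Split on commas that are not inside a nested [...] group."""
    parts, depth, cur = [], 0, ""
    for ch in s:
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
        if ch == "," and depth == 0:
            parts.append(cur)
            cur = ""
        else:
            cur += ch
    if cur:
        parts.append(cur)
    return parts

def address_matches(expr, ip, groups=ADDRESS_GROUPS):
    """True if `ip` is covered by the Suricata-style address expression `expr`.
    Handles: any, a.b.c.d, a.b.c.d/n, [a,b,...] groups, ! negation, $VAR refs."""
    expr = expr.strip()
    if expr == "any":
        return True
    if expr.startswith("$"):
        return address_matches(groups[expr[1:]], ip, groups)
    if expr.startswith("!"):
        return not address_matches(expr[1:], ip, groups)
    if expr.startswith("[") and expr.endswith("]"):
        members = _split_top_level(expr[1:-1])
        negated = [m for m in members if m.strip().startswith("!")]
        positive = [m for m in members if not m.strip().startswith("!")]
        # A negated member excludes the address; positive members include it.
        if any(not address_matches(n, ip, groups) for n in negated):
            return False
        return not positive or any(address_matches(p, ip, groups) for p in positive)
    return ipaddress.ip_address(ip) in ipaddress.ip_network(expr, strict=False)

def check_home_net(groups, internal_hosts, external_hosts):
    """Return hosts misclassified by HOME_NET: internal ones outside it,
    external ones inside it. An empty list means the variable looks sane."""
    bad = [h for h in internal_hosts if not address_matches(groups["HOME_NET"], h, groups)]
    bad += [h for h in external_hosts if address_matches(groups["HOME_NET"], h, groups)]
    return bad
```

Run `check_home_net` with the addresses of your own servers and a couple of public IPs; any host it returns is one the rules will treat as the wrong side of the network.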
Now that Suricata is configured and running, we can install something to manage the events it generates.
BASE is listed in the OISF FAQ (http://www.openinfosecfoundation.org/index.php/faqs) as a supported front end.
```sh
cd /usr/ports/security/base/
make install clean
```
BASE has a long list of dependencies to install, so go grab a coffee.