Suricata Installation

Table of contents

Suricata is a NIDS solution, which is open source and can be deployed quickly on dedicated hardware to monitor one or more traffic points on your network, or directly on Unix-like hosts to monitor only their own network traffic. Because Suricata is capable of generating JSON records
of NIDS events, it can be easily integrated with Wazuh.

Installation

  1. First of all, how this program is really designed for Linux and adapted to the tools that
    found in Windows, we will have to install NCAP. A library needed to perform actions
    network packet capture. You can install via this link.      
    https://npcap.com/dist/npcap-1.71.exe
  2. We will then download the following file, and proceed to perform the normal installation of the
    program so that it will allow us to choose different configurations, such as the
    location where we want to install it.   https://www.openinfosecfoundation.org/download/windows/Suricata-6.0.6-1-64bit.msi 
  3. Next we will download the following configurations:                           https://apoloanalytics.com/wp-content/config-apolo/Suricata-Apolo.zip 
  4. We will paste the files contained in this «.zip» to the location where we have installed
    our program and we will replace everything. The default address is:
    C:\Program Files\Suricata

Setup

  1. When turning on our IDS we will have to run the program, if we have created direct access
    on the desktop we will open it, if this is not the case we execute the following commands via cmd:
    cd «C:\Program Files\Meerkat»
    suricata.exe -c suricata.yaml -i
  2. We will see several logs of what the program is doing so that finally a log appears similar to the following:
  3. Then we enter Wazuh, look for the “Manage Agent” application. In the top menu, under View, select View Config. Just above the last </ossec_config> we will include the following line. The location option should be changed to the program installation path or direction. In the file, it will be defined the same as in the example, stipulated as such in the configuration (<path>/eve-*).

<localfile>

<location> C:\Program Files\Suricata\log\eve-* </location>

<log_format> json </log_format>

</localfile>

Updated on febrero 7, 2024
Table of contents