How to Set Up Suricata Network Intrusion Detection
Suricata is a high-performance network intrusion detection and prevention system (IDS/IPS) capable of real-time traffic analysis, protocol identification, and threat detection. Running Suricata on your Breeze instance provides deep visibility into network threats targeting your server.
Installing Suricata
On Ubuntu or Debian:
sudo apt update
sudo apt install -y software-properties-common
sudo add-apt-repository -y ppa:oisf/suricata-stable
sudo apt update
sudo apt install -y suricata
On AlmaLinux or Rocky Linux:
sudo dnf install -y epel-release
sudo dnf install -y suricata
Configuring Suricata
The main configuration file is /etc/suricata/suricata.yaml. Key settings to configure:
vars:
  address-groups:
    HOME_NET: "[your-breeze-ip/32]"
    EXTERNAL_NET: "!$HOME_NET"
  port-groups:
    HTTP_PORTS: "80"
    SHELLCODE_PORTS: "!80"
    SSH_PORTS: "22"
af-packet:
  - interface: eth0
    cluster-id: 99
    cluster-type: cluster_flow
    defrag: yes
default-rule-path: /var/lib/suricata/rules
rule-files:
  - suricata.rules
Installing and Updating Rules
Suricata uses rule sets to detect threats. Use suricata-update to manage them:
# Update rules from default sources
sudo suricata-update
# List available rule sources
sudo suricata-update list-sources
# Enable additional rule sources
sudo suricata-update enable-source et/open
sudo suricata-update enable-source oisf/trafficid
# Update rules after adding sources
sudo suricata-update
Running Suricata in IDS Mode
Start Suricata in IDS mode to monitor traffic without blocking:
# Test configuration
sudo suricata -T -c /etc/suricata/suricata.yaml
# Start Suricata
sudo systemctl enable --now suricata
# Check status
sudo systemctl status suricata
Running Suricata in IPS Mode
For active blocking, run Suricata inline using NFQ (Netfilter Queue). Packets queued to an NFQUEUE with no userspace process attached are dropped by the kernel, so start Suricata (after validating the configuration with -T) before inserting these rules:
# Configure iptables to send traffic through Suricata
sudo iptables -I FORWARD -j NFQUEUE --queue-num 0
sudo iptables -I INPUT -j NFQUEUE --queue-num 0
sudo iptables -I OUTPUT -j NFQUEUE --queue-num 0
# Start Suricata in IPS mode
sudo suricata -c /etc/suricata/suricata.yaml -q 0
Monitoring Alerts
Suricata logs alerts in EVE JSON format for easy parsing:
# View recent alerts
sudo tail -f /var/log/suricata/eve.json | jq 'select(.event_type=="alert")'
# View fast.log for human-readable alerts
sudo tail -f /var/log/suricata/fast.log
# Count alerts by signature
sudo cat /var/log/suricata/eve.json | jq -r 'select(.event_type=="alert") | .alert.signature' | sort | uniq -c | sort -rn | head -20
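The jq pipelines above work on the same EVE fields as this added Python example, which is not part of the original article: it counts alerts by signature and by source IP, filters on EVE severity, and skips a partially written last line instead of aborting, which matters when eve.json is read while Suricata is still appending to it. The sample records, IP addresses and the sid 1000003 signature are constructed; sids 1000001 and 1000002 refer to the custom rules shown later on this page.

```python
import json
import sys
from collections import Counter

# Constructed EVE JSON sample, not real traffic. sids 1000001/1000002 match the
# custom rules on this page; 1000003 is made up. The last line is deliberately
# truncated, as happens when eve.json is read while Suricata is still writing it.
SAMPLE_EVE = """\
{"timestamp":"2024-05-01T10:00:01.000000+0000","event_type":"alert","src_ip":"203.0.113.5","dest_ip":"198.51.100.10","dest_port":22,"alert":{"signature_id":1000001,"signature":"SSH Brute Force Attempt","severity":1}}
{"timestamp":"2024-05-01T10:00:02.000000+0000","event_type":"flow","src_ip":"203.0.113.5","dest_ip":"198.51.100.10"}
{"timestamp":"2024-05-01T10:00:03.000000+0000","event_type":"alert","src_ip":"203.0.113.5","dest_ip":"198.51.100.10","dest_port":22,"alert":{"signature_id":1000001,"signature":"SSH Brute Force Attempt","severity":1}}
{"timestamp":"2024-05-01T10:00:04.000000+0000","event_type":"alert","src_ip":"192.0.2.77","dest_ip":"198.51.100.10","dest_port":80,"alert":{"signature_id":1000002,"signature":"Possible Web Shell Upload","severity":1}}
{"timestamp":"2024-05-01T10:00:05.000000+0000","event_type":"alert","src_ip":"192.0.2.78","dest_ip":"198.51.100.10","dest_port":80,"alert":{"signature_id":1000003,"signature":"Constructed Low Severity Test","severity":3}}
{"timestamp":"2024-05-01T10:00:06.000000+0000","event_type":"alert","src_ip":"192.0.2.79","dest_ip"
"""

def parse_eve(text):
    """Decode one JSON record per line; return (records, count of malformed lines)."""
    records, malformed = [], 0
    for line in filter(None, (ln.strip() for ln in text.splitlines())):
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            malformed += 1  # partial write or debris: skip it, do not abort the report
    return records, malformed

def summarize_alerts(text, max_severity=3):
    """Count alerts by signature and by source IP, keeping severity <= max_severity."""
    # EVE severity runs 1 (highest) to 3 (lowest): max_severity=1 keeps only the
    # alerts a daily triage pass should look at first.
    records, malformed = parse_eve(text)
    by_signature, by_src = Counter(), Counter()
    for rec in records:
        if rec.get("event_type") != "alert":
            continue  # flow, dns, http, stats ... records are not alerts
        alert = rec.get("alert", {})
        if alert.get("severity", 3) > max_severity:
            continue
        by_signature[alert.get("signature", "<no signature>")] += 1
        by_src[rec.get("src_ip", "<no src_ip>")] += 1
    return {"by_signature": by_signature, "by_src": by_src, "malformed": malformed}

if __name__ == "__main__":
    # python3 eve_summary.py [/var/log/suricata/eve.json]; defaults to the sample
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_EVE
    report = summarize_alerts(text)
    for sig, n in report["by_signature"].most_common(20):
        print(f"{n:6d}  {sig}")
    print("top sources:", report["by_src"].most_common(5), "| malformed:", report["malformed"])
```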
Writing Custom Rules
Create custom detection rules for threats specific to your environment:
# Detect SSH brute force attempts: count new TCP connections (SYN packets) to the
# SSH port and alert once a single source opens 5 of them within 60 seconds
alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORTS (msg:"SSH Brute Force Attempt"; \
flow:to_server; flags:S,12; threshold:type both, track by_src, count 5, seconds 60; \
classtype:attempted-admin; sid:1000001; rev:1;)
# Detect potential web shell upload
alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"Possible Web Shell Upload"; \
flow:to_server,established; content:"POST"; http_method; \
content:".php"; http_uri; content:"eval("; http_client_body; \
classtype:web-application-attack; sid:1000002; rev:1;)
Save custom rules in /var/lib/suricata/rules/local.rules and add the file to your suricata.yaml rule-files list.
Performance Tuning
- Thread count — set threading.detect-thread-ratio based on available CPU cores
- Memory limits — configure stream.memcap and flow.memcap based on available RAM
- Disable unused protocols — turn off protocol parsers you do not need
Best Practices
- Update rules daily — schedule suricata-update via cron and reload Suricata after updates
- Start in IDS mode — monitor and tune before switching to IPS to avoid blocking legitimate traffic
- Integrate with a SIEM — forward EVE JSON logs to a centralized logging system
- Review alerts regularly — investigate high-severity alerts promptly and tune out false positives
- Monitor Suricata performance — check stats.log for packet drops that indicate overload
Suricata provides enterprise-grade network intrusion detection for your Breeze instance, enabling you to detect and respond to threats in real time.