Posts

Showing posts from May, 2016

Building an IDS on RHEL 7 using Suricata

Image
I was recently tasked with throwing up a replacement IDS box after an appliance 'died' in not-so-mysterious circumstances during some DC work. The IDS (Suricata) was stipulated, as was the base platform (RHEL 7).

I wanted to share here some of the notes I made during the build and subsequent testing, some useful links as well as one 'gotcha' I encountered along the way. These might cause you headaches in keeping your IDS running.

There are a ton of good articles already around covering how to get Suricata working on CentOS (RHEL's community backed spin off) but special mention has to go out to Daniel Miessler's guide which I've linked to below. In terms of getting Suricata up and running it really covers everything.


That gotcha
You can provide Suricata with parameters around pcap file management if you're capturing full packet and writing it to disk. These parameters are the size limit for each pcap file and the number of files to retain. For example, you c…