{"id":6502,"date":"2020-07-24T22:16:59","date_gmt":"2020-07-24T19:16:59","guid":{"rendered":"https:\/\/kifarunix.com\/?p=6502"},"modified":"2024-03-14T22:06:33","modified_gmt":"2024-03-14T19:06:33","slug":"install-and-setup-suricata-on-centos-8","status":"publish","type":"post","link":"https:\/\/kifarunix.com\/install-and-setup-suricata-on-centos-8\/","title":{"rendered":"Install and Setup Suricata on CentOS 8"},"content":{"rendered":"\n<p>In this tutorial, you will learn how to install and set up Suricata on CentOS 8. <a aria-label=\"undefined (opens in a new tab)\" href=\"https:\/\/suricata-ids.org\/\" target=\"_blank\" rel=\"noreferrer noopener\">Suricata<\/a> is a free and open source network threat detection engine. It can function as an intrusion detection system (IDS), an inline intrusion prevention system (IPS), a network security monitoring (NSM) engine or an offline pcap processing tool. It works by inspecting network traffic against rules and signatures, with Lua scripting support for detecting complex threats.<\/p>\n\n\n\n<p>With its ability to write its logs in YAML and JSON formats, Suricata can be integrated with other tools such as SIEMs, Splunk, Logstash\/Elasticsearch and Kibana for further log processing and visualization.<\/p>\n\n\n\n<p>Suricata offers quite a number of features. Read about them on the <a aria-label=\"undefined (opens in a new tab)\" href=\"https:\/\/suricata-ids.org\/features\/all-features\/\" target=\"_blank\" rel=\"noreferrer noopener\">All Suricata features page<\/a>.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Installing Suricata on CentOS 8<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">System Requirements<\/h3>\n\n\n\n<p>Suricata is multi-threaded, so if you have spare CPU cores, make as many of them available to it as possible. 
Also, allocate enough RAM.<\/p>\n\n\n\n<p>In this demo, we have allocated 2 vCPUs and 4GB RAM to our Suricata server.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Install Suricata on CentOS 8<\/h3>\n\n\n\n<p>Suricata can be installed on CentOS 8 in either of the following ways;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"#install-suricata-from-source\">Install Suricata on CentOS 8 from Source<\/a><\/li>\n\n\n\n<li><a href=\"#install-suricata-from-epel-repos\">Install Suricata on CentOS 8 from EPEL Repos<\/a><\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"install-suricata-from-source\">Install Suricata on CentOS 8 from Source<\/h4>\n\n\n\n<h5 class=\"wp-block-heading\">Run system update<\/h5>\n\n\n\n<p>Update your system packages by running the command below<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>dnf update<\/code><\/pre>\n\n\n\n<h5 class=\"wp-block-heading\">Install Required Build tools and Dependencies<\/h5>\n\n\n\n<p>A number of build tools and development packages are required to build and install Suricata on CentOS 8 from source. Some of the -devel packages live in the PowerTools repository, so enable it first.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>dnf config-manager --set-enabled PowerTools<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>dnf install diffutils file-devel gcc jansson-devel make nss-devel libyaml-devel libcap-ng-devel libpcap-devel pcre-devel python3 python3-pyyaml rust-toolset zlib-devel curl wget tar lua lua-devel lz4-devel<\/code><\/pre>\n\n\n\n<h5 class=\"wp-block-heading\">Download Suricata Source Code<\/h5>\n\n\n\n<p>Download the latest stable release of the Suricata source code from the <a aria-label=\"undefined (opens in a new tab)\" href=\"https:\/\/suricata-ids.org\/download\/\" target=\"_blank\" rel=\"noreferrer noopener\">Suricata downloads page<\/a>. 
As of this writing, Suricata 5.0.3 is the latest stable release version.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>wget https:\/\/www.openinfosecfoundation.org\/download\/suricata-5.0.3.tar.gz -P \/tmp<\/code><\/pre>\n\n\n\n<h5 class=\"wp-block-heading\">Extract Suricata Source Code<\/h5>\n\n\n\n<p>Once the download is complete, extract the source code;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>cd \/tmp<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>tar xzf suricata-5.0.3.tar.gz<\/code><\/pre>\n\n\n\n<h5 class=\"wp-block-heading\">Build and Install Suricata on CentOS 8<\/h5>\n\n\n\n<p>Change into the source directory, then build and install Suricata on CentOS 8.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>cd suricata-5.0.3<\/code><\/pre>\n\n\n\n<p>Run the configure script to adapt Suricata to the system and verify that all required dependencies are in place.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>.\/configure --sysconfdir=\/etc --localstatedir=\/var --prefix=\/usr\/ --enable-lua --enable-geoip<\/code><\/pre>\n\n\n\n<p>With these options, the Suricata binary is installed as <code>\/usr\/bin\/suricata<\/code>, the configuration lives in <code>\/etc\/suricata<\/code> and <code>\/var\/log\/suricata<\/code> is used as the log directory. Note that <code>--enable-geoip<\/code> needs the libmaxminddb development package (<code>libmaxminddb-devel<\/code>), which is not in the dependency list above; install it first or drop that option.<\/p>\n\n\n\n<p>For more build options, refer to <code>.\/configure --help<\/code>.<\/p>\n\n\n\n<p>Compile Suricata, then install it together with its configuration files and rules. The <code>install-full<\/code> target also runs <code>suricata-update<\/code> to download the Emerging Threats Open ruleset, so the build host needs Internet access.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>make<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>make install-full<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>...\n22\/7\/2020 -- 21:14:44 - &lt;Info&gt; -- Backing up current rules.\n22\/7\/2020 -- 21:14:44 - &lt;Info&gt; -- Writing rules to \/var\/lib\/suricata\/rules\/suricata.rules: total: 27530; enabled: 20677; added: 27530; removed 0; modified: 0\n22\/7\/2020 -- 21:14:44 - &lt;Info&gt; -- Skipping test, disabled by configuration.\n22\/7\/2020 -- 21:14:44 - 
&lt;Info&gt; -- Done.\n\nYou can now start suricata by running as root something like:\n  \/usr\/bin\/suricata -c \/etc\/suricata\/suricata.yaml -i eth0\n\nIf a library like libhtp.so is not found, you can run suricata with:\n  LD_LIBRARY_PATH=\/usr\/lib \/usr\/bin\/suricata -c \/etc\/suricata\/suricata.yaml -i eth0\n\nThe Emerging Threats Open rules are now installed. Rules can be\nupdated and managed with the suricata-update tool.\n\nFor more information please see:\n  https:\/\/suricata.readthedocs.io\/en\/latest\/rule-management\/index.html\n\nmake[1]: Leaving directory '\/tmp\/suricata-5.0.3'\n<\/code><\/pre>\n\n\n\n<p>Suricata is now installed from source on CentOS 8.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"install-suricata-from-epel-repos\">Install Suricata on CentOS 8 from EPEL Repos<\/h4>\n\n\n\n<p>The simplest way to install Suricata on CentOS 8 is from the EPEL repositories, which also ship the systemd unit and the <code>\/etc\/sysconfig\/suricata<\/code> file used later in this guide.<\/p>\n\n\n\n<h5 class=\"wp-block-heading\">Install EPEL Repos on CentOS 8<\/h5>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>dnf install epel-release<\/code><\/pre>\n\n\n\n<h5 class=\"wp-block-heading\">Install Suricata from EPEL Repos on CentOS 8<\/h5>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>dnf info suricata<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>Available Packages\nName         : suricata\nVersion      : 5.0.3\nRelease      : 1.el8\nArchitecture : x86_64\nSize         : 2.3 M\nSource       : suricata-5.0.3-1.el8.src.rpm\nRepository   : epel\nSummary      : Intrusion Detection System\nURL          : https:\/\/suricata-ids.org\/\nLicense      : GPLv2\n...\n<\/code><\/pre>\n\n\n\n<p>As you can see, the EPEL repos provide the latest stable release version of Suricata.<\/p>\n\n\n\n<p>You can then install it by executing the command;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>dnf install suricata<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Suricata Rules<\/h3>\n\n\n\n<p>Suricata utilizes various rule sets\/signatures 
to detect and alert on matching threats. Rules are also known as signatures. <a href=\"https:\/\/rules.emergingthreats.net\/open\/\" target=\"_blank\" aria-label=\"undefined (opens in a new tab)\" rel=\"noreferrer noopener\">Emerging Threats<\/a>,&nbsp;<a aria-label=\"undefined (opens in a new tab)\" href=\"http:\/\/www.emergingthreatspro.com\/\" target=\"_blank\" rel=\"noreferrer noopener\">Emerging Threats Pro<\/a>&nbsp;and Sourcefire&#8217;s&nbsp;<a aria-label=\"undefined (opens in a new tab)\" href=\"http:\/\/www.snort.org\/vrt\/\" target=\"_blank\" rel=\"noreferrer noopener\">VRT<\/a> are the most commonly used rule sets.<\/p>\n\n\n\n<p>When Suricata is installed from the repos, the rules files that ship with it can be found under <code>\/etc\/suricata\/rules\/<\/code>.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>ls -1 \/etc\/suricata\/rules\/<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>\napp-layer-events.rules\ndecoder-events.rules\ndhcp-events.rules\ndnp3-events.rules\ndns-events.rules\nfiles.rules\nhttp2-events.rules\nhttp-events.rules\nipsec-events.rules\nkerberos-events.rules\nmodbus-events.rules\nmqtt-events.rules\nnfs-events.rules\nntp-events.rules\nsmb-events.rules\nsmtp-events.rules\nstream-events.rules\ntls-events.rules\n<\/code><\/pre>\n\n\n\n<p>Emerging Threats rules are usually stored as <code><strong>\/var\/lib\/suricata\/rules\/suricata.rules<\/strong><\/code>.<\/p>\n\n\n\n<p>The <strong>suricata.rules<\/strong> file is the merged ruleset that Suricata loads; it also includes the rules from the rules files under <code><strong>\/etc\/suricata\/rules\/<\/strong><\/code>.<\/p>\n\n\n\n<p>To install and update the Emerging Threats rules, use the <code><strong>suricata-update<\/strong><\/code> command.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>suricata-update<\/code><\/pre>\n\n\n\n<p>This downloads the Emerging Threats Open ruleset and writes the merged <code>suricata.rules<\/code> file.<\/p>\n\n\n\n<p>A rule\/signature consists of the following sections:<\/p>\n\n\n\n<ul 
class=\"wp-block-list\">\n<li>The <strong>action<\/strong>, that determines what happens when the signature matches.<\/li>\n\n\n\n<li>The <strong>header<\/strong>, defining the protocol, IP addresses, ports and direction of the rule.<\/li>\n\n\n\n<li>The <strong>rule options<\/strong>, defining the specifics of the rule.<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>alert ip any any -&gt; any any (msg:\"SURICATA Applayer Mismatch protocol both directions\"; flow:established; app-layer-event:applayer_mismatch_protocol_both_directions; flowint:applayer.anomaly.count,+,1; classtype:protocol-command-decode; sid:2260000; rev:1;)<\/code><\/pre>\n\n\n\n<p>Read more on <a href=\"https:\/\/suricata.readthedocs.io\/en\/suricata-4.1.2\/rules\/intro.html\" target=\"_blank\" rel=\"noopener\">introduction to Suricata rules<\/a>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Suricata Basic Setup<\/h3>\n\n\n\n<p><code><strong>\/etc\/suricata\/suricata.yaml<\/strong><\/code> is the default Suricata configuration file.<\/p>\n\n\n\n<p>The configuration file contains a lot of configurable options. 
However, for our basic setup, we will only focus on the network interface on which Suricata listens and the IP address attached to that interface.<\/p>\n\n\n\n<p>To find the interface and the IP address, run the command below;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ip --brief add<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>lo               UNKNOWN        127.0.0.1\/8 ::1\/128 \nenp0s3           UP             10.0.2.15\/24 \n<strong>enp0s8<\/strong>           UP             <strong>192.168.56.133<\/strong>\/24 fe80::12c8:9a8a:6d1:deaf\/64<\/code><\/pre>\n\n\n\n<p>In our case, our interface is <strong>enp0s8<\/strong> and the IP address is <strong><code>192.168.56.133<\/code><\/strong>.<\/p>\n\n\n\n<p>Open and edit the Suricata config file.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>vim \/etc\/suricata\/suricata.yaml<\/code><\/pre>\n\n\n\n<p>Under the <strong>vars<\/strong> section, you need to configure Suricata to distinguish the internal network to be protected from the external network. 
This can be done by defining the correct values for the&nbsp;<code>HOME_NET<\/code>&nbsp;and&nbsp;<code>EXTERNAL_NET<\/code>&nbsp;variables under the address groups.<\/p>\n\n\n\n<p>The <strong><code>HOME_NET<\/code><\/strong> variable should include the IP address of the interface on which Suricata listens and all the local networks to protect. In this demo it holds only the sensor&#8217;s own address; in a real deployment, list every subnet you want treated as internal, because many rules match on the <code>$HOME_NET<\/code>\/<code>$EXTERNAL_NET<\/code> direction and any address outside <code>HOME_NET<\/code> is treated as external.<\/p>\n\n\n\n<p>The <code>EXTERNAL_NET<\/code>&nbsp;variable should cover any IP or network that is not local.<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>...\nvars:\n  # more specific is better for alert accuracy and performance\n  address-groups:\n    #HOME_NET: \"[192.168.0.0\/16,10.0.0.0\/8,172.16.0.0\/12]\"\n<strong>    HOME_NET: \"[192.168.56.133]\"\n<\/strong>    #HOME_NET: \"[192.168.0.0\/16]\"\n    #HOME_NET: \"[10.0.0.0\/8]\"\n    #HOME_NET: \"[172.16.0.0\/12]\"\n    #HOME_NET: \"any\"\n\n<strong>    EXTERNAL_NET: \"!$HOME_NET\"<\/strong>\n...\n<\/code><\/pre>\n\n\n\n<p>Under the <code><strong>af-packet<\/strong><\/code> section, set the value of the interface to your interface name.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>...\n# Linux high speed capture support\n<strong>af-packet:\n<\/strong>  - interface: <strong>enp0s8<\/strong>\n...<\/code><\/pre>\n\n\n\n<p>Save and exit the configuration file.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Specify Suricata Rules<\/h3>\n\n\n\n<p>Define the rules files Suricata should load. 
We are using the default ET rules in this demo;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>...\ndefault-rule-path: \/var\/lib\/suricata\/rules\n\nrule-files:\n  - suricata.rules\n...<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Disable Packet Offloading<\/h3>\n\n\n\n<p>Disable Large Receive Offload (LRO) and Generic Receive Offload (GRO) on the capture interface. These offloads let the kernel or NIC merge received packets into larger segments before Suricata sees them, so it would inspect reassembled data instead of the packets as they arrived on the wire;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>ethtool -K &lt;interface&gt; gro off lro off<\/code><\/pre>\n\n\n\n<p>Replace <code>&lt;interface&gt;<\/code> with your interface.<\/p>\n\n\n\n<p>First check if these features are enabled;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>ethtool -k enp0s8 | grep -iE \"generic|large\"<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>\ttx-checksum-ip-generic: on\ngeneric-segmentation-offload: on\ngeneric-receive-offload: off\nlarge-receive-offload: off &#91;fixed]<\/code><\/pre>\n\n\n\n<p>If enabled, disable them by running the command below. Note that <code>ethtool -K<\/code> settings do not survive a reboot, so make the change persistent through your network configuration if the interface will stay in use as a sensor;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>ethtool -K enp0s8 gro off lro off<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Running Suricata<\/h3>\n\n\n\n<p>Suricata can be managed as a systemd service. The unit file and the <code>\/etc\/sysconfig\/suricata<\/code> file come with the EPEL package; if you built from source, start Suricata directly with the command shown further below.<\/p>\n\n\n\n<p>Before starting it, specify the interface it should listen on in the <code><strong>\/etc\/sysconfig\/suricata<\/strong><\/code> config file.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>vim \/etc\/sysconfig\/suricata<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>...\n\n# Add options to be passed to the daemon\n#OPTIONS=\"-i eth0 --user suricata \"\nOPTIONS=\"-i <strong>enp0s8<\/strong> --user suricata \"<\/code><\/pre>\n\n\n\n<p>Save and exit the file.<\/p>\n\n\n\n<p>Start and enable Suricata to run on boot on CentOS 8.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>systemctl enable --now suricata<\/code><\/pre>\n\n\n\n<p>You can check the status;<\/p>\n\n\n\n<pre 
class=\"wp-block-preformatted\"><code>systemctl status suricata<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>\u25cf suricata.service - Suricata Intrusion Detection Service\n   Loaded: loaded (\/usr\/lib\/systemd\/system\/suricata.service; enabled; vendor preset: disabled)\n   Active: active (running) since Thu 2020-07-23 16:50:34 EAT; 29s ago\n     Docs: man:suricata(1)\n  Process: 19153 ExecStartPre=\/bin\/rm -f \/var\/run\/suricata.pid (code=exited, status=0\/SUCCESS)\n Main PID: 19154 (Suricata-Main)\n    Tasks: 7 (limit: 5027)\n   Memory: 387.6M\n   CGroup: \/system.slice\/suricata.service\n           \u2514\u250019154 \/sbin\/suricata -c \/etc\/suricata\/suricata.yaml --pidfile \/var\/run\/suricata.pid -i enp0s8 --user suricata\n\nJul 23 16:50:34 ceph-admin.kifarunix-demo.com systemd[1]: Starting Suricata Intrusion Detection Service...\nJul 23 16:50:34 ceph-admin.kifarunix-demo.com systemd[1]: Started Suricata Intrusion Detection Service.\nJul 23 16:50:34 ceph-admin.kifarunix-demo.com suricata[19154]: 23\/7\/2020 -- 16:50:34 - &lt;Notice&gt; - This is Suricata version 5.0.3 RELEASE running in SYSTEM mode\nJul 23 16:50:42 ceph-admin.kifarunix-demo.com suricata[19154]: 23\/7\/2020 -- 16:50:42 - &lt;Notice&gt; - all 1 packet processing threads, 4 management threads initialized, \n<\/code><\/pre>\n\n\n\n<p>Note that instead of using the systemd service above, you can run Suricata with a single command (<code>-D<\/code> runs it as a daemon in the background);<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>suricata -D -c \/etc\/suricata\/suricata.yaml -i enp0s8<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\">Suricata logging<\/h4>\n\n\n\n<p>To confirm that Suricata is running, check the Suricata log:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>tail \/var\/log\/suricata\/suricata.log<\/code><\/pre>\n\n\n\n<p>You should see a line like this;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>...\n23\/7\/2020 -- 16:50:42 - - all 1 packet processing threads, 4 management threads initialized, engine 
started.<\/code><\/pre>\n\n\n\n<p>To check Suricata statistics;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>tail -f \/var\/log\/suricata\/stats.log<\/code><\/pre>\n\n\n\n<p>To check Suricata alert logs;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>tail -f \/var\/log\/suricata\/fast.log<\/code><\/pre>\n\n\n\n<p>Suricata also writes its logs in EVE JSON format, which is the output most SIEMs and log shippers consume. The default log file is;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>tail -f \/var\/log\/suricata\/eve.json<\/code><\/pre>\n\n\n\n<p>Check our other guide on&nbsp;<a href=\"https:\/\/kifarunix.com\/install-and-setup-suricata-on-ubuntu-22-04-ubuntu-20-04\/#read-suricata-eve-json-logs-with-jq\" target=\"_blank\" rel=\"noreferrer noopener\">how to read Suricata EVE JSON logs<\/a>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Testing Suricata Rules<\/h3>\n\n\n\n<p>In this demo, we are using the default ET Suricata rules. If you have created your own custom rules, be sure to test them for syntax errors. <code>-T<\/code> runs Suricata in test mode, which loads the configuration and all rules without starting capture, and <code>-v<\/code> makes the output verbose;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>suricata -c \/etc\/suricata\/suricata.yaml -T -v<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>23\/7\/2020 -- 17:44:10 - - Running suricata under test mode\n23\/7\/2020 -- 17:44:10 - - This is Suricata version 5.0.3 RELEASE running in SYSTEM mode\n23\/7\/2020 -- 17:44:10 - - CPUs\/cores online: 1\n23\/7\/2020 -- 17:44:10 - - fast output device (regular) initialized: fast.log\n23\/7\/2020 -- 17:44:10 - - eve-log output device (regular) initialized: eve.json\n23\/7\/2020 -- 17:44:10 - - stats output device (regular) initialized: stats.log\n23\/7\/2020 -- 17:44:12 - - 1 rule files processed. 20676 rules successfully loaded, 0 rules failed\n23\/7\/2020 -- 17:44:12 - - Threshold config parsed: 0 rule(s) found\n23\/7\/2020 -- 17:44:12 - - 20679 signatures processed. 
1138 are IP-only rules, 3987 are inspecting packet payload, 15324 inspect application layer, 103 are decoder event only\n<strong>23\/7\/2020 -- 17:44:25 - - Configuration provided was successfully loaded. Exiting.\n<\/strong>23\/7\/2020 -- 17:44:25 - - cleaning up signature grouping structure\u2026 complete\n<\/code><\/pre>\n\n\n\n<p>Then restart Suricata so that the validated configuration and rules are picked up;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>systemctl restart suricata<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Perform SSH DDoS Test Attack<\/h3>\n\n\n\n<p>On another system, install the hping3 tool and perform an SSH DDoS test attack.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>dnf install hping3<\/code><\/pre>\n\n\n\n<p>Then attack SSH on the server running Suricata.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>hping3 -S -p 22 --flood --rand-source 192.168.56.133<\/code><\/pre>\n\n\n\n<p>Refer to <code>man hping3<\/code>.<\/p>\n\n\n\n<p>While hping is running, tail the alert logs on the Suricata server;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>tail -f \/var\/log\/suricata\/fast.log<\/code><\/pre>\n\n\n\n<p>You should see log lines like these;<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>...\n07\/24\/2020-21:43:02.613445 [**] [1:2400000:2768] ET DROP Spamhaus DROP Listed Traffic Inbound group 1 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 42.163.214.132:4391 -&gt; 192.168.56.133:22\n07\/24\/2020-21:43:02.751133 [**] [1:2400007:2768] ET DROP Spamhaus DROP Listed Traffic Inbound group 8 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 122.8.52.209:11845 -&gt; 192.168.56.133:22\n07\/24\/2020-21:43:02.800769 [**] [1:2400012:2768] ET DROP Spamhaus DROP Listed Traffic Inbound group 13 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 160.184.221.156:15315 -&gt; 192.168.56.133:22\n07\/24\/2020-21:43:02.801827 [**] [1:2400009:2768] ET DROP Spamhaus DROP Listed Traffic Inbound group 10 [**] 
[Classification: Misc Attack] [Priority: 2] {TCP} 139.81.59.221:15607 -&gt; 192.168.56.133:22\n07\/24\/2020-21:43:02.802528 [**] [1:2400013:2768] ET DROP Spamhaus DROP Listed Traffic Inbound group 14 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 163.198.206.175:15818 -&gt; 192.168.56.133:22\n07\/24\/2020-21:43:02.803033 [**] [1:2400021:2768] ET DROP Spamhaus DROP Listed Traffic Inbound group 22 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 196.194.135.87:15970 -&gt; 192.168.56.133:22\n07\/24\/2020-21:43:02.803268 [**] [1:2400006:2768] ET DROP Spamhaus DROP Listed Traffic Inbound group 7 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 110.41.189.155:16042 -&gt; 192.168.56.133:22\n07\/24\/2020-21:43:02.803548 [**] [1:2400009:2768] ET DROP Spamhaus DROP Listed Traffic Inbound group 10 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 143.135.26.50:16131 -&gt; 192.168.56.133:22\n07\/24\/2020-21:43:02.870288 [**] [1:2400021:2768] ET DROP Spamhaus DROP Listed Traffic Inbound group 22 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 196.194.107.110:19140 -&gt; 192.168.56.133:22\n07\/24\/2020-21:43:02.871212 [**] [1:2400003:2768] ET DROP Spamhaus DROP Listed Traffic Inbound group 4 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 101.194.46.143:19453 -&gt; 192.168.56.133:22\n07\/24\/2020-21:43:02.871608 [**] [1:2400021:2768] ET DROP Spamhaus DROP Listed Traffic Inbound group 22 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 196.16.182.33:19588 -&gt; 192.168.56.133:22\n...\n<\/code><\/pre>\n\n\n\n<p>With that simple test, we can see that Suricata is set up and running with the default Emerging Threats rules. Note which rules actually fired: <code>--rand-source<\/code> puts a random, spoofed source address on every SYN, and some of those addresses fall within ranges on the Spamhaus DROP list, so the alerts above come from the ET DROP IP-reputation rules (the sids in the 2400000 range) matching on the source address, not from a signature that detects the SYN flood itself.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Reference<\/h3>\n\n\n\n<p>Read more on the <a aria-label=\"undefined (opens in a new tab)\" href=\"https:\/\/suricata.readthedocs.io\/en\/suricata-5.0.3\/\" target=\"_blank\" 
rel=\"noreferrer noopener\">Suricata User Guide<\/a>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Related Tutorials<\/h3>\n\n\n\n<p><a aria-label=\"undefined (opens in a new tab)\" href=\"https:\/\/kifarunix.com\/install-and-setup-suricata-on-ubuntu-18-04\/\" target=\"_blank\" rel=\"noreferrer noopener\">Install and Setup Suricata on Ubuntu 18.04<\/a><\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Other CentOS 8 Tutorials<\/h3>\n\n\n\n<p><a aria-label=\"undefined (opens in a new tab)\" href=\"https:\/\/kifarunix.com\/install-and-setup-wazuh-server-in-centos-8-fedora-32\/\" target=\"_blank\" rel=\"noreferrer noopener\">Install and Setup Wazuh Server in CentOS 8\/Fedora 32<\/a><\/p>\n\n\n\n<p><a aria-label=\"undefined (opens in a new tab)\" href=\"https:\/\/kifarunix.com\/install-and-use-docker-ce-on-centos-8\/\" target=\"_blank\" rel=\"noreferrer noopener\">Install and Use Docker CE on CentOS 8<\/a><\/p>\n\n\n\n<p><a aria-label=\"undefined (opens in a new tab)\" href=\"https:\/\/kifarunix.com\/install-and-configure-filebeat-on-centos-8\/\" target=\"_blank\" rel=\"noreferrer noopener\">Install and Configure Filebeat on CentOS 8<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/setup-openvpn-server-on-centos-8\/\" target=\"_blank\" aria-label=\"undefined (opens in a new tab)\" rel=\"noreferrer noopener\">Setup OpenVPN Server on CentOS 8<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>In this tutorial, you will learn how to install and setup Suricata on CentOS 8. 
Suricata is a free and open source network threat detection<\/p>\n","protected":false},"author":1,"featured_media":12369,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"rank_math_lock_modified_date":false,"footnotes":""},"categories":[121,34,317],"tags":[1142,1833,1832,1838,1837,318,1834,1835,1836],"class_list":["post-6502","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-howtos","category-security","category-suricata","tag-centos-8","tag-configure-suricata-on-centos-8","tag-install-suricata-centos-8","tag-install-suricata-from-repos","tag-install-suricata-from-source","tag-suricata","tag-suricata-centos-8","tag-suricata-et-rules","tag-suricata-yml","generate-columns","tablet-grid-50","mobile-grid-100","grid-parent","grid-50","resize-featured-image"],"_links":{"self":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/6502"}],"collection":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/comments?post=6502"}],"version-history":[{"count":14,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/6502\/revisions"}],"predecessor-version":[{"id":21444,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/6502\/revisions\/21444"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media\/12369"}],"wp:attachment":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media?parent=6502"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/categories?post=6502"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/tags?post=6502"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","
templated":true}]}}