Deploy and configure Suricata as a network intrusion prevention system with custom rules, Emerging Threats rulesets, and inline traffic inspection for real-time threat blocking.
Suricata is a high-performance, open-source network threat detection engine developed by the Open Information Security Foundation (OISF). It functions as an IDS (Intrusion Detection System), IPS (Intrusion Prevention System), and network security monitoring tool. Suricata performs deep packet inspection using extensive rule sets, protocol analysis, and file extraction capabilities. In IPS mode, Suricata inspects packets inline and can actively block malicious traffic. This skill covers deploying Suricata in IPS mode, configuring rulesets, writing custom rules, performance tuning, and integration with logging infrastructure.
| Mode | Function | Network Position |
|---|---|---|
| IDS (AF_PACKET) | Passive monitoring, alert-only | TAP/SPAN mirror |
| IPS (NFQUEUE) | Inline blocking via netfilter | In traffic path |
| IPS (AF_PACKET) | Inline blocking via AF_PACKET | Bridge between interfaces |
| Offline (PCAP) | Analyze captured traffic files | N/A |
Suricata rules follow a structured format:

```
action protocol src_ip src_port -> dst_ip dst_port (rule_options;)
```
| Field | Values |
|---|---|
| action | alert, pass, drop, reject, rejectsrc, rejectdst, rejectboth |
| protocol | tcp, udp, icmp, ip, http, tls, dns, smtp, ftp |
| direction | -> (unidirectional), <> (bidirectional) |

```bash
# Add Suricata PPA (Ubuntu)
sudo add-apt-repository ppa:oisf/suricata-stable
sudo apt-get update
sudo apt-get install -y suricata suricata-update

# Verify installation
suricata --build-info
suricata -V
```
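As an added example (not part of this skill page or of Suricata itself), a small Python parser for the rule header and option format shown above: it validates the action and protocol keywords listed, splits options on `;` while respecting quoted `msg` strings, and rewrites `alert` rules to `drop` for inline IPS use. The sample rule is constructed for illustration.

```python
import re

ACTIONS = {"alert", "pass", "drop", "reject", "rejectsrc", "rejectdst", "rejectboth"}
PROTOCOLS = {"tcp", "udp", "icmp", "ip", "http", "tls", "dns", "smtp", "ftp"}
HEADER_RE = re.compile(
    r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)$", re.DOTALL)


def split_options(body):
    """Split 'key:value; key2; ...' on ';' outside double quotes, honouring backslash escapes."""
    opts, cur, quoted, escaped = [], [], False, False
    for ch in body:
        if ch == ";" and not quoted and not escaped:
            key, _, val = "".join(cur).strip().partition(":")
            if key:
                opts.append((key.strip(), val.strip() or None))
            cur = []
            continue
        if ch == '"' and not escaped:
            quoted = not quoted
        escaped = ch == "\\" and not escaped
        cur.append(ch)
    if quoted or "".join(cur).strip():
        raise ValueError("unterminated quote or option without trailing ';'")
    return opts


def parse_rule(rule):
    """Parse one rule into a dict; raise ValueError for what Suricata would reject."""
    m = HEADER_RE.match(rule.strip())
    if not m:
        raise ValueError("malformed rule header")
    action, proto, src, sport, direction, dst, dport, body = m.groups()
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    if proto not in PROTOCOLS:
        raise ValueError(f"unknown protocol {proto!r}")
    opts = split_options(body)
    if "sid" not in dict(opts):
        raise ValueError("rule has no sid")
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "direction": direction, "dst": dst, "dport": dport, "options": opts}


def to_ips_drop(rule):
    """Rewrite an alert rule as drop for inline mode; other valid actions are kept as-is."""
    rule = rule.strip()
    return "drop" + rule[5:] if parse_rule(rule)["action"] == "alert" else rule


# Constructed sample (not from any ruleset): SYN burst to SSH, with a ';' inside msg
SAMPLE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"CUSTOM SSH brute force; blocked"; '
          'flow:to_server; flags:S; threshold:type both, track by_src, count 5, seconds 60; '
          'sid:1000001; rev:1;)')
```

Run the output through `suricata -T -S <file>` before loading it inline, since this parser checks only header keywords and option syntax, not option semantics.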
Edit /etc/suricata/suricata.yaml:
%YAML 1.1
---