suricata install and check

[sahostking]

So thinking of installing suricata but just want to check if this is correct:

apt-get install suricata
modprobe nfnetlink_queue

nano /etc/pve/firewall/132.fw
Add below to the file above
[OPTIONS]
ips: 1
ips_queues: 0

Now go to proxmox a be sure on Datacenter the firewall is enabled which it is
Then go to VM level and ensure the firewall is on the network under hardware and on in firewall section and loglevel set to debug for now.

Once done go to /etc/suricata/suricata.yaml

And change eth0 to eno1 as proxmox host server network is eno1?

af-packet:
- interface: eth0

to

af-packet:
- interface: eno1

and

pcap:
- interface: eth0

to

pcap:
- interface: eno1

Once done restart suricata and I am done?

Getting missing rules issue though

6/10/2022 -- 14:38:39 - <Info> - stats output device (regular) initialized: stats.log
6/10/2022 -- 14:38:39 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /etc/suricata/rules/suricata.rules
6/10/2022 -- 14:38:39 - <Warning> - [ERRCODE: SC_ERR_NO_RULES_LOADED(43)] - 1 rule files specified, but no rules were loaded!

So not sure if its working now or not.

Any ideas what I am missing.

 

[Moayad]

Hello,

Any ideas what I am missing.

Have you followed our docs about suricata [0]?


[0] https://pve.proxmox.com/pve-docs/chapter-pve-firewall.html#_suricata_ips_integration

 

[sahostking]

yip thats exactly as written above. I even pasted what was in your docs above. It does not work that simply though. There must be some tweaks regarding rules that need to be done.

6/10/2022 -- 15:15:57 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /etc/suricata/rules/suricata.rules
6/10/2022 -- 15:15:57 - <Warning> - [ERRCODE: SC_ERR_NO_RULES_LOADED(43)] - 1 rule files specified, but no rules were loaded!
6/10/2022 -- 15:15:57 - <Info> - Threshold config parsed: 0 rule(s) found
6/10/2022 -- 15:15:57 - <Info> - 0 signatures processed. 0 are IP-only rules, 0 are inspecting packet payload, 0 inspect application layer, 0 are decoder event only
6/10/2022 -- 15:15:57 - <Info> - Going to use 24 thread(s)


This sounds very much like no rules are loaded.

I'm googling a bit so I am sure will resolve it eventually was just wondering if anyone else had tips or a better procedure regarding it.

 

[Moayad]

Are the rules in the `/var/lib/suricata/rules` path?

Did you check from the permission of the rules?

Says the output of `suricata -T` any warnings or errors?

 

[sahostking]

Not to worry. Got it working. Had to add it in that path but also place it in the suricata.yaml file aswell so it reads it.
Once I did that rules started working.
Last thing is getting it into IPS mode as currently its only alerting and not blocking even though it has nfqueue set as per your instructions.

 

[ljprevo]

Why was this never updated? Sorry this is old, but this is the thing that bothers me about IT, instructions are put out there, but NEVER detailed enough. You go on a wild goose chase to get it up an running correct. The proxmox instructions say how to get ISP installed, but not how its used.

"Had to add it in that path but also place it in the suricata.yaml file aswell so it reads it."
Could the original poster give detailed instructions how they got it to work? What is it? I have a lot of China ip's hitting my host and I want them automatically blocked.

 

[ciaran]

Don't know what the OP did @ljprevo but I just installed suricata. I followed the additional installation instructions over at the suricata website (https://docs.suricata.io/en/latest/quickstart.html#basic-setup) which suggests running 'suricata-update' once I did this I then edited the /etc/suricata/suricata.yaml file where it said default-rule-path I changed the value from 'etc/suricata/rules' to '/var/lib/suricata/rules' restarted suricata and for the VMs I've enabled it appears to be working 'woop!'