configuring-suricata-for-network-monitoring
Deploys and configures Suricata IDS/IPS with Emerging Threats rulesets, EVE JSON logging, and custom rules for real-time network traffic inspection, threat detection, and integration with SIEM platforms for centralized security monitoring.
What this skill does
# Configuring Suricata for Network Monitoring
## When to Use
- Deploying a high-performance IDS/IPS capable of multi-threaded packet processing for 10+ Gbps network links
- Monitoring network traffic with protocol-aware inspection for HTTP, TLS, DNS, SMB, and other protocols
- Generating structured EVE JSON logs for direct SIEM ingestion without custom parsers
- Running in inline (IPS) mode to actively block malicious traffic at network choke points
- Combining signature-based detection with protocol anomaly detection and file extraction
**Do not use** as a standalone security control without complementary controls; for payload inspection of encrypted traffic without a TLS decryption point in front of the sensor (Suricata sees TLS metadata such as SNI, certificates and JA3, not the plaintext); or on hosts with insufficient CPU/memory for the expected traffic volume, where the result is silent kernel drops rather than slow detection.
## Prerequisites
- Suricata 7.0+ installed from PPA or source (`suricata --build-info`)
- Network interface on a span port, tap, or inline bridge for traffic capture
- AF_PACKET or DPDK support for high-performance packet capture
- Emerging Threats Open (free) or ET Pro (subscription) ruleset, or Snort/Talos rules via oinkcode
- suricata-update tool for automated rule management
- Elasticsearch/Kibana or Splunk for log analysis and visualization
## Workflow
### Step 1: Install Suricata and Dependencies
```bash
# Install from PPA (Ubuntu/Debian)
sudo add-apt-repository ppa:oisf/suricata-stable
sudo apt update
sudo apt install -y suricata suricata-update jq
# Verify installation and capture-method support (build-info prints "version" in lower case)
suricata --build-info | grep -iE "version|AF_PACKET|NFQueue"
# Or install from source for latest features
sudo apt install -y libpcre2-dev build-essential autoconf automake libtool pkg-config \
  libpcap-dev libnet1-dev libyaml-dev libjansson-dev libcap-ng-dev liblz4-dev \
  libmagic-dev libnetfilter-queue-dev libhiredis-dev rustc cargo cbindgen
git clone https://github.com/OISF/suricata.git
# libhtp ships inside release tarballs but must be cloned for a git checkout
cd suricata && git clone https://github.com/OISF/libhtp.git -b 0.5.x
./autogen.sh && ./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var \
  --enable-nfqueue --enable-af-packet
# install-conf drops suricata.yaml and classification.config into /etc/suricata
make -j$(nproc) && sudo make install install-conf
```
### Step 2: Configure Network Interfaces
```bash
# Bring the capture interface up (no address needed) and disable NIC offloading;
# otherwise the kernel hands Suricata coalesced "super packets" that break
# stream reassembly and exceed the snaplen
sudo ip link set eth1 up
sudo ethtool -K eth1 gro off lro off tso off gso off rx off tx off sg off
# Set interface to promiscuous mode (AF_PACKET mode also does this itself)
sudo ip link set eth1 promisc on
# Confirm the offloads really went off; some drivers silently refuse
ethtool -k eth1 | grep -E "generic-receive-offload|large-receive-offload|tcp-segmentation-offload"
# For high-performance deployments, configure AF_PACKET with multiple threads
# in the af-packet section of /etc/suricata/suricata.yaml (Step 3)
```
### Step 3: Configure suricata.yaml
```yaml
# /etc/suricata/suricata.yaml (key sections; edit the shipped file in place,
# it carries many other keys Suricata expects)

# Network variables. Get HOME_NET right: every $HOME_NET/$EXTERNAL_NET rule
# depends on it, and a wrong value silently blinds half the ruleset.
vars:
  address-groups:
    HOME_NET: "[10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16]"
    EXTERNAL_NET: "!$HOME_NET"
    HTTP_SERVERS: "$HOME_NET"
    DNS_SERVERS: "$HOME_NET"
    SMTP_SERVERS: "$HOME_NET"

# Rule files: suricata-update writes the merged ruleset to this path.
# Relative entries in rule-files resolve against default-rule-path.
default-rule-path: /var/lib/suricata/rules
rule-files:
  - suricata.rules

# AF_PACKET capture: one thread per core, flows pinned to a thread by hash
af-packet:
  - interface: eth1
    threads: auto
    cluster-id: 99
    cluster-type: cluster_flow
    defrag: yes
    use-mmap: yes
    ring-size: 200000
    buffer-size: 262144

outputs:
  # EVE JSON logging (primary output format): one JSON object per line
  - eve-log:
      enabled: yes
      filetype: regular
      filename: eve.json
      pcap-file: false
      community-id: true   # same flow hash as Zeek, for cross-tool correlation
      types:
        - alert:
            tagged-packets: yes
            payload: yes
            payload-printable: yes
            http-body: yes
            http-body-printable: yes
        - http:
            extended: yes
        - dns:
            version: 2
            requests: yes
            responses: yes
        - tls:
            extended: yes
        - files:
            force-magic: yes
            force-hash: [md5, sha256]
        - smtp:
            extended: yes
        - flow
        - netflow
        - anomaly:
            enabled: yes
        - stats:
            totals: yes
            threads: yes
  # PCAP logging. "conditional: alerts" keeps only packets of flows that
  # alerted; the default ("all") writes every packet and fills the disk.
  - pcap-log:
      enabled: yes
      filename: alert-%n.pcap
      limit: 100mb
      max-files: 50
      mode: normal
      conditional: alerts
      use-stream-depth: no
      honor-pass-rules: no

# Stream engine. Raise the memcaps with traffic volume and watch the stats
# event for memcap-induced drops.
stream:
  memcap: 512mb
  checksum-validation: no   # still inspect packets with bad checksums
  reassembly:
    memcap: 1gb
    depth: 1mb
    toserver-chunk-size: 2560
    toclient-chunk-size: 2560

# Detection engine. custom-values are only read with "profile: custom";
# with "high" they are ignored.
detect:
  profile: high
  custom-values:
    toclient-groups: 200
    toserver-groups: 200
  sgh-mpm-context: auto
  inspection-recursion-limit: 3000

# Protocol detection and parsing
app-layer:
  protocols:
    http:
      enabled: yes
      memcap: 64mb
    tls:
      enabled: yes
      detection-ports:
        dp: 443, 8443
      ja3-fingerprints: yes   # required by ja3.hash rules (Step 4)
    dns:
      tcp:
        enabled: yes
        detection-ports:
          dp: 53
      udp:
        enabled: yes
        detection-ports:
          dp: 53
    smb:
      enabled: yes
      detection-ports:
        dp: 139, 445
    ssh:
      enabled: yes
      hassh: yes
```
### Step 4: Download and Manage Rulesets
```bash
# Fetch the source index, then pull the default ET Open ruleset
sudo suricata-update update-sources
sudo suricata-update
# Enable additional rule sources
sudo suricata-update list-sources
sudo suricata-update enable-source et/open
sudo suricata-update enable-source oisf/trafficid
sudo suricata-update enable-source ptresearch/attackdetection
# Disable noisy rules. disable.conf takes a SID, a "re:" regex matched
# against the rule text, or a "group:" file glob; comments go on their own line.
# Keep 2100498 (GPL ATTACK_RESPONSE id check returned root) enabled, Step 5 uses it.
sudo tee /etc/suricata/disable.conf << 'EOF'
# ET POLICY curl User-Agent Outbound
2013028
# Every "ET INFO ... Observed ..." informational rule
re:ET INFO.*Observed
# Whole policy category
group:emerging-policy.rules
EOF
# Create custom local rules
sudo mkdir -p /etc/suricata/rules
sudo tee /etc/suricata/rules/local.rules << 'EOF'
# Reverse shell: outbound to a listener on 4444 carrying "/bin/" (|2f 62 69 6e 2f|)
alert tcp $HOME_NET any -> $EXTERNAL_NET 4444 (msg:"LOCAL Reverse Shell Port 4444"; flow:established,to_server; content:"|2f 62 69 6e 2f|"; sid:9000001; rev:1; classtype:trojan-activity; priority:1;)
# DNS tunneling: query name longer than 50 bytes (bsize tests the dns.query buffer length)
alert dns $HOME_NET any -> any any (msg:"LOCAL DNS Tunneling Long Query"; dns.query; bsize:>50; sid:9000002; rev:1; classtype:policy-violation; priority:2;)
# TLS client fingerprint equal to the Cobalt Strike default JA3; needs ja3-fingerprints: yes in app-layer.protocols.tls
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"LOCAL Cobalt Strike JA3 Hash"; ja3.hash; content:"72a589da586844d7f0818ce684948eea"; sid:9000003; rev:1; classtype:trojan-activity; priority:1;)
# SSH brute force: 10 or more SSH sessions from one source within 60 s, one alert per window
alert ssh $EXTERNAL_NET any -> $HOME_NET 22 (msg:"LOCAL SSH Brute Force Attempt"; flow:to_server; threshold:type both, track by_src, count 10, seconds 60; sid:9000004; rev:1; classtype:attempted-admin; priority:2;)
# Large HTTP POST: Content-Length with 8 or more digits, i.e. >= 10,000,000 bytes.
# http.content_len holds the decimal string, so a content match on ">" can never fire.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"LOCAL Large HTTP POST Upload"; flow:to_server,established; http.method; content:"POST"; http.content_len; bsize:>7; sid:9000005; rev:1; classtype:policy-violation; priority:2;)
EOF
# Merge the local rules into suricata.rules. Appending " - local.rules" to the
# end of suricata.yaml does not work: it is invalid YAML there and a relative
# name would resolve under /var/lib/suricata/rules anyway. Either pass --local
# on every run or list the file under "local:" in /etc/suricata/update.yaml.
sudo suricata-update --local /etc/suricata/rules/local.rules
# Check what got loaded (disabled rules stay in the file commented out, so wc counts them too)
sudo suricata-update list-sources --enabled
wc -l /var/lib/suricata/rules/suricata.rules
grep -c "sid:90000" /var/lib/suricata/rules/suricata.rules
```
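To exercise local.rules offline before the sensor goes live, here is an added example (not Suricata or Emerging Threats code) that writes a four-packet pcap: a full TCP handshake followed by one data segment from a HOME_NET host to port 4444 carrying "/bin/", which is exactly what sid 9000001 needs (established, to_server, the content bytes). Replay it with `suricata -r`. Hosts, ports, MACs, the payload, the output path /tmp/revshell-test.pcap and the log directory /tmp/suri-test are all constructed or assumed; the script uses only the standard library. Suricata's pcap-file checksum check defaults to auto, so the IP and TCP checksums are computed for real rather than zeroed.

```python
#!/usr/bin/env python3
"""Write a minimal pcap whose one TCP session should fire the LOCAL
reverse-shell rule (sid 9000001) when replayed with "suricata -r".
Added example for this page, not Suricata or Emerging Threats code.
Addresses (RFC 1918 / RFC 5737), ports, MACs and payload are constructed."""
import struct
import time

ETH_IPV4 = 0x0800
IP_PROTO_TCP = 6
SYN, ACK, PSH = 0x02, 0x10, 0x08


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum. Run over a header that already carries
    a correct checksum it returns 0, which is how a receiver verifies it."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_frame(src, dst, sport, dport, seq, ack, flags, payload=b"", ident=1):
    """Ethernet/IPv4/TCP frame with valid IP and TCP checksums; Suricata's
    pcap-file checksum check (auto by default) would otherwise discard it."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    # TCP header: 20 bytes, no options; checksum covers pseudo-header + segment
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags,
                      65535, 0, 0) + payload
    pseudo = src_b + dst_b + struct.pack("!BBH", 0, IP_PROTO_TCP, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    # IPv4 header: 20 bytes, DF set, TTL 64, checksum over the header only
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), ident, 0x4000,
                     64, IP_PROTO_TCP, 0, src_b, dst_b)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    # Ethernet: dst MAC, src MAC, EtherType (locally administered test MACs)
    eth = (b"\x02\x00\x00\x00\x00\x02" + b"\x02\x00\x00\x00\x00\x01"
           + struct.pack("!H", ETH_IPV4))
    return eth + ip + tcp


def reverse_shell_session(victim="192.168.1.50", attacker="203.0.113.10",
                          sport=51000, dport=4444):
    """Three-way handshake, then the victim pushes a shell banner containing
    "/bin/" to the attacker's listener: HOME_NET -> EXTERNAL_NET:4444,
    established, to_server, the three conditions sid 9000001 checks."""
    cseq, sseq = 1000, 5000
    payload = b"/bin/sh: no job control in this shell\n"
    steps = [
        (victim, attacker, sport, dport, cseq, 0, SYN, b""),
        (attacker, victim, dport, sport, sseq, cseq + 1, SYN | ACK, b""),
        (victim, attacker, sport, dport, cseq + 1, sseq + 1, ACK, b""),
        (victim, attacker, sport, dport, cseq + 1, sseq + 1, PSH | ACK, payload),
    ]
    return [tcp_frame(*s, ident=i + 1) for i, s in enumerate(steps)]


def pcap_bytes(frames, linktype=1) -> bytes:
    """Serialize frames as a classic libpcap file (magic 0xa1b2c3d4,
    microsecond timestamps, LINKTYPE_ETHERNET)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    base = int(time.time())
    for i, frame in enumerate(frames):
        # ts_sec, ts_usec, incl_len, orig_len; packets 1 ms apart, in order
        out += struct.pack("<IIII", base, i * 1000, len(frame), len(frame)) + frame
    return out


def write_pcap(path, frames):
    with open(path, "wb") as fh:
        fh.write(pcap_bytes(frames))


if __name__ == "__main__":
    write_pcap("/tmp/revshell-test.pcap", reverse_shell_session())
    print("wrote /tmp/revshell-test.pcap; replay with:")
    print("  mkdir -p /tmp/suri-test && sudo suricata -c /etc/suricata/suricata.yaml "
          "-r /tmp/revshell-test.pcap -S /etc/suricata/rules/local.rules -l /tmp/suri-test")
    print("then: jq 'select(.event_type==\"alert\") | .alert.signature' /tmp/suri-test/eve.json")
```

`-S` loads local.rules exclusively, so the ET ruleset adds no noise to the test, while `-c` still supplies HOME_NET/EXTERNAL_NET: 192.168.1.50 has to fall inside HOME_NET and 203.0.113.10 outside it, which holds for the variables in Step 3. The same approach does not cover sid 9000003, which needs a real TLS ClientHello for JA3; test that one with a captured pcap instead.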
### Step 5: Deploy and Validate
```bash
# Validate configuration, rules included; fix every error before starting
sudo suricata -T -c /etc/suricata/suricata.yaml -v
# Run Suricata in IDS mode (daemonised)
sudo suricata -c /etc/suricata/suricata.yaml --af-packet=eth1 -D
# Or run in IPS mode (inline with NFQueue). The FORWARD chain covers routed
# traffic only; add INPUT/OUTPUT if the host's own traffic matters. Only rules
# with action "drop" block here, "alert" rules still pass the packet, so convert
# the ones you trust, e.g. in /etc/suricata/modify.conf:
#   re:trojan "^alert" "drop"
# sudo iptables -I FORWARD -j NFQUEUE --queue-num 0
# sudo suricata -c /etc/suricata/suricata.yaml -q 0 -D
# Create systemd service (overrides the unit shipped by the PPA package)
sudo tee /etc/systemd/system/suricata.service << 'EOF'
[Unit]
Description=Suricata IDS/IPS
After=network.target
Requires=network.target
[Service]
Type=simple
ExecStartPre=/usr/bin/suricata -T -c /etc/suricata/suricata.yaml
ExecStart=/usr/bin/suricata -c /etc/suricata/suricata.yaml --af-packet=eth1 --pidfile /var/run/suricata.pid
# SIGUSR2 makes Suricata reload its rules without restarting
ExecReload=/bin/kill -USR2 $MAINPID
Restart=on-failure
[Install]
WantedBy=multi-user.target
EOF
sudo systemctl daemon-reload
sudo systemctl enable --now suricata
# Test with a known signature: the page body contains "uid=0(root)", which
# fires GPL ATTACK_RESPONSE id check returned root (sid 2100498)
curl http://testmynids.org/uid/index.html
# Verify the alert landed in EVE
sudo jq -c 'select(.event_type=="alert") | {timestamp, src_ip, dest_ip, sid: .alert.signature_id, sig: .alert.signature}' /var/log/suricata/eve.json | tail -n 5
# Verify the capture is not dropping packets (kernel_drops should stay at 0)
sudo jq -c 'select(.event_type=="stats") | .stats.capture' /var/log/suricata/eve.json | tail -n 1
```