summaryrefslogtreecommitdiff
path: root/docs/configuration/service/suricata.rst
diff options
context:
space:
mode:
Diffstat (limited to 'docs/configuration/service/suricata.rst')
-rw-r--r--docs/configuration/service/suricata.rst101
1 files changed, 101 insertions, 0 deletions
diff --git a/docs/configuration/service/suricata.rst b/docs/configuration/service/suricata.rst
new file mode 100644
index 00000000..b72bc52a
--- /dev/null
+++ b/docs/configuration/service/suricata.rst
@@ -0,0 +1,101 @@
+.. _suricata:
+
+########
+suricata
+########
+
+Suricata and VyOS are powerful tools for ensuring network security and traffic management.
+Suricata is an open-source intrusion detection and prevention system (IDS/IPS) that analyzes network packets in real-time.
+
+
+Suricata Features
+=================
+
+Intrusion Detection (IDS): Analyzes network traffic and detects suspicious activities, attacks, and malicious traffic.
+Intrusion Prevention (IPS): Blocks or modifies suspicious traffic in real-time, preventing attacks before they penetrate the network.
+Network Security Monitoring (NSM): Collects and analyzes network data to detect anomalies and identify threats.
+Multi-Protocol Support: Suricata supports analysis of various network protocols such as HTTP, FTP, SMB, and many others.
+In configuration mode, the commands are as follows:
+
+.. code-block:: none
+
+ vyos@vyos# set service suricata
+ Possible completions:
+ +> address-group Address group name
+ + interface Interface to use
+ > log Suricata log outputs
+ +> port-group Port group name
+
+These commands create a flexible interface for configuring the Suricata service, allowing users to specify addresses, ports,
+and logging parameters.
+
+After completing the service configuration in configuration mode, the main configuration file suricata.yaml is created,
+into which all specified parameters are added. Then, to ensure proper operation, the command :opcmd:`update suricata` must be run
+from operational mode, waiting for Suricata to update all its rules, which are used for analyzing traffic for threats and attacks.
+
+
+Configuration
+=============
+
+.. cfgcmd:: set service suricata address-group <text> <address | group>
+
+ Address groups are useful when you need to create rules that apply to specific IP addresses.
+ For example, if you want to create a rule that monitors traffic going to or from a specific IP address,
+ you can use the group name instead of the actual IP address. This simplifies rule management and makes the
+ configuration more flexible.
+
+ * ``address`` IP address or subnet.
+
+ * ``group`` Address group.
+
+.. cfgcmd:: set service suricata port-group <text> <address | group>
+
+ Port groups are useful when you need to create rules that apply to specific ports.
+ For example, if you want to create a rule that monitors traffic directed to a specific port or group of ports,
+ you can use the group name instead of the actual port. This also simplifies rule management and makes
+ the configuration more flexible.
+
+ * ``port`` Port number.
+
+ * ``group`` Port group.
+
+.. cfgcmd:: set service suricata interface <text>
+
+ The interface that will be monitored by the Suricata service.
+
+
+.. cfgcmd:: set service suricata log eve <filename | filetype | type>
+
+ Configuration of the logging file.
+
+ * ``filename`` Log file (default: eve.json).
+
+ * ``filetype`` EVE logging destination (default: regular).
+
+ * ``type`` Log types.
+
+Operation Mode
+==============
+
+.. cfgcmd:: update suricata
+
+ Checks for the existence of the Suricata configuration file, updates the service,
+ and then restarts it. If the configuration file is not found, a message indicates that Suricata is not configured.
+
+
+.. cfgcmd:: restart suricata
+
+ Restarts the service. It checks if the Suricata service is active before attempting to restart it.
+ If it is not active, a message indicates that the service is not configured. This command is used when adding new rules manually.
+
+Conclusion
+==============
+
+Using address and port groups allows you to make your Suricata configuration more flexible and manageable.
+Instead of specifying IP addresses and ports directly in each rule, you can define them once in the vars section and then
+reference them by group names. This is especially useful in large networks and complex configurations where multiple IP addresses
+and ports need to be monitored.
+
+
+
+ \ No newline at end of file