# Suricata installation
## Install on the agent that needs to be monitored
[Reference page](https://documentation.wazuh.com/current/proof-of-concept-guide/integrate-network-ids-suricata.html)
1. Install Suricata on the Ubuntu endpoint. We tested this process with version 6.0.8 and it can take some time:
```bash
sudo add-apt-repository ppa:oisf/suricata-stable
sudo apt-get update
sudo apt-get install suricata -y
```
2. Download and extract the Emerging Threats Suricata ruleset:
```bash
cd /tmp/ && curl -LO https://rules.emergingthreats.net/open/suricata-6.0.8/emerging.rules.tar.gz
sudo tar -xvzf emerging.rules.tar.gz && sudo mv rules/*.rules /etc/suricata/rules/
sudo chmod 640 /etc/suricata/rules/*.rules
```
3. Modify Suricata settings in the /etc/suricata/suricata.yaml file and set the following variables:
```yaml
HOME_NET: "[140.122.184.28]" # IP of the agent on which Suricata is being installed
EXTERNAL_NET: "any"
default-rule-path: /etc/suricata/rules
rule-files:
  - "*.rules"
# Global stats configuration
stats:
  enabled: no
# Linux high speed capture support
af-packet:
  - interface: enp1s0
```
4. Restart the Suricata service:
```bash
sudo systemctl restart suricata
```
5. Add the following configuration to the /var/ossec/etc/ossec.conf file of the Wazuh agent. This allows the Wazuh agent to read the Suricata logs file:
```xml
<ossec_config>
  <localfile>
    <log_format>json</log_format>
    <location>/var/log/suricata/eve.json</location>
  </localfile>
</ossec_config>
```
6. Restart the Wazuh agent to apply the changes:
```bash
sudo systemctl restart wazuh-agent
```
## Attack emulation
Ping the Ubuntu endpoint IP address from the Wazuh server:
```bash
# Send 10 ICMP echo requests from the Wazuh server to the Ubuntu endpoint
# (-c sets the packet count on Linux ping)
ping -c 10 140.122.184.28
```
As shown in the figure below:
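To check that the pipeline from step 5 is actually producing what the ping test should produce, it helps to look directly at `/var/log/suricata/eve.json`, the file the Wazuh agent tails. The script below is an added example, not part of these notes or of the Wazuh guide: it parses EVE JSON lines, keeps only `alert` events, flattens them into dotted field names (the same shape a JSON log decoder exposes, e.g. `alert.signature`), and tags each alert as inbound or outbound relative to the `HOME_NET` value from step 3. The sample lines, the server IP `140.122.184.1`, the signature texts and the signature IDs `9000001`/`9000002` are all constructed for the example and are not real ruleset entries.

```python
"""Read Suricata EVE JSON (the file the Wazuh agent reads) and summarise alerts.

Added example, not code from the original notes or from the Wazuh guide.
All sample lines below are constructed; signatures and sids are illustrative.
"""
import json
from collections import Counter

# HOME_NET from the suricata.yaml step: the agent's own address.
HOME_NET = {"140.122.184.28"}

# Constructed eve.json lines: one flow record, two inbound ICMP alerts,
# one outbound ICMP alert, one truncated line, one blank line.
SAMPLE_EVE_LINES = [
    json.dumps({"timestamp": "2023-06-01T10:00:00.000001+0800", "event_type": "flow",
                "src_ip": "140.122.184.1", "dest_ip": "140.122.184.28", "proto": "ICMP"}),
    json.dumps({"timestamp": "2023-06-01T10:00:01.000002+0800", "event_type": "alert",
                "in_iface": "enp1s0", "src_ip": "140.122.184.1", "dest_ip": "140.122.184.28",
                "proto": "ICMP", "icmp_type": 8, "icmp_code": 0,
                "alert": {"action": "allowed", "gid": 1, "signature_id": 9000001, "rev": 1,
                          "signature": "ICMP echo request (constructed sample signature)",
                          "category": "Misc activity", "severity": 3}}),
    json.dumps({"timestamp": "2023-06-01T10:00:02.000003+0800", "event_type": "alert",
                "in_iface": "enp1s0", "src_ip": "140.122.184.1", "dest_ip": "140.122.184.28",
                "proto": "ICMP", "icmp_type": 8, "icmp_code": 0,
                "alert": {"action": "allowed", "gid": 1, "signature_id": 9000001, "rev": 1,
                          "signature": "ICMP echo request (constructed sample signature)",
                          "category": "Misc activity", "severity": 3}}),
    json.dumps({"timestamp": "2023-06-01T10:00:02.000004+0800", "event_type": "alert",
                "in_iface": "enp1s0", "src_ip": "140.122.184.28", "dest_ip": "140.122.184.1",
                "proto": "ICMP", "icmp_type": 0, "icmp_code": 0,
                "alert": {"action": "allowed", "gid": 1, "signature_id": 9000002, "rev": 1,
                          "signature": "ICMP echo reply (constructed sample signature)",
                          "category": "Misc activity", "severity": 3}}),
    '{"timestamp": "2023-06-01T10:00:03.000005+0800", "event_type": "al',  # truncated write
    "",
]


def parse_eve(lines):
    """Yield decoded EVE events, skipping blank or malformed lines.

    eve.json is appended to continuously, so a reader can observe a
    half-written last line; dropping it is the right behaviour here.
    """
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def flatten(event, prefix=""):
    """Flatten nested JSON into dotted keys, e.g. {"alert": {"signature": x}}
    becomes {"alert.signature": x}."""
    flat = {}
    for key, value in event.items():
        name = f"{prefix}{key}"
        if isinstance(value, dict):
            flat.update(flatten(value, name + "."))
        else:
            flat[name] = value
    return flat


def alerts_from_eve(lines, home_net=HOME_NET):
    """Return flattened alert events, each tagged with its direction
    relative to HOME_NET (inbound = destination is a HOME_NET address)."""
    alerts = []
    for event in parse_eve(lines):
        if event.get("event_type") != "alert":
            continue
        flat = flatten(event)
        flat["direction"] = "inbound" if flat.get("dest_ip") in home_net else "outbound"
        alerts.append(flat)
    return alerts


def signature_counts(lines, home_net=HOME_NET):
    """Count alerts per signature, the quickest way to confirm the ping
    test fired the expected rule."""
    return Counter(a["alert.signature"] for a in alerts_from_eve(lines, home_net))


if __name__ == "__main__":
    # Run against the constructed sample; on the agent, replace the list with
    # open("/var/log/suricata/eve.json") to read the real file.
    for sig, count in signature_counts(SAMPLE_EVE_LINES).items():
        print(f"{count:3d}  {sig}")
    for a in alerts_from_eve(SAMPLE_EVE_LINES):
        print(a["direction"], a["src_ip"], "->", a["dest_ip"], a["alert.signature_id"])
```

On the agent itself, `sudo suricata -T -c /etc/suricata/suricata.yaml` validates the YAML from step 3 before restarting, and if the ping produces no `alert` lines while `flow` lines do appear, the usual causes are the wrong `af-packet` interface name or a `HOME_NET` that does not contain the endpoint's address.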

