{"code":"LS7VMB","title":"Introduction to Network Threat Detection with Suricata","speakers":["ZYRJ3B"],"submission_type":23,"track":27,"tags":[],"state":"confirmed","abstract":"This session offers a practical introduction to Suricata, an open-source Network Intrusion Detection and Intrusion Prevention System (IDS/IPS), focusing on its role in detecting and mitigating network threats. Through a series of practical exercises, participants will gain insight into the fundamentals of network security and how Suricata can be used to secure networks.\r\n\r\nAttendees will work through a series of exercises in which they evaluate network traffic and identify threats and anomalies. The workshop is an opportunity to explore Suricata's features and how they enhance network security.\r\n\r\n-------------------------------------------------------------\r\n# Instructions\r\n\r\nTo actively participate, it is best to come prepared. You are welcome to come regardless: you can either \"just\" observe, or use Docker to be ready in a few moments.\r\n\r\nIdeally, so that the session can focus on its essential content (network traffic inspection), attendees should bring their own laptop with Suricata and Evebox already installed and working. Ubuntu is the most common OS, but you can also use another OS or a virtual machine. You can use a native installation or Docker images (e.g., when running on macOS or Windows).\r\n\r\n## Native installation:\r\n\r\nHow to install Suricata (Ubuntu/Debian/CentOS, ...):\r\nhttps://docs.suricata.io/en/latest/install.html#ubuntu-from-personal-package-archives-ppa\r\n\r\nHow to install Evebox (installation through the APT/RPM repository is recommended):\r\nhttps://evebox.org/docs/install/\r\n\r\n## Docker:\r\n\r\n### Environment preparation\r\n\r\nHave Docker installed and change into a folder that will serve as the working directory for the Suricata and Evebox containers:\r\n```bash\r\nmkdir -p suricata-demo/{etc,pcap,rules,logs}\r\ncd suricata-demo/\r\n```\r\n\r\n### Rule and config files initialization\r\n\r\n```bash\r\nsudo docker run --rm -it --entrypoint /bin/sh -v \"$(pwd)/etc:/etc/suricata\" -v \"$(pwd)/rules:/var/lib/suricata/rules\" jasonish/suricata:latest -c \"suricata-update --no-reload --no-test && /usr/bin/suricata -V\"\r\n```\r\n\r\n### PCAP_PATH\r\n\r\n`PCAP_PATH` should be the only thing you need to adjust: set it to the path of the PCAP file you want to inspect. The command clears the previous pcap and logs, copies the PCAP in, runs Suricata over it in offline (pcap file) mode, and then starts Evebox on the resulting eve.json.\r\n```bash\r\nPCAP_PATH=~/Downloads/HTTP.cap && rm -f $(pwd)/{pcap,logs}/* && cp \"$PCAP_PATH\" \"$(pwd)/pcap/\" && sudo docker run --rm -v \"$(pwd)/pcap:/pcap:ro\" -v \"$(pwd)/rules:/rules:ro\" -v \"$(pwd)/etc:/etc/suricata\" -v \"$(pwd)/logs:/var/log/suricata\" jasonish/suricata:latest suricata -r /pcap -l /var/log/suricata -S /rules/suricata.rules -c /etc/suricata/suricata.yaml && sudo docker run --rm -v \"$(pwd)/logs:/var/log/suricata:ro\" -p 5636:5636 jasonish/evebox:latest evebox oneshot --host 0.0.0.0 /var/log/suricata/eve.json\r\n```\r\n\r\nThe instructions might need adjusting if you run on Windows; a Linux-based VM is usually the easiest option.\r\n\r\n\r\n# Verify the setup\r\nYou can verify the installation by:\r\n- downloading a sample pcap, e.g., from https://wiki.wireshark.org/samplecaptures\r\n- running the pcap through Suricata and Evebox with this command (or use the Docker command):\r\n`suricata -r <PATH_TO_PCAP> -l /tmp/ -S /dev/null -k none && sudo evebox oneshot /tmp/eve.json`\r\n\r\nIn the Events section of the local Evebox web interface, you should now see Suricata events.","duration":105,"slot_count":1,"content_locale":"cs","do_not_record":false,"image":null,"resources":[93],"slots":[6002],"answers":[183]}