# Walk-through: build Suricata 2.0.2 from source for inline (NFQUEUE) operation,
# build barnyard2 for log processing, tune the capture NIC, and enable file
# extraction plus TLS logging. The paste mixes shell commands, YAML fragments,
# barnyard2 directives and one Suricata rule; the non-shell parts are kept as
# written and marked below.
#
# NOTE(review): the source tarball is fetched over plain HTTP and nothing here
# verifies it. Check the archive against the project's published checksum or
# signature before building (expected value: <SURICATA_2_0_2_SHA256_PLACEHOLDER>).
wget http://www.openinfosecfoundation.org/download/suricata-2.0.2.tar.gz
tar -xvzf suricata-2.0.2.tar.gz
cd suricata-2.0.2
# --enable-nfqueue compiles the netfilter queue input used by the iptables
# rules further down; prefix/sysconfdir/localstatedir place files under
# /usr, /etc and /var.
./configure --enable-nfqueue --prefix=/usr --sysconfdir=/etc --localstatedir=/var
make
sudo make install
sudo ldconfig
sudo mkdir /var/log/suricata
# Run-as identity from the Suricata YAML config (YAML, not shell).
# NOTE(review): the log directory above is created by root, while the daemon
# is configured to drop to the suricata user — presumably the directory needs
# to be chown'd to suricata:suricata before the first run; confirm.
user: suricata
group: suricata
# Divert traffic into the queue Suricata reads. The first rule only queues
# inbound TCP with source port 80 arriving on the external interface
# ([EXT_IF] is a placeholder for the real interface name); the second queues
# every forwarded packet.
# NOTE(review): neither rule sets --queue-bypass, so while no userspace
# listener is attached to the queue traffic is held/dropped rather than
# passed — decide explicitly whether fail-closed is the intended behaviour.
iptables -I INPUT -i [EXT_IF] -p tcp --sport 80 -j NFQUEUE
iptables -I FORWARD -j NFQUEUE
# barnyard2 2-1.13 built with the PostgreSQL output plugin.
# NOTE(review): same as above — v2-1.13.tar.gz is not verified before extraction.
tar -xvf v2-1.13.tar.gz
cd barnyard2-2-1.13/
./autogen.sh
./configure --with-postgresql
make
sudo make install
# barnyard2 configuration directives (barnyard2 config syntax, not shell)
# pointing it at Suricata's reference, classification and message-map files.
config reference_file: /etc/suricata/reference.config
config classification_file: /etc/suricata/classification.config
config gen_file: /etc/suricata/rules/gen-msg.map
config sid_file: /etc/suricata/rules/sid-msg.map
# Disable NIC offload features on the capture interface p2p1 — presumably so
# the capture engine sees packets as they appear on the wire rather than
# segments coalesced or split by the NIC; confirm against the driver in use.
ethtool -K p2p1 tso off
ethtool -K p2p1 gro off
ethtool -K p2p1 lro off
ethtool -K p2p1 gso off
ethtool -K p2p1 rx off
ethtool -K p2p1 tx off
ethtool -K p2p1 sg off
ethtool -K p2p1 rxvlan off
ethtool -K p2p1 txvlan off
# Suricata YAML output section (YAML, not shell): write extracted files to
# the 'files' directory and a JSON record per file to files-json.log.
# NOTE(review): everything written under log-dir is attacker-supplied
# content pulled out of live traffic — keep that directory non-executable
# and restrict who can read it.
- file-store:
    enabled: yes # set to yes to enable
    log-dir: files # directory to store the files
    force-magic: no # force logging magic on all stored files
    force-md5: no # force logging of md5 checksums
    waldo: file.waldo # waldo file to store the file_id across runs
- file-log:
    enabled: yes
    filename: files-json.log
    append: yes
    #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
    force-magic: no # force logging magic on all logged files
    force-md5: no # force logging of md5 checksums
# Consume the JSON file log as it grows; logprocessor-program is a placeholder
# for whatever ingests it.
tail -f /var/log/suricata/files-json.log | logprocessor-program
# Scan each newly closed extracted file with clamav via inotify;
# /suricata/file/dir stands for the configured log-dir above.
pyinotify -e IN_CLOSE_WRITE -v /suricata/file/dir -c clamav
# TLS logging section (YAML, not shell); extended adds more certificate
# fields to tls.log.
- tls-log:
    enabled: yes
    filename: tls.log
    extended: yes
# Suricata rule (rule syntax, not shell): alert on any TLS certificate whose
# subject is CN=*.example.org but whose issuer DN is NOT "CN=Internal CA",
# i.e. a certificate for the internal name that the internal CA did not sign.
alert tls any any -> any any (msg:"forged internal CA certificate"; tls.subject:"CN=*.example.org"; tls.issuerdn:!"CN=Internal CA"; sid:8; rev:1;)
# Inspect the user's NSS certificate database: list all entries, then show
# the entry with the nickname "Internal CA" to confirm which issuer is
# actually trusted locally.
certutil -d sql:$HOME/.pki/nssdb/ -L
certutil -d sql:$HOME/.pki/nssdb/ -L -n "Internal CA"