To use Suricata on IPFire 3.x you first need to install the package with pakfire install suricata.
Pakfire will then install the latest version.
You also need detection rules; they can be downloaded from Emerging Threats, or you can use Snort-based rules from other sources.
Unpack the rules to /etc/suricata/rules
and edit the Suricata config file, removing the comment mark in front of each rule file you want to load.
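As an added example (not from the IPFire wiki or the Suricata project), a small POSIX sh helper that uncomments chosen entries of the rule-files: list in place and lists which rule files are active afterwards; the config it edits is a constructed sample standing in for suricata.yaml, and it assumes entries are written as " - name.rules" when enabled and "#- name.rules" or "# - name.rules" when commented out.

```shell
#!/bin/sh
# Added example (not from the IPFire wiki or Suricata): uncomment chosen
# "- name.rules" entries of the rule-files: list in a Suricata YAML config,
# reusing the indentation of the entries that are already enabled.
# enable_rules CONFIG RULE [RULE...]
enable_rules() {
  cfg=$1; shift
  for rule in "$@"; do
    awk -v want="$rule" '
      BEGIN { indent = " " }                   # fallback indent
      /^rule-files:/ { inblock = 1; print; next }
      inblock && /^[^ \t#-]/ { inblock = 0 }   # next top-level key ends the list
      inblock && !seen && /^[ \t]*- / {        # copy indent of first enabled entry
        match($0, /^[ \t]*/); indent = substr($0, 1, RLENGTH); seen = 1
      }
      inblock && $0 ~ "^[ \t]*#[ \t]*-[ \t]*" want "[ \t]*$" {
        print indent "- " want; next           # drop the comment mark
      }
      { print }
    ' "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
  done
}

# enabled_rules CONFIG -> prints the active rule files, one per line
enabled_rules() {
  awk '/^rule-files:/ { b = 1; next }
       b && /^[^ \t#-]/ { b = 0 }
       b && /^[ \t]*- / { sub(/^[ \t]*- /, ""); print }' "$1"
}

# check_config CONFIG -> ask Suricata itself to parse the result (if installed)
check_config() {
  if command -v suricata >/dev/null 2>&1; then suricata -T -c "$1"
  else echo "suricata not installed here, skipping -T check"; fi
}
# make_sample_config PATH -> constructed sample standing in for suricata.yaml
make_sample_config() {
  cat > "$1" <<'EOF'
rule-files:
 - botcc.rules
 #- emerging-web_server.rules
 # - emerging-malware.rules
outputs:
 - fast:
     enabled: yes
EOF
}
demo=$(mktemp); make_sample_config "$demo"
enable_rules "$demo" emerging-malware.rules; enabled_rules "$demo"; rm -f "$demo"
```

Run check_config on the real file after editing so Suricata itself confirms the rule-files: list still parses.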
You can run Suricata in two modes: bound directly to an interface, or fed by iptables through NFQUEUE on selected chains or rules.
For interface mode, pass the desired interface on the command line:
suricata -c /etc/suricata/suricata-open.yaml -i red0 -D
For inline mode your kernel needs NFQUEUE support:
suricata -c /etc/suricata/suricata.conf -q 0 -q 1 -D
Hand packets to the queues by adding an iptables rule such as:
iptables -I INPUT -j NFQUEUE --queue-balance 0:1
Be aware that stopping Suricata without deleting or flushing that rule leaves a dead queue: packets are still handed to it, but nothing takes them out any more.
The balanced queue may improve performance, but if you really need to handle traffic, the interface (device) option is the best choice at the moment.
Using iperf on a gigabit link we measured a baseline of 750 MBit/s, 500 MBit/s in interface mode and 100 MBit/s in queue mode.
November 23, 2020 at 3:36 am • Jon