Suricata Sensors¶
This section walks through the possibilities and configuration scenarios for using vanilla Suricata sensors with Clear NDR® Central Server (CNCS).
Register a Suricata Sensor¶
Preparing a Suricata Sensor¶
A Suricata sensor can be any of the following major Linux distributions:
CentOS
Debian
Fedora
RedHat
SUSE
Ubuntu
that has Suricata running as a service.
On each remote sensor (whose rulesets and log data are to be managed) the following needs to be in place:
Default Python version > 2.6 (Python 3 is not supported)
A user called ams dedicated to the CNCS connection
Passwordless sudo for the ams user
The /home/ams/ directory for that user is present
The rsync package installed
SSH enabled
Ability to start/restart/stop Suricata as a service via sudo, i.e. service suricata restart, service suricata start, service suricata stop
Suricata config file located at /etc/suricata/suricata.yaml
The rule section in suricata.yaml containing only the scirius.rules file
NOTE: Any other rule files listed in the rule-files section of suricata.yaml need to be commented out, so that scirius.rules is the only active entry.
NOTE: On CentOS based sensors:
The Defaults requiretty option in /etc/sudoers needs to be commented out (otherwise non-interactive sudo over SSH fails)
/etc/hosts needs an entry with the Clear NDR® Central Server IP address/name for log shipping
Note
The password of the ams user is used as a one-time password for probe registration in the Clear NDR® Central Server interface.
Once the Suricata sensor registration has been made, CNCS resets the password of the ams user. After that, Clear NDR® Central Server uses SSH key pair authentication only.
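The checks above are easy to get wrong by hand (a stray active rule file, a leftover requiretty line), so the following pre-flight script is added here as an example; it is not part of the Clear NDR documentation or product. It verifies the on-host requirements listed in this section (ams user and home directory, rsync, sshd, the default Python version, the suricata.yaml rule-files section, and the sudoers grant). The sudoers line format and the YAML/sudoers fragments at the bottom are assumptions and constructed samples used only by the script's self-test.

```shell
#!/bin/sh
# Added example, not from the Clear NDR documentation: pre-flight checks for a
# vanilla Suricata sensor before registering it with Clear NDR Central Server.
# Paths in check_sensor_host are the ones the documentation lists; the sudoers
# line format and the sample files below are assumptions / constructed data.

# check_rule_files FILE
# Succeeds when the only active (uncommented) entry in the rule-files: section
# of a suricata.yaml is scirius.rules. Commented-out entries are ignored.
check_rule_files() {
    active=$(awk '
        /^rule-files:/           { in_rules = 1; next }
        in_rules && /^[^ \t#-]/  { in_rules = 0 }            # next top-level key
        in_rules && /^[ \t]*-/   { sub(/^[ \t]*-[ \t]*/, ""); print }
    ' "$1")
    [ "$active" = "scirius.rules" ]
}

# check_sudoers FILE
# Succeeds when FILE grants the ams user passwordless sudo and contains no
# active "Defaults requiretty" line (which breaks non-interactive sudo over SSH).
check_sudoers() {
    grep -Eq '^[[:space:]]*ams[[:space:]].*NOPASSWD:' "$1" || return 1
    ! grep -Eq '^[[:space:]]*Defaults[[:space:]]+requiretty' "$1"
}

# check_sensor_host [SURICATA_YAML] [SUDOERS]
# Host-level checks, meant to be run as root on the sensor itself. Prints every
# unmet requirement and returns non-zero if any check fails.
check_sensor_host() {
    yaml=${1:-/etc/suricata/suricata.yaml}
    sudoers=${2:-/etc/sudoers}
    rc=0
    id ams >/dev/null 2>&1       || { echo "missing user: ams"; rc=1; }
    [ -d /home/ams ]             || { echo "missing directory: /home/ams"; rc=1; }
    command -v rsync >/dev/null  || { echo "missing package: rsync"; rc=1; }
    { command -v sshd >/dev/null 2>&1 || [ -x /usr/sbin/sshd ]; } \
                                 || { echo "sshd not installed"; rc=1; }
    # Default python must be a 2.x release newer than 2.6 (Python 3 unsupported).
    python -c 'import sys; sys.exit(0 if (2,6) < sys.version_info[:2] < (3,0) else 1)' \
        2>/dev/null              || { echo "default python must be 2.x newer than 2.6"; rc=1; }
    if [ -f "$yaml" ]; then
        check_rule_files "$yaml" || { echo "rule-files in $yaml must list only scirius.rules"; rc=1; }
    else
        echo "missing config: $yaml"; rc=1
    fi
    check_sudoers "$sudoers"     || { echo "sudoers: ams needs NOPASSWD and no active requiretty"; rc=1; }
    return "$rc"
}

# ---- constructed samples for the self-test (not real sensor files) ----------
SAMPLES=$(mktemp -d)
cat >"$SAMPLES/good.yaml" <<'EOF'
default-rule-path: /etc/suricata/rules
rule-files:
  - scirius.rules
#  - botcc.rules
#  - emerging-malware.rules
classification-file: /etc/suricata/classification.config
EOF
cat >"$SAMPLES/bad.yaml" <<'EOF'
default-rule-path: /etc/suricata/rules
rule-files:
  - scirius.rules
  - emerging-malware.rules
EOF
cat >"$SAMPLES/good.sudoers" <<'EOF'
# Defaults requiretty
ams ALL=(ALL) NOPASSWD: ALL
EOF
cat >"$SAMPLES/bad.sudoers" <<'EOF'
Defaults requiretty
ams ALL=(ALL) NOPASSWD: ALL
EOF

# The live host checks only run when asked for, so the file can also be
# sourced for its functions: sh sensor-preflight.sh --host
[ "${1:-}" = "--host" ] && check_sensor_host
```

Run it as root on the sensor with --host before registering the probe; every line it prints is one of the requirements above that is still missing. The good.yaml sample shows the "commented out" form of the rule-files section referred to above. The sudoers sample uses a blanket NOPASSWD grant because the documentation asks for passwordless sudo for ams in general; CNCS needs it for rsync and for the service suricata start/stop/restart commands, so narrowing the grant is at your own risk.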
Shipping logs from a Suricata Sensor¶
Clear NDR® Central Server also offers the possibility to centralize logs from a remote Suricata sensor installation. You can enable that feature at any time for a particular Suricata sensor; see Step 3 (optional) below.
Adding a remote sensor for the first time¶
After all requirements are in place you can add the sensor to CNCS as follows:
Step 1¶
In CNCS, go to Appliances and, on the left hand side under Appliance handling, click on Add probe.
Fill in the sensor's information. Note that you can add/choose a ruleset at a later stage if you prefer.
NOTE: Make sure the selected Type is Suricata for non Stamus issued appliances.
NOTE: If the IP address of the remote installation changes, it needs to be updated in these settings as well.
Step 2¶
Go to Appliances, select the newly added sensor/probe, click on Edit (under the Action tab on the left hand side), check that the information is correct, click on Interfaces, select the sniffing interface for the probe and click Submit.
That step concludes the probe registration to the CNCS for rule management.
Step 3 (optional)¶
If you would like to ship the logs from the remote Suricata sensor to Clear NDR® Central Server, go to Appliances, select the newly added sensor, click on Edit (under the Action tab on the left hand side), check that the information is correct, click on Settings, check the box Install filebeat and click Submit. Under Pending modifications on the left hand side panel select Apply changes.
You can either schedule the change or apply it directly.
NOTE: After executing the steps above, you need to run an Update/Push Ruleset in order to enable log shipping from the remote Suricata sensor to Clear NDR® Central Server.
To do that, go to Appliances and select Update rulesets from the Action panel on the left. Then select the relevant remote Suricata sensor from the Appliances table, select the Actions checkbox and click on the Apply button. Once the Update/Push Ruleset task has finished, logs should start arriving at CNCS.