<html><head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.msonormal0, li.msonormal0, div.msonormal0
{mso-style-name:msonormal;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.EmailStyle18
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:669413356;
mso-list-template-ids:-473654666;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style>
</head><body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal">Look in the etc directory in the suricata install directory. There is a sample suricata.service file<br>
<br>
Logging is set up in the yaml file<br>
<br>
<a href="http://suricata.readthedocs.io/en/latest/output/index.html">http://suricata.readthedocs.io/en/latest/output/index.html</a><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal" style="text-autospace:none"><b><span style="font-size:12.0pt;font-family:"Times New Roman",serif">Charles DeVoe Jr.</span></b><o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:12.0pt;font-family:"Times New Roman",serif">Manager of Engineering</span><o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:12.0pt;font-family:"Times New Roman",serif">Multi-State Information Sharing and Analysis Center (MS-ISAC) </span><o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:12.0pt;font-family:"Times New Roman",serif">31 Tech Valley Drive</span><o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:12.0pt;font-family:"Times New Roman",serif">East Greenbush, NY 12061</span><o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:12.0pt;font-family:"Times New Roman",serif"> </span><o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none"><a href="mailto:charles.devoe@cisecurity.org"><span style="font-size:12.0pt;font-family:"Times New Roman",serif">charles.devoe@cisecurity.org</span></a><o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:12.0pt;font-family:"Times New Roman",serif">(518) 266-3494</span><o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:12.0pt;font-family:"Times New Roman",serif">7x24 Security Operations Center</span><o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none"><a href="mailto:SOC@cisecurity.org"><span style="font-size:12.0pt;font-family:"Times New Roman",serif;color:#0B4CB4">SOC@cisecurity.org</span></a><span style="font-size:12.0pt;font-family:"Times New Roman",serif"> -
1-866-787-4722</span><o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:12.0pt;font-family:"Times New Roman",serif"> </span><o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:12.0pt;font-family:"Times New Roman",serif"> </span><o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:12.0pt;font-family:"Times New Roman",serif"><img border="0" width="158" height="37" style="width:1.6458in;height:.3854in" id="Picture_x0020_5" src="cid:image001.png@01D3B9FB.CEA5F970" alt="/Users/cdevoe/Library/Containers/com.microsoft.Outlook/Data/Library/Caches/Signatures/signature_70285037"></span><o:p></o:p></p>
</div>
<p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Times New Roman",serif">
</span><a href="https://www.facebook.com/CenterforIntSec"><span style="font-size:12.0pt;font-family:"Times New Roman",serif;color:windowtext;text-decoration:none"><img border="0" width="21" height="22" style="width:.2187in;height:.2291in" id="Picture_x0020_4" src="cid:image002.png@01D3B9FB.CEA5F970" alt="/Users/cdevoe/Library/Containers/com.microsoft.Outlook/Data/Library/Caches/Signatures/signature_796977712"></span></a><span style="font-size:12.0pt;font-family:"Times New Roman",serif"> </span><a href="https://twitter.com/CISecurity"><span style="font-size:12.0pt;font-family:"Times New Roman",serif;color:windowtext;text-decoration:none"><img border="0" width="21" height="22" style="width:.2187in;height:.2291in" id="Picture_x0020_3" src="cid:image003.png@01D3B9FB.CEA5F970" alt="/Users/cdevoe/Library/Containers/com.microsoft.Outlook/Data/Library/Caches/Signatures/signature_659387394"></span></a><span style="font-size:12.0pt;font-family:"Times New Roman",serif"> </span><a href="https://www.youtube.com/user/TheCISecurity"><span style="font-size:12.0pt;font-family:"Times New Roman",serif;color:windowtext;text-decoration:none"><img border="0" width="21" height="22" style="width:.2187in;height:.2291in" id="Picture_x0020_2" src="cid:image004.png@01D3B9FB.CEA5F970" alt="/Users/cdevoe/Library/Containers/com.microsoft.Outlook/Data/Library/Caches/Signatures/signature_56466421"></span></a><span style="font-size:12.0pt;font-family:"Times New Roman",serif"> </span><a href="https://www.linkedin.com/company/the-center-for-internet-security"><span style="font-size:12.0pt;font-family:"Times New Roman",serif;color:windowtext;text-decoration:none"><img border="0" width="21" height="22" style="width:.2187in;height:.2291in" id="Picture_x0020_1" src="cid:image005.png@01D3B9FB.CEA5F970" alt="/Users/cdevoe/Library/Containers/com.microsoft.Outlook/Data/Library/Caches/Signatures/signature_740292238"></span></a><o:p></o:p></p>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:12.0pt;color:black">From: </span></b><span style="font-size:12.0pt;color:black">Oisf-users <oisf-users-bounces@lists.openinfosecfoundation.org> on behalf of Steve Castellarin <steve.castellarin@gmail.com><br>
<b>Date: </b>Monday, March 12, 2018 at 9:07 AM<br>
<b>To: </b>Blason R <blason16@gmail.com><br>
<b>Cc: </b>"oisf-users@lists.openinfosecfoundation.org" <oisf-users@lists.openinfosecfoundation.org><br>
<b>Subject: </b>Re: [Oisf-users] Suricata on DNS Sinkhole in IPS mode<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><a name="_MailOriginalBody"><br>
<br>
<o:p></o:p></a></p>
<div>
<p class="MsoNormal"><span style="mso-bookmark:_MailOriginalBody">Hi Blason, <o:p>
</o:p></span></p>
<div>
<p class="MsoNormal"><span style="mso-bookmark:_MailOriginalBody"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="mso-bookmark:_MailOriginalBody">I have no experience with questions 1 and 2, but for question 3 I have this configuration to log all DNS activity:<br>
<br>
outputs:<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="mso-bookmark:_MailOriginalBody"> - eve-log<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="mso-bookmark:_MailOriginalBody"> enabled: yes<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="mso-bookmark:_MailOriginalBody"> filetype: regular<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="mso-bookmark:_MailOriginalBody"> filename: eve-dns.json<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="mso-bookmark:_MailOriginalBody"> types:<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="mso-bookmark:_MailOriginalBody"> - dns:<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="mso-bookmark:_MailOriginalBody"> query: yes<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="mso-bookmark:_MailOriginalBody"> answer: yes<o:p></o:p></span></p>
</div>
</div>
<div>
<p class="MsoNormal"><span style="mso-bookmark:_MailOriginalBody"><o:p> </o:p></span></p>
<div>
<p class="MsoNormal"><span style="mso-bookmark:_MailOriginalBody">On Sun, Mar 11, 2018 at 12:00 AM, Blason R <</span><a href="mailto:blason16@gmail.com" target="_blank"><span style="mso-bookmark:_MailOriginalBody">blason16@gmail.com</span><span style="mso-bookmark:_MailOriginalBody"></span></a><span style="mso-bookmark:_MailOriginalBody">>
wrote:<o:p></o:p></span></p>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
<div>
<p class="MsoNormal"><span style="mso-bookmark:_MailOriginalBody">Hi Team, <o:p></o:p></span></p>
<div>
<p class="MsoNormal"><span style="mso-bookmark:_MailOriginalBody"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="mso-bookmark:_MailOriginalBody">I am trying to install Suricata in IPS mode on CentOS 7. Below are the challenges I am facing and need help<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="mso-bookmark:_MailOriginalBody"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="mso-bookmark:_MailOriginalBody">I have installed suricata using default RPM<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="mso-bookmark:_MailOriginalBody">Downloaded the rules<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="mso-bookmark:_MailOriginalBody"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="mso-bookmark:_MailOriginalBody">Now I need to start Suricata using default .yaml file, <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="mso-bookmark:_MailOriginalBody"><o:p> </o:p></span></p>
</div>
<div>
<ol start="1" type="1">
<li class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0 level1 lfo1">
<span style="mso-bookmark:_MailOriginalBody">Since CentOS7 has a different interface naming scheme how do I start Suricata using systemctl?<o:p></o:p></span></li><li class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0 level1 lfo1">
<span style="mso-bookmark:_MailOriginalBody">How do I run Suricata in IPS mode to block malicious DNS queries?<o:p></o:p></span></li><li class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0 level1 lfo1">
<span style="mso-bookmark:_MailOriginalBody">How do I log DNS events in JSON so that those can be indexed in elasticsearch?<o:p></o:p></span></li></ol>
<div>
<p class="MsoNormal"><span style="mso-bookmark:_MailOriginalBody">TIA<o:p></o:p></span></p>
</div>
</div>
</div>
<p class="MsoNormal"><span style="mso-bookmark:_MailOriginalBody"><br>
_______________________________________________<br>
Suricata IDS Users mailing list: </span><a href="mailto:oisf-users@openinfosecfoundation.org"><span style="mso-bookmark:_MailOriginalBody">oisf-users@openinfosecfoundation.org</span><span style="mso-bookmark:_MailOriginalBody"></span></a><span style="mso-bookmark:_MailOriginalBody"><br>
Site: </span><a href="http://suricata-ids.org" target="_blank"><span style="mso-bookmark:_MailOriginalBody">http://suricata-ids.org</span><span style="mso-bookmark:_MailOriginalBody"></span></a><span style="mso-bookmark:_MailOriginalBody">
| Support: </span><a href="http://suricata-ids.org/support/" target="_blank"><span style="mso-bookmark:_MailOriginalBody">http://suricata-ids.org/support/</span><span style="mso-bookmark:_MailOriginalBody"></span></a><span style="mso-bookmark:_MailOriginalBody"><br>
List: </span><a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank"><span style="mso-bookmark:_MailOriginalBody">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</span><span style="mso-bookmark:_MailOriginalBody"></span></a><span style="mso-bookmark:_MailOriginalBody"><br>
<br>
Conference: </span><a href="https://suricon.net" target="_blank"><span style="mso-bookmark:_MailOriginalBody">https://suricon.net</span><span style="mso-bookmark:_MailOriginalBody"></span></a><span style="mso-bookmark:_MailOriginalBody"><br>
Trainings: </span><a href="https://suricata-ids.org/training/" target="_blank"><span style="mso-bookmark:_MailOriginalBody">https://suricata-ids.org/training/</span><span style="mso-bookmark:_MailOriginalBody"></span></a><span style="mso-bookmark:_MailOriginalBody"><o:p></o:p></span></p>
</blockquote>
</div>
<p class="MsoNormal"><span style="mso-bookmark:_MailOriginalBody"><o:p> </o:p></span></p>
</div>
<p class="MsoNormal"><span style="mso-bookmark:_MailOriginalBody"><br>
..... <br>
<br>
</span><o:p></o:p></p>
</div>
This message and attachments may contain confidential information. If it appears that this message was sent to you by mistake, any retention, dissemination, distribution or copying of this message and attachments is strictly prohibited. Please notify the sender
immediately and permanently delete the message and any attachments.
<br /><br />. . . . .</body></html>