An Ansible playbook for deploying the Suricata intrusion detection system and fetching Snort rules with Oinkmaster.

Below you can find the role variables with their default values:
```yaml
suricata_sniffing_interface: eth0
suricata_sniffing_interface_type: 100M
suricata_rules_archive_url: http://rules.emergingthreats.net/open/suricata/emerging.rules.tar.gz
suricata_log_dir: /var/log/suricata/
suricata_log_dir_certs: /var/log/suricata/certs/
suricata_rules_dir: /etc/suricata/rules/
```
From your Ansible roles folder run:

```shell
git submodule add https://github.com/ajdelgado/ansible-suricata.git suricata
```
Tested on:

- Ubuntu focal

Setup steps:

- Create a group called `nids`.
- Add a host with access to all traffic (a router, or use port mirroring on your switch to the port where this host is connected). Inventory example (`/etc/ansible/inventories/inventory`):

```yaml
---
all:
  children:
    nids:
      hosts:
        my_router:
```

- Set the variables in `group_vars` to match your system. Group variables example file (`/etc/ansible/inventories/group_vars/nids/nids_vars.yml`):

```yaml
---
suricata_sniffing_interface: eno1
suricata_sniffing_interface_type: 1000M
suricata_rules_archive_url: http://rules.emergingthreats.net/open/suricata/emerging.rules.tar.gz
suricata_log_dir: /var/log/suricata/
suricata_log_dir_certs: /var/log/suricata/certs/
suricata_rules_dir: /etc/suricata/rules/
```

- Create a playbook like the following. Playbook example file (`/etc/ansible/playbooks/nids.yml`):

```yaml
- name: Set up Suricata in NIDS hosts
  hosts: nids
  roles:
    - role: suricata
```
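As an added pre-flight check, not part of this role, the script below validates a `group_vars` file for the variables listed above before the playbook runs. It assumes the file is flat `key: value` lines (as in the example), that directory variables keep the trailing-slash convention of the defaults, and flags a rules archive URL that is not fetched over HTTPS, since a plain-HTTP ruleset download gives no transport integrity for the signatures the sensor will trust.

```python
import re
from urllib.parse import urlparse

# Constructed sample input: the README's group_vars example. Its rules URL
# uses plain HTTP, which check_vars() reports as a finding.
SAMPLE_GROUP_VARS = """\
---
suricata_sniffing_interface: eno1
suricata_sniffing_interface_type: 1000M
suricata_rules_archive_url: http://rules.emergingthreats.net/open/suricata/emerging.rules.tar.gz
suricata_log_dir: /var/log/suricata/
suricata_log_dir_certs: /var/log/suricata/certs/
suricata_rules_dir: /etc/suricata/rules/
"""

REQUIRED = ("suricata_sniffing_interface", "suricata_sniffing_interface_type",
            "suricata_rules_archive_url", "suricata_log_dir",
            "suricata_log_dir_certs", "suricata_rules_dir")

def parse_flat_yaml(text):
    """Parse the flat 'key: value' lines this role's vars file uses (no nesting)."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("---", "#")):
            continue
        key, _, value = line.partition(":")  # split on the first colon only, so URLs survive
        out[key.strip()] = value.strip()
    return out

def check_vars(vars_):
    """Return a list of findings; an empty list means the file passes."""
    findings = [f"missing variable: {k}" for k in REQUIRED if k not in vars_]
    if findings:
        return findings
    if not re.fullmatch(r"\d+[MG]", vars_["suricata_sniffing_interface_type"]):
        findings.append("interface type should look like 100M or 1000M")
    url = urlparse(vars_["suricata_rules_archive_url"])
    if url.scheme != "https":
        findings.append("rules archive fetched over non-https transport; ruleset integrity cannot be assured")
    if not url.path.endswith(".tar.gz"):
        findings.append("rules archive URL should point at a .tar.gz")
    for key in ("suricata_log_dir", "suricata_log_dir_certs", "suricata_rules_dir"):
        if not (vars_[key].startswith("/") and vars_[key].endswith("/")):  # assumed convention
            findings.append(f"{key} must be an absolute path with a trailing slash")
    if not vars_["suricata_log_dir_certs"].startswith(vars_["suricata_log_dir"]):
        findings.append("suricata_log_dir_certs should live under suricata_log_dir")
    return findings

if __name__ == "__main__":
    for finding in check_vars(parse_flat_yaml(SAMPLE_GROUP_VARS)):
        print("WARN:", finding)
```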
Dependencies: None!

License: BSD