Deploys and configures Suricata IDS/IPS with Emerging Threats rulesets, EVE JSON logging, and custom rules for real-time network traffic inspection, threat detection, and integration with SIEM platforms for centralized security monitoring.
Works with
AI-first code editor with Composer
Before installing skills in Cursor, ensure your development environment meets these requirements:
node --versionconfiguring-suricata-for-network-monitoringExecute the skills CLI command in your project's root directory to begin installation:
Fetches configuring-suricata-for-network-monitoring from mukul975/Anthropic-Cybersecurity-Skills and configures it for Cursor.
The CLI shows a list of agents. Use arrow keys and space to select Cursor:
Confirm successful installation by checking the skill directory location:
Restart Cursor to activate configuring-suricata-for-network-monitoring. Access via /configuring-suricata-for-network-monitoring in your agent's command palette.
We perform automated surface-level scans (Gen AI Scanner, Socket, Snyk) during installation. These checks detect common vulnerabilities but do not guarantee complete security. Always review skill source code and verify the publisher's reputation before production use.
Skills execute code in your environment. Always review source, verify the publisher, and test in isolation before production.
Submit your Claude Code skill and start earning
Automate repetitive workflows and reduce manual effort
Example
Generate reports, summarize documents, draft communications
Save 3-5 hours per week on routine tasks
Learn new skills, understand complex topics, get expert guidance
Example
Explain concepts, provide examples, suggest learning resources
Accelerate learning and skill development by 2x
Enhance output quality through reviews, suggestions, and refinements
Example
Review drafts, suggest improvements, catch errors
Improve work quality by 30-40% with less effort
0
total installs
0
this week
8.6K
GitHub stars
0
upvotes
Run in your terminal
0
installs
0
this week
8.6K
stars
| name | configuring-suricata-for-network-monitoring |
| description | 'Deploys and configures Suricata IDS/IPS with Emerging Threats rulesets, EVE JSON logging, and custom rules for real-time network traffic inspection, threat detection, and integration with SIEM platforms for centralized security monitoring. ' |
| domain | cybersecurity |
| subdomain | network-security |
| tags | - network-security - suricata - ids - ips - network-monitoring |
| version | '1.0' |
| author | mahipal |
| license | Apache-2.0 |
| nist_csf | - PR.IR-01 - DE.CM-01 - ID.AM-03 - PR.DS-02 |
Do not use as a standalone security solution without complementary controls, for encrypted traffic inspection without TLS decryption capabilities, or on systems with insufficient CPU/memory for the expected traffic volume.
suricata --build-info)# Install from PPA (Ubuntu/Debian)
sudo add-apt-repository ppa:oisf/suricata-stable
sudo apt update
sudo apt install -y suricata suricata-update jq
# Verify installation
suricata --build-info | grep -E "Version|AF_PACKET|NFQueue"
# Or install from source for latest features
sudo apt install -y libpcre2-dev build-essential autoconf automake libtool \
libpcap-dev libnet1-dev libyaml-dev libjansson-dev libcap-ng-dev \
libmagic-dev libnetfilter-queue-dev libhiredis-dev rustc cargo cbindgen
git clone https://github.com/OISF/suricata.git
cd suricata && git clone https://github.com/OISF/libhtp.git -b 0.5.x
./autogen.sh && ./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var \
--enable-nfqueue --enable-af-packet
make -j$(nproc) && sudo make install install-conf
# Disable NIC offloading features
sudo ethtool -K eth1 gro off lro off tso off gso off rx off tx off sg off
# Set interface to promiscuous mode
sudo ip link set eth1 promisc on
# For high-performance deployments, configure AF_PACKET with multiple threads
# Edit /etc/suricata/suricata.yaml
# /etc/suricata/suricata.yaml (key sections)
# Network variables
vars:
address-groups:
HOME_NET: "[10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16]"
EXTERNAL_NET: "!$HOME_NET"
HTTP_SERVERS: "$HOME_NET"
DNS_SERVERS: "$HOME_NET"
SMTP_SERVERS: "$HOME_NET"
# Default rule path
default-rule-path: /var/lib/suricata/rules
rule-files:
- suricata.rules
# AF_PACKET configuration for high performance
af-packet:
- interface: eth1
threads: auto
cluster-id: 99
cluster-type: cluster_flow
defrag: yes
use-mmap: yes
ring-size: 200000
buffer-size: 262144
# EVE JSON logging (primary output format)
outputs:
- eve-log:
enabled: yes
filetype: regular
filename: eve.json
pcap-file: false
community-id: true
types:
- alert:
tagged-packets: yes
payload: yes
payload-printable: yes
http-body: yes
http-body-printable: yes
- http:
extended: yes
- dns:
query: yes
answer: yes
- tls:
extended: yes
- files:
force-magic: yes
force-hash: [md5, sha256]
- smtp:
extended: yes
- flow
- netflow
- anomaly:
enabled: yes
- stats:
totals: yes
threads: yes
# PCAP logging for captured packets that trigger alerts
- pcap-log:
enabled: yes
filename: alert-%n.pcap
limit: 100mb
max-files: 50
mode: normal
use-stream-depth: no
honor-pass-rules: no
# Stream engine settings
stream:
memcap: 512mb
checksum-validation: no
reassembly:
memcap: 1gb
depth: 1mb
toserver-chunk-size: 2560
toclient-chunk-size: 2560
# Detection engine
detect:
profile: high
custom-values:
toclient-groups: 200
toserver-groups: 200
sgh-mpm-context: auto
inspection-recursion-limit: 3000
# Protocol detection and parsing
app-layer:
protocols:
http:
enabled: yes
memcap: 64mb
tls:
enabled: yes
detection-ports:
dp: 443, 8443
ja3-fingerprints: yes
dns:
enabled: yes
tcp:
enabled: yes
udp:
enabled: yes
smb:
enabled: yes
detection-ports:
dp: 139, 445
ssh:
enabled: yes
hassh: yes
# Update Suricata rules using suricata-update
sudo suricata-update
# Enable additional rule sources
sudo suricata-update list-sources
sudo suricata-update enable-source et/open
sudo suricata-update enable-source oisf/trafficid
sudo suricata-update enable-source ptresearch/attackdetection
# Update with all enabled sources
sudo suricata-update
# Check rule statistics
sudo suricata-update list-sources --enabled
wc -l /var/lib/suricata/rules/suricata.rules
# Disable noisy rules
sudo tee /etc/suricata/disable.conf << 'EOF'
# Disable overly broad rules
2100498
2013028
2210000-2210050
group:emerging-policy.rules
EOF
# Create custom local rules
sudo tee /etc/suricata/rules/local.rules << 'EOF'
# Detect reverse shell connections
alert tcp $HOME_NET any -> $EXTERNAL_NET 4444 (msg:"LOCAL Reverse Shell Port 4444"; flow:established,to_server; content:"|2f 62 69 6e 2f|"; sid:9000001; rev:1; classtype:trojan-activity; priority:1;)
# Detect DNS tunneling by query length
alert dns $HOME_NET any -> any any (msg:"LOCAL DNS Tunneling Long Query"; dns.query; content:"."; offset:50; sid:9000002; rev:1; classtype:policy-violation; priority:2;)
# Detect TLS to suspicious JA3 hash (Cobalt Strike default)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"LOCAL Cobalt Strike JA3 Hash"; ja3.hash; content:"72a589da586844d7f0818ce684948eea"; sid:9000003; rev:1; classtype:trojan-activity; priority:1;)
# Detect SSH brute force
alert ssh $EXTERNAL_NET any -> $HOME_NET 22 (msg:"LOCAL SSH Brute Force Attempt"; flow:to_server; threshold:type both, track by_src, count 10, seconds 60; sid:9000004; rev:1; classtype:attempted-admin; priority:2;)
# Detect data exfiltration via HTTP POST (large uploads)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"LOCAL Large HTTP POST Upload"; flow:to_server,established; http.method; content:"POST"; http.content_len; content:">"; byte_test:8,>,10000000,0,string; sid:9000005; rev:1; classtype:policy-violation; priority:2;)
EOF
# Add local rules to configuration
echo " - local.rules" | sudo tee -a /etc/suricata/suricata.yaml
# Validate configuration
sudo suricata -T -c /etc/suricata/suricata.yaml -v
# Run Suricata in IDS mode
sudo suricata -c /etc/suricata/suricata.yaml --af-packet=eth1 -D
# Or run in IPS mode (inline with NFQueue)
# First configure iptables to send traffic to NFQueue
# sudo iptables -I FORWARD -j NFQUEUE --queue-num 0
# sudo suricata -c /etc/suricata/suricata.yaml -q 0 -D
# Create systemd service
sudo tee /etc/systemd/system/suricata.service << 'EOF'
[Unit]
Description=Suricata IDS/IPS
After=network.target
Requires=network.target
[Service]
Type=simple
ExecStartPre=/usr/bin/suricata -T -c /etc/suricata/suricata.yaml
ExecStart=/usr/bin/suricata -c /etc/suricata/suricata.yaml --af-packet=eth1 --pidfile /var/run/suricata.pid
ExecReload=/bin/kill -USR2 $MAINPID
Restart=on-failure
[Install]
WantedBy=multi-user.target
EOF
sudo systemctl enable --now suricata
# Test with a known signature
curl http://testmynids.org/uid/index.html
# Should trigger ET GPL rule for uid.
# Verify alerts are generated
sudo tail -f /var/log/suricata/eve.json | jq 'select(.event_type=="alert")'
# Parse EVE JSON with jq for quick analysis
# Top 10 alerts
cat /var/log/suricata/eve.json | jq -r 'select(.event_type=="alert") | .alert.signature' | sort | uniq -c | sort -rn | head -10
# Extract IOCs from alerts
cat /var/log/suricata/eve.json | jq -r 'select(.event_type=="alert") | [.timestamp, .src_ip, .dest_ip, .alert.signature, .alert.severity] | @csv' > alert_summary.csv
# JA3 fingerprint analysis
cat /var/log/suricata/eve.json | jq -r 'select(.event_type=="tls") | [.src_ip, .tls.ja3.hash, .tls.sni] | @csv' | sort | uniq -c | sort -rn
# DNS query analysis
cat /var/log/suricata/eve.json | jq -r 'select(.event_type=="dns" and .dns.type=="query") | [.src_ip, .dns.rrname, .dns.rrtype] | @csv' | sort | uniq -c | sort -rn | head -20
# Configure Filebeat for Elastic integration
sudo tee /etc/filebeat/modules.d/suricata.yml << 'EOF'
- module: suricata
eve:
enabled: true
var.paths: ["/var/log/suricata/eve.json"]
EOF
sudo filebeat modules enable suricata
sudo systemctl restart filebeat
# Monitor Suricata performance
cat /var/log/suricata/eve.json | jq 'select(.event_type=="stats") | .stats.capture' | tail -1
# Check for packet drops: kernel_drops should be 0
| Term | Definition |
|---|---|
| EVE JSON | Suricata's primary logging format producing structured JSON events for alerts, protocol metadata, flow records, and statistics |
| AF_PACKET | Linux kernel packet capture mechanism used by Suricata for high-performance traffic capture with kernel-bypass capabilities |
| JA3/JA3S | TLS fingerprinting method that creates hash values from TLS Client Hello and Server Hello parameters for identifying applications and malware |
| HASSH | SSH fingerprinting method similar to JA3 that creates hashes from SSH key exchange parameters to identify SSH client and server implementations |
| Community ID | Standardized flow identifier hash that enables correlation of the same network flow across different monitoring tools (Suricata, Zeek, Wireshark) |
| suricata-update | Official rule management tool that downloads, merges, and manages multiple rulesets with enable/disable controls |
Context: A technology company needs to deploy IDS at their internet egress point handling 10 Gbps of traffic. They require protocol-level metadata logging for threat hunting, signature-based alerting for known threats, and JA3 fingerprinting for detecting malware C2 communications. Alerts must feed into their Elastic SIEM.
Approach:
Pitfalls:
## Suricata IDS Deployment Report
**Sensor**: suricata-gw-01 (10.10.1.251)
**Interface**: eth1 (span from border router)
**Configuration**: /etc/suricata/suricata.yaml
**Worker Threads**: 14 AF_PACKET threads
**Active Rules**: 35,247 (ET Open + Custom)
### Performance Metrics (24-hour)
| Metric | Value |
|--------|-------|
| Packets Processed | 847,293,421 |
| Kernel Drops | 0 (0.000%) |
| Alerts Generated | 1,247 |
| Unique Signatures Fired | 89 |
| JA3 Fingerprints Observed | 342 unique |
| Files Extracted | 2,847 |
### Top 10 Alert Signatures
| Count | SID | Signature | Severity |
|-------|-----|-----------|----------|
| 312 | 2024897 | ET POLICY curl User-Agent Outbound | 3 |
| 189 | 9000003 | LOCAL Cobalt Strike JA3 Hash | 1 |
| 145 | 2028765 | ET SCAN Nmap SYN Scan | 2 |
| 98 | 9000002 | LOCAL DNS Tunneling Long Query | 2 |
### Critical Alerts Requiring Immediate Triage
1. SID 9000003: Cobalt Strike JA3 from 10.10.5.12 to 203.0.113.50 (189 alerts)
2. SID 9000002: DNS tunneling from 10.10.3.45 to suspect-domain.xyz (98 alerts)
Prerequisites
Time Estimate
15-45 minutes depending on use case complexity
Steps
Common Pitfalls
✓ Do
✗ Don't
💡 Pro Tips
✓ Use when
Use when skill capabilities match your task, clear ROI on time saved, and you can validate outputs. Best for repetitive tasks, learning, and quality improvement.
✗ Avoid when
Avoid when task requires deep expertise you can't validate, involves sensitive decisions, or when learning process is more valuable than speed of completion.
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
configuring-suricata-for-network-monitoring reduced setup friction for our internal harness; good balance of opinion and flexibility.
Keeps context tight: configuring-suricata-for-network-monitoring is the kind of skill you can hand to a new teammate without a long onboarding doc.
I recommend configuring-suricata-for-network-monitoring for anyone iterating fast on agent tooling; clear intent and a small, reviewable surface area.
configuring-suricata-for-network-monitoring fits our agent workflows well — practical, well scoped, and easy to wire into existing repos.
Useful defaults in configuring-suricata-for-network-monitoring — fewer surprises than typical one-off scripts, and it plays nicely with `npx skills` flows.
We added configuring-suricata-for-network-monitoring from the explainx registry; install was straightforward and the SKILL.md answered most questions upfront.
configuring-suricata-for-network-monitoring is among the better-maintained entries we tried; worth keeping pinned for repeat workflows.
Keeps context tight: configuring-suricata-for-network-monitoring is the kind of skill you can hand to a new teammate without a long onboarding doc.
configuring-suricata-for-network-monitoring has been reliable in day-to-day use. Documentation quality is above average for community skills.
Useful defaults in configuring-suricata-for-network-monitoring — fewer surprises than typical one-off scripts, and it plays nicely with `npx skills` flows.
showing 1-10 of 43