Configuring the Hydra Suricata instance.
To perform the configuration, please SSH to the Hydra. The steps required are the following:
Type sudo -s and Press [ENTER]
Type ifconfig and Press [ENTER]
Confirm the interface identifier you wish to use as the ingestion point for your Suricata
This can be the primary interface you configured with the static IP or a new interface specific to the purpose of capturing Suricata traffic.
Type vim /etc/siemonster/common.env and Press [ENTER]
Press [INSERT] and move to the line that starts with “SURICATA_INTERFACE”.
Modify the interface name so that it matches the interface chosen for Suricata ingestion; your modification should look similar to the screenshot below
Press [ESC] then Type [:wq] and Press [ENTER]
Type systemctl daemon-reload and Press [ENTER]
Type systemctl restart suricata and Press [ENTER], wait for the restart to complete.
Type docker logs -f suricata and Press [ENTER], then look for the following line
Press [CTRL+C] to stop following the logs
To make the above change permanent across reboots, perform the following steps:
Type cp /var/lib/cloud/seed/nocloud-net/user-data /root/user-data-bak.yyyymmdd e.g. cp /var/lib/cloud/seed/nocloud-net/user-data /root/user-data-bak.20230103, and Press [ENTER]
Type vim /var/lib/cloud/seed/nocloud-net/user-data and Press [ENTER]
Press forward slash (/), Type SURICATA_INTERFACE and Press [ENTER] to jump to the matching line
Press [INSERT] and edit the interface identifier to be the same as the one specified in the common.env.
Press [ESC] and then Type [:wq] and Press [ENTER]
Your change is now persistent.
⚠️ NOTE: The user-data file is a yaml file. Great caution should be exercised to NEVER use a tab while editing this file. Doing so will make the file unusable and prevent the system from booting.
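The same procedure, scripted so that the runtime file and the cloud-init seed cannot drift apart, and with the tab check the note above calls for. This is an added example, not SIEMonster's own tooling; it assumes both files carry a line of the form SURICATA_INTERFACE=<name> (the common.env line the procedure edits, and the copy of it inside user-data), and the default paths are the ones named in the steps. The demo at the bottom works on constructed copies in a temporary directory, so it can be run without root and without a Hydra.

```shell
#!/bin/sh
# Added example (not SIEMonster Hydra tooling): scripts the manual procedure
# above: back up user-data, edit SURICATA_INTERFACE in common.env and in the
# cloud-init seed, refuse tabs in the YAML seed, then restart Suricata.
# Assumption: both files contain a line of the form SURICATA_INTERFACE=<name>.
# Override COMMON_ENV / USER_DATA / BACKUP_DIR to dry-run against copies.

COMMON_ENV="${COMMON_ENV:-/etc/siemonster/common.env}"
USER_DATA="${USER_DATA:-/var/lib/cloud/seed/nocloud-net/user-data}"
BACKUP_DIR="${BACKUP_DIR:-/root}"

# Print the interface named by the first SURICATA_INTERFACE= line in a file.
current_iface() {
    sed -n 's/^[[:space:]]*SURICATA_INTERFACE=//p' "$1" | head -n 1 | tr -d '"'
}

# Succeed if the file contains any tab character (fatal for cloud-init YAML).
has_tabs() {
    grep -q "$(printf '\t')" "$1"
}

# Rewrite the SURICATA_INTERFACE= line, keeping its indentation so the YAML
# nesting in user-data is untouched. Returns 1 if the line is absent, so a
# wrong path or a renamed key is reported instead of silently ignored.
# Writing through cat keeps the file's owner and mode, which sed -i would not.
set_iface() {
    file="$1"; iface="$2"
    grep -q '^[[:space:]]*SURICATA_INTERFACE=' "$file" 2>/dev/null || return 1
    sed "s/^\([[:space:]]*SURICATA_INTERFACE=\).*/\1${iface}/" "$file" > "$file.tmp" \
        && cat "$file.tmp" > "$file" && rm -f "$file.tmp"
}

# Copy the cloud-init seed to <BACKUP_DIR>/user-data-bak.YYYYMMDD, as step 1
# of the persistence section does by hand.
backup_user_data() {
    cp "$USER_DATA" "$BACKUP_DIR/user-data-bak.$(date +%Y%m%d)"
}

# True if the kernel knows an interface by this name (the ifconfig check).
iface_exists() {
    ip link show dev "$1" >/dev/null 2>&1
}

# Whole procedure: validate the interface, back up, edit both files, verify
# no tab crept into the YAML (restoring the backup if one did), restart.
configure_suricata_iface() {
    iface="$1"
    iface_exists "$iface" || { echo "no such interface: $iface" >&2; return 1; }
    backup_user_data || return 1
    set_iface "$COMMON_ENV" "$iface" || { echo "SURICATA_INTERFACE not found in $COMMON_ENV" >&2; return 1; }
    set_iface "$USER_DATA" "$iface" || { echo "SURICATA_INTERFACE not found in $USER_DATA" >&2; return 1; }
    if has_tabs "$USER_DATA"; then
        cp "$BACKUP_DIR/user-data-bak.$(date +%Y%m%d)" "$USER_DATA"
        echo "tab found in $USER_DATA, backup restored; fix by hand" >&2
        return 1
    fi
    systemctl daemon-reload && systemctl restart suricata
}

# Demo on constructed files (not real Hydra configuration). On a Hydra the
# real call is simply:  configure_suricata_iface ens192
demo_dir=$(mktemp -d)
printf '# constructed sample\nSURICATA_INTERFACE=eth0\n' > "$demo_dir/common.env"
printf '#cloud-config\n# constructed sample seed\n    content: |\n      SURICATA_INTERFACE=eth0\n' > "$demo_dir/user-data"
set_iface "$demo_dir/common.env" ens192
set_iface "$demo_dir/user-data" ens192
echo "common.env now uses: $(current_iface "$demo_dir/common.env")"
echo "user-data now uses:  $(current_iface "$demo_dir/user-data")"
has_tabs "$demo_dir/user-data" && echo "WARNING: tab in user-data" || echo "user-data has no tabs"
rm -rf "$demo_dir"
```

The edit keeps whatever indentation precedes SURICATA_INTERFACE=, which is what makes it safe to apply to the YAML seed as well as to the flat env file; the tab check runs after the write so that a stray tab from the replacement value is caught before the next boot rather than at it.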