\documentclass[10pt,a4paper]{article}

% Packages
\usepackage{fancyhdr}           % For header and footer
\usepackage{multicol}           % Allows multicols in tables
\usepackage{tabularx}           % Intelligent column widths
\usepackage{tabulary}           % Used in header and footer
\usepackage{hhline}             % Border under tables
\usepackage{graphicx}           % For images
\usepackage{xcolor}             % For hex colours
%\usepackage[utf8x]{inputenc}    % For unicode character support
\usepackage[T1]{fontenc}        % Without this we get weird character replacements
\usepackage{colortbl}           % For coloured tables
\usepackage{setspace}           % For line height
\usepackage{lastpage}           % Needed for total page number
\usepackage{seqsplit}           % Splits long words.
%\usepackage{opensans}          % Can't make this work so far. Shame. Would be lovely.
\usepackage[normalem]{ulem}     % For underlining links
% Most of the following are not required for the majority
% of cheat sheets but are needed for some symbol support.
\usepackage{amsmath}            % Symbols
\usepackage{MnSymbol}           % Symbols
\usepackage{wasysym}            % Symbols
%\usepackage[english,german,french,spanish,italian]{babel}              % Languages

% Document Info
\author{mN3m0N1c (g33k247)}
\pdfinfo{
  /Title (suricata-nsm-more-than-an-ids.pdf)
  /Creator (Cheatography)
  /Author (mN3m0N1c (g33k247))
  /Subject (Suricata NSM: More than an IDS Cheat Sheet)
}

% Lengths and widths
\addtolength{\textwidth}{6cm}
\addtolength{\textheight}{-1cm}
\addtolength{\hoffset}{-3cm}
\addtolength{\voffset}{-2cm}
\setlength{\tabcolsep}{0.2cm} % Space between columns
\setlength{\headsep}{-12pt} % Reduce space between header and content
\setlength{\headheight}{85pt} % If less, LaTeX automatically increases it
\renewcommand{\footrulewidth}{0pt} % Remove footer line
\renewcommand{\headrulewidth}{0pt} % Remove header line
\renewcommand{\seqinsert}{\ifmmode\allowbreak\else\-\fi} % Hyphens in seqsplit
% This two commands together give roughly
% the right line height in the tables
\renewcommand{\arraystretch}{1.3}
\onehalfspacing

% Commands
\newcommand{\SetRowColor}[1]{\noalign{\gdef\RowColorName{#1}}\rowcolor{\RowColorName}} % Shortcut for row colour
\newcommand{\mymulticolumn}[3]{\multicolumn{#1}{>{\columncolor{\RowColorName}}#2}{#3}} % For coloured multi-cols
\newcolumntype{x}[1]{>{\raggedright}p{#1}} % New column types for ragged-right paragraph columns
\newcommand{\tn}{\tabularnewline} % Required as custom column type in use

% Font and Colours
\definecolor{HeadBackground}{HTML}{333333}
\definecolor{FootBackground}{HTML}{666666}
\definecolor{TextColor}{HTML}{333333}
\definecolor{DarkBackground}{HTML}{7D0B99}
\definecolor{LightBackground}{HTML}{F6EFF8}
\renewcommand{\familydefault}{\sfdefault}
\color{TextColor}

% Header and Footer
\pagestyle{fancy}
\fancyhead{} % Set header to blank
\fancyfoot{} % Set footer to blank
\fancyhead[L]{
\noindent
\begin{multicols}{3}
\begin{tabulary}{5.8cm}{C}
    \SetRowColor{DarkBackground}
    \vspace{-7pt}
    {\parbox{\dimexpr\textwidth-2\fboxsep\relax}{\noindent
        \hspace*{-6pt}\includegraphics[width=5.8cm]{/web/www.cheatography.com/public/images/cheatography_logo.pdf}}
    }
\end{tabulary}
\columnbreak
\begin{tabulary}{11cm}{L}
    \vspace{-2pt}\large{\bf{\textcolor{DarkBackground}{\textrm{Suricata NSM: More than an IDS Cheat Sheet}}}} \\
    \normalsize{by \textcolor{DarkBackground}{mN3m0N1c (g33k247)} via \textcolor{DarkBackground}{\uline{cheatography.com/163410/cs/34239/}}}
\end{tabulary}
\end{multicols}}

\fancyfoot[L]{ \footnotesize
\noindent
\begin{multicols}{3}
\begin{tabulary}{5.8cm}{LL}
  \SetRowColor{FootBackground}
  \mymulticolumn{2}{p{5.377cm}}{\bf\textcolor{white}{Cheatographer}}  \\
  \vspace{-2pt}mN3m0N1c (g33k247) \\
  \uline{cheatography.com/g33k247} \\
  \end{tabulary}
\vfill
\columnbreak
\begin{tabulary}{5.8cm}{L}
  \SetRowColor{FootBackground}
  \mymulticolumn{1}{p{5.377cm}}{\bf\textcolor{white}{Cheat Sheet}}  \\
   \vspace{-2pt}Published 20th October, 2022.\\
   Updated 13th January, 2023.\\
   Page {\thepage} of \pageref{LastPage}.
\end{tabulary}
\vfill
\columnbreak
\begin{tabulary}{5.8cm}{L}
  \SetRowColor{FootBackground}
  \mymulticolumn{1}{p{5.377cm}}{\bf\textcolor{white}{Sponsor}}  \\
  \SetRowColor{white}
  \vspace{-5pt}
  %\includegraphics[width=48px,height=48px]{dave.jpeg}
  Measure your website readability!\\
  www.readability-score.com
\end{tabulary}
\end{multicols}}




\begin{document}
\raggedright
\raggedcolumns

% Set font size to small. Switch to any value
% from this page to resize cheat sheet text:
% www.emerson.emory.edu/services/latex/latex_169.html
\footnotesize % Small font.

\begin{multicols*}{3}

\begin{tabularx}{5.377cm}{X}
\SetRowColor{DarkBackground}
\mymulticolumn{1}{x{5.377cm}}{\bf\textcolor{white}{Network Security Monitoring with Suricata}}  \tn
\SetRowColor{LightBackground}
\mymulticolumn{1}{p{5.377cm}}{\vspace{1px}\centerline{\includegraphics[width=5.1cm]{/web/www.cheatography.com/public/uploads/g33k247_1663970636_Suricata.jpg}}} \tn 
\hhline{>{\arrayrulecolor{DarkBackground}}-}
\end{tabularx}
\par\addvspace{1.3em}

\begin{tabularx}{5.377cm}{X}
\SetRowColor{DarkBackground}
\mymulticolumn{1}{x{5.377cm}}{\bf\textcolor{white}{Getting Started}}  \tn
% Row 0
\SetRowColor{LightBackground}
\mymulticolumn{1}{x{5.377cm}}{• Easy to deploy in just a few steps} \tn 
% Row Count 1 (+ 1)
% Row 1
\SetRowColor{white}
\mymulticolumn{1}{x{5.377cm}}{• Purpose built to do 1 thing well} \tn 
% Row Count 2 (+ 1)
% Row 2
\SetRowColor{LightBackground}
\mymulticolumn{1}{x{5.377cm}}{• Installs easily on your favorite platform} \tn 
% Row Count 3 (+ 1)
% Row 3
\SetRowColor{white}
\mymulticolumn{1}{x{5.377cm}}{• Configurable to your network architecture} \tn 
% Row Count 4 (+ 1)
% Row 4
\SetRowColor{LightBackground}
\mymulticolumn{1}{x{5.377cm}}{• Write/Tune/Update/Delete your rules} \tn 
% Row Count 5 (+ 1)
% Row 5
\SetRowColor{white}
\mymulticolumn{1}{x{5.377cm}}{• Export/forward data to a SIEM (e.g., Splunk)} \tn 
% Row Count 6 (+ 1)
\hhline{>{\arrayrulecolor{DarkBackground}}-}
\end{tabularx}
\par\addvspace{1.3em}

\begin{tabularx}{5.377cm}{X}
\SetRowColor{DarkBackground}
\mymulticolumn{1}{x{5.377cm}}{\bf\textcolor{white}{Building Suricata from Source}}  \tn
% Row 0
\SetRowColor{LightBackground}
\mymulticolumn{1}{x{5.377cm}}{\$ tar xzvf suricata-6.0.0.tar.gz} \tn 
% Row Count 1 (+ 1)
% Row 1
\SetRowColor{white}
\mymulticolumn{1}{x{5.377cm}}{\$ cd suricata-6.0.0} \tn 
% Row Count 2 (+ 1)
% Row 2
\SetRowColor{LightBackground}
\mymulticolumn{1}{x{5.377cm}}{\$ ./configure} \tn 
% Row Count 3 (+ 1)
% Row 3
\SetRowColor{white}
\mymulticolumn{1}{x{5.377cm}}{\$ make \&\& sudo make install} \tn 
% Row Count 4 (+ 1)
\hhline{>{\arrayrulecolor{DarkBackground}}-}
\end{tabularx}
\par\addvspace{1.3em}

\begin{tabularx}{5.377cm}{X}
\SetRowColor{DarkBackground}
\mymulticolumn{1}{x{5.377cm}}{\bf\textcolor{white}{Installing Suricata from a Repository}}  \tn
% Row 0
\SetRowColor{LightBackground}
\mymulticolumn{1}{x{5.377cm}}{\$ sudo add-apt-repository ppa:oisf/suricata-stable} \tn 
% Row Count 1 (+ 1)
% Row 1
\SetRowColor{white}
\mymulticolumn{1}{x{5.377cm}}{\$ sudo apt update} \tn 
% Row Count 2 (+ 1)
% Row 2
\SetRowColor{LightBackground}
\mymulticolumn{1}{x{5.377cm}}{\$ sudo apt install suricata jq} \tn 
% Row Count 3 (+ 1)
% Row 3
\SetRowColor{white}
\mymulticolumn{1}{x{5.377cm}}{\$ sudo suricata -{}-build-info} \tn 
% Row Count 4 (+ 1)
% Row 4
\SetRowColor{LightBackground}
\mymulticolumn{1}{x{5.377cm}}{\$ sudo systemctl status suricata} \tn 
% Row Count 5 (+ 1)
% Row 5
\SetRowColor{white}
\mymulticolumn{1}{x{5.377cm}}{\$ sudo vim \seqsplit{/etc/suricata/suricata.yaml}} \tn 
% Row Count 6 (+ 1)
% Row 6
\SetRowColor{LightBackground}
\mymulticolumn{1}{x{5.377cm}}{\$ sudo systemctl restart suricata} \tn 
% Row Count 7 (+ 1)
\hhline{>{\arrayrulecolor{DarkBackground}}-}
\end{tabularx}
\par\addvspace{1.3em}

\begin{tabularx}{5.377cm}{X}
\SetRowColor{DarkBackground}
\mymulticolumn{1}{x{5.377cm}}{\bf\textcolor{white}{Checking the Suricata Configuration}}  \tn
% Row 0
\SetRowColor{LightBackground}
\mymulticolumn{1}{x{5.377cm}}{\$ suricata -{}-build-info|grep -A 3 '\textbackslash{}-\textbackslash{}-prefix'} \tn 
% Row Count 1 (+ 1)
% Row 1
\SetRowColor{white}
\mymulticolumn{1}{x{5.377cm}}{\$ suricata -{}-dump-config} \tn 
% Row Count 2 (+ 1)
% Row 2
\SetRowColor{LightBackground}
\mymulticolumn{1}{x{5.377cm}}{\$ suricata -{}-list-app-layer-protos} \tn 
% Row Count 3 (+ 1)
\hhline{>{\arrayrulecolor{DarkBackground}}-}
\end{tabularx}
\par\addvspace{1.3em}

\begin{tabularx}{5.377cm}{X}
\SetRowColor{DarkBackground}
\mymulticolumn{1}{x{5.377cm}}{\bf\textcolor{white}{Running Suricata in IDS or IPS Mode}}  \tn
% Row 0
\SetRowColor{LightBackground}
\mymulticolumn{1}{x{5.377cm}}{\$ sudo vim \seqsplit{/etc/suricata/suricata.yaml}} \tn 
% Row Count 1 (+ 1)
% Row 1
\SetRowColor{white}
\mymulticolumn{1}{x{5.377cm}}{~\#LISTENMODE=af-packet  \#IDS\textasciicircum{}1\textasciicircum{}} \tn 
% Row Count 2 (+ 1)
% Row 2
\SetRowColor{LightBackground}
\mymulticolumn{1}{x{5.377cm}}{~\#LISTENMODE=nfqueue  \#IPS\textasciicircum{}1\textasciicircum{}} \tn 
% Row Count 3 (+ 1)
\hhline{>{\arrayrulecolor{DarkBackground}}-}
\SetRowColor{LightBackground}
\mymulticolumn{1}{x{5.377cm}}{{\emph{\textasciicircum{}1\textasciicircum{} Remove \# to activate mode (default: IDS).}}}  \tn 
\hhline{>{\arrayrulecolor{DarkBackground}}-}
\end{tabularx}
\par\addvspace{1.3em}

\begin{tabularx}{5.377cm}{X}
\SetRowColor{DarkBackground}
\mymulticolumn{1}{x{5.377cm}}{\bf\textcolor{white}{Suricata File Locations}}  \tn
% Row 0
\SetRowColor{LightBackground}
\mymulticolumn{1}{x{5.377cm}}{\seqsplit{/etc/suricata/classification}.config \#classtypes} \tn 
% Row Count 1 (+ 1)
% Row 1
\SetRowColor{white}
\mymulticolumn{1}{x{5.377cm}}{/etc/suricata/rules \#files end in .rules} \tn 
% Row Count 2 (+ 1)
% Row 2
\SetRowColor{LightBackground}
\mymulticolumn{1}{x{5.377cm}}{\seqsplit{/etc/suricata/rules/custom}.rules \#local rules} \tn 
% Row Count 3 (+ 1)
% Row 3
\SetRowColor{white}
\mymulticolumn{1}{x{5.377cm}}{\seqsplit{/etc/suricata/suricata.yaml} \#config file} \tn 
% Row Count 4 (+ 1)
% Row 4
\SetRowColor{LightBackground}
\mymulticolumn{1}{x{5.377cm}}{\seqsplit{/etc/suricata/threshold.config} \#limit firing} \tn 
% Row Count 5 (+ 1)
% Row 5
\SetRowColor{white}
\mymulticolumn{1}{x{5.377cm}}{\seqsplit{/etc/suricata/variables.config}  \#local defined} \tn 
% Row Count 6 (+ 1)
\hhline{>{\arrayrulecolor{DarkBackground}}-}
\end{tabularx}
\par\addvspace{1.3em}

\begin{tabularx}{5.377cm}{X}
\SetRowColor{DarkBackground}
\mymulticolumn{1}{x{5.377cm}}{\bf\textcolor{white}{Suricata Monitoring (/var/log/suricata)}}  \tn
% Row 0
\SetRowColor{LightBackground}
\mymulticolumn{1}{x{5.377cm}}{\$ tail -f \seqsplit{/var/log/suricata/fast.log} (alerts)} \tn 
% Row Count 1 (+ 1)
% Row 1
\SetRowColor{white}
\mymulticolumn{1}{x{5.377cm}}{\$ tail -f \seqsplit{/var/log/suricata/http.log} (http requests)} \tn 
% Row Count 3 (+ 2)
% Row 2
\SetRowColor{LightBackground}
\mymulticolumn{1}{x{5.377cm}}{\$ tail -f \seqsplit{/var/log/suricata/suricata}.log (changes)} \tn 
% Row Count 4 (+ 1)
% Row 3
\SetRowColor{white}
\mymulticolumn{1}{x{5.377cm}}{\$ tail -f \seqsplit{/var/log/suricata/stats.log} (counters)} \tn 
% Row Count 5 (+ 1)
\hhline{>{\arrayrulecolor{DarkBackground}}-}
\end{tabularx}
\par\addvspace{1.3em}

\begin{tabularx}{5.377cm}{X}
\SetRowColor{DarkBackground}
\mymulticolumn{1}{x{5.377cm}}{\bf\textcolor{white}{Suricata Monitoring (JSON Log)}}  \tn
% Row 0
\SetRowColor{LightBackground}
\mymulticolumn{1}{x{5.377cm}}{\$ jq \seqsplit{'select(.event\_type=="alert")'} /var/log/suricata/eve.json  \#watch all alerts fire} \tn 
% Row Count 2 (+ 2)
% Row 1
\SetRowColor{white}
\mymulticolumn{1}{x{5.377cm}}{\$ jq 'select(.alert \seqsplit{.signature\_id==2100498)'} /var/log/suricata/eve.json  \#specific alert fire} \tn 
% Row Count 4 (+ 2)
% Row 2
\SetRowColor{LightBackground}
\mymulticolumn{1}{x{5.377cm}}{\$ jq \seqsplit{'select(.event\_type=="stats")'} /var/log/suricata/eve.json  \#monitor statistics} \tn 
% Row Count 6 (+ 2)
% Row 3
\SetRowColor{white}
\mymulticolumn{1}{x{5.377cm}}{\$ jq \seqsplit{'select(.event\_type=="stats")|.stats.capture.kernel\_packets'} /var/log/suricata/eve.json  \#kernel stats} \tn 
% Row Count 9 (+ 3)
\hhline{>{\arrayrulecolor{DarkBackground}}-}
\end{tabularx}
\par\addvspace{1.3em}

\begin{tabularx}{5.377cm}{X}
\SetRowColor{DarkBackground}
\mymulticolumn{1}{x{5.377cm}}{\bf\textcolor{white}{Troubleshooting Suricata}}  \tn
% Row 0
\SetRowColor{LightBackground}
\mymulticolumn{1}{x{5.377cm}}{\$ sudo suricata -c \seqsplit{/etc/suricata/suricata.yaml} -T -vvv  \#check config/look for {\emph{\textless{}Notice\textgreater{} - Configuration provided was successfully loaded. Exiting.}} in the output} \tn 
% Row Count 4 (+ 4)
% Row 1
\SetRowColor{white}
\mymulticolumn{1}{x{5.377cm}}{\$ sudo systemctl restart suricata  \#restart} \tn 
% Row Count 5 (+ 1)
% Row 2
\SetRowColor{LightBackground}
\mymulticolumn{1}{x{5.377cm}}{\$ sudo systemctl status -l suricata  \#status} \tn 
% Row Count 6 (+ 1)
% Row 3
\SetRowColor{white}
\mymulticolumn{1}{x{5.377cm}}{\$ grep -Ril \textless{}SID\#\textgreater{} \#get flagged SID in rules} \tn 
% Row Count 7 (+ 1)
% Row 4
\SetRowColor{LightBackground}
\mymulticolumn{1}{x{5.377cm}}{{[}ERRCODE: SC\_ERR\_CONF\_YAML\_ERROR(242){]} - App-Layer protocol sip enable status not set (Enable in suricata.yaml app-layer stanza)} \tn 
% Row Count 10 (+ 3)
\hhline{>{\arrayrulecolor{DarkBackground}}-}
\end{tabularx}
\par\addvspace{1.3em}

\begin{tabularx}{5.377cm}{X}
\SetRowColor{DarkBackground}
\mymulticolumn{1}{x{5.377cm}}{\bf\textcolor{white}{Writing Suricata Rules}}  \tn
% Row 0
\SetRowColor{LightBackground}
\mymulticolumn{1}{x{5.377cm}}{• Target the vulnerability, not the exploit} \tn 
% Row Count 1 (+ 1)
% Row 1
\SetRowColor{white}
\mymulticolumn{1}{x{5.377cm}}{• Target activity outside normal hours} \tn 
% Row Count 2 (+ 1)
% Row 2
\SetRowColor{LightBackground}
\mymulticolumn{1}{x{5.377cm}}{• Target to eliminate traffic of no interest} \tn 
% Row Count 3 (+ 1)
% Row 3
\SetRowColor{white}
\mymulticolumn{1}{x{5.377cm}}{• Target IP ranges based on your network} \tn 
% Row Count 4 (+ 1)
% Row 4
\SetRowColor{LightBackground}
\mymulticolumn{1}{x{5.377cm}}{• Target unusual conns, ports/protocols} \tn 
% Row Count 5 (+ 1)
% Row 5
\SetRowColor{white}
\mymulticolumn{1}{x{5.377cm}}{• Test, tune, and validate!} \tn 
% Row Count 6 (+ 1)
\hhline{>{\arrayrulecolor{DarkBackground}}-}
\end{tabularx}
\par\addvspace{1.3em}

\begin{tabularx}{5.377cm}{p{2.18988 cm} p{2.78712 cm} }
\SetRowColor{DarkBackground}
\mymulticolumn{2}{x{5.377cm}}{\bf\textcolor{white}{Rules Protocols (Basic)}}  \tn
% Row 0
\SetRowColor{LightBackground}
icmp & ip\textasciicircum{}1\textasciicircum{} \tn 
% Row Count 1 (+ 1)
% Row 1
\SetRowColor{white}
tcp & udp \tn 
% Row Count 2 (+ 1)
\hhline{>{\arrayrulecolor{DarkBackground}}--}
\SetRowColor{LightBackground}
\mymulticolumn{2}{x{5.377cm}}{{\emph{\textasciicircum{}1\textasciicircum{} ip stands for 'all' or 'any'}}}  \tn 
\hhline{>{\arrayrulecolor{DarkBackground}}--}
\end{tabularx}
\par\addvspace{1.3em}

\begin{tabularx}{5.377cm}{x{0.87717 cm} p{0.50124 cm} x{1.79611 cm} x{1.00248 cm} }
\SetRowColor{DarkBackground}
\mymulticolumn{4}{x{5.377cm}}{\bf\textcolor{white}{Rules Protocols (Application Layer)}}  \tn
% Row 0
\SetRowColor{LightBackground}
dcerpc & dhcp & dnp3\textasciicircum{}1\textasciicircum{} & dns \tn 
% Row Count 1 (+ 1)
% Row 1
\SetRowColor{white}
enip\textasciicircum{}1\textasciicircum{} & ftp & http & http2 \tn 
% Row Count 2 (+ 1)
% Row 2
\SetRowColor{LightBackground}
ikev2 & imap & krb5 & modbus* \tn 
% Row Count 3 (+ 1)
% Row 3
\SetRowColor{white}
nfs & ntp & rfb & rdp \tn 
% Row Count 4 (+ 1)
% Row 4
\SetRowColor{LightBackground}
sip & smb & smtp & snmp \tn 
% Row Count 5 (+ 1)
% Row 5
\SetRowColor{white}
ssh & tftp & tls (incl ssl) &  \tn 
% Row Count 6 (+ 1)
\hhline{>{\arrayrulecolor{DarkBackground}}----}
\SetRowColor{LightBackground}
\mymulticolumn{4}{x{5.377cm}}{{\emph{\textasciicircum{}1\textasciicircum{} disabled by default}}}  \tn 
\hhline{>{\arrayrulecolor{DarkBackground}}----}
\end{tabularx}
\par\addvspace{1.3em}

\begin{tabularx}{5.377cm}{X}
\SetRowColor{DarkBackground}
\mymulticolumn{1}{x{5.377cm}}{\bf\textcolor{white}{Suricata Rules: The 3 Elements of a Rule}}  \tn
% Row 0
\SetRowColor{LightBackground}
\mymulticolumn{1}{x{5.377cm}}{• {\bf{action}} (what happens on a rule match)} \tn 
% Row Count 1 (+ 1)
% Row 1
\SetRowColor{white}
\mymulticolumn{1}{x{5.377cm}}{• {\bf{header}} (protocol, address, port, direction)} \tn 
% Row Count 3 (+ 2)
% Row 2
\SetRowColor{LightBackground}
\mymulticolumn{1}{x{5.377cm}}{• {\bf{options}} (specifics of the rule)} \tn 
% Row Count 4 (+ 1)
\hhline{>{\arrayrulecolor{DarkBackground}}-}
\end{tabularx}
\par\addvspace{1.3em}

\begin{tabularx}{5.377cm}{X}
\SetRowColor{DarkBackground}
\mymulticolumn{1}{x{5.377cm}}{\bf\textcolor{white}{Element \#1: Rule Actions}}  \tn
% Row 0
\SetRowColor{LightBackground}
\mymulticolumn{1}{x{5.377cm}}{• {\bf{Alert}} generates an alert for later analysis} \tn 
% Row Count 2 (+ 2)
% Row 1
\SetRowColor{white}
\mymulticolumn{1}{x{5.377cm}}{• {\bf{Pass}} stops scanning, allows packet to pass, no alert} \tn 
% Row Count 4 (+ 2)
% Row 2
\SetRowColor{LightBackground}
\mymulticolumn{1}{x{5.377cm}}{• {\bf{Drop}} (IPS) stops processing/creates alert} \tn 
% Row Count 5 (+ 1)
% Row 3
\SetRowColor{white}
\mymulticolumn{1}{x{5.377cm}}{• {\bf{Reject}} (IPS) rst sent, matching packet dropped} \tn 
% Row Count 7 (+ 2)
% Row 4
\SetRowColor{LightBackground}
\mymulticolumn{1}{x{5.377cm}}{• {\bf{Rejectsrc}} same as just reject} \tn 
% Row Count 8 (+ 1)
% Row 5
\SetRowColor{white}
\mymulticolumn{1}{x{5.377cm}}{• {\bf{Rejectdst}} send RST/ICMP error packet to receiver of the matching packet} \tn 
% Row Count 10 (+ 2)
% Row 6
\SetRowColor{LightBackground}
\mymulticolumn{1}{x{5.377cm}}{• {\bf{Rejectboth}} send RST/ICMP error packets to both sides of the conversation} \tn 
% Row Count 12 (+ 2)
\hhline{>{\arrayrulecolor{DarkBackground}}-}
\end{tabularx}
\par\addvspace{1.3em}

\begin{tabularx}{5.377cm}{X}
\SetRowColor{DarkBackground}
\mymulticolumn{1}{x{5.377cm}}{\bf\textcolor{white}{Element \#2: Rule Headers}}  \tn
% Row 0
\SetRowColor{LightBackground}
\mymulticolumn{1}{x{5.377cm}}{{\bf{\textless{}proto\textgreater{}\textless{}src\_ip\textgreater{}\textless{}port\textgreater{} -\textgreater{} \textless{}dst\_ip\textgreater{}\textless{}port\textgreater{}}}} \tn 
% Row Count 1 (+ 1)
% Row 1
\SetRowColor{white}
\mymulticolumn{1}{x{5.377cm}}{• ip any any -\textgreater{} any any} \tn 
% Row Count 2 (+ 1)
% Row 2
\SetRowColor{LightBackground}
\mymulticolumn{1}{x{5.377cm}}{• tcp \$EXTERNAL\_NET any -\textgreater{} 10.200.0.0/24 80} \tn 
% Row Count 3 (+ 1)
% Row 3
\SetRowColor{white}
\mymulticolumn{1}{x{5.377cm}}{• ssh any any -\textgreater{} 203.0.113.0/24 !2} \tn 
% Row Count 4 (+ 1)
% Row 4
\SetRowColor{LightBackground}
\mymulticolumn{1}{x{5.377cm}}{• tcp \$EXTERNAL\_NET any -\textgreater{} \$HOME\_NET 80} \tn 
% Row Count 5 (+ 1)
% Row 5
\SetRowColor{white}
\mymulticolumn{1}{x{5.377cm}}{• source -\textgreater{} destination} \tn 
% Row Count 6 (+ 1)
% Row 6
\SetRowColor{LightBackground}
\mymulticolumn{1}{x{5.377cm}}{• source \textless{}\textgreater{} destination (both directions)} \tn 
% Row Count 7 (+ 1)
\hhline{>{\arrayrulecolor{DarkBackground}}-}
\end{tabularx}
\par\addvspace{1.3em}

\begin{tabularx}{5.377cm}{X}
\SetRowColor{DarkBackground}
\mymulticolumn{1}{x{5.377cm}}{\bf\textcolor{white}{Element \#3: Rule Options}}  \tn
\SetRowColor{white}
\mymulticolumn{1}{x{5.377cm}}{• arguments contain options/keyword modifiers \newline % Row Count 1 (+ 1)
• match in packet, classify rule, log custom messages \newline % Row Count 3 (+ 2)
• separated by ";" (may use {\emph{key: value}} format)% Row Count 4 (+ 1)
} \tn 
\hhline{>{\arrayrulecolor{DarkBackground}}-}
\end{tabularx}
\par\addvspace{1.3em}

\begin{tabularx}{5.377cm}{X}
\SetRowColor{DarkBackground}
\mymulticolumn{1}{x{5.377cm}}{\bf\textcolor{white}{Rule Classtypes}}  \tn
% Row 0
\SetRowColor{LightBackground}
\mymulticolumn{1}{x{5.377cm}}{• categorizes traffic: {\bf{config classification:shortname,short description,priority}}} \tn 
% Row Count 2 (+ 2)
% Row 1
\SetRowColor{white}
\mymulticolumn{1}{x{5.377cm}}{• 3 fields (machine readable name, description, priority): {\bf{config classification: bad-unknown,Potentially Bad Traffic, 2}}} \tn 
% Row Count 5 (+ 3)
\hhline{>{\arrayrulecolor{DarkBackground}}-}
\end{tabularx}
\par\addvspace{1.3em}

\begin{tabularx}{5.377cm}{X}
\SetRowColor{DarkBackground}
\mymulticolumn{1}{x{5.377cm}}{\bf\textcolor{white}{Rule Priority}}  \tn
% Row 0
\SetRowColor{LightBackground}
\mymulticolumn{1}{x{5.377cm}}{• implicit priority assigned by {\bf{classtype}} in \seqsplit{/etc/suricata/classification}.config} \tn 
% Row Count 2 (+ 2)
% Row 1
\SetRowColor{white}
\mymulticolumn{1}{x{5.377cm}}{• to override classtype default priority add the {\bf{priority:n}} option to a signature (where n is 1 to 255)} \tn 
% Row Count 5 (+ 3)
\hhline{>{\arrayrulecolor{DarkBackground}}-}
\end{tabularx}
\par\addvspace{1.3em}

\begin{tabularx}{5.377cm}{X}
\SetRowColor{DarkBackground}
\mymulticolumn{1}{x{5.377cm}}{\bf\textcolor{white}{Rule Reference Keyword}}  \tn
% Row 0
\SetRowColor{LightBackground}
\mymulticolumn{1}{x{5.377cm}}{• find more info/links (Do NOT put http:// into reference string, assumed with url)} \tn 
% Row Count 2 (+ 2)
% Row 1
\SetRowColor{white}
\mymulticolumn{1}{x{5.377cm}}{• use to tag CVE {\bf{reference:cve,2014-0160;}} or MITRE T-Codes {\bf{reference:tcode,1194;}}} \tn 
% Row Count 4 (+ 2)
\hhline{>{\arrayrulecolor{DarkBackground}}-}
\end{tabularx}
\par\addvspace{1.3em}

\begin{tabularx}{5.377cm}{X}
\SetRowColor{DarkBackground}
\mymulticolumn{1}{x{5.377cm}}{\bf\textcolor{white}{Rule Numbering (SID Allocation)}}  \tn
% Row 0
\SetRowColor{LightBackground}
\mymulticolumn{1}{x{5.377cm}}{• 1000000-1999999 Custom} \tn 
% Row Count 1 (+ 1)
% Row 1
\SetRowColor{white}
\mymulticolumn{1}{x{5.377cm}}{• 2000000-2099999 Emerging Threats (ET)} \tn 
% Row Count 2 (+ 1)
% Row 2
\SetRowColor{LightBackground}
\mymulticolumn{1}{x{5.377cm}}{• 2100000-2103999 Forked Snort GPL} \tn 
% Row Count 3 (+ 1)
% Row 3
\SetRowColor{white}
\mymulticolumn{1}{x{5.377cm}}{• 2200000-2200999 Decoder events} \tn 
% Row Count 4 (+ 1)
% Row 4
\SetRowColor{LightBackground}
\mymulticolumn{1}{x{5.377cm}}{• 2210000-2210999 Stream events} \tn 
% Row Count 5 (+ 1)
% Row 5
\SetRowColor{white}
\mymulticolumn{1}{x{5.377cm}}{• 2220000-2299999 Reserved} \tn 
% Row Count 6 (+ 1)
% Row 6
\SetRowColor{LightBackground}
\mymulticolumn{1}{x{5.377cm}}{• 2800000-2899999 ET Pro (subscrip. only)} \tn 
% Row Count 7 (+ 1)
% Row 7
\SetRowColor{white}
\mymulticolumn{1}{x{5.377cm}}{• 2400000-2528999 Dynamically updated} \tn 
% Row Count 8 (+ 1)
\hhline{>{\arrayrulecolor{DarkBackground}}-}
\SetRowColor{LightBackground}
\mymulticolumn{1}{x{5.377cm}}{{\emph{Note: Signature ID (SID) provided as last keyword (or second-to-last if a rev \# included) in the rule}}}  \tn 
\hhline{>{\arrayrulecolor{DarkBackground}}-}
\end{tabularx}
\par\addvspace{1.3em}

\begin{tabularx}{5.377cm}{X}
\SetRowColor{DarkBackground}
\mymulticolumn{1}{x{5.377cm}}{\bf\textcolor{white}{Example Rule for ICMP Ping}}  \tn
\SetRowColor{white}
\mymulticolumn{1}{x{5.377cm}}{alert icmp any any -\textgreater{} any any (msg:"PING detected"; sid:2; rev:1;)% Row Count 2 (+ 2)
} \tn 
\hhline{>{\arrayrulecolor{DarkBackground}}-}
\end{tabularx}
\par\addvspace{1.3em}

\begin{tabularx}{5.377cm}{X}
\SetRowColor{DarkBackground}
\mymulticolumn{1}{x{5.377cm}}{\bf\textcolor{white}{Example Rule for HTTP GET Request}}  \tn
\SetRowColor{white}
\mymulticolumn{1}{x{5.377cm}}{alert http \$HOME\_NET any -\textgreater{} \$EXTERNAL\_NET any (msg:"HTTP GET Request Containing Rule in URI"; flow:established,to\_server; http.method; content:"GET"; http.uri; content:"rule"; fast\_pattern; classtype:bad-unknown; sid:123; rev:1;)% Row Count 5 (+ 5)
} \tn 
\hhline{>{\arrayrulecolor{DarkBackground}}-}
\end{tabularx}
\par\addvspace{1.3em}

\begin{tabularx}{5.377cm}{X}
\SetRowColor{DarkBackground}
\mymulticolumn{1}{x{5.377cm}}{\bf\textcolor{white}{Reloading Rules}}  \tn
% Row 0
\SetRowColor{LightBackground}
\mymulticolumn{1}{x{5.377cm}}{\$ sudo systemctl restart suricata} \tn 
% Row Count 1 (+ 1)
% Row 1
\SetRowColor{white}
\mymulticolumn{1}{x{5.377cm}}{\$ sudo kill -USR1 \$(pidof suricata)\textasciicircum{}1\textasciicircum{}} \tn 
% Row Count 2 (+ 1)
% Row 2
\SetRowColor{LightBackground}
\mymulticolumn{1}{x{5.377cm}}{\$ sudo suricatasc -c reload-rules\textasciicircum{}2\textasciicircum{}} \tn 
% Row Count 3 (+ 1)
\hhline{>{\arrayrulecolor{DarkBackground}}-}
\SetRowColor{LightBackground}
\mymulticolumn{1}{x{5.377cm}}{\textasciicircum{}1\textasciicircum{} When enabled in suricata.yaml (preferred) \newline \textasciicircum{}2\textasciicircum{} When using the Unix socket feature}  \tn 
\hhline{>{\arrayrulecolor{DarkBackground}}-}
\end{tabularx}
\par\addvspace{1.3em}

\begin{tabularx}{5.377cm}{X}
\SetRowColor{DarkBackground}
\mymulticolumn{1}{x{5.377cm}}{\bf\textcolor{white}{Triggering Rules (Testing)}}  \tn
\SetRowColor{white}
\mymulticolumn{1}{x{5.377cm}}{\$ curl \seqsplit{http://testmynids.org/uid/index.html} \newline % Row Count 1 (+ 1)
\$ grep 2100498 \seqsplit{/var/log/suricata/fast.log}% Row Count 2 (+ 1)
} \tn 
\hhline{>{\arrayrulecolor{DarkBackground}}-}
\end{tabularx}
\par\addvspace{1.3em}

\begin{tabularx}{5.377cm}{X}
\SetRowColor{DarkBackground}
\mymulticolumn{1}{x{5.377cm}}{\bf\textcolor{white}{Thresholding Rules (Criteria)}}  \tn
% Row 0
\SetRowColor{LightBackground}
\mymulticolumn{1}{x{5.377cm}}{• Limit to 1 alert every 60 seconds for sid \#2404000: {\bf{threshold gen\_id 1, sig\_id 2404000, type threshold, track by\_dst, count 1, seconds 60}}} \tn 
% Row Count 3 (+ 3)
% Row 1
\SetRowColor{white}
\mymulticolumn{1}{x{5.377cm}}{• Limit to 10 alerts every 60 seconds for each {\emph{source}} host: {\bf{threshold gen\_id 0, sig\_id 0, type threshold, track by\_src, count 10, seconds 60}}} \tn 
% Row Count 6 (+ 3)
\hhline{>{\arrayrulecolor{DarkBackground}}-}
\end{tabularx}
\par\addvspace{1.3em}

\begin{tabularx}{5.377cm}{X}
\SetRowColor{DarkBackground}
\mymulticolumn{1}{x{5.377cm}}{\bf\textcolor{white}{Suppressing Rules (Traffic)}}  \tn
% Row 0
\SetRowColor{LightBackground}
\mymulticolumn{1}{x{5.377cm}}{• suppress to ensure no alerts are generated (suppression only considered post-matching): {\bf{suppress gen\_id 0, sig\_id 0, track by\_src, ip 1.2.3.4}}} \tn 
% Row Count 3 (+ 3)
\hhline{>{\arrayrulecolor{DarkBackground}}-}
\end{tabularx}
\par\addvspace{1.3em}

\begin{tabularx}{5.377cm}{X}
\SetRowColor{DarkBackground}
\mymulticolumn{1}{x{5.377cm}}{\bf\textcolor{white}{Offline Processing}}  \tn
% Row 0
\SetRowColor{LightBackground}
\mymulticolumn{1}{x{5.377cm}}{• Read pcap files just like network traffic} \tn 
% Row Count 1 (+ 1)
% Row 1
\SetRowColor{white}
\mymulticolumn{1}{x{5.377cm}}{\$ sudo suricata -c \seqsplit{/etc/suricata/suricata.yaml} -r \textless{}pcap\_location\textgreater{} -l \textless{}where to log results\textgreater{}\textasciicircum{}1} \tn 
% Row Count 3 (+ 2)
% Row 2
\SetRowColor{LightBackground}
\mymulticolumn{1}{x{5.377cm}}{\$ tail -f \seqsplit{/var/log/suricata/fast.log}} \tn 
% Row Count 4 (+ 1)
\hhline{>{\arrayrulecolor{DarkBackground}}-}
\SetRowColor{LightBackground}
\mymulticolumn{1}{x{5.377cm}}{{\emph{\textasciicircum{}1\textasciicircum{} Same directory as pcap file if -l not used}}}  \tn 
\hhline{>{\arrayrulecolor{DarkBackground}}-}
\end{tabularx}
\par\addvspace{1.3em}

\begin{tabularx}{5.377cm}{x{2.4885 cm} x{2.4885 cm} }
\SetRowColor{DarkBackground}
\mymulticolumn{2}{x{5.377cm}}{\bf\textcolor{white}{Learn More}}  \tn
% Row 0
\SetRowColor{LightBackground}
\{\{link="https://rules.emergingthreats.net/open/suricata/rules/"\}\}ET Rulesets\{\{/link\}\} & \{\{link="https://suricata.readthedocs.io/"\}\}Suricata Docs\{\{/link\}\} \tn 
% Row Count 5 (+ 5)
% Row 1
\SetRowColor{white}
\{\{link="https://rules.emergingthreats.net/changelogs/"\}\}ET Rule Changes\{\{/link\}\} & \{\{link="https://suricata.readthedocs.io/en/latest/"\}\}Suricata User Guide\{\{/link\}\} \tn 
% Row Count 10 (+ 5)
% Row 2
\SetRowColor{LightBackground}
\{\{link="https://doc.emergingthreats.net/bin/view/Main/RulesBySid"\}\}ET Rule SID Lookup\{\{/link\}\} & \{\{link="https://www.useragentstring.com/pages/useragentstring.php"\}\}User Agent Strings\{\{/link\}\} \tn 
% Row Count 15 (+ 5)
% Row 3
\SetRowColor{white}
\{\{link="http://oinkmaster.sourceforge.net/"\}\}Oinkmaster\{\{/link\}\} & \{\{link="https://snort.org/downloads\#rules"\}\}Talos VRT Rules\{\{/link\}\} \tn 
% Row Count 19 (+ 4)
% Row 4
\SetRowColor{LightBackground}
\{\{link="http://www.cyb3rs3c.net/"\}\}Snorpy Generator\{\{/link\}\} & \{\{link="https://www.youtube.com/playlist?list=PLx7\_dt-ncoVl85QezPKNljycxRUHpFnue"\}\}YouTube Playlist\{\{/link\}\} \tn 
% Row Count 25 (+ 6)
% Row 5
\SetRowColor{white}
\mymulticolumn{2}{x{5.377cm}}{\{\{link="https://github.com/OISF/suricata/blob/master/doc/userguide/configuration/suricata-yaml.rst"\}\}Suricata Config File\{\{/link\}\}} \tn 
% Row Count 28 (+ 3)
\hhline{>{\arrayrulecolor{DarkBackground}}--}
\end{tabularx}
\par\addvspace{1.3em}


% That's all folks
\end{multicols*}

\end{document}