Add Suricata IDS to FredOS-Mediaserver

Passive network monitoring via af-packet on eno1. Rulesets auto-updated from ET/Open, abuse.ch, and other community sources via suricata-update. Runs alongside fail2ban; IPS/blocking mode can be enabled later. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-06 20:36:45 +01:00 · 2026-04-06 20:36:45 +01:00 · b91b0ef234
commit b91b0ef234
parent 2104de314e
2 changed files with 59 additions and 0 deletions
--- a/common.nix
+++ b/common.nix
@ -30,6 +30,7 @@
    ./services/bazarr.nix
    ./services/cloudflare-ddns.nix
    ./services/fail2ban.nix
+    ./services/suricata.nix
  ];

  ### Make build time quicker
--- a/services/suricata.nix
+++ b/services/suricata.nix
@ -0,0 +1,58 @@
+{ config, lib, pkgs, ... }:
+{
+  config = lib.mkIf (config.networking.hostName == "FredOS-Mediaserver") {
+
+    services.suricata = {
+      enable = true;
+
+      settings = {
+        vars.address-groups = {
+          # Your local networks — Suricata won't alert on traffic within these
+          HOME_NET = "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12,127.0.0.0/8]";
+          EXTERNAL_NET = "!$HOME_NET";
+        };
+
+        # IDS mode: passive monitoring (read-only, no blocking)
+        # To enable IPS later, swap this for nfqueue mode
+        af-packet = [
+          { interface = "eno1"; }
+        ];
+
+        # Structured JSON log — useful for dashboards and log aggregation
+        outputs = [
+          {
+            eve-log = {
+              enabled = true;
+              filetype = "regular";
+              filename = "eve.json";
+              community-id = true;
+              types = [
+                { alert = { tagged-packets = "yes"; }; }
+                { anomaly = {}; }
+                { drop = {}; }
+              ];
+            };
+          }
+          # Human-readable alert log for quick inspection
+          {
+            fast = {
+              enabled = true;
+              filename = "fast.log";
+              append = "yes";
+            };
+          }
+        ];
+
+        # Enable unix socket so suricatasc can query running state
+        unix-command.enabled = true;
+
+        classification-file = "${pkgs.suricata}/etc/suricata/classification.config";
+        reference-config-file = "${pkgs.suricata}/etc/suricata/reference.config";
+      };
+    };
+
+    # Make suricata CLI tools available (suricatasc, suricata-update)
+    environment.systemPackages = [ pkgs.suricata ];
+
+  };
+}