Last updated at Fri, 08 Dec 2017 18:40:38 GMT
Synopsis
Suricata is a free, open-source, high-performance network intrusion detection system that inspects network traffic using a rules and signature language. Suricata is funded by the Open Information Security Foundation (OISF) and is used for network intrusion detection, network intrusion prevention and network security monitoring. It can handle multi-gigabit traffic, display alerts on screen and also send alerts by email. Suricata's architecture is very similar to Snort's and relies on signatures.
Features
- Supports multi-threading, so you can use more than one CPU core at a time.
- Provides built-in hardware acceleration, so you can use graphics cards to inspect network traffic.
- Supports Lua scripting, which can be used to detect complex threats.
- Supports various operating systems such as Unix/Linux, FreeBSD and Windows.
- Suricata is capable of inspecting multi-gigabit traffic easily.
In this tutorial, we will demonstrate how to install and configure Suricata IDS on Ubuntu Linux server.
System Requirements
- Newly deployed Ubuntu 16.04 server.
- Minimum 4 GB RAM and multicore CPU for better performance.
- A static IP address 192.168.15.189 is configured on your server.
Prepare the System for Deployment
Before starting with Suricata, your system should be up to date, with all installed software running its latest version.
First, log in as the root user and update your system by running the following commands:
apt-get update -y
apt-get upgrade -y
Install Required Packages
Before installing Suricata, you will need to install Suricata’s dependencies.
You can install all the required dependencies by running the following command:
apt-get install libpcre3-dbg libpcre3-dev autoconf automake libtool libpcap-dev libnet1-dev libyaml-dev libjansson4 libcap-ng-dev libmagic-dev libjansson-dev zlib1g-dev
By default, Suricata works as an Intrusion Detection System. If you also want to run it as an Intrusion Prevention System (inline, using NFQUEUE), you will need to install some extra packages.
Run the following command to install them:
apt-get install libnetfilter-queue-dev libnetfilter-queue1 libnfnetlink-dev
Once all the required packages are installed, you can proceed to the next step.
Install Suricata
There are two different ways you can install Suricata:
- Install Suricata from Source
- Install Suricata from Ubuntu PPA
Install Suricata from Source
First, download the latest stable version of Suricata from its official website.
Alternatively, you can download it directly with the following command:
wget https://www.openinfosecfoundation.org/download/suricata-3.2.tar.gz
Once the download is complete, extract the archive with the following command:
tar -xvzf suricata-3.2.tar.gz
Next, change into the suricata-3.2 directory and configure the build with IPS (NFQUEUE) support using the following commands:
cd suricata-3.2
./configure --enable-nfqueue --prefix=/usr --sysconfdir=/etc --localstatedir=/var
Next, compile and install Suricata by running the following commands:
make
make install
Next, install Suricata's default configuration files with the following command:
make install-conf
Install Suricata from Ubuntu PPA
First, you will need to add the Suricata PPA to your Ubuntu repositories. To do so, run the following command:
add-apt-repository ppa:oisf/suricata-stable
Next, update the repository with the following command:
apt-get update -y
Once the repository index is up to date, you can install the latest stable version of Suricata with the following command:
apt-get install suricata suricata-dbg -y
Configure Suricata
Suricata is useless without rules, so you will also need to install the Suricata IDS rule sets. You can install all the rule sets by running the following command inside the Suricata source directory:
make install-rules
You can see all the installed rule sets inside the /etc/suricata/rules directory:
ls /etc/suricata/rules/
Output:
app-layer-events.rules emerging-deleted.rules emerging-rpc.rules http-events.rules
botcc.portgrouped.rules emerging-dns.rules emerging-scada.rules LICENSE
botcc.rules emerging-dos.rules emerging-scan.rules modbus-events.rules
BSD-License.txt emerging-exploit.rules emerging-shellcode.rules rbn-malvertisers.rules
ciarmy.rules emerging-ftp.rules emerging-smtp.rules rbn.rules
classification.config emerging-games.rules emerging-snmp.rules reference.config
compromised-ips.txt emerging-icmp_info.rules emerging-sql.rules sid-msg.map
compromised.rules emerging-icmp.rules emerging-telnet.rules smtp-events.rules
decoder-events.rules emerging-imap.rules emerging-tftp.rules stream-events.rules
dnp3-events.rules emerging-inappropriate.rules emerging-trojan.rules suricata-1.3-etpro-etnamed.yaml
dns-events.rules emerging-info.rules emerging-user_agents.rules suricata-1.3-open.txt
drop.rules emerging-malware.rules emerging-voip.rules suricata-1.3-open.yaml
dshield.rules emerging-misc.rules emerging-web_client.rules tls-events.rules
emerging-activex.rules emerging-mobile_malware.rules emerging-web_server.rules tor.rules
emerging-attack_response.rules emerging-netbios.rules emerging-web_specific_apps.rules unicode.map
emerging-chat.rules emerging-p2p.rules emerging-worm.rules
emerging.conf emerging-policy.rules gen-msg.map
emerging-current_events.rules emerging-pop3.rules gpl-2.0.txt
Once all the rule sets are installed, you will need to configure Suricata by editing the /etc/suricata/suricata.yaml file:
nano /etc/suricata/suricata.yaml
Under the vars section, you will need to change some important variables such as HOME_NET and EXTERNAL_NET. You can change these variables as per your infrastructure requirements:
HOME_NET: "[192.168.15.189]"
EXTERNAL_NET: "!$HOME_NET"
Save and close the file when you are finished.
Note: HOME_NET is the IP address or network block of the network you want to defend, and 192.168.15.189 is the IP address of the Suricata server. Suricata will alert on attacks against the HOME_NET.
Test Suricata
Once everything is set up, it's time to perform intrusion detection. Before starting, it is recommended to turn off any packet offload features on the NIC Suricata is listening on, because offloading merges packets into large segments that no longer match what was actually on the wire.
You can turn off LRO/GRO on the interface eth0 with the following command:
ethtool -K eth0 gro off lro off
Next, you will need to create a rule set to test Suricata. First, create a test.rules file inside the /etc/suricata/rules directory:
nano /etc/suricata/rules/test.rules
Add the following rules:
alert icmp any any -> $HOME_NET any (msg:"ICMP connection attempt"; sid:1000002; rev:1;)
alert tcp any any -> $HOME_NET 23 (msg:"TELNET connection attempt"; sid:1000003; rev:1;)
The above rules will generate an alert in the /var/log/suricata/fast.log file when someone tries to ping or telnet to the server.
Next, you will also need to add this rule file to suricata.yaml:
nano /etc/suricata/suricata.yaml
Under the rule-files: section, add the following line:
- test.rules
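The two suricata.yaml edits above (the HOME_NET/EXTERNAL_NET variables and the rule-files: entry) are easy to get subtly wrong: a HOME_NET that does not contain the sensor's own address means the "-> $HOME_NET" test rules never fire, and a rule file listed twice produces duplicate-SID load errors. The following Python script is an added example, not part of this tutorial or of the Suricata project. It applies both edits to a constructed sample of suricata.yaml as plain text (so the comments in the stock file survive), makes the rule-files insertion idempotent, and checks that a HOME_NET value covers a given address. The SAMPLE_YAML content is a constructed excerpt, and the address-group parser handles the flat "[a,b,!c]" list syntax only, not nested brackets or $VAR references.

```python
"""Apply the tutorial's suricata.yaml edits as text and sanity-check HOME_NET.
Added example; not from the tutorial or the Suricata project."""
import ipaddress
import re

# Constructed excerpt of a stock suricata.yaml (only the parts this example touches).
SAMPLE_YAML = """\
%YAML 1.1
---
vars:
  address-groups:
    HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
    EXTERNAL_NET: "!$HOME_NET"

default-rule-path: /etc/suricata/rules
rule-files:
 - botcc.rules
 - ciarmy.rules
"""


def set_address_group(yaml_text: str, name: str, value: str) -> str:
    """Replace the quoted value of vars.address-groups.<name>; exactly one match expected."""
    pattern = re.compile(r'^(?P<head>[ \t]+' + re.escape(name) + r':[ \t]*)"[^"]*"[ \t]*$', re.M)
    new_text, count = pattern.subn(lambda m: m.group("head") + '"' + value + '"', yaml_text)
    if count != 1:
        raise ValueError(f"expected exactly one {name}: line, found {count}")
    return new_text


def add_rule_file(yaml_text: str, filename: str) -> str:
    """Insert '- <filename>' directly under rule-files: unless it is already listed."""
    lines = yaml_text.splitlines()
    if any(line.strip() == f"- {filename}" for line in lines):
        return yaml_text  # idempotent: listing a file twice would duplicate every SID in it
    for i, line in enumerate(lines):
        if line.strip() == "rule-files:":
            indent = " "
            nxt = lines[i + 1] if i + 1 < len(lines) else ""
            if nxt.lstrip().startswith("- "):
                indent = nxt[: len(nxt) - len(nxt.lstrip())]  # reuse existing entry indentation
            lines.insert(i + 1, f"{indent}- {filename}")
            return "\n".join(lines) + "\n"
    raise ValueError("no rule-files: section found")


def parse_address_group(value: str):
    """Parse a flat Suricata address group ('any', 'x.x.x.x', '[a,b,!c]') into
    (include, exclude) network lists. Nested brackets and $VAR references are not handled."""
    value = value.strip().strip('"')
    if value.startswith("[") and value.endswith("]"):
        value = value[1:-1]
    include, exclude = [], []
    for item in (part.strip() for part in value.split(",")):
        if not item:
            continue
        if item == "any":
            include.append(ipaddress.ip_network("0.0.0.0/0"))
            continue
        if item.lstrip("!").startswith("$"):
            raise ValueError(f"unresolved variable reference: {item}")
        negated = item.startswith("!")
        net = ipaddress.ip_network(item.lstrip("!"), strict=False)
        (exclude if negated else include).append(net)
    return include, exclude


def home_net_covers(value: str, ip: str) -> bool:
    """True if address `ip` is inside the group: in some include and in no exclude."""
    addr = ipaddress.ip_address(ip)
    include, exclude = parse_address_group(value)
    return any(addr in n for n in include) and not any(addr in n for n in exclude)


if __name__ == "__main__":
    server_ip = "192.168.15.189"  # the tutorial's static sensor address
    cfg = set_address_group(SAMPLE_YAML, "HOME_NET", f"[{server_ip}]")
    cfg = set_address_group(cfg, "EXTERNAL_NET", "!$HOME_NET")
    cfg = add_rule_file(cfg, "test.rules")
    print(cfg)
    print("HOME_NET covers sensor:", home_net_covers(f"[{server_ip}]", server_ip))
```

To use it against a real install, read /etc/suricata/suricata.yaml into yaml_text, write the result back, and run Suricata with -T to confirm the file still loads before restarting the daemon.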
Finally, start Suricata in live mode, as a daemon, with the following command:
/usr/bin/suricata -D -c /etc/suricata/suricata.yaml -i eth0
Suricata is now up and listening on interface eth0.
On a remote machine, try to ping and telnet to the Suricata server with the following commands:
ping 192.168.15.189
telnet 192.168.15.189
Now, on the Suricata server, run the following command:
tail -f /var/log/suricata/fast.log
If your Suricata server is operating correctly, you should see output like the following:
01/21/2017-17:30:45.344770 [**] [1:1000002:1] ICMP connection attempt [**] [Classification: (null)] [Priority: 3] {ICMP} 192.168.15.237:8 -> 192.168.15.189:0
01/21/2017-17:30:49.846571 [**] [1:1000003:1] TELNET connection attempt [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.15.237:36922 -> 192.168.15.189:23
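Reading fast.log with tail is fine for a smoke test, but a practitioner usually wants the alerts as structured records and wants to know that every alert maps back to a rule that is actually loaded. The following Python script is an added example and not part of this tutorial or of the Suricata project: it parses rule lines in the format of the test.rules file above (rejecting duplicate SIDs, which Suricata refuses to load), parses fast.log lines in the format of the output above, counts alerts per SID and reports alerts whose SID has no matching rule. The TEST_RULES and FAST_LOG strings are constructed samples embedded so the script runs offline; the third fast.log line is an additional constructed alert, not output from the tutorial.

```python
"""Parse Suricata rules and fast.log alerts, then correlate them by SID.
Added example; not from the tutorial or the Suricata project."""
import re
from collections import Counter
from datetime import datetime

# Constructed sample: the tutorial's test.rules content.
TEST_RULES = """\
# test rules (constructed sample matching the tutorial)
alert icmp any any -> $HOME_NET any (msg:"ICMP connection attempt"; sid:1000002; rev:1;)
alert tcp any any -> $HOME_NET 23 (msg:"TELNET connection attempt"; sid:1000003; rev:1;)
"""

# Constructed sample fast.log lines in the same format as the tutorial output.
FAST_LOG = """\
01/21/2017-17:30:45.344770 [**] [1:1000002:1] ICMP connection attempt [**] [Classification: (null)] [Priority: 3] {ICMP} 192.168.15.237:8 -> 192.168.15.189:0
01/21/2017-17:30:49.846571 [**] [1:1000003:1] TELNET connection attempt [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.15.237:36922 -> 192.168.15.189:23
01/21/2017-17:31:02.100000 [**] [1:1000002:1] ICMP connection attempt [**] [Classification: (null)] [Priority: 3] {ICMP} 192.168.15.237:8 -> 192.168.15.189:0
"""

# action proto src sport dir dst dport (options)
RULE_RE = re.compile(
    r"^(?P<action>alert|drop|pass|reject)\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$"
)

# timestamp [**] [gid:sid:rev] msg [**] [Classification: x] [Priority: n] {PROTO} src:port -> dst:port
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"\[Classification:\s*(?P<cls>[^\]]*)\]\s+\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[^}]+)\}\s+(?P<src>\S+):(?P<sport>\d+)\s+->\s+(?P<dst>\S+):(?P<dport>\d+)\s*$"
)


def _rule_options(opts: str) -> dict:
    """Pull out the option keywords this example cares about: msg, sid, rev."""
    msg = re.search(r'msg:"([^"]*)"', opts)
    sid = re.search(r"\bsid:(\d+)", opts)
    rev = re.search(r"\brev:(\d+)", opts)
    if not sid:
        raise ValueError(f"rule without sid: {opts}")
    return {"msg": msg.group(1) if msg else "", "sid": int(sid.group(1)),
            "rev": int(rev.group(1)) if rev else 0}


def parse_rules(text: str) -> dict:
    """Return {sid: rule dict}; blank and comment lines are skipped, duplicate SIDs rejected."""
    rules = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not a rule: {line}")
        rule = m.groupdict()
        rule.update(_rule_options(rule.pop("opts")))
        if rule["sid"] in rules:
            raise ValueError(f"line {lineno}: duplicate sid {rule['sid']}")
        rules[rule["sid"]] = rule
    return rules


def parse_fast_log(text: str) -> list:
    """Parse fast.log lines into dicts with numeric fields and a datetime; unparsable lines are skipped."""
    alerts = []
    for line in text.splitlines():
        m = FAST_RE.match(line.strip())
        if not m:
            continue
        a = m.groupdict()
        for key in ("gid", "sid", "rev", "prio", "sport", "dport"):
            a[key] = int(a[key])
        a["time"] = datetime.strptime(a["ts"], "%m/%d/%Y-%H:%M:%S.%f")
        alerts.append(a)
    return alerts


def count_by_sid(alerts: list) -> Counter:
    """How many times each rule fired."""
    return Counter(a["sid"] for a in alerts)


def alerts_without_rule(rules: dict, alerts: list) -> list:
    """SIDs seen in fast.log that are not in the loaded rule set (stale log or missing rule file)."""
    return sorted({a["sid"] for a in alerts} - set(rules))


if __name__ == "__main__":
    loaded = parse_rules(TEST_RULES)
    seen = parse_fast_log(FAST_LOG)
    for sid, n in count_by_sid(seen).items():
        print(f"sid {sid} ({loaded.get(sid, {}).get('msg', '?')}): {n} alert(s)")
    print("alerts with no matching rule:", alerts_without_rule(loaded, seen))
```

On a live sensor, replace the embedded strings with the contents of /etc/suricata/rules/test.rules and /var/log/suricata/fast.log; an empty list from alerts_without_rule confirms that every alert in the log came from a rule that is still present in the configured rule files.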