Synopsis

Suricata is a free and open source, high-performance network intrusion detection system that inspects network traffic using a rules and signature language. It is developed by the Open Information Security Foundation (OISF) and is used for network intrusion detection (IDS), network intrusion prevention (IPS) and network security monitoring (NSM). It can keep up with multi-gigabit traffic and writes its alerts to log files (plain text and EVE JSON) that can be viewed on screen or forwarded to an alerting pipeline. Suricata's architecture is very similar to Snort's, and its detection relies on signatures written in a largely Snort-compatible rule language.

Features

  1. Supports multi-threading, so inspection can be spread across several CPU cores at once.
  2. Offers hardware acceleration options, including GPU-assisted pattern matching in builds compiled with that support.
  3. Supports Lua scripting for detecting complex threats that are hard to express as a plain signature.
  4. Runs on various operating systems such as Unix/Linux, FreeBSD and Windows.
  5. Inspects multi-gigabit traffic with ease.

In this tutorial, we will demonstrate how to install and configure Suricata as an IDS on an Ubuntu Linux server.

System Requirements

  • Newly deployed Ubuntu 16.04 server.
  • Minimum 4 GB RAM and multicore CPU for better performance.
  • A static IP address 192.168.15.189 is configured on your server.

Prepare the System for Deployment

Before starting with Suricata, bring the system up to date so that all installed packages are at their latest versions.

First, log in as the root user and update your system by running the following commands:

apt-get update -y
apt-get upgrade -y

Install Required Packages

Before installing Suricata, you will need to install its build dependencies.

You can install all the required dependencies by running the following command:

apt-get install libpcre3-dbg libpcre3-dev autoconf automake libtool libpcap-dev libnet1-dev libyaml-dev libjansson4 libcap-ng-dev libmagic-dev libjansson-dev zlib1g-dev

By default, Suricata works as an Intrusion Detection System (IDS), which only observes traffic. If you also want to run it inline as an Intrusion Prevention System (IPS), it needs the NFQUEUE libraries so that it can receive packets queued by iptables and accept or drop them.

Run the following command to install all of them:

apt-get install libnetfilter-queue-dev libnetfilter-queue1 libnfnetlink-dev

Once all the required packages are installed, you can proceed to the next step.

Install Suricata

There are two different ways you can install Suricata:

  1. Install Suricata from Source
  2. Install Suricata from Ubuntu PPA

Install Suricata from Source

First, download the latest stable version of Suricata from its official website, or fetch the 3.2 release used in this tutorial directly with the following command:

wget https://www.openinfosecfoundation.org/download/suricata-3.2.tar.gz

Once the download is complete, extract the archive with the following command:

tar -xvzf suricata-3.2.tar.gz

Next, change into the suricata-3.2 directory and configure the build with IPS (NFQUEUE) support, which relies on the libnetfilter packages installed above:

cd suricata-3.2 
./configure --enable-nfqueue --prefix=/usr --sysconfdir=/etc --localstatedir=/var

Next, compile and install Suricata by running the following commands:

make 
make install

Next, install the default Suricata configuration files (suricata.yaml and its companion classification and reference files) into /etc/suricata with the following command:

make install-conf

Install Suricata from Ubuntu PPA

First, add the OISF stable PPA to your apt sources (if the add-apt-repository command is missing, install the software-properties-common package first):

add-apt-repository ppa:oisf/suricata-stable

Next, refresh the package index with the following command:

apt-get update -y

Once the index is up to date, install the latest stable Suricata package together with its debug symbols package with the following command:

apt-get install suricata suricata-dbg -y

Configure Suricata

Suricata is useless without rules, so you also need to install a rule set. For a source build, run the following target inside the Suricata source directory; it downloads the Emerging Threats Open rule set and installs it under /etc/suricata/rules, so the build host needs outbound Internet access. This target only exists in the source tree: if you installed from the PPA, obtain the rules separately.

make install-rules

You can see the installed rule files in the /etc/suricata/rules directory:

ls /etc/suricata/rules/

Output:

 app-layer-events.rules emerging-deleted.rules emerging-rpc.rules http-events.rules 
 botcc.portgrouped.rules emerging-dns.rules emerging-scada.rules LICENSE 
 botcc.rules emerging-dos.rules emerging-scan.rules modbus-events.rules 
 BSD-License.txt emerging-exploit.rules emerging-shellcode.rules rbn-malvertisers.rules 
 ciarmy.rules emerging-ftp.rules emerging-smtp.rules rbn.rules 
 classification.config emerging-games.rules emerging-snmp.rules reference.config 
 compromised-ips.txt emerging-icmp_info.rules emerging-sql.rules sid-msg.map 
 compromised.rules emerging-icmp.rules emerging-telnet.rules smtp-events.rules 
 decoder-events.rules emerging-imap.rules emerging-tftp.rules stream-events.rules 
 dnp3-events.rules emerging-inappropriate.rules emerging-trojan.rules suricata-1.3-etpro-etnamed.yaml 
 dns-events.rules emerging-info.rules emerging-user_agents.rules suricata-1.3-open.txt 
 drop.rules emerging-malware.rules emerging-voip.rules suricata-1.3-open.yaml 
 dshield.rules emerging-misc.rules emerging-web_client.rules tls-events.rules 
 emerging-activex.rules emerging-mobile_malware.rules emerging-web_server.rules tor.rules 
 emerging-attack_response.rules emerging-netbios.rules emerging-web_specific_apps.rules unicode.map 
 emerging-chat.rules emerging-p2p.rules emerging-worm.rules 
 emerging.conf emerging-policy.rules gen-msg.map 
 emerging-current_events.rules emerging-pop3.rules gpl-2.0.txt

Once the rules are in place, configure Suricata by editing the /etc/suricata/suricata.yaml file:

nano /etc/suricata/suricata.yaml

In the vars: section (under address-groups), set the important variables HOME_NET and EXTERNAL_NET to match your infrastructure. For this tutorial HOME_NET is just the Suricata server's own address; on a sensor that watches a whole segment you would put the network block there instead, for example "[192.168.15.0/24]":

 HOME_NET: "[192.168.15.189]" 
 EXTERNAL_NET: "!$HOME_NET"

Save and close the file when you are finished.

Note: HOME_NET is the IP address or network block you want to defend, and 192.168.15.189 is the IP address of the Suricata server itself, which is sufficient for the tests below. Suricata alerts on attacks against HOME_NET; EXTERNAL_NET set to !$HOME_NET means everything that is not HOME_NET.

Test Suricata

Once everything is set up, it's time to perform intrusion detection. Before starting, turn off packet offload features on the NIC Suricata listens on: with offloading enabled the kernel hands Suricata merged packets larger than the MTU, which confuses its stream tracking and leads to missed detections.

Turn off LRO/GRO on the interface eth0 with the following command (substitute your own interface name):

ethtool -K eth0 gro off lro off

Next, create a small rule set to test Suricata.

First, create a test.rules file inside the /etc/suricata/rules directory:

nano /etc/suricata/rules/test.rules

Add the following rules:

 alert icmp any any -> $HOME_NET any (msg:"ICMP connection attempt"; sid:1000002; rev:1;) 
 alert tcp any any -> $HOME_NET 23 (msg:"TELNET connection attempt"; sid:1000003; rev:1;)

The above rules generate an alert in /var/log/suricata/fast.log whenever someone pings or telnets to the server. Local rules like these use sid values of 1000000 and above, the conventional range for locally written rules, so they never collide with downloaded rule sets. They carry no classtype keyword, which is why the alerts they produce show "Classification: (null)".
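Because Suricata identifies every rule by its sid, a duplicated or missing sid in a hand-written file is the most common reason a local rule set fails to load or misbehaves. The POSIX shell snippet below is an added example, not part of the original tutorial or of Suricata itself: it checks a rule file read on standard input for duplicate sids, sids below the local range and rules with no sid at all. The rule lines it scans are constructed for the example (the two test rules above plus three deliberately broken ones).

```shell
#!/bin/sh
# Constructed sample rule file: the two test rules from the tutorial plus
# three deliberately broken lines (duplicate sid, low sid, missing sid).
SAMPLE_RULES='alert icmp any any -> $HOME_NET any (msg:"ICMP connection attempt"; sid:1000002; rev:1;)
alert tcp any any -> $HOME_NET 23 (msg:"TELNET connection attempt"; sid:1000003; rev:1;)
# a copy-pasted rule whose sid was never bumped; Suricata flags this at load time
alert tcp any any -> $HOME_NET 22 (msg:"SSH connection attempt"; sid:1000003; rev:1;)

alert tcp any any -> $HOME_NET 80 (msg:"sid outside the local range"; sid:42; rev:1;)
alert tcp any any -> $HOME_NET 21 (msg:"FTP rule missing its sid"; rev:1;)'

# check_rule_sids: read rule lines on stdin, print one problem per line and
# return 1 if any problem was found, 0 if the file is clean.
check_rule_sids() {
    awk '
    /^[ \t]*#/ { next }                      # skip comment lines
    /^[ \t]*$/ { next }                      # skip blank lines
    {
        # the sid option looks like "sid:1000002;" somewhere in the rule body
        if (match($0, /sid:[ \t]*[0-9]+/)) {
            sid = substr($0, RSTART + 4, RLENGTH - 4)
            sub(/^[ \t]+/, "", sid)
            if (sid in seen) {
                printf "duplicate sid %s (lines %d and %d)\n", sid, seen[sid], NR
                bad = 1
            } else {
                seen[sid] = NR
            }
            # sids below 1000000 are reserved for vendor rule sets
            if (sid + 0 < 1000000) {
                printf "sid %s on line %d is below the local range (1000000+)\n", sid, NR
                bad = 1
            }
        } else {
            printf "line %d has no sid\n", NR
            bad = 1
        }
    }
    END { exit bad ? 1 : 0 }
    '
}

# Run the check over the constructed sample; on a real sensor you would use
# check_rule_sids < /etc/suricata/rules/test.rules
printf '%s\n' "$SAMPLE_RULES" | check_rule_sids
```

Running it against the sample reports the duplicate on lines 2 and 4, the low sid on line 6 and the missing sid on line 7; against a clean file it prints nothing and returns 0, so it can gate a deployment script.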

Next, register the new rule file in suricata.yaml:

nano /etc/suricata/suricata.yaml

Under the rule-files: section, add the following line:

 - test.rules

Finally, start Suricata as a daemon in live (IDS) mode on eth0 with the following command (running it with -T instead of -D only parses the configuration and rules and then exits, which is a useful first check):

/usr/bin/suricata -D -c /etc/suricata/suricata.yaml -i eth0

Suricata is now running in the background and listening on interface eth0.

From a remote machine, ping and telnet to the Suricata server with the following commands:

 ping 192.168.15.189 
 telnet 192.168.15.189

Now, on the Suricata server, run the following command:

tail -f /var/log/suricata/fast.log

If Suricata is operating correctly, you should see alerts like the following:

 01/21/2017-17:30:45.344770 [**] [1:1000002:1] ICMP connection attempt [**] [Classification: (null)] [Priority: 3] {ICMP} 192.168.15.237:8 -> 192.168.15.189:0 
 01/21/2017-17:30:49.846571 [**] [1:1000003:1] TELNET connection attempt [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.15.237:36922 -> 192.168.15.189:23
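fast.log holds one alert per line in the format shown above, so a little awk is enough to answer the first question after a test: which sources are triggering which signatures, and how often. The script below is an added example, not part of the original tutorial or of Suricata; it reads fast.log lines on standard input and prints one sid, source address and count per line, busiest first. The six alert lines are constructed to match the format above, not real captured output.

```shell
#!/bin/sh
# Constructed fast.log excerpt in the format Suricata writes (not real data):
# three pings and two telnet attempts from one host, one ping from another.
SAMPLE_FASTLOG='01/21/2017-17:30:45.344770  [**] [1:1000002:1] ICMP connection attempt [**] [Classification: (null)] [Priority: 3] {ICMP} 192.168.15.237:8 -> 192.168.15.189:0
01/21/2017-17:30:46.344912  [**] [1:1000002:1] ICMP connection attempt [**] [Classification: (null)] [Priority: 3] {ICMP} 192.168.15.237:8 -> 192.168.15.189:0
01/21/2017-17:30:47.345001  [**] [1:1000002:1] ICMP connection attempt [**] [Classification: (null)] [Priority: 3] {ICMP} 192.168.15.237:8 -> 192.168.15.189:0
01/21/2017-17:30:49.846571  [**] [1:1000003:1] TELNET connection attempt [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.15.237:36922 -> 192.168.15.189:23
01/21/2017-17:30:51.102233  [**] [1:1000003:1] TELNET connection attempt [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.15.237:36930 -> 192.168.15.189:23
01/21/2017-17:31:02.000100  [**] [1:1000002:1] ICMP connection attempt [**] [Classification: (null)] [Priority: 3] {ICMP} 192.168.15.50:8 -> 192.168.15.189:0'

# summarize_fastlog: read fast.log lines on stdin and print
# "sid source_ip count", one line per signature/source pair, busiest first.
summarize_fastlog() {
    awk '
    {
        sid = ""; src = ""
        for (i = 1; i <= NF; i++) {
            # the "[gid:sid:rev]" token identifies the rule that fired
            if ($i ~ /^\[[0-9]+:[0-9]+:[0-9]+\]$/) {
                split(substr($i, 2, length($i) - 2), parts, ":")
                sid = parts[2]
            }
            # the "{PROTO}" token is followed by "src:port -> dst:port"
            if ($i ~ /^[{][A-Za-z0-9]+[}]$/ && i + 1 <= NF) {
                src = $(i + 1)
                sub(/:[0-9]+$/, "", src)     # drop the source port
            }
        }
        if (sid != "" && src != "") count[sid " " src]++
    }
    END { for (k in count) print k, count[k] }
    ' | sort -k3,3nr -k1,1n -k2,2
}

# Summarize the constructed sample; on a real sensor you would run
# summarize_fastlog < /var/log/suricata/fast.log
printf '%s\n' "$SAMPLE_FASTLOG" | summarize_fastlog
```

For the sample this prints "1000002 192.168.15.237 3" first, then the two telnet attempts from the same host and the single ping from 192.168.15.50. The port is stripped from the source address so that repeated connections with ephemeral ports collapse into one line, which is what you want when looking for a scanner.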