Installing Suricata p2 - Paiet/SEC-440-Webmin GitHub Wiki

Overview

Suricata is an open-source network IDS and IPS engine capable of processing network traffic at near real-time speeds and indexing that traffic based on multiple natural language processing algorithms. It can operate in various modes, but its primary function is security monitoring. Suricata can be installed on most Linux distributions, but its installation process varies considerably by distribution. This guide will show you how to install Suricata on Ubuntu and provide additional resources for getting it up and running on other distributions.

What to Expect on an Ubuntu Installation

On a fresh Ubuntu 18.04 installation, the primary version and the package manager are not configured yet. You may run into problems with certain packages (for example, the Elasticsearch service being unavailable); this can be resolved by installing the default Ubuntu package manager, as suggested in this tutorial. You may also see several errors about the system being unable to find the necessary Suricata packages. This can happen if the system has not yet finished downloading the Suricata package, and it can be resolved by temporarily disabling the firewall or restarting the computer after the download has finished.

Download the Right Packages

The first step in any installation is to download the necessary software packages. We will be using the following packages for this tutorial:

  • curl
  • wget
  • nc
  • u
  • l
  • c
  • h

Install the Dependencies

We still have packages to download! The next step is to install their dependencies, which aren't listed in our installation instructions. We've provided a full list of dependencies below.

  • gcc
  • binutils
  • uuid
  • pkg-config
  • libarchive
  • libxml2
  • libxslt
  • liblzo2
  • libmagic
  • libcap
  • libcap-ng
  • libevent
  • libcap-2
  • libattr
  • libaio
  • zlib
  • libpcap
  • libnetfilter-queue
  • libpcap-dev
  • libpcap-1.8
  • libnetfilter-dev
  • tcpdump
  • sysstat
  • unixODBC
  • libuuid
  • sqlite3
  • openssl
  • openssl-static
  • lua
  • lua-get
  • lua-get-doc
  • lua-lua51
  • lua-lua51-doc
  • libxml2-dev
  • libxslt-dev
  • liblzo2-dev
  • libcap-dev
  • libcap-ng-dev
  • libmagic-dev
  • libcap-2-dev
  • libattr-dev
  • libaio-dev
  • zlib-dev

Enable the Services

The last step is to enable the services. We'll start with the ones we installed, which are stored in the /etc/rc.local file.

  • netfilter-queue
  • netfilter-queue-dev
  • netfilter-bridge
  • tcpdump
  • sysstat
  • unixODBC
  • libuuid
  • sqlite3
  • openssl-static

Test the Installation

The last step is to test the installation. Assuming you have permission to view the logs (e.g., by using tail -f on the /var/log/syslog/logfile.log file), you can verify that everything worked as it should by reviewing the logs. You should see messages like Netfilter Bridge created, DNS forwarder started, Netfilter queue started, etc. The final log should look like this: You are almost done! All that's left is to set up the service.

Conclusion

This tutorial showed you how to install the network security monitoring tool Suricata on Ubuntu. It's a popular open-source tool that can detect and prevent attacks. We also listed its dependencies and enabled the services that make up the Suricata installation. We also provided additional resources for installing Suricata on other Linux distributions.

Suricata is a Network Security Monitoring (NSM) tool that can generate log events, trigger alerts, and drop traffic when it detects suspicious packets or requests to any number of different services running on a server.

By default, Suricata works as a passive Intrusion Detection System (IDS) to scan for suspicious traffic on a server or network. It will generate and log alerts for further investigation. It can also be configured as an active Intrusion Prevention System (IPS) to log, alert, and completely block network traffic that matches specific rules.

You can deploy Suricata on a gateway host in a network to scan all incoming and outgoing network traffic from other systems or run it locally on individual machines in either mode.

Installing Suricata

  • Run the following command to add the repository to your system and update the list of available packages: sudo add-apt-repository ppa:oisf/suricata-stable

  • Now you can install Suricata using the apt command: sudo apt install suricata

  • Now that the package is installed, enable the suricata.service so that it will run when your system restarts. Use the systemctl command to enable it: sudo systemctl enable suricata.service

  • Before moving on to the next section of this tutorial, which explains how to configure Suricata, stop the service using systemctl: sudo systemctl stop suricata.service

Stopping Suricata ensures that when you edit and test the configuration file, any changes you make will be validated and loaded when Suricata starts up again.

Step 2 — Configuring Suricata For The First Time

The Suricata package from the OISF repositories ships with a configuration file covering a wide variety of use cases. The default mode for Suricata is IDS mode, so no traffic will be dropped, only logged. Leaving this mode set to the default is a good idea as you learn Suricata. Once you have Suricata configured and integrated into your environment and have a good idea of the kinds of traffic that it will alert you about, you can opt to turn on IPS mode.

killall suri-smtpd && killall suri-nsmd && killall suri-nids && killall suri-sink && killall suri-cli && killall -9 suricatabrowser && ps aux | grep "suricat*"

This will create a basic configuration file that you can then edit with any text editor. I recommend nano or vim if you are not familiar with either one. Once you have created or edited the configuration file, you need to start the Suricata daemon again. You can do this by running the following command:

Suricata Daemon Starting

With Suricata running on your system, you can now configure your IDS/IPS sensor to send alerts to it. In this example, I will be using Snort as my IDS/IPS sensor and p0f as my passive OS fingerprinting tool. We need to modify their configuration files for Snort and p0f to send data to Suricata.

Snort Configuration File

The first step is to modify Snort's configuration file. The default location of this file depends on your operating system, but it is usually found in /etc/snort or /usr/local/etc/snort. On an Ubuntu system, it is located in /etc/snort. To edit this file, we will use vim, which should be installed by default on most Linux distributions. Vim's syntax is fairly simple, and if you are not familiar with it, I recommend reading about it here. First, open the Snort configuration file using vim: sudo vim /etc/snort/snort.conf Next, scroll down until you find the following section of the Snort configuration file:

Snort Configuration File - Preprocessor Config

Within this section, we need to modify the preprocessor rules. We will be adding two new lines to the ruleset. The first will send p0f data to Suricata, and the second will send Snort alerts to Suricata. For our first line, we want to add a line that reads: alert ip any any -> $HOME_NET any (msg:"p0f"; content:"|01 00 00 01|"; offset:4; depth:6; sid:10000001; rev:1;) This rule will send an IP packet that contains a p0f signature with a sid of 10000001. The sid is arbitrary, and you can use whatever value you want, but it must match what is specified in your Suricata configuration file. Next, scroll down until you reach the following section:

Snort Configuration File - Detection Config

Within this section, add a new line that reads alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"IDS10122 Suspicious HTTP Request"; content:"GET / HTTP/1.[01].[01]"; fast_pattern:only; pcre:"/GET (.+?) HTTP\/1.[01].[01]/U"; reference:URL,doc.emergingthreats.net/2001699; classtype:web-application-attack; sid:2001699; rev:2;) (the forward slash inside the pcre pattern must be escaped as \/, because / is the pattern delimiter). This rule will send any suspicious HTTP requests to Suricata for further inspection. We are also going to define a new content rule that will be used in conjunction with the p0f rules we created earlier in this tutorial. Scroll down until you see the following section of the Snort configuration file:
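Mistakes in hand-written rules such as an unescaped delimiter inside a pcre option, a missing sid, or two rules sharing a sid only surface when the engine loads the file, so it pays to lint the rules first. The following Python is an added example (not code from this wiki or from the Snort or Suricata projects): it parses rules in the Snort/Suricata text format used above, lints their options, and reports duplicate sids. The sample rules are constructed for this example from the two rules on this page, plus a corrected copy of the HTTP rule whose pcre escapes the slash.

```python
import re

# Constructed samples: the two rules from this page's Snort section and a
# corrected copy of the second one whose pcre escapes the '/' delimiter.
SAMPLE_RULES = {
    "p0f": r'alert ip any any -> $HOME_NET any (msg:"p0f"; content:"|01 00 00 01|"; offset:4; depth:6; sid:10000001; rev:1;)',
    "http_bad": r'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"IDS10122 Suspicious HTTP Request"; content:"GET / HTTP/1.[01].[01]"; fast_pattern:only; pcre:"/GET (.+?) HTTP/1.[01].[01]/U"; reference:url,doc.emergingthreats.net/2001699; classtype:web-application-attack; sid:2001699; rev:2;)',
    "http_fixed": r'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"IDS10122 Suspicious HTTP Request"; content:"GET / HTTP/1.[01].[01]"; fast_pattern:only; pcre:"/GET (.+?) HTTP\/1.[01].[01]/U"; reference:url,doc.emergingthreats.net/2001699; classtype:web-application-attack; sid:2001699; rev:2;)',
}

# action proto src sport dir dst dport (options)
HEADER_RE = re.compile(r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$')

def split_options(body):
    """Split the option body on ';' characters that are outside double quotes."""
    opts, cur, in_quote = [], "", False
    for ch in body:
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            opts.append(cur.strip())
            cur = ""
        else:
            cur += ch
    if cur.strip():
        opts.append(cur.strip())
    return [o for o in opts if o]

def parse_rule(rule):
    """Return the header fields and an ordered list of (keyword, value) options."""
    m = HEADER_RE.match(rule)
    if not m:
        raise ValueError("malformed rule header: " + rule[:40])
    action, proto, src, sport, direction, dst, dport, body = m.groups()
    options = [tuple(s.strip() for s in opt.partition(":")[::2]) for opt in split_options(body)]
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dir": direction, "dst": dst, "dport": dport, "options": options}

def lint(parsed):
    """Problems a reviewer would flag before loading the rule into the engine."""
    problems, opts = [], dict(parsed["options"])
    if "msg" not in opts:
        problems.append("missing msg")
    sid = opts.get("sid", "")
    if not sid.isdigit():
        problems.append("missing or non-numeric sid")
    elif int(sid) < 1000000:
        problems.append("sid below 1000000 is reserved for distributed rulesets; use a local range")
    for key, val in parsed["options"]:
        if key == "pcre":
            pat = val.strip('"')
            inner = pat[1:pat.rfind("/")]  # text between the opening and closing delimiters
            if re.search(r"(?<!\\)/", inner):
                problems.append("pcre has an unescaped '/' delimiter inside the pattern; write it as '\\/'")
    return problems

def duplicate_sids(parsed_rules):
    """sids carried by more than one rule; a loaded ruleset must never contain these."""
    seen, dups = set(), set()
    for p in parsed_rules:
        sid = dict(p["options"]).get("sid")
        (dups if sid in seen else seen).add(sid)
    return dups
```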