Installing & Configuring Zeek NSM and Suricata IDS on RHEL 8 - cfloquetprojects/homelab GitHub Wiki

Introduction:

Zeek is an extremely powerful open-source network monitoring solution that was developed in 1994 by Vern Paxson at Lawrence Berkeley National Laboratory.

Suricata is an open-source threat detection engine, developed by the Open Information Security Foundation (OISF) in late 2009. Suricata sets itself apart by being multi-threaded, which lets it scale across cores and balance load in larger enterprise environments.

We will be combining the forces of both Zeek/Bro and Suricata to deliver powerful network security monitoring and intrusion detection capabilities to our imaginary SOC in today's lab.

Pre-Flight Check:

Ensure that your Red Hat Enterprise Linux 8 host is properly networked and has been registered to an existing Red Hat account using subscription-manager, so that it has access to the latest patches and updates.

We will be using mirrored ports (using a managed switch) to sniff network traffic for both our Zeek and Suricata appliances.

Installing Suricata:

We can install Suricata from source, which is a longer installation but lets us check the GPG signature of the tarball and confirm where it came from (all Suricata downloads, the current release as well as past ones, are found on the Open Information Security Foundation website).

$ mkdir /opt/suricata && cd /opt/suricata
$ wget https://www.openinfosecfoundation.org/download/suricata-current.tar.gz
$ wget https://www.openinfosecfoundation.org/download/suricata-current.tar.gz.sig
$ gpg --verify suricata-current.tar.gz.sig suricata-current.tar.gz

We should see both a Good signature message and a WARNING, since we have not imported the author's signing key into our own GPG keyring; importing and trusting that key is out of scope for this lab.

Now we can extract the suricata-current.tar.gz package (the archive unpacks into a directory named after the release version, so the cd below uses a glob that only matches directories):

$ tar -xvzf suricata-current.tar.gz
$ cd suricata-*/

If we are just looking for intrusion detection features, we can use the following command to configure the Suricata install:

$ ./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var

However, if we also want the Intrusion Prevention System (IPS) mode that Suricata offers, we need the NFQUEUE development packages before configuring (RHEL package names; the -devel packages may require the CodeReady Linux Builder repository to be enabled):

$ sudo yum -y install libnetfilter_queue-devel libnfnetlink-devel
$ ./configure --enable-nfqueue --prefix=/usr --sysconfdir=/etc --localstatedir=/var
$ make
$ make install

If you are looking for a simpler and quicker installation, the prebuilt packages from the OISF Copr repository are at your disposal (the copr subcommand needs dnf-plugins-core):

$ dnf install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
$ dnf install -y dnf-plugins-core
$ dnf copr enable -y @oisf/suricata-6.0
$ dnf -y update
$ dnf install -y suricata

If you haven't already, create the /opt/suricata folder and give ownership to the suricata user:

$ mkdir -p /opt/suricata/scripts
$ chown -R suricata:suricata /opt/suricata/

Log management will be important, so let's create a crontab entry that rotates logs and does other maintenance (a forced logrotate run must be hourly, not every minute, or the rotate 3 retention below would throw logs away within minutes):

$ crontab -e
# force a logrotate run at the top of every hour
0 0-23 * * * /usr/sbin/logrotate -f /etc/logrotate.conf > /dev/null 2>&1
# remove old gzip files every hour (script created further down)
5 0-23 * * * /opt/suricata/scripts/clean-suricata.bash > /dev/null 2>&1
# suricata rule update - stored under /var/lib/suricata/rules; SIGUSR2 makes Suricata reload its rules
0 12 * * * /usr/bin/suricata-update update --reload-command "/usr/bin/systemctl kill -s USR2 suricata" > /var/log/suricataupdate.log 2>&1

Let's refresh the rule source index, confirm that Proofpoint's Emerging Threats (ET Open) ruleset is listed (it is the default source), and fetch the latest rules:

$ suricata-update update-sources
$ suricata-update list-sources
$ suricata-update

It's important to add disable.conf so that suricata-update skips the modbus and dnp3 rule groups, which otherwise cause errors when Suricata starts:

$ vi /etc/suricata/disable.conf
group: modbus
group: dnp3

Now that we have scheduled log rotation in the crontab, let's set up the logrotate file for Suricata:

$ vi /etc/logrotate.d/suricata
/var/log/suricata/*.log /var/log/suricata/*.json
{
 daily
 rotate 3
 size 500M
 missingok
 compress
 delaycompress
 copytruncate
 create 0644 suricata suricata
 sharedscripts
 postrotate
 /bin/kill -HUP `cat /var/run/suricata/suricata.pid 2>/dev/null` 2>/dev/null || true
 endscript
}

Now we need a script that regularly removes the compressed Suricata logs, and we need to grant read permissions so that other users can read the logs (we will be forwarding them to a Splunk SIEM later on):

$ vi /opt/suricata/scripts/clean-suricata.bash
#!/bin/bash
# logrotate writes the rotated archives next to the live logs, i.e. in
# default-log-dir (/var/log/suricata), so that is where they are removed from
/usr/bin/rm -f /var/log/suricata/eve.json-*.gz
/usr/bin/rm -f /var/log/suricata/fast.log-*.gz
/usr/bin/rm -f /var/log/suricata/stats.log-*.gz
/usr/bin/rm -f /var/log/suricata/suricata.log-*.gz
$ chmod 755 /opt/suricata/scripts/clean-suricata.bash
$ chmod -R a+rX /var/log/suricata/
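The hourly cleanup above deletes every compressed archive as soon as logrotate produces it, which leaves almost no history to go back to during an investigation. As an added example that is not part of the wiki, here is a POSIX shell function that prunes the rotated Suricata archives by age instead; LOGDIR and DAYS are assumed arguments, and the file name patterns are the ones the wiki's script uses.

```shell
#!/bin/sh
# Added example, not from the wiki: prune rotated Suricata archives by age
# rather than deleting every .gz each hour, so recent history survives for
# incident response. LOGDIR and DAYS are assumed arguments.
#
# prune_suricata_archives LOGDIR DAYS
#   removes eve.json-*.gz, fast.log-*.gz, stats.log-*.gz and suricata.log-*.gz
#   in LOGDIR whose modification time is more than DAYS days ago.
prune_suricata_archives() {
    logdir="$1"
    days="$2"
    if [ ! -d "$logdir" ]; then
        echo "prune_suricata_archives: no such directory: $logdir" >&2
        return 1
    fi
    # refuse anything that is not a plain non-negative integer
    case "$days" in
        ''|*[!0-9]*)
            echo "prune_suricata_archives: DAYS must be a non-negative integer" >&2
            return 1 ;;
    esac
    # -maxdepth 1 keeps us out of subdirectories; -mtime +N selects files
    # last modified more than N*24 hours ago; -exec ... + batches the rm.
    find "$logdir" -maxdepth 1 -type f \
        \( -name 'eve.json-*.gz' -o -name 'fast.log-*.gz' \
           -o -name 'stats.log-*.gz' -o -name 'suricata.log-*.gz' \) \
        -mtime +"$days" -exec rm -f -- {} +
}

# Run from cron as root, for example once a day:
#   prune_suricata_archives /var/log/suricata 7
if [ "${1:-}" != "" ]; then
    prune_suricata_archives "$1" "${2:-7}"
fi
```

Pick DAYS to match how long you want to be able to reach back before the logs exist only in the SIEM.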

Finally we need to update suricata.yaml to match the correct network interface, monitored network(s) ranges and log directory. Replace all the instances of eth0 with the actual interface.

Hint: Use the search function (/) in vim text editor to find all instances of eth0 and replace with the appropriate interface.

$ vi /etc/suricata/suricata.yaml
vars:
  address-groups:
    HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
af-packet:
  - interface: <monitoring interface>
# The default logging directory. Any log or output file will be
# placed here if it's not specified with a full path name. This can be
# overridden with the -l command line parameter.
default-log-dir: /var/log/suricata/
##
## Configure Suricata to load Suricata-Update managed rules.
##
default-rule-path: /var/lib/suricata/rules
rule-files:
  - suricata.rules

Additionally, if you installed Suricata from the rpm, you will also need to change the interface in the /etc/sysconfig/suricata file:

$ vi /etc/sysconfig/suricata
<..>
OPTIONS="-i *insert_monitoring_interface* --user suricata "

Now we are ready to reload the daemon, and start our Suricata Network Intrusion Detection System (NIDS):

$ systemctl daemon-reload
$ systemctl enable suricata
$ systemctl start suricata
$ systemctl status suricata