In this tutorial, you will learn how to install and setup Suricata on Rocky Linux. Suricata is a free and open source network threat detection engine. It can function as an intrusion detection (IDS) engine, inline intrusion prevention system (IPS), network security monitoring (NSM) as well as offline pcap processing tool. It works by inspecting network traffic using rules and signature as well as Lua scripting support for detection of complex threats.
Suricata offers quite a number of features. Read about them on All Suricata features page.
Install and Setup Suricata on Rocky Linux
System Requirements
Well, Suricata is multi-threaded, hence, if you have enough cores, you can avail as enough as possible. Also, allocate enough RAM.
In this demo, we have allocated 2 vCPUs and 4GB RAM to our Suricata server.
Install Suricata on Rocky Linux
There are various ways in which you can install Suricata on Rocky Linux;
Install Suricata on Rocky Linux from Source
Run system update
Update your system package by running the command below
dnf updateInstall Required Build tools and Dependencies
There are a number of package dependencies and build tools required for a successful build and install of Suricata on Rocky Linux from the source.
dnf config-manager --set-enabled powertoolsdnf install diffutils file-devel gcc jansson-devel \
make nss-devel libyaml-devel libcap-ng-devel \
libpcap-devel pcre-devel python3 python3-pyyaml \
rust-toolset zlib-devel curl wget tar lua lua-devel \
lz4-devel -yDownload Suricata Source Code
Download the latest stable release Suricata source code from Suricata downloads page.
As of this writing, Suricata 6.0.5 is the latest stable release version.
Replace the value of the VER variable below with the current release version number of Suricata.
VER=6.0.5wget https://www.openinfosecfoundation.org/download/suricata-${VER}.tar.gz -P /tmpExtract Suricata Source Code
Once the download is complete, extract the source code;
cd /tmptar xzf suricata-${VER}.tar.gzBuild and Install Suricata on Rocky Linux
Navigate to the source directory and build and install Suricata on Rocky Linux.
cd suricata-${VER}Run the configure script to adapt Suricata to the system and verify that all required dependencies are in place.
./configure --sysconfdir=/etc --localstatedir=/var --prefix=/usr/ --enable-lua --enable-geopip The command installs Suricata binary into /usr/bin/suricata, have the config in /etc/suricata and use /var/log/suricata as log directory.
For more build options, refer to ./configure --help.
Summary of the configuration;
Suricata Configuration:
AF_PACKET support: yes
eBPF support: no
XDP support: no
PF_RING support: no
NFQueue support: no
NFLOG support: no
IPFW support: no
Netmap support: no
DAG enabled: no
Napatech enabled: no
WinDivert enabled: no
Unix socket enabled: yes
Detection enabled: yes
Libmagic support: yes
libnss support: yes
libnspr support: yes
libjansson support: yes
hiredis support: no
hiredis async with libevent: no
Prelude support: no
PCRE jit: yes
LUA support: yes
libluajit: no
GeoIP2 support: no
Non-bundled htp: no
Hyperscan support: no
Libnet support: no
liblz4 support: yes
HTTP2 decompression: no
Rust support: yes
Rust strict mode: no
Rust compiler path: /usr/bin/rustc
Rust compiler version: rustc 1.54.0 (Red Hat 1.54.0-3.module+el8.5.0+712+d335422a)
Cargo path: /usr/bin/cargo
Cargo version: cargo 1.54.0
Cargo vendor: yes
Python support: yes
Python path: /usr/bin/python3
Python distutils yes
Python yaml yes
Install suricatactl: yes
Install suricatasc: yes
Install suricata-update: yes
Profiling enabled: no
Profiling locks enabled: no
Plugin support (experimental): yes
Development settings:
Coccinelle / spatch: no
Unit tests enabled: no
Debug output enabled: no
Debug validation enabled: no
Generic build parameters:
Installation prefix: /usr
Configuration directory: /etc/suricata/
Log directory: /var/log/suricata/
--prefix /usr
--sysconfdir /etc
--localstatedir /var
--datarootdir /usr/share
Host: x86_64-pc-linux-gnu
Compiler: gcc (exec name) / gcc (real)
GCC Protect enabled: no
GCC march native enabled: yes
GCC Profile enabled: no
Position Independent Executable enabled: no
CFLAGS -g -O2 -std=c11 -march=native -I${srcdir}/../rust/gen -I${srcdir}/../rust/dist
PCAP_CFLAGS
SECCFLAGS
To build and install run 'make' and 'make install'.
You can run 'make install-conf' if you want to install initial configuration
files to /etc/suricata/. Running 'make install-full' will install configuration
and rules and provide you a ready-to-run suricata.
To install Suricata into /usr/bin/suricata, have the config in
/etc/suricata and use /var/log/suricata as log dir, use:
./configure --prefix=/usr/ --sysconfdir=/etc/ --localstatedir=/var/
Compile and install Suricata, Suricata rules and configurations.
makemake install-fullSample output;
...
make install-rules
make[1]: Entering directory '/tmp/suricata-6.0.5'
LD_LIBRARY_PATH=/usr/lib /usr/bin/suricata-update \
--suricata /usr/bin/suricata \
--suricata-conf /etc/suricata/suricata.yaml \
--no-test --no-reload
29/4/2022 -- 04:36:02 - -- Using data-directory /var/lib/suricata.
29/4/2022 -- 04:36:02 - -- Using /usr/share/suricata/rules for Suricata provided rules.
29/4/2022 -- 04:36:02 - -- Found Suricata version 6.0.5 at /usr/bin/suricata.
29/4/2022 -- 04:36:02 - -- Loading /etc/suricata/suricata.yaml
29/4/2022 -- 04:36:02 - -- Disabling rules for protocol http2
29/4/2022 -- 04:36:02 - -- Disabling rules for protocol modbus
29/4/2022 -- 04:36:02 - -- Disabling rules for protocol dnp3
29/4/2022 -- 04:36:02 - -- Disabling rules for protocol enip
29/4/2022 -- 04:36:02 - -- No sources configured, will use Emerging Threats Open
29/4/2022 -- 04:36:02 - -- Fetching https://rules.emergingthreats.net/open/suricata-6.0.5/emerging.rules.tar.gz.
100% - 3276257/3276257
29/4/2022 -- 04:36:10 - -- Done.
29/4/2022 -- 04:36:10 - -- Loading distribution rule file /usr/share/suricata/rules/app-layer-events.rules
29/4/2022 -- 04:36:10 - -- Loading distribution rule file /usr/share/suricata/rules/decoder-events.rules
29/4/2022 -- 04:36:10 - -- Loading distribution rule file /usr/share/suricata/rules/dhcp-events.rules
29/4/2022 -- 04:36:10 - -- Loading distribution rule file /usr/share/suricata/rules/dnp3-events.rules
29/4/2022 -- 04:36:10 - -- Loading distribution rule file /usr/share/suricata/rules/dns-events.rules
29/4/2022 -- 04:36:10 - -- Loading distribution rule file /usr/share/suricata/rules/files.rules
29/4/2022 -- 04:36:10 - -- Loading distribution rule file /usr/share/suricata/rules/http-events.rules
29/4/2022 -- 04:36:10 - -- Loading distribution rule file /usr/share/suricata/rules/ipsec-events.rules
29/4/2022 -- 04:36:10 - -- Loading distribution rule file /usr/share/suricata/rules/kerberos-events.rules
29/4/2022 -- 04:36:10 - -- Loading distribution rule file /usr/share/suricata/rules/modbus-events.rules
29/4/2022 -- 04:36:10 - -- Loading distribution rule file /usr/share/suricata/rules/nfs-events.rules
29/4/2022 -- 04:36:10 - -- Loading distribution rule file /usr/share/suricata/rules/ntp-events.rules
29/4/2022 -- 04:36:10 - -- Loading distribution rule file /usr/share/suricata/rules/smb-events.rules
29/4/2022 -- 04:36:10 - -- Loading distribution rule file /usr/share/suricata/rules/smtp-events.rules
29/4/2022 -- 04:36:10 - -- Loading distribution rule file /usr/share/suricata/rules/stream-events.rules
29/4/2022 -- 04:36:10 - -- Loading distribution rule file /usr/share/suricata/rules/tls-events.rules
29/4/2022 -- 04:36:10 - -- Ignoring file rules/emerging-deleted.rules
29/4/2022 -- 04:36:13 - -- Loaded 33248 rules.
29/4/2022 -- 04:36:13 - -- Disabled 14 rules.
29/4/2022 -- 04:36:13 - -- Enabled 0 rules.
29/4/2022 -- 04:36:13 - -- Modified 0 rules.
29/4/2022 -- 04:36:13 - -- Dropped 0 rules.
29/4/2022 -- 04:36:13 - -- Enabled 131 rules for flowbit dependencies.
29/4/2022 -- 04:36:13 - -- Creating directory /var/lib/suricata/rules.
29/4/2022 -- 04:36:13 - -- Backing up current rules.
29/4/2022 -- 04:36:13 - -- Writing rules to /var/lib/suricata/rules/suricata.rules: total: 33248; enabled: 25845; added: 33248; removed 0; modified: 0
29/4/2022 -- 04:36:13 - -- Writing /var/lib/suricata/rules/classification.config
29/4/2022 -- 04:36:13 - -- Skipping test, disabled by configuration.
29/4/2022 -- 04:36:13 - -- Done.
You can now start suricata by running as root something like:
/usr/bin/suricata -c /etc/suricata/suricata.yaml -i eth0
If a library like libhtp.so is not found, you can run suricata with:
LD_LIBRARY_PATH=/usr/lib /usr/bin/suricata -c /etc/suricata/suricata.yaml -i eth0
The Emerging Threats Open rules are now installed. Rules can be
updated and managed with the suricata-update tool.
For more information please see:
https://suricata.readthedocs.io/en/latest/rule-management/index.html
make[1]: Leaving directory '/tmp/suricata-6.0.5'
Suricata is now installed from sources on Rocky Linux.
Install Suricata on Rocky Linux from EPEL Repos
For a seamless installation of Suricata on Rocky Linux, using EPEL repos to install it is a sure bet.
Install EPEL Repos on Rocky Linux
dnf install epel-releaseInstall Suricata from EPEL Repos on Rocky Linux
dnf info suricata
Available Packages
Name : suricata
Version : 5.0.8
Release : 1.el8
Architecture : x86_64
Size : 2.3 M
Source : suricata-5.0.8-1.el8.src.rpm
Repository : epel
Summary : Intrusion Detection System
URL : https://suricata-ids.org/
License : GPLv2
...
Unfortunately, as of this writing, the EPEL repos on Rocky Linux provides Suricata 5.0.8.
Thus, installing Suricata from source is the surest way to get the latest version running.
If you want to install this this version, however, just execute the command;
dnf install suricata -ySuricata Rules
Suricata utilizes various rule sets/signatures to detect and alert on matching threats. Rules are also known as Signatures. Emerging Threats, Emerging Threats Pro and source fire’s VRT are the most commonly used rules.
In most cases, you can find the rules files under /etc/suricata/rules/. This is when you install Suricata from repos.
ls -1 /etc/suricata/rules/app-layer-events.rules
decoder-events.rules
dhcp-events.rules
dnp3-events.rules
dns-events.rules
files.rules
http2-events.rules
http-events.rules
ipsec-events.rules
kerberos-events.rules
modbus-events.rules
mqtt-events.rules
nfs-events.rules
ntp-events.rules
smb-events.rules
smtp-events.rules
stream-events.rules
tls-events.rules
Emergency Threat rules are usually stored as /var/lib/suricata/rules/suricata.rules.
The ET Open rules, suricata.rules, usually contains all the rules defined on the rules file located under the /etc/suricata/rules/.
To install and update Emergency Threat rules, use the suricata-update command.
suricata-updateThis downloads and installs suricata.rules.
A rule/signature consists of the following sections:
- The action, that determines what happens when the signature matches.
- The header, defining the protocol, IP addresses, ports and direction of the rule.
- The rule options, defining the specifics of the rule.
alert ip any any -> any any (msg:"SURICATA Applayer Mismatch protocol both directions"; flow:established; app-layer-event:applayer_mismatch_protocol_both_directions; flowint:applayer.anomaly.count,+,1; classtype:protocol-command-decode; sid:2260000; rev:1;)Read more on introduction to Suricata rules.
Suricata Basic Setup
/etc/suricata/suricata.yaml is the default Suricata configuration file.
The configuration file contains a lot of configurable options. However, for our basic setup, we will only focus on the network interface on which Suricata is listening on and the IP address attached to that interface.
To find the interface and the IP address, run the command below;
ip --brief add
lo UNKNOWN 127.0.0.1/8 ::1/128
enp0s3 UP 10.0.2.15/24
enp0s8 UP 192.168.60.22/24 fe80::a00:27ff:fe42:2ef5/64
virbr0 DOWN 192.168.122.1/24
virbr0-nic DOWN
In our case, our interface is enp0s8 and the IP address is 192.168.60.22.
Open and edit the Suricata config file.
vim /etc/suricata/suricata.yamlUnder the vars section, you need to configure Suricata to differentiate between your internal network to be protected and external network. This can be done by defining the correct values for the HOME_NET and EXTERNAL_NET variables respectively under the address groups.
The HOME_NET variable should include the IP address of the interface on which Suricata is listening on and all the local networks to protect.
The EXTERNAL_NET variables should define any IP or network that is not local.
...
vars:
# more specific is better for alert accuracy and performance
address-groups:
#HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
HOME_NET: "[192.168.60.22]"
#HOME_NET: "[192.168.0.0/16]"
#HOME_NET: "[10.0.0.0/8]"
#HOME_NET: "[172.16.0.0/12]"
#HOME_NET: "any"
EXTERNAL_NET: "!$HOME_NET"
...
Under the af-packet section, set the value of the interface to your interface name.
...
# Linux high speed capture support
af-packet:
- interface: enp0s8
...Save and exit the configuration file.
Specify Suricata Rules
Define the Suricata rules-files to use. We are using the default ET rules in this demo;
...
default-rule-path: /var/lib/suricata/rules
rule-files:
- suricata.rules
...Disable Packet Offloading
Disable Suricata packet offloading by disabling interface Large Receive Offload (LRO)/Generic Receive Offload (GRO);
ethtool -K <interface> gro off lro offReplace <interface> with your interface.
First check if these features are enabled;
ethtool -k enp0s8 | grep -iE "generic|large" tx-checksum-ip-generic: on
generic-segmentation-offload: on
generic-receive-offload: off
large-receive-offload: off [fixed]If enabled, disable by running the command below;
ethtool -K enp0s8 gro off lro offRunning Suricata
You can run Suricata on foreground using the command;
suricata -c /etc/suricata/suricata.yaml -i enp0s8
To run it as daemon in the background;
suricata -D -c /etc/suricata/suricata.yaml -i enp0s8Suricata logging;
To check if Suricata is running check the Suricata log:
tail /var/log/suricata/suricata.logYou should see such a line;
...
29/4/2022 -- 05:48:48 - - Found an MTU of 1500 for 'enp0s8'
29/4/2022 -- 05:48:48 - - Found an MTU of 1500 for 'enp0s8'
29/4/2022 -- 05:48:48 - - fast output device (regular) initialized: fast.log
29/4/2022 -- 05:48:48 - - eve-log output device (regular) initialized: eve.json
29/4/2022 -- 05:48:48 - - stats output device (regular) initialized: stats.log
29/4/2022 -- 05:48:48 - - Running in live mode, activating unix socket
29/4/2022 -- 05:48:49 - - 1 rule files processed. 25845 rules successfully loaded, 0 rules failed
29/4/2022 -- 05:48:49 - - Threshold config parsed: 0 rule(s) found
29/4/2022 -- 05:48:50 - - 25848 signatures processed. 1244 are IP-only rules, 4128 are inspecting packet payload, 20272 inspect application layer, 108 are decoder event only
To check Suricata statistics;
tail -f /var/log/suricata/stats.logTo check Suricata alert logs;
tail -f /var/log/suricata/fast.logSuricata can also write logs in EVE Json output. The default log file is;
tail -f /var/log/suricata/eve.jsonCheck our other guide on how to read Suricata Eve JSON logs.
Testing Suricata Rules
In this demo, we are using the default ET Suricata rules. If you have created you own custom rules, be sure to test the Suricata rules for syntax errors;
suricata -c /etc/suricata/suricata.yaml -T -vPerform SSH DDoS Test Attack
On another system, install hping3 tool and perform an SSH DDoS test attack.
dnf install hping3Then attack SSH on the server running Suricata.
hping3 -S -p 22 --flood --rand-source 192.168.60.22Refer to man hping3.
While hping is running, tail the alert logs on Suricata server;
tail -f /var/log/suricata/eve.jsonYou should see such log lines;
{"timestamp":"2022-04-29T05:55:31.753686-0400","flow_id":913602724057769,"in_iface":"enp0s8","event_type":"flow","src_ip":"192.168.60.22","src_port":22,"dest_ip":"238.159.48.57","dest_port":19281,"proto":"TCP","flow":{"pkts_toserver":1,"pkts_toclient":0,"bytes_toserver":58,"bytes_toclient":0,"start":"2022-04-29T05:54:29.021161-0400","end":"2022-04-29T05:54:29.021161-0400","age":0,"state":"new","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"00","tcp_flags_ts":"00","tcp_flags_tc":"00"}}
{"timestamp":"2022-04-29T05:55:31.753724-0400","flow_id":482134604256005,"in_iface":"enp0s8","event_type":"flow","src_ip":"192.168.60.22","src_port":22,"dest_ip":"229.141.92.196","dest_port":4263,"proto":"TCP","flow":{"pkts_toserver":1,"pkts_toclient":0,"bytes_toserver":58,"bytes_toclient":0,"start":"2022-04-29T05:54:26.529157-0400","end":"2022-04-29T05:54:26.529157-0400","age":0,"state":"new","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"00","tcp_flags_ts":"00","tcp_flags_tc":"00"}}
{"timestamp":"2022-04-29T05:55:31.753782-0400","flow_id":1040673625480213,"in_iface":"enp0s8","event_type":"flow","src_ip":"192.168.60.22","src_port":22,"dest_ip":"233.190.70.84","dest_port":15282,"proto":"TCP","flow":{"pkts_toserver":1,"pkts_toclient":0,"bytes_toserver":58,"bytes_toclient":0,"start":"2022-04-29T05:54:14.465941-0400","end":"2022-04-29T05:54:14.465941-0400","age":0,"state":"new","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"00","tcp_flags_ts":"00","tcp_flags_tc":"00"}}
{"timestamp":"2022-04-29T05:55:31.754723-0400","flow_id":662957021708724,"in_iface":"enp0s8","event_type":"flow","src_ip":"192.168.60.22","src_port":22,"dest_ip":"239.90.205.156","dest_port":40733,"proto":"TCP","flow":{"pkts_toserver":1,"pkts_toclient":0,"bytes_toserver":58,"bytes_toclient":0,"start":"2022-04-29T05:54:15.246196-0400","end":"2022-04-29T05:54:15.246196-0400","age":0,"state":"new","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"00","tcp_flags_ts":"00","tcp_flags_tc":"00"}}
{"timestamp":"2022-04-29T05:55:31.763583-0400","flow_id":199353956657015,"in_iface":"enp0s8","event_type":"flow","src_ip":"192.168.60.22","src_port":22,"dest_ip":"239.1.144.165","dest_port":34671,"proto":"TCP","flow":{"pkts_toserver":1,"pkts_toclient":0,"bytes_toserver":58,"bytes_toclient":0,"start":"2022-04-29T05:54:13.485239-0400","end":"2022-04-29T05:54:13.485239-0400","age":0,"state":"new","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"00","tcp_flags_ts":"00","tcp_flags_tc":"00"}}
{"timestamp":"2022-04-29T05:55:31.769914-0400","flow_id":88586750486633,"in_iface":"enp0s8","event_type":"flow","src_ip":"192.168.60.22","src_port":22,"dest_ip":"228.201.23.168","dest_port":42934,"proto":"TCP","flow":{"pkts_toserver":1,"pkts_toclient":0,"bytes_toserver":58,"bytes_toclient":0,"start":"2022-04-29T05:54:19.354409-0400","end":"2022-04-29T05:54:19.354409-0400","age":0,"state":"new","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"00","tcp_flags_ts":"00","tcp_flags_tc":"00"}}
{"timestamp":"2022-04-29T05:55:31.770119-0400","flow_id":799150435263953,"in_iface":"enp0s8","event_type":"flow","src_ip":"192.168.60.22","src_port":22,"dest_ip":"233.210.240.81","dest_port":11143,"proto":"TCP","flow":{"pkts_toserver":1,"pkts_toclient":0,"bytes_toserver":58,"bytes_toclient":0,"start":"2022-04-29T05:54:24.583121-0400","end":"2022-04-29T05:54:24.583121-0400","age":0,"state":"new","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"00","tcp_flags_ts":"00","tcp_flags_tc":"00"}}
{"timestamp":"2022-04-29T05:55:31.770257-0400","flow_id":443144890559460,"in_iface":"enp0s8","event_type":"flow","src_ip":"192.168.60.22","src_port":22,"dest_ip":"224.47.115.112","dest_port":41823,"proto":"TCP","flow":{"pkts_toserver":1,"pkts_toclient":0,"bytes_toserver":58,"bytes_toclient":0,"start":"2022-04-29T05:54:17.273380-0400","end":"2022-04-29T05:54:17.273380-0400","age":0,"state":"new","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"00","tcp_flags_ts":"00","tcp_flags_tc":"00"}}
{"timestamp":"2022-04-29T05:55:31.770276-0400","flow_id":1991257262436679,"in_iface":"enp0s8","event_type":"flow","src_ip":"192.168.60.22","src_port":22,"dest_ip":"228.165.58.214","dest_port":29507,"proto":"TCP","flow":{"pkts_toserver":1,"pkts_toclient":0,"bytes_toserver":58,"bytes_toclient":0,"start":"2022-04-29T05:54:16.831815-0400","end":"2022-04-29T05:54:16.831815-0400","age":0,"state":"new","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"00","tcp_flags_ts":"00","tcp_flags_tc":"00"}}
...
Check the stats;
cat /var/log/suricata/stats.logWith that simple test, we can see that Suricata is setup and running well using the default Emergency Threat rules.
That marks the end of our guide on how to setup Suricata on Rocky Linux.
Reference
Read more on Suricata User Guide.
Related Tutorials
Install and Setup Suricata on Ubuntu 18.04
Install and Setup Suricata on Ubuntu 22.04/Ubuntu 20.04
