Install and Setup Suricata on Ubuntu 18.04


Today, we are going to learn how to install and setup Suricata on Ubuntu 18.04. Suricata is an open source network threat detection engine. It uses rules and signatures to detect threats in network traffic, and it also supports the Lua scripting language, which helps it unearth the most complex would-be threats in the network. Suricata is a product of the Open Information Security Foundation (OISF). It is capable of providing NIDS, IPS, NSM and offline pcap processing, and it can be integrated with other tools such as BASE, Snorby, Sguil, SQueRT, ELK and SIEM solutions.

To see a complete list of features supported by Suricata, check the features page on the Suricata website.

Installing Suricata on Ubuntu 18.04

There are two ways in which you can install Suricata on Ubuntu 18.04: building it from the source tarball, or installing the package from the OISF PPA repository. In this guide, we are going to cover both methods.

Installing Suricata from Source On Ubuntu 18.04

Installing Suricata from source on Ubuntu 18.04 is the surest way to get the latest stable version of Suricata up and running on Ubuntu 18.04.

However, it requires a little extra effort. Before you can build Suricata from source, ensure that you have all the required dependencies installed.

sudo apt -y install libpcre3 libpcre3-dbg libpcre3-dev \
build-essential autoconf automake libtool libpcap-dev \
libnet1-dev libyaml-0-2 libyaml-dev zlib1g zlib1g-dev \
libcap-ng-dev libcap-ng0 make libmagic-dev \
libjansson-dev libjansson4 pkg-config libnspr4-dev \
libnss3-dev liblz4-dev rustc cargo python-pip python3-distutils

Suricata functions as an IDS out of the box. If you need the IPS functionality (inline mode via NFQUEUE), also install the following libraries:

sudo apt -y install libnetfilter-queue-dev libnetfilter-queue1 libnfnetlink-dev libnfnetlink0

Next, download the latest and stable Suricata tarball. You can simply download as shown below;

wget https://www.openinfosecfoundation.org/download/suricata-6.0.5.tar.gz

Once the download is complete, extract the tarball.

tar xzf suricata-6.0.5.tar.gz

Navigate to the extracted directory and configure the Suricata engine for compilation. The --enable-nfqueue flag makes sure Suricata is built with IPS (inline NFQUEUE) capabilities:

cd suricata-6.0.5
./configure --enable-nfqueue --prefix=/usr --sysconfdir=/etc --localstatedir=/var

Summary of the Suricata configuration;

Suricata Configuration:
  AF_PACKET support:                       yes
  eBPF support:                            no
  XDP support:                             no
  PF_RING support:                         no
  NFQueue support:                         no
  NFLOG support:                           no
  IPFW support:                            no
  Netmap support:                          no 
  DAG enabled:                             no
  Napatech enabled:                        no
  WinDivert enabled:                       no

  Unix socket enabled:                     yes
  Detection enabled:                       yes

  Libmagic support:                        yes
  libnss support:                          yes
  libnspr support:                         yes
  libjansson support:                      yes
  hiredis support:                         no
  hiredis async with libevent:             no
  Prelude support:                         no
  PCRE jit:                                yes
  LUA support:                             no
  libluajit:                               no
  GeoIP2 support:                          no
  Non-bundled htp:                         no
  Hyperscan support:                       no
  Libnet support:                          yes
  liblz4 support:                          yes
  HTTP2 decompression:                     no

  Rust support:                            yes
  Rust strict mode:                        no
  Rust compiler path:                      /usr/bin/rustc
  Rust compiler version:                   rustc 1.57.0
  Cargo path:                              /usr/bin/cargo
  Cargo version:                           cargo 1.57.0
  Cargo vendor:                            yes

  Python support:                          yes
  Python path:                             /usr/bin/python3
  Python distutils                         yes
  Python yaml                              yes
  Install suricatactl:                     yes
  Install suricatasc:                      yes
  Install suricata-update:                 yes

  Profiling enabled:                       no
  Profiling locks enabled:                 no

  Plugin support (experimental):           yes

Development settings:
  Coccinelle / spatch:                     no
  Unit tests enabled:                      no
  Debug output enabled:                    no
  Debug validation enabled:                no

Generic build parameters:
  Installation prefix:                     /usr
  Configuration directory:                 /etc/suricata/
  Log directory:                           /varmake/log/suricata/

  --prefix                                 /usr
  --sysconfdir                             /etc
  --localstatedir                          /varmake
  --datarootdir                            /usr/share

  Host:                                    x86_64-pc-linux-gnu
  Compiler:                                gcc (exec name) / g++ (real)
  GCC Protect enabled:                     no
  GCC march native enabled:                yes
  GCC Profile enabled:                     no
  Position Independent Executable enabled: no
  CFLAGS                                   -g -O2 -std=c11 -march=native -I${srcdir}/../rust/gen -I${srcdir}/../rust/dist
  PCAP_CFLAGS                               -I/usr/include
  SECCFLAGS                                

To build and install run 'make' and 'make install'.

You can run 'make install-conf' if you want to install initial configuration
files to /etc/suricata/. Running 'make install-full' will install configuration
and rules and provide you a ready-to-run suricata.

To install Suricata into /usr/bin/suricata, have the config in
/etc/suricata and use /var/log/suricata as log dir, use:
./configure --prefix=/usr/ --sysconfdir=/etc/ --localstatedir=/var/

Before compiling, check two lines in that summary. With the configure command as written, NFQueue support should read yes and --localstatedir should read /var. The summary captured above was evidently produced by a different configure invocation, since it reports NFQueue support: no and --localstatedir /varmake, which is also why the log and data directories in the output read /varmake/... instead of /var/.... If NFQueue support reads no on your system, Suricata will only be able to run as an IDS: install the libnetfilter-queue packages listed earlier and re-run configure.

Compile and install the Suricata engine:

make
make install-full

The make install-full target installs the initial Suricata configuration files and then fetches the Emerging Threats Open ruleset using the bundled rule management tool, suricata-update.

If the installation is successful, you should see output like the one below:

...
install -d "/etc/suricata/"
install -d "/varmake/log/suricata/files"
install -d "/varmake/log/suricata/certs"
install -d "/varmake/run/"
install -m 770 -d "/varmake/run/suricata"
make[1]: Leaving directory '/root/suricata-6.0.5'
make install-rules
make[1]: Entering directory '/root/suricata-6.0.5'
LD_LIBRARY_PATH=/usr/lib /usr/bin/suricata-update \
	--suricata /usr/bin/suricata \
	--suricata-conf /etc/suricata/suricata.yaml \
	--no-test --no-reload
28/4/2022 -- 18:05:42 -  -- Using data-directory /varmake/lib/suricata.
28/4/2022 -- 18:05:42 -  -- Using /usr/share/suricata/rules for Suricata provided rules.
28/4/2022 -- 18:05:42 -  -- Found Suricata version 6.0.5 at /usr/bin/suricata.
28/4/2022 -- 18:05:42 -  -- Loading /etc/suricata/suricata.yaml
28/4/2022 -- 18:05:42 -  -- Disabling rules for protocol http2
28/4/2022 -- 18:05:42 -  -- Disabling rules for protocol modbus
28/4/2022 -- 18:05:42 -  -- Disabling rules for protocol dnp3
28/4/2022 -- 18:05:42 -  -- Disabling rules for protocol enip
28/4/2022 -- 18:05:42 -  -- No sources configured, will use Emerging Threats Open
28/4/2022 -- 18:05:42 -  -- Fetching https://rules.emergingthreats.net/open/suricata-6.0.5/emerging.rules.tar.gz.
 100% - 3274660/3274660               
28/4/2022 -- 18:06:35 -  -- Done.
28/4/2022 -- 18:06:35 -  -- Loading distribution rule file /usr/share/suricata/rules/app-layer-events.rules
28/4/2022 -- 18:06:35 -  -- Loading distribution rule file /usr/share/suricata/rules/decoder-events.rules
28/4/2022 -- 18:06:35 -  -- Loading distribution rule file /usr/share/suricata/rules/dhcp-events.rules
28/4/2022 -- 18:06:35 -  -- Loading distribution rule file /usr/share/suricata/rules/dnp3-events.rules
28/4/2022 -- 18:06:35 -  -- Loading distribution rule file /usr/share/suricata/rules/dns-events.rules
28/4/2022 -- 18:06:35 -  -- Loading distribution rule file /usr/share/suricata/rules/files.rules
28/4/2022 -- 18:06:35 -  -- Loading distribution rule file /usr/share/suricata/rules/http-events.rules
28/4/2022 -- 18:06:35 -  -- Loading distribution rule file /usr/share/suricata/rules/ipsec-events.rules
28/4/2022 -- 18:06:35 -  -- Loading distribution rule file /usr/share/suricata/rules/kerberos-events.rules
28/4/2022 -- 18:06:35 -  -- Loading distribution rule file /usr/share/suricata/rules/modbus-events.rules
28/4/2022 -- 18:06:35 -  -- Loading distribution rule file /usr/share/suricata/rules/nfs-events.rules
28/4/2022 -- 18:06:35 -  -- Loading distribution rule file /usr/share/suricata/rules/ntp-events.rules
28/4/2022 -- 18:06:35 -  -- Loading distribution rule file /usr/share/suricata/rules/smb-events.rules
28/4/2022 -- 18:06:35 -  -- Loading distribution rule file /usr/share/suricata/rules/smtp-events.rules
28/4/2022 -- 18:06:35 -  -- Loading distribution rule file /usr/share/suricata/rules/stream-events.rules
28/4/2022 -- 18:06:35 -  -- Loading distribution rule file /usr/share/suricata/rules/tls-events.rules
28/4/2022 -- 18:06:35 -  -- Ignoring file rules/emerging-deleted.rules
28/4/2022 -- 18:06:37 -  -- Loaded 33238 rules.
28/4/2022 -- 18:06:37 -  -- Disabled 14 rules.
28/4/2022 -- 18:06:37 -  -- Enabled 0 rules.
28/4/2022 -- 18:06:37 -  -- Modified 0 rules.
28/4/2022 -- 18:06:37 -  -- Dropped 0 rules.
28/4/2022 -- 18:06:37 -  -- Enabled 131 rules for flowbit dependencies.
28/4/2022 -- 18:06:37 -  -- Creating directory /varmake/lib/suricata/rules.
28/4/2022 -- 18:06:37 -  -- Backing up current rules.
28/4/2022 -- 18:06:37 -  -- Writing rules to /varmake/lib/suricata/rules/suricata.rules: total: 33238; enabled: 25835; added: 33238; removed 0; modified: 0
28/4/2022 -- 18:06:37 -  -- Writing /varmake/lib/suricata/rules/classification.config
28/4/2022 -- 18:06:37 -  -- Skipping test, disabled by configuration.
28/4/2022 -- 18:06:37 -  -- Done.

You can now start suricata by running as root something like:
  /usr/bin/suricata -c /etc/suricata/suricata.yaml -i eth0

If a library like libhtp.so is not found, you can run suricata with:
  LD_LIBRARY_PATH=/usr/lib /usr/bin/suricata -c /etc/suricata/suricata.yaml -i eth0

The Emerging Threats Open rules are now installed. Rules can be
updated and managed with the suricata-update tool.

For more information please see:
  https://suricata.readthedocs.io/en/latest/rule-management/index.html

make[1]: Leaving directory '/root/suricata-6.0.5'

The main configuration file is installed as /etc/suricata/suricata.yaml. A source build does not create /etc/suricata/rules/: the bundled *-events.rules files go to /usr/share/suricata/rules/, and the Emerging Threats ruleset that make install-full fetched is written by suricata-update to suricata.rules in the rules directory under --localstatedir, i.e. /var/lib/suricata/rules/ with the configure flags shown above (it appears as /varmake/lib/suricata/rules/ in the captured output because that run was given --localstatedir=/varmake).
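The source-build steps above, gathered into one script as an added example (this is not code from the original post or from the Suricata project). It adds two checks a practitioner would want: the tarball's detached GPG signature is verified before extraction, which assumes the .sig file is published next to the tarball at the same URL and that the OISF release key is already imported into gpg, and the ./configure summary is parsed so that a build without NFQUEUE support, or with a mistyped --localstatedir such as the /varmake seen in the captured output above, fails before make runs. The function and file names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original post: the source-build steps above
# as one script, with two checks the walkthrough skips. The tarball is
# verified against OISF's detached GPG signature before it is extracted
# (assumption: the .sig sits next to the tarball and the OISF release key is
# already in your gpg keyring), and the ./configure summary is checked before
# make runs, so a build without NFQUEUE or with a mistyped --localstatedir
# is caught immediately instead of after install.

VERSION="${SURICATA_VERSION:-6.0.5}"
BASE_URL="https://www.openinfosecfoundation.org/download"

# Read a saved ./configure summary ($1) and fail if any required line is
# missing or has the wrong value. The last field on each matching line is
# compared, so the column padding in the summary does not matter.
check_configure_summary() {
    summary="$1"
    status=0
    for pair in \
        "NFQueue support:=yes" \
        "AF_PACKET support:=yes" \
        "Install suricata-update:=yes" \
        "--sysconfdir=/etc" \
        "--localstatedir=/var"
    do
        key="${pair%%=*}"
        want="${pair#*=}"
        got="$(grep -F -- "$key" "$summary" | head -n 1 | awk '{ print $NF }')"
        if [ "$got" != "$want" ]; then
            echo "configure summary: '$key' is '${got:-missing}', expected '$want'" >&2
            status=1
        fi
    done
    return "$status"
}

# Download the tarball and its signature; refuse to unpack unless gpg
# verifies the signature against a key already in the keyring.
fetch_and_verify() {
    wget -q "$BASE_URL/suricata-$VERSION.tar.gz" \
            "$BASE_URL/suricata-$VERSION.tar.gz.sig" || return 1
    if ! gpg --verify "suricata-$VERSION.tar.gz.sig" "suricata-$VERSION.tar.gz"; then
        echo "signature check FAILED for suricata-$VERSION.tar.gz; not extracting" >&2
        return 1
    fi
    tar xzf "suricata-$VERSION.tar.gz"
}

# Configure with IPS support, gate on the summary, then build and install.
build_and_install() {
    cd "suricata-$VERSION" || return 1
    ./configure --enable-nfqueue --prefix=/usr --sysconfdir=/etc --localstatedir=/var \
        > configure-summary.txt 2>&1 || { cat configure-summary.txt; return 1; }
    check_configure_summary configure-summary.txt || return 1
    make && sudo make install-full
}

# Self-check against a constructed summary that mirrors the one captured
# above (NFQueue off, localstatedir /varmake): it must be rejected.
sample="$(mktemp)"
cat > "$sample" <<'EOF'
  AF_PACKET support:                       yes
  NFQueue support:                         no
  Install suricata-update:                 yes
  --sysconfdir                             /etc
  --localstatedir                          /varmake
EOF
if check_configure_summary "$sample"; then
    echo "unexpected: the sample summary passed the checks"
else
    echo "sample summary rejected as expected; fix the flags and re-run ./configure"
fi
rm -f "$sample"

# The real download and build only run when invoked as: sh build-suricata.sh build
if [ "${1:-}" = "build" ]; then
    fetch_and_verify && build_and_install
fi
```

Run it as sh build-suricata.sh build to download, verify and build; without arguments it only runs the self-check against the constructed summary, which is rejected for the same two reasons the captured summary above would be.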

Installing Suricata on Ubuntu 18.04 from PPA repository

Even though Suricata is available on the default Ubuntu 18.04 repositories, it may not be up-to-date.

As a result, to ensure that you have the latest version installed, add the OISF stable PPA:

sudo add-apt-repository ppa:oisf/suricata-stable
sudo apt update

Once the PPA is set up, confirm that apt will pick the PPA build rather than the older package from the Ubuntu universe repository:

apt-cache policy suricata
suricata:
  Installed: (none)
  Candidate: 6.0.5-0ubuntu2
  Version table:
     6.0.5-0ubuntu2 500
        500 http://ppa.launchpad.net/oisf/suricata-stable/ubuntu bionic/main amd64 Packages
     3.2-2ubuntu3 500
        500 http://us.archive.ubuntu.com/ubuntu bionic/universe amd64 Packages

As you can see, we have the latest release version of Suricata.

You can then do the installation by executing the command;

sudo apt install suricata jq

If you also want debug symbols, for example to get usable backtraces when troubleshooting a crash, install the suricata-dbg package as well:

sudo apt install suricata-dbg

That is all with installation.

You can check which build options the installed Suricata was compiled with:

sudo suricata --build-info

The command also prints the version of the installed Suricata.

Sample output;

This is Suricata version 6.0.5 RELEASE
Features: NFQ PCAP_SET_BUFF AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK PCRE_JIT HAVE_NSS HAVE_LUA HAVE_LUAJIT HAVE_LIBJANSSON TLS TLS_C11 MAGIC RUST 
SIMD support: none
Atomic intrinsics: 1 2 4 8 byte(s)
64-bits, Little-endian architecture
GCC version 7.5.0, C version 201112
compiled with _FORTIFY_SOURCE=2
L1 cache line size (CLS)=64
thread local storage method: _Thread_local
compiled with LibHTP v0.5.40, linked against LibHTP v0.5.40

Suricata Configuration:
  AF_PACKET support:                       yes
  eBPF support:                            no
  XDP support:                             no
  PF_RING support:                         no
  NFQueue support:                         yes
  NFLOG support:                           no
  IPFW support:                            no
  Netmap support:                          no 
  DAG enabled:                             no
  Napatech enabled:                        no
  WinDivert enabled:                       no

  Unix socket enabled:                     yes
  Detection enabled:                       yes

  Libmagic support:                        yes
  libnss support:                          yes
  libnspr support:                         yes
  libjansson support:                      yes
  hiredis support:                         yes
  hiredis async with libevent:             yes
  Prelude support:                         no
  PCRE jit:                                yes
  LUA support:                             yes, through luajit
  libluajit:                               yes
  GeoIP2 support:                          yes
  Non-bundled htp:                         yes
  Hyperscan support:                       yes
  Libnet support:                          yes
  liblz4 support:                          yes
  HTTP2 decompression:                     no

  Rust support:                            yes
  Rust strict mode:                        no
  Rust compiler path:                      /usr/bin/rustc
  Rust compiler version:                   rustc 1.57.0
  Cargo path:                              /usr/bin/cargo
  Cargo version:                           cargo 1.57.0
  Cargo vendor:                            yes

  Python support:                          yes
  Python path:                             /usr/bin/python3
  Python distutils                         yes
  Python yaml                              yes
  Install suricatactl:                     yes
  Install suricatasc:                      yes
  Install suricata-update:                 yes

  Profiling enabled:                       no
  Profiling locks enabled:                 no

  Plugin support (experimental):           yes

Development settings:
  Coccinelle / spatch:                     no
  Unit tests enabled:                      no
  Debug output enabled:                    no
  Debug validation enabled:                no

Generic build parameters:
  Installation prefix:                     /usr
  Configuration directory:                 /etc/suricata/
  Log directory:                           /var/log/suricata/

  --prefix                                 /usr
  --sysconfdir                             /etc
  --localstatedir                          /var
  --datarootdir                            /usr/share

  Host:                                    x86_64-pc-linux-gnu
  Compiler:                                gcc (exec name) / g++ (real)
  GCC Protect enabled:                     yes
  GCC march native enabled:                no
  GCC Profile enabled:                     no
  Position Independent Executable enabled: yes
  CFLAGS                                   -g -O2 -fdebug-prefix-map=/build/suricata-QUjETh/suricata-6.0.5=. -fstack-protector-strong -Wformat -Werror=format-security -std=c11 -I${srcdir}/../rust/gen -I${srcdir}/../rust/dist
  PCAP_CFLAGS                               -I/usr/include
  SECCFLAGS                                -fstack-protector -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security

Configure Suricata on Ubuntu 18.04

At the end of the installation you will have the main configuration file at /etc/suricata/suricata.yaml. The PPA package places the bundled rule files under /etc/suricata/rules/; a source build puts them under /usr/share/suricata/rules/ instead.

The default Suricata configuration file is commented well enough to provide a clear understanding of what every setting is for.

To begin with, you need to configure Suricata to distinguish the internal network it protects from external networks. This is done by defining the correct values for the HOME_NET and EXTERNAL_NET variables under the address-groups section.

vim /etc/suricata/suricata.yaml
    HOME_NET: "[10.0.2.0/24]"
...
    EXTERNAL_NET: "!$HOME_NET"
...

In my case, I am using the address block 10.0.2.0/24 as my home network, and the external network is set to anything that does not match the home network. You can list several networks in the same bracketed, comma-separated form.

Get this right: most ET rules are written as $EXTERNAL_NET -> $HOME_NET, so a HOME_NET that does not cover the hosts you care about silently disables a large part of the ruleset.

Also, define the interface on which Suricata will inspect traffic. By default, suricata.yaml points the af-packet capture at eth0, which does not exist on an Ubuntu 18.04 system using predictable interface names.

So list your interfaces with the ip command and determine which one Suricata should use:

ip a

Sample output;


1: lo:  mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: enp0s3:  mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 08:00:27:87:10:f0 brd ff:ff:ff:ff:ff:ff
    inet 10.0.2.15/24 brd 10.0.2.255 scope global dynamic enp0s3
       valid_lft 84377sec preferred_lft 84377sec
    inet6 fe80::a00:27ff:fe87:10f0/64 scope link 
       valid_lft forever preferred_lft forever
3: enp0s8:  mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 08:00:27:7e:14:7d brd ff:ff:ff:ff:ff:ff
    inet 192.168.57.10/24 brd 192.168.57.255 scope global enp0s8
       valid_lft forever preferred_lft forever
    inet6 fe80::a00:27ff:fe7e:147d/64 scope link 
       valid_lft forever preferred_lft forever

In my case, I will use interface enp0s3; you can also see that the HOME_NET defined above is on that interface.

The interface is set by updating the value of interface under the af-packet section:

af-packet:
  - interface: enp0s3

Next, install the Emerging Threats rules.

With the PPA package, the bundled Suricata rules are placed under the /etc/suricata/rules/ directory.

To list the default Suricata rules:

ls -1 /etc/suricata/rules/
app-layer-events.rules
decoder-events.rules
dhcp-events.rules
dnp3-events.rules
dns-events.rules
files.rules
http2-events.rules
http-events.rules
ipsec-events.rules
kerberos-events.rules
modbus-events.rules
mqtt-events.rules
nfs-events.rules
ntp-events.rules
smb-events.rules
smtp-events.rules
stream-events.rules
tls-events.rules

The default rules only cover protocol anomalies and decoder, stream and application-layer events, so very little actual threat detection happens with them alone. The Emerging Threats (ET) Open ruleset is the most comprehensive free rule set optimized for the Suricata open source IDS/IPS engine.

To install the ET rules, use the suricata-update command as shown below.

Note that the ET rules are fetched automatically when you build Suricata from source and install with make install-full.

sudo suricata-update

Sample output;


28/4/2022 -- 18:51:21 -  -- Using data-directory /var/lib/suricata.
28/4/2022 -- 18:51:21 -  -- Using Suricata configuration /etc/suricata/suricata.yaml
28/4/2022 -- 18:51:21 -  -- Using /etc/suricata/rules for Suricata provided rules.
28/4/2022 -- 18:51:21 -  -- Found Suricata version 6.0.5 at /usr/bin/suricata.
28/4/2022 -- 18:51:21 -  -- Loading /etc/suricata/suricata.yaml
28/4/2022 -- 18:51:21 -  -- Disabling rules for protocol http2
28/4/2022 -- 18:51:21 -  -- Disabling rules for protocol modbus
28/4/2022 -- 18:51:21 -  -- Disabling rules for protocol dnp3
28/4/2022 -- 18:51:21 -  -- Disabling rules for protocol enip
28/4/2022 -- 18:51:21 -  -- No sources configured, will use Emerging Threats Open
28/4/2022 -- 18:51:21 -  -- Fetching https://rules.emergingthreats.net/open/suricata-6.0.5/emerging.rules.tar.gz.
 100% - 3274660/3274660               
28/4/2022 -- 18:51:27 -  -- Done.
28/4/2022 -- 18:51:28 -  -- Loading distribution rule file /etc/suricata/rules/app-layer-events.rules
28/4/2022 -- 18:51:28 -  -- Loading distribution rule file /etc/suricata/rules/decoder-events.rules
28/4/2022 -- 18:51:28 -  -- Loading distribution rule file /etc/suricata/rules/dhcp-events.rules
28/4/2022 -- 18:51:28 -  -- Loading distribution rule file /etc/suricata/rules/dnp3-events.rules
28/4/2022 -- 18:51:28 -  -- Loading distribution rule file /etc/suricata/rules/dns-events.rules
28/4/2022 -- 18:51:28 -  -- Loading distribution rule file /etc/suricata/rules/files.rules
28/4/2022 -- 18:51:28 -  -- Loading distribution rule file /etc/suricata/rules/http-events.rules
28/4/2022 -- 18:51:28 -  -- Loading distribution rule file /etc/suricata/rules/ipsec-events.rules
28/4/2022 -- 18:51:28 -  -- Loading distribution rule file /etc/suricata/rules/kerberos-events.rules
28/4/2022 -- 18:51:28 -  -- Loading distribution rule file /etc/suricata/rules/modbus-events.rules
28/4/2022 -- 18:51:28 -  -- Loading distribution rule file /etc/suricata/rules/nfs-events.rules
28/4/2022 -- 18:51:28 -  -- Loading distribution rule file /etc/suricata/rules/ntp-events.rules
28/4/2022 -- 18:51:28 -  -- Loading distribution rule file /etc/suricata/rules/smb-events.rules
28/4/2022 -- 18:51:28 -  -- Loading distribution rule file /etc/suricata/rules/smtp-events.rules
28/4/2022 -- 18:51:28 -  -- Loading distribution rule file /etc/suricata/rules/stream-events.rules
28/4/2022 -- 18:51:28 -  -- Loading distribution rule file /etc/suricata/rules/tls-events.rules
28/4/2022 -- 18:51:28 -  -- Ignoring file rules/emerging-deleted.rules
28/4/2022 -- 18:51:29 -  -- Loaded 33238 rules.
28/4/2022 -- 18:51:29 -  -- Disabled 14 rules.
28/4/2022 -- 18:51:29 -  -- Enabled 0 rules.
28/4/2022 -- 18:51:29 -  -- Modified 0 rules.
28/4/2022 -- 18:51:29 -  -- Dropped 0 rules.
28/4/2022 -- 18:51:30 -  -- Enabled 131 rules for flowbit dependencies.
28/4/2022 -- 18:51:30 -  -- Creating directory /var/lib/suricata/rules.
28/4/2022 -- 18:51:30 -  -- Backing up current rules.
28/4/2022 -- 18:51:30 -  -- Writing rules to /var/lib/suricata/rules/suricata.rules: total: 33238; enabled: 25835; added: 33238; removed 0; modified: 0
28/4/2022 -- 18:51:30 -  -- Writing /var/lib/suricata/rules/classification.config
28/4/2022 -- 18:51:30 -  -- Testing with suricata -T.
28/4/2022 -- 18:51:30 -  -- [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol sip enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
28/4/2022 -- 18:51:30 -  -- [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol mqtt enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
28/4/2022 -- 18:51:30 -  -- [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol rdp enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
28/4/2022 -- 18:52:08 -  -- Done.

The ET rules are written to /var/lib/suricata/rules/suricata.rules.

Note that Suricata is configured to load the suricata-update managed rules from that location by default:

vim /etc/suricata/suricata.yaml
...
default-rule-path: /var/lib/suricata/rules

rule-files:
  - suricata.rules
..

If you would rather have the ET rules under /etc/suricata/rules/, pass the output directory to suricata-update and change default-rule-path in suricata.yaml to match:

sudo suricata-update -o /etc/suricata/rules/

Running Suricata on Ubuntu

You can now start and enable Suricata service to run on system boot.

However, always run the configuration test before starting Suricata:

sudo suricata -T -c /etc/suricata/suricata.yaml -v

If it reports any error, fix it before starting Suricata.

If there are no errors, start and enable Suricata:

sudo systemctl enable --now suricata

You can check the status;

sudo systemctl status suricata

Testing Suricata Rules

We will use the downloaded ET rules to test Suricata detection.

As a test, we are going to generate a SYN flood with hping3 and look at what Suricata alerts on.

You can install hping3 on a separate system or on the same system that runs Suricata:

sudo apt install hping3

Before you proceed, disable the receive-offload features on the interface Suricata listens on. With GRO/LRO enabled the NIC driver hands the kernel coalesced super-segments rather than the packets that were actually on the wire, which confuses stream reassembly and leads to missed detections:

ethtool -K enp0s3 gro off lro off

If you get Cannot change large-receive-offload, your interface does not support LRO and the message is safe to ignore. You can verify this with:

ethtool -k enp0s3 | grep large
large-receive-offload: off [fixed]

Next, run Suricata directly in live capture mode on the monitoring interface (on Linux, -i selects AF_PACKET capture).

By the way, there are various modes in which Suricata can run. You can list them by running the command below;

suricata --list-runmodes

Stop the systemd unit first so that two instances do not compete for the same interface and pid file, then start Suricata as a daemon (-D) on your monitoring interface, substituting your own interface name:

systemctl stop suricata
rm -f /var/run/suricata.pid
suricata -D -c /etc/suricata/suricata.yaml -i enp0s3

Now run a SYN flood against the Suricata host from the other host (the -I interface is the attacking host's egress interface; adjust it and the target address to your setup):

hping3 -S -p 80 --flood --rand-source 10.0.2.15 -I enp0s3 -c 50

While Suricata is running and the flood is in progress, tail the Suricata alert log on the Suricata host to see what is happening:

tail -f /var/log/suricata/fast.log

You should see alerts similar to the ones below. Read them carefully: every hit shown here is an ET DROP Spamhaus DROP Listed Traffic rule, fired because --rand-source spoofs random source addresses and some of them fall inside Spamhaus DROP-listed ranges. They confirm that the ET ruleset is loaded and matching inbound traffic to 10.0.2.15, but none of them is a flood-detection alert; catching the SYN flood itself takes a threshold rule of your own. If fast.log stays empty, check that HOME_NET covers 10.0.2.15 and that the rules loaded (suricata -T -v prints the number of rules successfully loaded).

04/28/2022-20:53:23.163746  [**] [1:2400001:3237] ET DROP Spamhaus DROP Listed Traffic Inbound group 2 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 42.133.35.225:16743 -> 10.0.2.15:80
04/28/2022-20:53:23.167683  [**] [1:2400011:3237] ET DROP Spamhaus DROP Listed Traffic Inbound group 12 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 146.51.146.59:16820 -> 10.0.2.15:80
04/28/2022-20:53:23.192930  [**] [1:2400001:3237] ET DROP Spamhaus DROP Listed Traffic Inbound group 2 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 42.171.44.198:16969 -> 10.0.2.15:80
04/28/2022-20:53:23.205414  [**] [1:2400001:3237] ET DROP Spamhaus DROP Listed Traffic Inbound group 2 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 42.160.30.47:17115 -> 10.0.2.15:80
04/28/2022-20:53:23.235223  [**] [1:2400001:3237] ET DROP Spamhaus DROP Listed Traffic Inbound group 2 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 42.219.24.133:17293 -> 10.0.2.15:80
04/28/2022-20:53:23.294544  [**] [1:2400025:3237] ET DROP Spamhaus DROP Listed Traffic Inbound group 26 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 198.56.117.198:17846 -> 10.0.2.15:80
04/28/2022-20:53:23.297399  [**] [1:2400015:3237] ET DROP Spamhaus DROP Listed Traffic Inbound group 16 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 165.102.152.191:17899 -> 10.0.2.15:80
04/28/2022-20:53:23.555831  [**] [1:2400001:3237] ET DROP Spamhaus DROP Listed Traffic Inbound group 2 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 42.222.235.227:20024 -> 10.0.2.15:80
04/28/2022-20:53:23.580783  [**] [1:2400009:3237] ET DROP Spamhaus DROP Listed Traffic Inbound group 10 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 119.232.119.66:20190 -> 10.0.2.15:80
....
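An added example (not code from the original post or from the Emerging Threats ruleset) covering the two gaps in the test above: the Spamhaus hits show that the ET rules are loaded but do not detect the flood itself, and tail -f is a poor way to tell which signatures fired. The script writes a local threshold rule that alerts when 200 SYNs reach one host within 5 seconds, merges it with suricata-update --local, and provides two summaries over fast.log, alerts per signature and distinct source addresses, run here over a constructed sample copied from the alerts shown above. The rule file path, the sid 1000001 and the 200/5 s threshold are this example's own choices.

```shell
#!/bin/sh
# Added example, not part of the original post. The hping3 run above fires
# the "ET DROP Spamhaus DROP Listed Traffic Inbound" rules because
# --rand-source spoofs random source addresses, some of which fall in
# Spamhaus-listed ranges; that proves the ET ruleset is loaded, not that the
# SYN flood itself was detected. Below: a local threshold rule that alerts on
# the flood, plus two fast.log summaries to see what actually fired.
# Assumptions: the local.rules path and sid 1000001 are local choices; the
# sample log lines are copied from the fast.log output shown above.

LOCAL_RULES="${LOCAL_RULES:-/etc/suricata/rules/local.rules}"
SURICATA_YAML="${SURICATA_YAML:-/etc/suricata/suricata.yaml}"

# Write a SYN-flood rule to the file named in $1. flags:S matches pure SYN
# packets, flow:stateless lets it fire on SYNs that never become a flow,
# and threshold alerts once per 5 s window after 200 SYNs to one host.
write_synflood_rule() {
    cat > "$1" <<'EOF'
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"LOCAL Possible TCP SYN flood"; flags:S; flow:stateless; threshold: type both, track by_dst, count 200, seconds 5; classtype:attempted-dos; sid:1000001; rev:1;)
EOF
}

# Count fast.log alerts per signature: prints "count sid message", most
# frequent first. fast.log fields are separated by "[**] ".
summarize_fast_log() {
    awk -F'\\[\\*\\*\\] ' '{
        split($2, parts, "] ")          # "[gid:sid:rev" and "message "
        sub(/^\[/, "", parts[1])
        split(parts[1], id, ":")
        msg = parts[2]
        sub(/ +$/, "", msg)
        count[id[2] " " msg]++
    }
    END { for (k in count) print count[k], k }' "$1" | sort -rn
}

# Number of distinct source addresses in a fast.log. A flood from one host
# shows a single address; spoofed --rand-source traffic shows one per alert.
count_distinct_sources() {
    awk '{ src = $(NF-2); sub(/:[0-9]+$/, "", src); seen[src] = 1 }
         END { n = 0; for (s in seen) n++; print n }' "$1"
}

# Constructed sample: four alerts copied from the fast.log output above.
SAMPLE_LOG="$(mktemp)"
cat > "$SAMPLE_LOG" <<'EOF'
04/28/2022-20:53:23.163746  [**] [1:2400001:3237] ET DROP Spamhaus DROP Listed Traffic Inbound group 2 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 42.133.35.225:16743 -> 10.0.2.15:80
04/28/2022-20:53:23.167683  [**] [1:2400011:3237] ET DROP Spamhaus DROP Listed Traffic Inbound group 12 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 146.51.146.59:16820 -> 10.0.2.15:80
04/28/2022-20:53:23.192930  [**] [1:2400001:3237] ET DROP Spamhaus DROP Listed Traffic Inbound group 2 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 42.171.44.198:16969 -> 10.0.2.15:80
04/28/2022-20:53:23.294544  [**] [1:2400025:3237] ET DROP Spamhaus DROP Listed Traffic Inbound group 26 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 198.56.117.198:17846 -> 10.0.2.15:80
EOF
echo "alerts per signature:"
summarize_fast_log "$SAMPLE_LOG"
echo "distinct sources: $(count_distinct_sources "$SAMPLE_LOG")"
rm -f "$SAMPLE_LOG"

# Deploy on the sensor (run as root): write the rule, merge it into the
# suricata-update output, test the config, then hot-reload the ruleset.
# Only runs when invoked as: sudo sh synflood-rule.sh install
if [ "${1:-}" = "install" ]; then
    mkdir -p "$(dirname "$LOCAL_RULES")"
    write_synflood_rule "$LOCAL_RULES"
    suricata-update --local "$LOCAL_RULES" --no-test --no-reload
    suricata -T -c "$SURICATA_YAML" -v && suricatasc -c ruleset-reload-rules
fi
```

Run it with no arguments to see the summaries on the sample (two hits for sid 2400001, one each for the others, four distinct sources). Run sudo sh synflood-rule.sh install on the sensor to deploy the rule, re-test the configuration and hot-reload the ruleset over the unix socket; then repeat the hping3 test and the per-signature summary should show sid 1000001 alongside the Spamhaus hits.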

Check our other guide on how to read Suricata Eve JSON logs.

Feel free to read more about Suricata on their documentation page.

koromicha
I am the Co-founder of Kifarunix.com, Linux and the whole FOSS enthusiast, Linux System Admin and a Blue Teamer who loves to share technological tips and hacks with others as a way of sharing knowledge as: "In vain have you acquired knowledge if you have not imparted it to others".

4 thoughts on "Install and Setup Suricata on Ubuntu 18.04"

  1. The last command will not display like yours. Shows nothing. It stays in place until I shut it down with the ctrl+c command.
    Please help me

  2. Excellent article. It has helped me to install Suricata in my test environment.

    One question:
    How to configure Suricata to monitor all the servers in the whole network? Currently it is monitoring incoming traffic which is hitting the ethernet interface where Suricata is installed.

    Rgds,
    Maya

  3. Hi,

    The rules directory is not created in /etc/suricata/ after doing make install-full, could you please help me with this?

    Here's the output log:

    install -d "/etc/suricata/"
    install -d "/var/log/suricata/files"
    install -d "/var/log/suricata/certs"
    install -d "/var/run/"
    install -m 770 -d "/var/run/suricata"
    make[1]: Leaving directory '/home/suricata/suricata-4.1.2'
    make install-rules
    make[1]: Entering directory '/home/suricata/suricata-4.1.2'
    /usr/bin/suricata-update \
    --suricata /usr/bin/suricata \
    --suricata-conf /etc/suricata/suricata.yaml \
    --no-test --no-reload