Last updated on April 29th, 2022 at 10:13 am
Today, we are going to learn how to install and set up Suricata on Ubuntu 18.04. Suricata is an open-source network threat detection tool. It uses rules and signatures to detect threats in network traffic, and it also supports the Lua scripting language, which helps it unearth the most complex would-be threats in the network. Suricata is a product of the Open Information Security Foundation (OISF). It is capable of providing NIDS, IPS, NSM and offline pcap processing, and it can be integrated with other tools such as BASE, Snorby, Sguil, SQueRT, ELK and SIEM solutions.
To see a complete list of features supported by Suricata, check the Suricata features page.
Install and Setup Suricata on Ubuntu 18.04
There are two ways in which you can install and set up Suricata on Ubuntu 18.04: from source, or from the OISF PPA repository.
In this guide, we are going to cover both methods of installing Suricata on Ubuntu 18.04.
Installing Suricata from Source On Ubuntu 18.04
Installing Suricata from source on Ubuntu 18.04 is the surest way to get the latest stable version of Suricata up and running.
However, it requires a little extra effort. Hence, before you can install Suricata from source, ensure that you have all the required dependencies installed.
sudo apt -y install libpcre3 libpcre3-dbg libpcre3-dev \
build-essential autoconf automake libtool libpcap-dev \
libnet1-dev libyaml-0-2 libyaml-dev zlib1g zlib1g-dev \
libcap-ng-dev libcap-ng0 make libmagic-dev \
libjansson-dev libjansson4 pkg-config libnspr4-dev \
libnss3-dev liblz4-dev rustc cargo python-pip python3-distutils
Suricata functions as an IDS out of the box. If you need to include the IPS functionality (NFQueue), install the following libraries as well.
sudo apt -y install libnetfilter-queue-dev libnetfilter-queue1 libnfnetlink-dev libnfnetlink0
Next, download the latest stable Suricata tarball;
wget https://www.openinfosecfoundation.org/download/suricata-6.0.5.tar.gz
Once the download is complete, extract the tarball.
tar xzf suricata-6.0.5.tar.gz
Navigate to the extracted Suricata directory and configure the Suricata engine for compilation. The --enable-nfqueue option ensures that Suricata is built with IPS capabilities.
cd suricata-6.0.5
./configure --enable-nfqueue --prefix=/usr --sysconfdir=/etc --localstatedir=/var
Summary of the Suricata configuration. Before running make, confirm that NFQueue support reads yes if you passed --enable-nfqueue, and that the installation, configuration and log directories are the ones you intended, since a mistyped --localstatedir shows up here;
Suricata Configuration:
  AF_PACKET support: yes
  eBPF support: no
  XDP support: no
  PF_RING support: no
  NFQueue support: no
  NFLOG support: no
  IPFW support: no
  Netmap support: no
  DAG enabled: no
  Napatech enabled: no
  WinDivert enabled: no

  Unix socket enabled: yes
  Detection enabled: yes

  Libmagic support: yes
  libnss support: yes
  libnspr support: yes
  libjansson support: yes
  hiredis support: no
  hiredis async with libevent: no
  Prelude support: no
  PCRE jit: yes
  LUA support: no
  libluajit: no
  GeoIP2 support: no
  Non-bundled htp: no
  Hyperscan support: no
  Libnet support: yes
  liblz4 support: yes
  HTTP2 decompression: no

  Rust support: yes
  Rust strict mode: no
  Rust compiler path: /usr/bin/rustc
  Rust compiler version: rustc 1.57.0
  Cargo path: /usr/bin/cargo
  Cargo version: cargo 1.57.0
  Cargo vendor: yes

  Python support: yes
  Python path: /usr/bin/python3
  Python distutils yes
  Python yaml yes
  Install suricatactl: yes
  Install suricatasc: yes
  Install suricata-update: yes

  Profiling enabled: no
  Profiling locks enabled: no
  Plugin support (experimental): yes

Development settings:
  Coccinelle / spatch: no
  Unit tests enabled: no
  Debug output enabled: no
  Debug validation enabled: no

Generic build parameters:
  Installation prefix: /usr
  Configuration directory: /etc/suricata/
  Log directory: /varmake/log/suricata/

  --prefix /usr
  --sysconfdir /etc
  --localstatedir /varmake
  --datarootdir /usr/share

  Host: x86_64-pc-linux-gnu
  Compiler: gcc (exec name) / g++ (real)
  GCC Protect enabled: no
  GCC march native enabled: yes
  GCC Profile enabled: no
  Position Independent Executable enabled: no
  CFLAGS -g -O2 -std=c11 -march=native -I${srcdir}/../rust/gen -I${srcdir}/../rust/dist
  PCAP_CFLAGS -I/usr/include
  SECCFLAGS

To build and install run 'make' and 'make install'.

You can run 'make install-conf' if you want to install initial configuration
files to /etc/suricata/. Running 'make install-full' will install configuration
and rules and provide you a ready-to-run suricata.

To install Suricata into /usr/bin/suricata, have the config in
/etc/suricata and use /var/log/suricata as log dir, use:
./configure --prefix=/usr/ --sysconfdir=/etc/ --localstatedir=/var/
Compile and install the Suricata engine;
make
make install-full
The make install-full command installs both the initial Suricata configuration file and the Suricata rules, using the new Suricata rule management tool, suricata-update.
If the installation is successful, you should see the output below;
...
install -d "/etc/suricata/"
install -d "/varmake/log/suricata/files"
install -d "/varmake/log/suricata/certs"
install -d "/varmake/run/"
install -m 770 -d "/varmake/run/suricata"
make[1]: Leaving directory '/root/suricata-6.0.5'
make install-rules
make[1]: Entering directory '/root/suricata-6.0.5'
LD_LIBRARY_PATH=/usr/lib /usr/bin/suricata-update \
	--suricata /usr/bin/suricata \
	--suricata-conf /etc/suricata/suricata.yaml \
	--no-test --no-reload
28/4/2022 -- 18:05:42 --- Using data-directory /varmake/lib/suricata.
28/4/2022 -- 18:05:42 - -- Using /usr/share/suricata/rules for Suricata provided rules.
28/4/2022 -- 18:05:42 - -- Found Suricata version 6.0.5 at /usr/bin/suricata.
28/4/2022 -- 18:05:42 - -- Loading /etc/suricata/suricata.yaml
28/4/2022 -- 18:05:42 - -- Disabling rules for protocol http2
28/4/2022 -- 18:05:42 - -- Disabling rules for protocol modbus
28/4/2022 -- 18:05:42 - -- Disabling rules for protocol dnp3
28/4/2022 -- 18:05:42 - -- Disabling rules for protocol enip
28/4/2022 -- 18:05:42 - -- No sources configured, will use Emerging Threats Open
28/4/2022 -- 18:05:42 - -- Fetching https://rules.emergingthreats.net/open/suricata-6.0.5/emerging.rules.tar.gz.
 100% - 3274660/3274660
28/4/2022 -- 18:06:35 - -- Done.
28/4/2022 -- 18:06:35 - -- Loading distribution rule file /usr/share/suricata/rules/app-layer-events.rules
28/4/2022 -- 18:06:35 - -- Loading distribution rule file /usr/share/suricata/rules/decoder-events.rules
28/4/2022 -- 18:06:35 - -- Loading distribution rule file /usr/share/suricata/rules/dhcp-events.rules
28/4/2022 -- 18:06:35 - -- Loading distribution rule file /usr/share/suricata/rules/dnp3-events.rules
28/4/2022 -- 18:06:35 - -- Loading distribution rule file /usr/share/suricata/rules/dns-events.rules
28/4/2022 -- 18:06:35 - -- Loading distribution rule file /usr/share/suricata/rules/files.rules
28/4/2022 -- 18:06:35 - -- Loading distribution rule file /usr/share/suricata/rules/http-events.rules
28/4/2022 -- 18:06:35 - -- Loading distribution rule file /usr/share/suricata/rules/ipsec-events.rules
28/4/2022 -- 18:06:35 - -- Loading distribution rule file /usr/share/suricata/rules/kerberos-events.rules
28/4/2022 -- 18:06:35 - -- Loading distribution rule file /usr/share/suricata/rules/modbus-events.rules
28/4/2022 -- 18:06:35 - -- Loading distribution rule file /usr/share/suricata/rules/nfs-events.rules
28/4/2022 -- 18:06:35 - -- Loading distribution rule file /usr/share/suricata/rules/ntp-events.rules
28/4/2022 -- 18:06:35 - -- Loading distribution rule file /usr/share/suricata/rules/smb-events.rules
28/4/2022 -- 18:06:35 - -- Loading distribution rule file /usr/share/suricata/rules/smtp-events.rules
28/4/2022 -- 18:06:35 - -- Loading distribution rule file /usr/share/suricata/rules/stream-events.rules
28/4/2022 -- 18:06:35 - -- Loading distribution rule file /usr/share/suricata/rules/tls-events.rules
28/4/2022 -- 18:06:35 - -- Ignoring file rules/emerging-deleted.rules
28/4/2022 -- 18:06:37 - -- Loaded 33238 rules.
28/4/2022 -- 18:06:37 - -- Disabled 14 rules.
28/4/2022 -- 18:06:37 - -- Enabled 0 rules.
28/4/2022 -- 18:06:37 - -- Modified 0 rules.
28/4/2022 -- 18:06:37 - -- Dropped 0 rules.
28/4/2022 -- 18:06:37 - -- Enabled 131 rules for flowbit dependencies.
28/4/2022 -- 18:06:37 - -- Creating directory /varmake/lib/suricata/rules.
28/4/2022 -- 18:06:37 - -- Backing up current rules.
28/4/2022 -- 18:06:37 - -- Writing rules to /varmake/lib/suricata/rules/suricata.rules: total: 33238; enabled: 25835; added: 33238; removed 0; modified: 0
28/4/2022 -- 18:06:37 - -- Writing /varmake/lib/suricata/rules/classification.config
28/4/2022 -- 18:06:37 - -- Skipping test, disabled by configuration.
28/4/2022 -- 18:06:37 - -- Done.

You can now start suricata by running as root something like:
  /usr/bin/suricata -c /etc/suricata/suricata.yaml -i eth0

If a library like libhtp.so is not found, you can run suricata with:
  LD_LIBRARY_PATH=/usr/lib /usr/bin/suricata -c /etc/suricata/suricata.yaml -i eth0

The Emerging Threats Open rules are now installed. Rules can be
updated and managed with the suricata-update tool.

For more information please see:
  https://suricata.readthedocs.io/en/latest/rule-management/index.html

make[1]: Leaving directory '/root/suricata-6.0.5'
The configuration file is set under /etc/suricata/suricata.yaml while the rules are written to /etc/suricata/rules/.
Installing Suricata on Ubuntu 18.04 from PPA repository
Even though Suricata is available on the default Ubuntu 18.04 repositories, it may not be up-to-date.
As a result, to ensure that you have the latest version installed, add the following PPA repository.
sudo add-apt-repository ppa:oisf/suricata-stable
sudo apt update
Once the PPA repo is set, check which version of Suricata the package manager will install;
apt-cache policy suricata
suricata:
  Installed: (none)
  Candidate: 6.0.5-0ubuntu2
  Version table:
     6.0.5-0ubuntu2 500
        500 http://ppa.launchpad.net/oisf/suricata-stable/ubuntu bionic/main amd64 Packages
     3.2-2ubuntu3 500
        500 http://us.archive.ubuntu.com/ubuntu bionic/universe amd64 Packages
As you can see, the candidate is the latest release version of Suricata.
You can then do the installation by executing the command;
sudo apt install suricata jq
Alternatively, install Suricata with debugging symbols (the suricata-dbg package).
sudo apt install suricata-dbg
That is all for the installation.
You can check which build options Suricata was compiled with;
sudo suricata --build-info
The command also shows the version of the installed Suricata.
Sample output;
This is Suricata version 6.0.5 RELEASE
Features: NFQ PCAP_SET_BUFF AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK PCRE_JIT HAVE_NSS HAVE_LUA HAVE_LUAJIT HAVE_LIBJANSSON TLS TLS_C11 MAGIC RUST
SIMD support: none
Atomic intrinsics: 1 2 4 8 byte(s)
64-bits, Little-endian architecture
GCC version 7.5.0, C version 201112
compiled with _FORTIFY_SOURCE=2
L1 cache line size (CLS)=64
thread local storage method: _Thread_local
compiled with LibHTP v0.5.40, linked against LibHTP v0.5.40

Suricata Configuration:
  AF_PACKET support: yes
  eBPF support: no
  XDP support: no
  PF_RING support: no
  NFQueue support: yes
  NFLOG support: no
  IPFW support: no
  Netmap support: no
  DAG enabled: no
  Napatech enabled: no
  WinDivert enabled: no

  Unix socket enabled: yes
  Detection enabled: yes

  Libmagic support: yes
  libnss support: yes
  libnspr support: yes
  libjansson support: yes
  hiredis support: yes
  hiredis async with libevent: yes
  Prelude support: no
  PCRE jit: yes
  LUA support: yes, through luajit
  libluajit: yes
  GeoIP2 support: yes
  Non-bundled htp: yes
  Hyperscan support: yes
  Libnet support: yes
  liblz4 support: yes
  HTTP2 decompression: no

  Rust support: yes
  Rust strict mode: no
  Rust compiler path: /usr/bin/rustc
  Rust compiler version: rustc 1.57.0
  Cargo path: /usr/bin/cargo
  Cargo version: cargo 1.57.0
  Cargo vendor: yes

  Python support: yes
  Python path: /usr/bin/python3
  Python distutils yes
  Python yaml yes
  Install suricatactl: yes
  Install suricatasc: yes
  Install suricata-update: yes

  Profiling enabled: no
  Profiling locks enabled: no
  Plugin support (experimental): yes

Development settings:
  Coccinelle / spatch: no
  Unit tests enabled: no
  Debug output enabled: no
  Debug validation enabled: no

Generic build parameters:
  Installation prefix: /usr
  Configuration directory: /etc/suricata/
  Log directory: /var/log/suricata/

  --prefix /usr
  --sysconfdir /etc
  --localstatedir /var
  --datarootdir /usr/share

  Host: x86_64-pc-linux-gnu
  Compiler: gcc (exec name) / g++ (real)
  GCC Protect enabled: yes
  GCC march native enabled: no
  GCC Profile enabled: no
  Position Independent Executable enabled: yes
  CFLAGS -g -O2 -fdebug-prefix-map=/build/suricata-QUjETh/suricata-6.0.5=. -fstack-protector-strong -Wformat -Werror=format-security -std=c11 -I${srcdir}/../rust/gen -I${srcdir}/../rust/dist
  PCAP_CFLAGS -I/usr/include
  SECCFLAGS -fstack-protector -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security
Configure Suricata on Ubuntu 18.04
At the end of the installation, you will have the Suricata rules under /etc/suricata/rules/ and the main configuration file under /etc/suricata/suricata.yaml.
The default Suricata configuration file is commented well enough to give a clear understanding of what every setting is for.
To begin with, you need to configure Suricata to differentiate between the internal network to be protected and the external network. This is done by defining the correct values for the HOME_NET and EXTERNAL_NET variables respectively under the address groups.
vim /etc/suricata/suricata.yaml
HOME_NET: "[10.0.2.0/24]"
...
EXTERNAL_NET: "!$HOME_NET"
...
In my case, I am using the address range 10.0.2.0/24 as my home network. The external network is set to anything that does not match the home network.
You can define multiple networks as a comma-separated list inside the brackets, and prefix an entry with ! to exclude it.
Also, define the interface Suricata will use to inspect the traffic. By default, Suricata uses the eth0 interface.
So, list your interfaces with the ip command and determine which one Suricata should use.
ip a
Sample output;
1: lo: mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: enp0s3: mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 08:00:27:87:10:f0 brd ff:ff:ff:ff:ff:ff
    inet 10.0.2.15/24 brd 10.0.2.255 scope global dynamic enp0s3
       valid_lft 84377sec preferred_lft 84377sec
    inet6 fe80::a00:27ff:fe87:10f0/64 scope link
       valid_lft forever preferred_lft forever
3: enp0s8: mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 08:00:27:7e:14:7d brd ff:ff:ff:ff:ff:ff
    inet 192.168.57.10/24 brd 192.168.57.255 scope global enp0s8
       valid_lft forever preferred_lft forever
    inet6 fe80::a00:27ff:fe7e:147d/64 scope link
       valid_lft forever preferred_lft forever
In my case, I will use the interface enp0s3. You can also see that the HOME_NET defined above is on that interface.
The interface is set by updating the value of interface under the af-packet section;
af-packet:
- interface: enp0s3
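As an added check that is not part of the original post (and not Suricata's own tooling), the following Python script parses ip a output of the shape shown above and verifies that every IPv4 address on the chosen af-packet interface falls inside HOME_NET, honouring negated entries such as !192.168.57.0/24. The sample ip a text is constructed from the listing above, and the function names are my own.

```python
import ipaddress
import re

# Constructed sample: `ip a` output in the same shape as the listing above (interface
# names and addresses copied from it; the <FLAGS> field is omitted as it is there).
SAMPLE_IP_A = """\
1: lo: mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: enp0s3: mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 08:00:27:87:10:f0 brd ff:ff:ff:ff:ff:ff
    inet 10.0.2.15/24 brd 10.0.2.255 scope global dynamic enp0s3
       valid_lft 84377sec preferred_lft 84377sec
    inet6 fe80::a00:27ff:fe87:10f0/64 scope link
       valid_lft forever preferred_lft forever
3: enp0s8: mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 08:00:27:7e:14:7d brd ff:ff:ff:ff:ff:ff
    inet 192.168.57.10/24 brd 192.168.57.255 scope global enp0s8
       valid_lft forever preferred_lft forever
"""

IFACE_RE = re.compile(r"^\d+:\s+([^:\s]+):")                 # "2: enp0s3: ..."
INET_RE = re.compile(r"^\s+inet\s+(\d+\.\d+\.\d+\.\d+)/\d+")  # IPv4 "inet" lines only

def parse_ip_a(text):
    """Return {interface: [IPv4Address, ...]} from `ip a` output."""
    addrs, current = {}, None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            addrs.setdefault(current, [])
            continue
        m = INET_RE.match(line)
        if m and current:
            addrs[current].append(ipaddress.ip_address(m.group(1)))
    return addrs

def parse_home_net(value):
    """Parse an address-group string such as "[10.0.2.0/24,!10.0.2.1/32]" into
    (include, exclude) network lists. Handles one level of [] nesting only."""
    include, exclude = [], []
    for item in value.strip().strip('"').strip("[]").split(","):
        item = item.strip("[] ")
        if not item:
            continue
        if item.startswith("!"):
            exclude.append(ipaddress.ip_network(item[1:].strip("[] "), strict=False))
        else:
            include.append(ipaddress.ip_network(item, strict=False))
    return include, exclude

def in_home_net(addr, home_net):
    """True if addr is inside an included network and not inside an excluded one."""
    include, exclude = parse_home_net(home_net)
    return any(addr in n for n in include) and not any(addr in n for n in exclude)

def check_interface(ip_a_text, iface, home_net):
    """Return (ok, uncovered): ok is False when the interface is missing, has no
    IPv4 address, or has an address outside HOME_NET; uncovered lists the latter."""
    addrs = parse_ip_a(ip_a_text)
    if not addrs.get(iface):
        return False, []
    uncovered = [str(a) for a in addrs[iface] if not in_home_net(a, home_net)]
    return not uncovered, uncovered

if __name__ == "__main__":
    ok, missing = check_interface(SAMPLE_IP_A, "enp0s3", '"[10.0.2.0/24]"')
    print("enp0s3 is covered by HOME_NET" if ok else f"outside HOME_NET: {missing}")
```

On a live host, feed it the real output (for example subprocess.run(["ip", "a"], capture_output=True, text=True).stdout) together with the HOME_NET value from suricata.yaml.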
Next, install Suricata Emerging Threat rules.
By default, the Suricata rules are placed under the /etc/suricata/rules/ directory.
To list the default Suricata rules;
ls -1 /etc/suricata/rules/
app-layer-events.rules
decoder-events.rules
dhcp-events.rules
dnp3-events.rules
dns-events.rules
files.rules
http2-events.rules
http-events.rules
ipsec-events.rules
kerberos-events.rules
modbus-events.rules
mqtt-events.rules
nfs-events.rules
ntp-events.rules
smb-events.rules
smtp-events.rules
stream-events.rules
tls-events.rules
With the default rules alone, only limited detection can be made. The Emerging Threats rules are the most comprehensive rule set optimized for the Suricata open source IDS/IPS engine.
To install the Suricata ET rules, use the suricata-update command as shown below;
NOTE that the ET rules are installed automatically when you build Suricata from source and install using the make install-full command.
sudo suricata-update
Sample output;
28/4/2022 -- 18:51:21 --- Using data-directory /var/lib/suricata.
28/4/2022 -- 18:51:21 - -- Using Suricata configuration /etc/suricata/suricata.yaml
28/4/2022 -- 18:51:21 - -- Using /etc/suricata/rules for Suricata provided rules.
28/4/2022 -- 18:51:21 - -- Found Suricata version 6.0.5 at /usr/bin/suricata.
28/4/2022 -- 18:51:21 - -- Loading /etc/suricata/suricata.yaml
28/4/2022 -- 18:51:21 - -- Disabling rules for protocol http2
28/4/2022 -- 18:51:21 - -- Disabling rules for protocol modbus
28/4/2022 -- 18:51:21 - -- Disabling rules for protocol dnp3
28/4/2022 -- 18:51:21 - -- Disabling rules for protocol enip
28/4/2022 -- 18:51:21 - -- No sources configured, will use Emerging Threats Open
28/4/2022 -- 18:51:21 - -- Fetching https://rules.emergingthreats.net/open/suricata-6.0.5/emerging.rules.tar.gz.
 100% - 3274660/3274660
28/4/2022 -- 18:51:27 - -- Done.
28/4/2022 -- 18:51:28 - -- Loading distribution rule file /etc/suricata/rules/app-layer-events.rules
28/4/2022 -- 18:51:28 - -- Loading distribution rule file /etc/suricata/rules/decoder-events.rules
28/4/2022 -- 18:51:28 - -- Loading distribution rule file /etc/suricata/rules/dhcp-events.rules
28/4/2022 -- 18:51:28 - -- Loading distribution rule file /etc/suricata/rules/dnp3-events.rules
28/4/2022 -- 18:51:28 - -- Loading distribution rule file /etc/suricata/rules/dns-events.rules
28/4/2022 -- 18:51:28 - -- Loading distribution rule file /etc/suricata/rules/files.rules
28/4/2022 -- 18:51:28 - -- Loading distribution rule file /etc/suricata/rules/http-events.rules
28/4/2022 -- 18:51:28 - -- Loading distribution rule file /etc/suricata/rules/ipsec-events.rules
28/4/2022 -- 18:51:28 - -- Loading distribution rule file /etc/suricata/rules/kerberos-events.rules
28/4/2022 -- 18:51:28 - -- Loading distribution rule file /etc/suricata/rules/modbus-events.rules
28/4/2022 -- 18:51:28 - -- Loading distribution rule file /etc/suricata/rules/nfs-events.rules
28/4/2022 -- 18:51:28 - -- Loading distribution rule file /etc/suricata/rules/ntp-events.rules
28/4/2022 -- 18:51:28 - -- Loading distribution rule file /etc/suricata/rules/smb-events.rules
28/4/2022 -- 18:51:28 - -- Loading distribution rule file /etc/suricata/rules/smtp-events.rules
28/4/2022 -- 18:51:28 - -- Loading distribution rule file /etc/suricata/rules/stream-events.rules
28/4/2022 -- 18:51:28 - -- Loading distribution rule file /etc/suricata/rules/tls-events.rules
28/4/2022 -- 18:51:28 - -- Ignoring file rules/emerging-deleted.rules
28/4/2022 -- 18:51:29 - -- Loaded 33238 rules.
28/4/2022 -- 18:51:29 - -- Disabled 14 rules.
28/4/2022 -- 18:51:29 - -- Enabled 0 rules.
28/4/2022 -- 18:51:29 - -- Modified 0 rules.
28/4/2022 -- 18:51:29 - -- Dropped 0 rules.
28/4/2022 -- 18:51:30 - -- Enabled 131 rules for flowbit dependencies.
28/4/2022 -- 18:51:30 - -- Creating directory /var/lib/suricata/rules.
28/4/2022 -- 18:51:30 - -- Backing up current rules.
28/4/2022 -- 18:51:30 - -- Writing rules to /var/lib/suricata/rules/suricata.rules: total: 33238; enabled: 25835; added: 33238; removed 0; modified: 0
28/4/2022 -- 18:51:30 - -- Writing /var/lib/suricata/rules/classification.config
28/4/2022 -- 18:51:30 - -- Testing with suricata -T.
28/4/2022 -- 18:51:30 - -- [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol sip enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
28/4/2022 -- 18:51:30 - -- [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol mqtt enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
28/4/2022 -- 18:51:30 - -- [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol rdp enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
28/4/2022 -- 18:52:08 - -- Done.
The ET rules are written to /var/lib/suricata/rules/suricata.rules.
Note that Suricata is configured to load Suricata-Update managed rules by default.
vim /etc/suricata/suricata.yaml
...
default-rule-path: /var/lib/suricata/rules
rule-files:
- suricata.rules
...
If you want the ET rules written under /etc/suricata/rules/ instead, specify the output directory on the suricata-update command, and point default-rule-path above at the same directory.
sudo suricata-update -o /etc/suricata/rules/
Running Suricata on Ubuntu
You can now start and enable Suricata service to run on system boot.
However, always run the configuration check before you start Suricata;
sudo suricata -T -c /etc/suricata/suricata.yaml -v
In case of any error, fix it before you start Suricata.
If there is no error, then start Suricata;
sudo systemctl enable --now suricata
You can check the status;
sudo systemctl status suricata
Testing Suricata Rules
We will use the downloaded ET rules to test Suricata detection.
As a test, we are going to demonstrate how to alert on a possible SYN flood using hping3.
You can install hping3 tool on a separate system or on same system running Suricata;
sudo apt install hping3
Before you proceed, disable the packet offload features on the network interface on which Suricata is listening, so that Suricata sees the packets as they arrive on the wire rather than coalesced by the NIC.
ethtool -K enp0s3 gro off lro off
If you get the error Cannot change large-receive-offload, it means that your interface doesn't support this feature and it is safe to ignore it. You can verify this by running the command below;
ethtool -k enp0s3 | grep large
large-receive-offload: off [fixed]
Next, start Suricata in PCAP live mode by executing the commands below.
By the way, there are various modes in which Suricata can run. You can list them by running the command below;
suricata --list-runmodes
So, to run in live PCAP mode, run the commands below, changing the monitoring interface to match yours.
systemctl stop suricata
rm -rf /var/run/suricata.pid
suricata -D -c /etc/suricata/suricata.yaml -i enp0s3
Perform a simple DDoS attack test against our Suricata host from a different host.
hping3 -S -p 80 --flood --rand-source 10.0.2.15 -I enp0s3 -c 50
While Suricata is running on the Suricata host and the DDoS test against it is in progress, tail the Suricata alert log on the Suricata host to see what is happening;
tail -f /var/log/suricata/fast.log
You should see alerts similar to the following. Note that what fires here are the ET DROP Spamhaus reputation signatures matching the randomised source addresses, not a rule on the SYN rate itself;
04/28/2022-20:53:23.163746  [**] [1:2400001:3237] ET DROP Spamhaus DROP Listed Traffic Inbound group 2 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 42.133.35.225:16743 -> 10.0.2.15:80
04/28/2022-20:53:23.167683  [**] [1:2400011:3237] ET DROP Spamhaus DROP Listed Traffic Inbound group 12 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 146.51.146.59:16820 -> 10.0.2.15:80
04/28/2022-20:53:23.192930  [**] [1:2400001:3237] ET DROP Spamhaus DROP Listed Traffic Inbound group 2 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 42.171.44.198:16969 -> 10.0.2.15:80
04/28/2022-20:53:23.205414  [**] [1:2400001:3237] ET DROP Spamhaus DROP Listed Traffic Inbound group 2 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 42.160.30.47:17115 -> 10.0.2.15:80
04/28/2022-20:53:23.235223  [**] [1:2400001:3237] ET DROP Spamhaus DROP Listed Traffic Inbound group 2 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 42.219.24.133:17293 -> 10.0.2.15:80
04/28/2022-20:53:23.294544  [**] [1:2400025:3237] ET DROP Spamhaus DROP Listed Traffic Inbound group 26 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 198.56.117.198:17846 -> 10.0.2.15:80
04/28/2022-20:53:23.297399  [**] [1:2400015:3237] ET DROP Spamhaus DROP Listed Traffic Inbound group 16 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 165.102.152.191:17899 -> 10.0.2.15:80
04/28/2022-20:53:23.555831  [**] [1:2400001:3237] ET DROP Spamhaus DROP Listed Traffic Inbound group 2 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 42.222.235.227:20024 -> 10.0.2.15:80
04/28/2022-20:53:23.580783  [**] [1:2400009:3237] ET DROP Spamhaus DROP Listed Traffic Inbound group 10 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 119.232.119.66:20190 -> 10.0.2.15:80
....
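To make sense of a burst like this, here is an added Python example (not part of the original post and not a Suricata tool) that parses fast.log lines in the format above, groups the alerts by destination ip:port and flags targets hit by many distinct sources within a short window, which is the trace a randomised-source SYN flood leaves in fast.log even when the signatures that fire are reputation rules rather than a flood-specific rule. The sample is constructed from five of the alerts above plus one made-up single-source alert whose sid 9000001 is a placeholder; the function names and thresholds are my own.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: five of the fast.log lines shown above plus one made-up
# single-source alert (sid 9000001 is a placeholder, not a real rule) so that the
# summary also contains a target that should NOT be flagged.
SAMPLE_FAST_LOG = """\
04/28/2022-20:53:23.163746  [**] [1:2400001:3237] ET DROP Spamhaus DROP Listed Traffic Inbound group 2 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 42.133.35.225:16743 -> 10.0.2.15:80
04/28/2022-20:53:23.167683  [**] [1:2400011:3237] ET DROP Spamhaus DROP Listed Traffic Inbound group 12 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 146.51.146.59:16820 -> 10.0.2.15:80
04/28/2022-20:53:23.192930  [**] [1:2400001:3237] ET DROP Spamhaus DROP Listed Traffic Inbound group 2 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 42.171.44.198:16969 -> 10.0.2.15:80
04/28/2022-20:53:23.205414  [**] [1:2400001:3237] ET DROP Spamhaus DROP Listed Traffic Inbound group 2 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 42.160.30.47:17115 -> 10.0.2.15:80
04/28/2022-20:53:23.294544  [**] [1:2400025:3237] ET DROP Spamhaus DROP Listed Traffic Inbound group 26 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 198.56.117.198:17846 -> 10.0.2.15:80
04/28/2022-20:53:30.000001  [**] [1:9000001:1] LOCAL constructed single-source alert [**] [Classification: Misc activity] [Priority: 3] {TCP} 10.0.2.4:51234 -> 10.0.2.15:22
"""

# One fast.log line: timestamp [**] [gid:sid:rev] msg [**] [Classification: ..] [Priority: n] {proto} src:port -> dst:port
FAST_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"\[Classification:\s*(?P<cls>[^\]]*)\]\s+\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\S+):(?P<sport>\d+)\s+->\s+(?P<dst>\S+):(?P<dport>\d+)\s*$"
)

def parse_fast_line(line):
    """Parse one fast.log line into a dict, or return None for lines that do not match."""
    m = FAST_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["ts"], "%m/%d/%Y-%H:%M:%S.%f")
    for key in ("gid", "sid", "rev", "prio", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec

def parse_fast_log(text):
    """Parse every matching line of a fast.log body; unparseable lines are skipped."""
    return [r for r in (parse_fast_line(l) for l in text.splitlines()) if r]

def summarize_by_target(alerts):
    """Group alerts by destination ip:port. Per target: alert count, distinct source
    addresses, the signature ids that fired, and the time span covered in seconds."""
    groups = defaultdict(list)
    for a in alerts:
        groups[f"{a['dst']}:{a['dport']}"].append(a)
    summary = {}
    for target, recs in groups.items():
        times = sorted(r["time"] for r in recs)
        summary[target] = {
            "alerts": len(recs),
            "sources": sorted({r["src"] for r in recs}),
            "sids": sorted({r["sid"] for r in recs}),
            "span": (times[-1] - times[0]).total_seconds(),
        }
    return summary

def flood_candidates(summary, min_sources=5, max_span=2.0):
    """Targets hit by at least min_sources distinct sources within max_span seconds,
    the shape a randomised-source flood leaves behind. Thresholds are illustrative."""
    return sorted(t for t, s in summary.items()
                  if len(s["sources"]) >= min_sources and s["span"] <= max_span)

if __name__ == "__main__":
    summary = summarize_by_target(parse_fast_log(SAMPLE_FAST_LOG))
    for target in flood_candidates(summary):
        s = summary[target]
        print(f"{target}: {s['alerts']} alerts from {len(s['sources'])} sources in {s['span']:.3f}s")
```

Point parse_fast_log at the contents of /var/log/suricata/fast.log to run it against a real capture; for longer logs, slice the alerts into time buckets before summarising so the span stays meaningful.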
Check our other guide on how to read Suricata Eve JSON logs.
That is all about how to install and setup Suricata on Ubuntu 18.04.
Feel free to read more about Suricata on their documentation page.
The last command will not display like yours; it shows nothing. It stays in place until I shut it down with the ctrl+c command.
Please help me.
Excellent Article. It has helped me to install the Suricata in my test environment.
One question:
How do I configure Suricata to monitor all the servers in the whole network? Currently it is monitoring the incoming traffic that is hitting the ethernet interface where Suricata is installed.
Rgds,
Maya
Hi Mayalagu,
You can install and setup Suricata on your gateway server.
Hi,
The rules directory is not created in /etc/suricata/ after doing make install-full, could you please help me with this?
Here's the output log:
install -d "/etc/suricata/"
install -d "/var/log/suricata/files"
install -d "/var/log/suricata/certs"
install -d "/var/run/"
install -m 770 -d "/var/run/suricata"
make[1]: Leaving directory '/home/suricata/suricata-4.1.2'
make install-rules
make[1]: Entering directory '/home/suricata/suricata-4.1.2'
/usr/bin/suricata-update \
--suricata /usr/bin/suricata \
--suricata-conf /etc/suricata/suricata.yaml \
--no-test --no-reload