Install and Setup Suricata on Ubuntu 18.04


Today, we are going to learn how to install and setup Suricata on Ubuntu 18.04. Suricata is an open-source network threat detection tool. It uses rules and signatures to detect threats in network traffic, and it also supports the Lua scripting language, which helps it unearth complex threats that plain signatures would miss. Suricata is a product of the Open Information Security Foundation (OISF). It is capable of providing NIDS, IPS, NSM and offline pcap processing, and it can be integrated with other tools such as BASE, Snorby, Sguil, SQueRT, ELK and SIEM solutions.

To see a complete list of features supported by Suricata, you can check all features.

Install and Setup Suricata on Ubuntu 18.04

There are two ways in which you can install and setup Suricata on Ubuntu 18.04;

  • Installing from the source
  • Installing from PPA Repository

In this guide, we are going to cover both methods of installing Suricata on Ubuntu 18.04.

Installing Suricata from Source On Ubuntu 18.04

Installing Suricata from source on Ubuntu 18.04 is the surest way to get the latest stable version of Suricata up and running. However, it requires a little extra effort. Hence, before you can install Suricata from source, ensure that you have all the required dependencies installed.

sudo apt -y install libpcre3 libpcre3-dbg libpcre3-dev build-essential autoconf \
automake libtool libpcap-dev libnet1-dev libyaml-0-2 libyaml-dev zlib1g zlib1g-dev \
libcap-ng-dev libcap-ng0 make libmagic-dev libjansson-dev libjansson4 pkg-config

Install Suricata rules update tool

apt install python-pip
pip install --upgrade suricata-update
ln -s /usr/local/bin/suricata-update /usr/bin/suricata-update

Suricata functions as an IDS out of the box. If you also need the IPS functionality, install the following libraries.

sudo apt -y install libnetfilter-queue-dev libnetfilter-queue1 libnfnetlink-dev libnfnetlink0

Next, download the latest and stable Suricata tarball. You can simply download as shown below;

wget https://www.openinfosecfoundation.org/download/suricata-4.1.2.tar.gz

Once the download is complete, extract the tarball.

tar xzf suricata-4.1.2.tar.gz

Navigate to the extracted Suricata directory and configure the engine for compilation. The --enable-nfqueue flag ensures that Suricata is built with IPS capabilities.

cd suricata-4.1.2
./configure --enable-nfqueue --prefix=/usr --sysconfdir=/etc --localstatedir=/var

Compile and install the Suricata engine

make
make install-full

The make install-full command will simply install both Suricata initial configuration file and the Suricata rules using the new Suricata rule management tool, suricata-update. If the installation is successful, you should see the output below;

...
install -d "/etc/suricata/"
install -d "/var/log/suricata/files"
install -d "/var/log/suricata/certs"
install -d "/var/run/"
install -m 770 -d "/var/run/suricata"
install -d "/etc/suricata/rules"
/usr/bin/wget -qO - https://rules.emergingthreats.net/open/suricata-3.0/emerging.rules.tar.gz | tar -x -z -C "/etc/suricata/" -f -

You can now start suricata by running as root something like '/usr/bin/suricata -c /etc/suricata//suricata.yaml -i eth0'.

If a library like libhtp.so is not found, you can run suricata with:
'LD_LIBRARY_PATH=/usr/lib /usr/bin/suricata -c /etc/suricata//suricata.yaml -i eth0'.

While rules are installed now, it's highly recommended to use a rule manager for maintaining rules.
The two most common are Oinkmaster and Pulledpork. For a guide see:
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Rule_Management_with_Oinkmaster

The configuration file is set under /etc/suricata/suricata.yaml while the rules are written to /etc/suricata/rules/.

Installing Suricata from PPA repository

Even though Suricata is available in the default Ubuntu 18.04 repositories, the packaged version may not be up to date. To ensure that you get the latest version installed, add the following PPA repository.

sudo add-apt-repository ppa:oisf/suricata-stable
sudo apt update

Once the PPA repo is set, check which version is now the install candidate and install Suricata with the package manager.

apt-cache policy suricata
suricata:
  Installed: 4.1.2-0ubuntu6
  Candidate: 4.1.2-0ubuntu6
  Version table:
 *** 4.1.2-0ubuntu6 500
        500 http://ppa.launchpad.net/oisf/suricata-stable/ubuntu bionic/main amd64 Packages
        100 /var/lib/dpkg/status
     3.2-2ubuntu3 500
        500 http://ke.archive.ubuntu.com/ubuntu bionic/universe amd64 Packages
sudo apt install suricata

You can instead install Suricata with debugging enabled.

sudo apt install suricata-dbg

That is all with installation. At the end of installation, you will have Suricata rules under /etc/suricata/rules/ and the main configuration file under /etc/suricata/suricata.yaml.

To list the Suricata rules;

ls -C /etc/suricata/rules/
app-layer-events.rules   emerging-attack_response.rules  emerging-malware.rules         emerging-telnet.rules             LICENSE
botcc.portgrouped.rules  emerging-chat.rules             emerging-misc.rules            emerging-tftp.rules               modbus-events.rules
botcc.rules              emerging-current_events.rules   emerging-mobile_malware.rules  emerging-trojan.rules             nfs-events.rules
BSD-License.txt          emerging-deleted.rules          emerging-netbios.rules         emerging-user_agents.rules        ntp-events.rules
ciarmy.rules             emerging-dns.rules              emerging-p2p.rules             emerging-voip.rules               sid-msg.map
classification.config    emerging-dos.rules              emerging-policy.rules          emerging-web_client.rules         smb-events.rules
compromised-ips.txt      emerging-exploit.rules          emerging-pop3.rules            emerging-web_server.rules         smtp-events.rules
compromised.rules        emerging-ftp.rules              emerging-rpc.rules             emerging-web_specific_apps.rules  stream-events.rules
decoder-events.rules     emerging-games.rules            emerging-scada.rules           emerging-worm.rules               suricata-4.0-enhanced-open.txt
dnp3-events.rules        emerging-icmp_info.rules        emerging-scan.rules            files.rules                       tls-events.rules
dns-events.rules         emerging-icmp.rules             emerging-shellcode.rules       gpl-2.0.txt                       tor.rules
drop.rules               emerging-imap.rules             emerging-smtp.rules            http-events.rules
dshield.rules            emerging-inappropriate.rules    emerging-snmp.rules            ipsec-events.rules
emerging-activex.rules   emerging-info.rules             emerging-sql.rules             kerberos-events.rules

Configure Suricata on Ubuntu 18.04

The main configuration file for Suricata is /etc/suricata/suricata.yaml. The file itself is commented well enough to provide a clear understanding of what every setting is for.

To begin with, you need to configure Suricata to differentiate between your internal network, which is to be protected, and the external network. This is done by defining the correct values for the HOME_NET and EXTERNAL_NET variables respectively under the address groups.

vim /etc/suricata/suricata.yaml
    HOME_NET: "[192.168.43.220]"
...
    EXTERNAL_NET: "!$HOME_NET"
...

In my case, I am using the IP address 192.168.43.220 as my home network. The external networks are set to any that doesn't match the home network.

For learning purposes, we are going to demonstrate how to alert on a possible SYN flood. To do so, we create our own test rule as shown below;

vim /etc/suricata/rules/test-ddos.rules
alert tcp any any -> $HOME_NET 80 (msg: "Possible DDoS attack"; flags: S; flow: stateless; threshold: type both, track by_dst, count 200, seconds 1; sid:1000001; rev:1;)

The rule matches TCP packets with only the SYN flag set (flags: S) that are headed for port 80 on the home network. The threshold keyword (type both, track by_dst, count 200, seconds 1) makes Suricata count those SYN packets per destination address and raise one alert per one-second interval once 200 of them have been seen in that second, so a flood shows up as a steady stream of alerts rather than one alert per packet.
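Before wiring a local rule file into the configuration it is worth checking it: sids must be unique across all loaded rule files, 1000000 and above is the conventional range for local rules, and every rule should carry a rev. The following is an added example, not part of the original post or of the Suricata project: a small POSIX shell linter that reads a rule file and reports rules with no sid, a sid below the local range, a repeated sid, or a missing rev. The default file path is the one used in the post; the function name and its messages are this script's own.

```shell
#!/bin/sh
# Added example (not from the original post): lint a Suricata rule file.
# Checks that every active rule has a sid, that the sid is in the local
# range (1000000 and up), that no sid repeats, and that a rev is present.
# Usage: sh lint-rules.sh /etc/suricata/rules/test-ddos.rules

# Read rule text on stdin; print one problem per line; return 1 if any found.
lint_rules() {
    awk '
        BEGIN { bad = 0 }
        /^[[:space:]]*#/ { next }          # comment line
        /^[[:space:]]*$/ { next }          # blank line
        {
            if (match($0, /sid:[[:space:]]*[0-9]+;/) == 0) {
                print "line " NR ": rule has no sid"; bad = 1; next
            }
            s = substr($0, RSTART, RLENGTH)
            gsub(/[^0-9]/, "", s)          # keep only the digits of the sid
            sid = s + 0
            if (sid < 1000000)
                { print "line " NR ": sid " sid " is below the local range (1000000+)"; bad = 1 }
            if (seen[sid]++)
                { print "line " NR ": sid " sid " duplicates an earlier rule"; bad = 1 }
            if ($0 !~ /rev:[[:space:]]*[0-9]+;/)
                { print "line " NR ": sid " sid " has no rev"; bad = 1 }
        }
        END { exit bad }
    '
}

# Only read a file when one is given on the command line.
if [ -n "${1:-}" ]; then
    lint_rules < "$1" && echo "$1: no problems found"
fi
```

Run it against the rule file before adding the file to rule-files; a non-zero exit status means at least one problem was printed.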

Next, you need to configure Suricata to include this rule. Hence, edit the Suricata configuration file and add the rules file under the rule-files: section.

vim /etc/suricata/suricata.yaml
rule-files:
 - botcc.rules
 - ciarmy.rules
...
# - Custom Test rules
 - test-ddos.rules

You are now ready to perform the tests. However, before you proceed, you need to disable packet offload features on the network interface on which Suricata is listening; otherwise the kernel may hand Suricata coalesced packets that do not match what was actually on the wire.

ethtool -K enp0s3 gro off lro off

If you get the error "Cannot change large-receive-offload", it means that your interface does not support changing this feature and it is safe to ignore. You can verify this by running the command below;

ethtool -k enp0s3 | grep large
large-receive-offload: off [fixed]
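The IPS build flag from the source install section and the offload settings above are both things that go wrong silently. The following pre-flight script is an added example, not part of the original post or of the Suricata project: it checks that the installed binary was built with NFQueue support (the --enable-nfqueue build), that GRO and LRO are off on the capture interface, and that the configuration and rule files load, using the output of suricata --build-info, ethtool -k and suricata -T. The interface name enp0s3 and the config path are taken from the post; the function names and the "check" argument are this script's own.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight checks to run on a
# Suricata host before starting the engine. IFACE and CONF default to the
# values used in the post; override them in the environment if they differ.
IFACE="${IFACE:-enp0s3}"
CONF="${CONF:-/etc/suricata/suricata.yaml}"

# Read "suricata --build-info" text on stdin; succeed only if the build
# reports NFQueue support, which is what IPS (inline) mode needs.
nfqueue_enabled() {
    grep -qi '^[[:space:]]*NFQueue support:[[:space:]]*yes'
}

# Read "ethtool -k IFACE" text on stdin; succeed only if both generic and
# large receive offload are off. "[fixed]" after "off" is fine: it means the
# NIC cannot coalesce packets at all.
offload_disabled() {
    awk '
        /^generic-receive-offload:/ { gro = $2 }
        /^large-receive-offload:/   { lro = $2 }
        END { exit !(gro == "off" && lro == "off") }
    '
}

# Run the real commands and print one line per check. Needs root.
run_checks() {
    if suricata --build-info | nfqueue_enabled; then
        echo "ok:   build has NFQueue support (IPS mode available)"
    else
        echo "warn: no NFQueue support; only IDS mode will work"
    fi
    if ethtool -k "$IFACE" | offload_disabled; then
        echo "ok:   gro and lro are off on $IFACE"
    else
        echo "warn: offload still on; run: ethtool -K $IFACE gro off lro off"
    fi
    # -T validates the config and every rule file without starting capture.
    if suricata -T -c "$CONF" >/dev/null 2>&1; then
        echo "ok:   $CONF and its rule files load cleanly"
    else
        echo "fail: suricata -T -c $CONF reports errors; rerun it to see them"
    fi
}

# Only execute the checks when invoked as: sh preflight.sh check
if [ "${1:-}" = "check" ]; then
    run_checks
fi
```

Run it as root with the "check" argument after every rule or configuration change; the suricata -T step is the one that catches a typo in a custom rule before the daemon is started.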

Next, start Suricata as a daemon (-D) in pcap live mode on the interface by executing the command below.

suricata -D -c /etc/suricata/suricata.yaml -i enp0s3

By the way, there are various modes in which Suricata can run. You can list them by running the command below;

suricata --list-runmodes

While Suricata is running, run the command below from a different server and tail the Suricata logs on the Suricata host to see what is happening;

hping3 -S -p 80 --flood --rand-source 192.168.43.220
tail -f /var/log/suricata/fast.log
02/05/2019-21:05:20.572970  [**] [1:1000001:1] Possible DDoS attack [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.43.149:49876 -> 192.168.43.220:80
02/05/2019-21:05:21.084437  [**] [1:1000001:1] Possible DDoS attack [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.43.149:51622 -> 192.168.43.220:80
02/05/2019-21:05:22.106880  [**] [1:1000001:1] Possible DDoS attack [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.43.149:54296 -> 192.168.43.220:8

If your rule is set correctly, you should be able to get the above output.
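With type both the rule raises one alert per second per destination, so on a busy sensor the useful question is not whether the rule fired but which sources and which sids fire most. The following is an added example, not part of the original post or of the Suricata project: a POSIX shell function that reads fast.log lines in the format shown above and prints a count per (sid, source address), most frequent first. The sample lines in the test are constructed in that format; the function name is this script's own.

```shell
#!/bin/sh
# Added example (not from the original post): summarise a Suricata fast.log.
# Each line has the shape
#   <time>  [**] [gid:sid:rev] <msg> [**] [Classification: ..] [Priority: n] {PROTO} src:port -> dst:port
# Usage: sh fastlog-summary.sh /var/log/suricata/fast.log

# Read fast.log lines on stdin; print "count sid source-ip", highest count first.
summarize_fast_log() {
    awk '
        {
            split($3, part, ":")                  # "[1:1000001:1]" -> part[2] is the sid
            sid = part[2]
            src = ""
            for (i = 4; i <= NF; i++) {           # locate the "{PROTO}" field ...
                if ($i ~ /^[{][A-Za-z0-9]+[}]$/) { src = $(i + 1); break }
            }
            if (src == "") next                   # skip lines that do not parse
            sub(/:[0-9]+$/, "", src)              # ... and drop the source port
            count[sid " " src]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -rn
}

# Only read a file when one is given on the command line.
if [ -n "${1:-}" ]; then
    summarize_fast_log < "$1"
fi
```

Because the output is sorted, the function needs the whole file; for a live view pipe a fixed window instead, for example the last few thousand lines of fast.log.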

That is all about how to Install and Setup Suricata on Ubuntu 18.04. Feel free to read more about Suricata on their documentation page.
