Today, we are going to learn how to install and setup Suricata on Ubuntu 18.04. Suricata is an opensource network threat detection tool. Suricata uses rules and signatures to detect threat in network traffic. It also supports Lua scripting language that helps it unearth the most complex would be threats in the network. Suricata is a product of Open Information Security Foundation. It is capable of providing NIDS, IPS, NSM and offline pcap processing. It can be integrated with other tools such as BASE, Snorby, Sguil, SQueRT, ELK, SIEM solutions etc.
To see a complete list of features supported by Suricata, you can check all features.
Install and Setup Suricata on Ubuntu 18.04
There are two ways in which you can install and setup Suricata on Ubuntu 18.04;
- Installing from the source
- Installing from PPA Repository
In this guide, we are going to cover both methods of installing Suricata on Ubuntu 18.04.
Installing Suricata from Source On Ubuntu 18.04
Installation Suricata from the Source on Ubuntu 18.04 is the surest way to get the latest and stable version of Suricata up and running on Ubuntu 1804. However it requires some little extra effort. Hence,, before you can install Suricata from the source, ensure that you got all the required dependencies installed.
sudo apt -y install libpcre3 libpcre3-dbg libpcre3-dev build-essential autoconf \ automake libtool libpcap-dev libnet1-dev libyaml-0-2 libyaml-dev zlib1g zlib1g-dev \ libcap-ng-dev libcap-ng0 make libmagic-dev libjansson-dev libjansson4 pkg-config
Install Suricata rules update tool
apt install python-pip pip install --upgrade suricata-update ln -s /usr/local/bin/suricata-update /usr/bin/suricata-update
Suricata function as an IDS out of the box. If you need to include the IPS funtionality, install the following libraries.
sudo apt -y install libnetfilter-queue-dev libnetfilter-queue1 libnfnetlink-dev libnfnetlink0
Next, download the latest and stable Suricata tarball. You can simply download as shown below;
wget https://www.openinfosecfoundation.org/download/suricata-4.1.2.tar.gz
Once the download is complete, extract the tarball.
tar xzf suricata-4.1.2.tar.gz
Navigate to Suricata tarball extract directory to configure Suricata engine for compilation. This ensures that Suricata is build with IPS capabilities.
cd suricata-4.1.2 ./configure --enable-nfqueue --prefix=/usr --sysconfdir=/etc --localstatedir=/var
Compile and install the Suricata engine
make make install-full
The make install-full command will simply install both Suricata initial configuration file and the Suricata rules using the new Suricata rule management tool, suricata-update. If the installation is successful, you should see the output below;
... install -d "/etc/suricata/" install -d "/var/log/suricata/files" install -d "/var/log/suricata/certs" install -d "/var/run/" install -m 770 -d "/var/run/suricata" install -d "/etc/suricata/rules" /usr/bin/wget -qO - https://rules.emergingthreats.net/open/suricata-3.0/emerging.rules.tar.gz | tar -x -z -C "/etc/suricata/" -f - You can now start suricata by running as root something like '/usr/bin/suricata -c /etc/suricata//suricata.yaml -i eth0'. If a library like libhtp.so is not found, you can run suricata with: 'LD_LIBRARY_PATH=/usr/lib /usr/bin/suricata -c /etc/suricata//suricata.yaml -i eth0'. While rules are installed now, it's highly recommended to use a rule manager for maintaining rules. The two most common are Oinkmaster and Pulledpork. For a guide see: https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Rule_Management_with_Oinkmaster
The configuration file is set under /etc/suricata/suricata.yaml while the rules are written to /etc/suricata/rules/.
Installing Suricata from PPA repository
Even though Suricata is available on the default Ubuntu 18.04 repositories, it may not be up-to-date. As a result, to ensure that you got the latest version installed, you need to add the following PPA repository.
sudo add-apt-repository ppa:oisf/suricata-stable sudo apt update
Once the PPA repo is set, install Suricata with the package manager.
apt-cache policy suricata
suricata:
Installed: 4.1.2-0ubuntu6
Candidate: 4.1.2-0ubuntu6
Version table:
*** 4.1.2-0ubuntu6 500
500 http://ppa.launchpad.net/oisf/suricata-stable/ubuntu bionic/main amd64 Packages
100 /var/lib/dpkg/status
3.2-2ubuntu3 500
500 http://ke.archive.ubuntu.com/ubuntu bionic/universe amd64 Packages
sudo apt install suricata
You can instead install Suricata with debugging enabled.
sudo apt install suricata-dbg
That is all with installation. At the end of installation, you will have Suricata rules under /etc/suricata/rules/ and the main configuration file under /etc/suricata/suricata.yaml.
To list the Suricata rules;
ls -C /etc/suricata/rules/ app-layer-events.rules emerging-attack_response.rules emerging-malware.rules emerging-telnet.rules LICENSE botcc.portgrouped.rules emerging-chat.rules emerging-misc.rules emerging-tftp.rules modbus-events.rules botcc.rules emerging-current_events.rules emerging-mobile_malware.rules emerging-trojan.rules nfs-events.rules BSD-License.txt emerging-deleted.rules emerging-netbios.rules emerging-user_agents.rules ntp-events.rules ciarmy.rules emerging-dns.rules emerging-p2p.rules emerging-voip.rules sid-msg.map classification.config emerging-dos.rules emerging-policy.rules emerging-web_client.rules smb-events.rules compromised-ips.txt emerging-exploit.rules emerging-pop3.rules emerging-web_server.rules smtp-events.rules compromised.rules emerging-ftp.rules emerging-rpc.rules emerging-web_specific_apps.rules stream-events.rules decoder-events.rules emerging-games.rules emerging-scada.rules emerging-worm.rules suricata-4.0-enhanced-open.txt dnp3-events.rules emerging-icmp_info.rules emerging-scan.rules files.rules tls-events.rules dns-events.rules emerging-icmp.rules emerging-shellcode.rules gpl-2.0.txt tor.rules drop.rules emerging-imap.rules emerging-smtp.rules http-events.rules dshield.rules emerging-inappropriate.rules emerging-snmp.rules ipsec-events.rules emerging-activex.rules emerging-info.rules emerging-sql.rules kerberos-events.rules
Configure Suricata on Ubuntu 18.04
The main configuration file for Suricata is /etc/suricata/suricata.yaml. The file itself is commented well enough to provide a clear understanding of what every setting is for.
To begin with, you need to configure Suricata to differentiate between your internal network to be proctected and external network. This can be done by defining the correct values for the HOME_NET and EXTERNAL_NET variables respectively under the address groups.
vim /etc/suricata/suricata.yaml
HOME_NET: "[192.168.43.220]"
...
EXTERNAL_NET: "!$HOME_NET"
...
In my case, am using the IP address, 192.168.43.220, as my home network. The external networks are set to any that doesnt match the home networks.
For the purposes of learning, we are going to demonstrate how to alert on a possible SYN flood. As a result we are going to create our own test rule as shown below;
vim /etc/suricata/rules/test-ddos.rules
alert tcp any any -> $HOME_NET 80 (msg: "Possible DDoS attack"; flags: S; flow: stateless; threshold: type both, track by_dst, count 200, seconds 1; sid:1000001; rev:1;)
The rule basically fires when there are 100 attempted connections to the local network in 10 seconds.
Next, you need to configure Suricata to include this rule. Hence, edit the Suricata configuration file and add the rules file under the rule-files: section.
vim /etc/suricata/suricata.yaml
rule-files: - botcc.rules - ciarmy.rules ... # - Custom Test rules - test-ddos.rules
You are now ready to perform the tests However, before you can proceed, you need to disable packet offload features on the network interface on which Suricata is listen.
ethtool -K enp0s3 gro off lro off
If you get the Cannot change large-receive-offload, it means that your interface doesn’t support this feature and it is safe to ignore it. However, you can verify this by running the command below;
ethtool -k enp0s3 | grep large large-receive-offload: off [fixed]
Next, fire Suricata in PCAP live mode by executing the command below.
suricata -D -c /etc/suricata/suricata.yaml -i enp0s3
By the way, there are various modes in which Suricata can run. You can list them by running the command below;
suricata --list-runmodesWhile Suricata is running, run the command below from different server and tail the Suricata logs on Suricata host to see what is happening;
hping3 -S -p 80 --flood --rand-source 192.168.43.220
tail -f /var/log/suricata/fast.log
02/05/2019-21:05:20.572970 [**] [1:1000001:1] Possible DDoS attack [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.43.149:49876 -> 192.168.43.220:80
02/05/2019-21:05:21.084437 [**] [1:1000001:1] Possible DDoS attack [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.43.149:51622 -> 192.168.43.220:80
02/05/2019-21:05:22.106880 [**] [1:1000001:1] Possible DDoS attack [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.43.149:54296 -> 192.168.43.220:8
If your rule is set correctly, you should be able to get the above output.
That is all about how to Install and Setup Suricata on Ubuntu 18.04. Feel free to read more about Suricata on their documentation page.