Install and Setup Suricata on Ubuntu 22.04/Ubuntu 20.04


In this tutorial, you will learn how to install and set up Suricata on Ubuntu 22.04/Ubuntu 20.04. Suricata is an open-source network threat detection engine. Suricata uses rules and signatures to detect threats in network traffic. It also supports the Lua scripting language, which helps it detect even the most complex would-be threats in the network. Suricata is a product of the Open Information Security Foundation (OISF). It is capable of providing NIDS, IPS, NSM and offline pcap processing. It can be integrated with other tools such as BASE, Snorby, Sguil, SQueRT, ELK, SIEM solutions etc.

To see a complete list of features supported by Suricata, you can check the Suricata features page.

Install and Setup Suricata on Ubuntu 22.04/Ubuntu 20.04

There are two ways in which you can install and set up Suricata on Ubuntu 22.04/Ubuntu 20.04: building it from source, or installing it from the package repositories (the default Ubuntu repositories or the OISF PPA).

In this guide, we are going to cover both methods of installing Suricata on Ubuntu 22.04/Ubuntu 20.04.

Confirm the available versions using the command;

apt-cache policy suricata

Install Suricata from Source On Ubuntu 22.04/Ubuntu 20.04

Installing Suricata from source on Ubuntu 22.04/Ubuntu 20.04 is the surest way to get the latest stable version of Suricata up and running.

To install Suricata from source, first install all the required build dependencies.

sudo apt -y install libpcre3 libpcre3-dbg libpcre3-dev \
build-essential autoconf automake libtool libpcap-dev \
libnet1-dev libyaml-0-2 libyaml-dev zlib1g zlib1g-dev \
libcap-ng-dev libcap-ng0 make libmagic-dev \
libjansson-dev libjansson4 pkg-config libnspr4-dev \
libnss3-dev liblz4-dev rustc cargo python3-pip python3-distutils

Suricata functions as an IDS out of the box. If you also need the IPS functionality, install the following NFQueue libraries.

sudo apt -y install libnetfilter-queue-dev libnetfilter-queue1 libnfnetlink-dev libnfnetlink0

Next, download the latest stable Suricata tarball. You can simply download it as shown below;

wget https://www.openinfosecfoundation.org/download/suricata-6.0.5.tar.gz

Once the download is complete, extract the tarball.

tar xzf suricata-6.0.5.tar.gz

Navigate to the extracted Suricata directory and configure the engine for compilation. The --enable-nfqueue option ensures that Suricata is built with IPS capabilities.

cd suricata-6.0.5
./configure --enable-nfqueue --prefix=/usr --sysconfdir=/etc --localstatedir=/var

Summary of the Suricata configuration;

Suricata Configuration:
  AF_PACKET support:                       yes
  eBPF support:                            no
  XDP support:                             no
  PF_RING support:                         no
  NFQueue support:                         no
  NFLOG support:                           no
  IPFW support:                            no
  Netmap support:                          no 
  DAG enabled:                             no
  Napatech enabled:                        no
  WinDivert enabled:                       no

  Unix socket enabled:                     yes
  Detection enabled:                       yes

  Libmagic support:                        yes
  libnss support:                          yes
  libnspr support:                         yes
  libjansson support:                      yes
  hiredis support:                         no
  hiredis async with libevent:             no
  Prelude support:                         no
  PCRE jit:                                yes
  LUA support:                             no
  libluajit:                               no
  GeoIP2 support:                          no
  Non-bundled htp:                         no
  Hyperscan support:                       no
  Libnet support:                          yes
  liblz4 support:                          yes
  HTTP2 decompression:                     no

  Rust support:                            yes
  Rust strict mode:                        no
  Rust compiler path:                      /usr/bin/rustc
  Rust compiler version:                   rustc 1.57.0
  Cargo path:                              /usr/bin/cargo
  Cargo version:                           cargo 1.57.0
  Cargo vendor:                            yes

  Python support:                          yes
  Python path:                             /usr/bin/python3
  Python distutils                         yes
  Python yaml                              yes
  Install suricatactl:                     yes
  Install suricatasc:                      yes
  Install suricata-update:                 yes

  Profiling enabled:                       no
  Profiling locks enabled:                 no

  Plugin support (experimental):           yes

Development settings:
  Coccinelle / spatch:                     no
  Unit tests enabled:                      no
  Debug output enabled:                    no
  Debug validation enabled:                no

Generic build parameters:
  Installation prefix:                     /usr
  Configuration directory:                 /etc/suricata/
  Log directory:                           /var/log/suricata/

  --prefix                                 /usr
  --sysconfdir                             /etc
  --localstatedir                          /var
  --datarootdir                            /usr/share

  Host:                                    x86_64-pc-linux-gnu
  Compiler:                                gcc (exec name) / g++ (real)
  GCC Protect enabled:                     no
  GCC march native enabled:                yes
  GCC Profile enabled:                     no
  Position Independent Executable enabled: no
  CFLAGS                                   -g -O2 -std=c11 -march=native -I${srcdir}/../rust/gen -I${srcdir}/../rust/dist
  PCAP_CFLAGS                               -I/usr/include
  SECCFLAGS                                

To build and install run 'make' and 'make install'.

You can run 'make install-conf' if you want to install initial configuration
files to /etc/suricata/. Running 'make install-full' will install configuration
and rules and provide you a ready-to-run suricata.

To install Suricata into /usr/bin/suricata, have the config in
/etc/suricata and use /var/log/suricata as log dir, use:
./configure --prefix=/usr/ --sysconfdir=/etc/ --localstatedir=/var/

Compile and install the Suricata engine

make
make install-full

The make install-full command installs both the initial Suricata configuration file and the Suricata rules, fetching the rules with the rule management tool, suricata-update.

If the installation is successful, you should see the output below;

copying /root/suricata-6.0.5/suricata-update/scripts-3.10/suricata-update -> /usr/bin
changing mode of /usr/bin/suricata-update to 755
running install_egg_info
Writing /usr/lib/python3.10/site-packages/suricata_update-1.2.4-py3.10.egg-info
make[3]: Nothing to be done for 'install-data-am'.
make[3]: Leaving directory '/root/suricata-6.0.5/suricata-update'
make[2]: Leaving directory '/root/suricata-6.0.5/suricata-update'
make[2]: Entering directory '/root/suricata-6.0.5'
make[3]: Entering directory '/root/suricata-6.0.5'
make[3]: Nothing to be done for 'install-exec-am'.
Run 'make install-conf' if you want to install initial configuration files. Or 'make install-full' to install configuration and rules
make[3]: Leaving directory '/root/suricata-6.0.5'
make[2]: Leaving directory '/root/suricata-6.0.5'
make[1]: Leaving directory '/root/suricata-6.0.5'
make install-conf
make[1]: Entering directory '/root/suricata-6.0.5'
install -d "/etc/suricata/"
install -d "/var/log/suricata/files"
install -d "/var/log/suricata/certs"
install -d "/var/run/"
install -m 770 -d "/var/run/suricata"
make[1]: Leaving directory '/root/suricata-6.0.5'
make install-rules
make[1]: Entering directory '/root/suricata-6.0.5'
LD_LIBRARY_PATH=/usr/lib /usr/bin/suricata-update \
	--suricata /usr/bin/suricata \
	--suricata-conf /etc/suricata/suricata.yaml \
	--no-test --no-reload
28/4/2022 -- 22:22:36 -  -- Using data-directory /var/lib/suricata.
28/4/2022 -- 22:22:36 -  -- Using /usr/share/suricata/rules for Suricata provided rules.
28/4/2022 -- 22:22:36 -  -- Found Suricata version 6.0.5 at /usr/bin/suricata.
28/4/2022 -- 22:22:36 -  -- Loading /etc/suricata/suricata.yaml
28/4/2022 -- 22:22:36 -  -- Disabling rules for protocol http2
28/4/2022 -- 22:22:36 -  -- Disabling rules for protocol modbus
28/4/2022 -- 22:22:36 -  -- Disabling rules for protocol dnp3
28/4/2022 -- 22:22:36 -  -- Disabling rules for protocol enip
28/4/2022 -- 22:22:36 -  -- No sources configured, will use Emerging Threats Open
28/4/2022 -- 22:22:36 -  -- Fetching https://rules.emergingthreats.net/open/suricata-6.0.5/emerging.rules.tar.gz.
 100% - 3274660/3274660               
28/4/2022 -- 22:22:42 -  -- Done.
28/4/2022 -- 22:22:42 -  -- Loading distribution rule file /usr/share/suricata/rules/app-layer-events.rules
28/4/2022 -- 22:22:42 -  -- Loading distribution rule file /usr/share/suricata/rules/decoder-events.rules
28/4/2022 -- 22:22:42 -  -- Loading distribution rule file /usr/share/suricata/rules/dhcp-events.rules
28/4/2022 -- 22:22:42 -  -- Loading distribution rule file /usr/share/suricata/rules/dnp3-events.rules
28/4/2022 -- 22:22:42 -  -- Loading distribution rule file /usr/share/suricata/rules/dns-events.rules
28/4/2022 -- 22:22:42 -  -- Loading distribution rule file /usr/share/suricata/rules/files.rules
28/4/2022 -- 22:22:42 -  -- Loading distribution rule file /usr/share/suricata/rules/http-events.rules
28/4/2022 -- 22:22:42 -  -- Loading distribution rule file /usr/share/suricata/rules/ipsec-events.rules
28/4/2022 -- 22:22:42 -  -- Loading distribution rule file /usr/share/suricata/rules/kerberos-events.rules
28/4/2022 -- 22:22:42 -  -- Loading distribution rule file /usr/share/suricata/rules/modbus-events.rules
28/4/2022 -- 22:22:42 -  -- Loading distribution rule file /usr/share/suricata/rules/nfs-events.rules
28/4/2022 -- 22:22:42 -  -- Loading distribution rule file /usr/share/suricata/rules/ntp-events.rules
28/4/2022 -- 22:22:42 -  -- Loading distribution rule file /usr/share/suricata/rules/smb-events.rules
28/4/2022 -- 22:22:42 -  -- Loading distribution rule file /usr/share/suricata/rules/smtp-events.rules
28/4/2022 -- 22:22:42 -  -- Loading distribution rule file /usr/share/suricata/rules/stream-events.rules
28/4/2022 -- 22:22:42 -  -- Loading distribution rule file /usr/share/suricata/rules/tls-events.rules
28/4/2022 -- 22:22:43 -  -- Ignoring file rules/emerging-deleted.rules
28/4/2022 -- 22:22:44 -  -- Loaded 33238 rules.
28/4/2022 -- 22:22:44 -  -- Disabled 14 rules.
28/4/2022 -- 22:22:44 -  -- Enabled 0 rules.
28/4/2022 -- 22:22:44 -  -- Modified 0 rules.
28/4/2022 -- 22:22:44 -  -- Dropped 0 rules.
28/4/2022 -- 22:22:44 -  -- Enabled 131 rules for flowbit dependencies.
28/4/2022 -- 22:22:44 -  -- Creating directory /var/lib/suricata/rules.
28/4/2022 -- 22:22:44 -  -- Backing up current rules.
28/4/2022 -- 22:22:44 -  -- Writing rules to /var/lib/suricata/rules/suricata.rules: total: 33238; enabled: 25835; added: 33238; removed 0; modified: 0
28/4/2022 -- 22:22:45 -  -- Writing /var/lib/suricata/rules/classification.config
28/4/2022 -- 22:22:45 -  -- Skipping test, disabled by configuration.
28/4/2022 -- 22:22:45 -  -- Done.

You can now start suricata by running as root something like:
  /usr/bin/suricata -c /etc/suricata/suricata.yaml -i eth0

If a library like libhtp.so is not found, you can run suricata with:
  LD_LIBRARY_PATH=/usr/lib /usr/bin/suricata -c /etc/suricata/suricata.yaml -i eth0

The Emerging Threats Open rules are now installed. Rules can be
updated and managed with the suricata-update tool.

For more information please see:
  https://suricata.readthedocs.io/en/latest/rule-management/index.html

make[1]: Leaving directory '/root/suricata-6.0.5'

The configuration file is installed at /etc/suricata/suricata.yaml, the default rules are written to /etc/suricata/rules/, and the ET Open rules are written to /var/lib/suricata/rules/suricata.rules.

Install Suricata on Ubuntu 22.04/Ubuntu 20.04 from PPA repository

Even though Suricata is available in the default Ubuntu 22.04/Ubuntu 20.04 repositories, the packaged version may not be up-to-date.

However, the OISF PPA repos do not work on Ubuntu 22.04 as of this writing.

Thus, the PPA installation below is applicable to Ubuntu 20.04 only.

On Ubuntu 20.04, to ensure that you get the latest version installed, add the following PPA repository.

sudo add-apt-repository ppa:oisf/suricata-stable --yes
sudo apt update

Once the PPA repo is set, confirm the candidate version that the package manager will install;

apt-cache policy suricata
suricata:
  Installed: (none)
  Candidate: 6.0.5-0ubuntu2
  Version table:
     6.0.5-0ubuntu2 500
        500 http://ppa.launchpad.net/oisf/suricata-stable/ubuntu bionic/main amd64 Packages
     3.2-2ubuntu3 500
        500 http://us.archive.ubuntu.com/ubuntu bionic/universe amd64 Packages

As you can see, we have the latest release version of Suricata.

You can then do the installation by executing the command;

sudo apt install suricata jq

jq lets you read the Suricata eve.json logs conveniently.

You can instead install Suricata with debugging enabled.

sudo apt install suricata-dbg jq

To install Suricata on Ubuntu 22.04 from the default repos, simply run;

sudo apt install suricata jq

That is all with installation.

You can check which configuration options Suricata was built with;

sudo suricata --build-info

The command also shows the version of the installed Suricata.

Sample output;

This is Suricata version 6.0.5 RELEASE
Features: NFQ PCAP_SET_BUFF AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK PCRE_JIT HAVE_NSS HAVE_LUA HAVE_LUAJIT HAVE_LIBJANSSON TLS TLS_C11 MAGIC RUST 
SIMD support: none
Atomic intrinsics: 1 2 4 8 byte(s)
64-bits, Little-endian architecture
GCC version 7.5.0, C version 201112
compiled with _FORTIFY_SOURCE=2
L1 cache line size (CLS)=64
thread local storage method: _Thread_local
compiled with LibHTP v0.5.40, linked against LibHTP v0.5.40

Suricata Configuration:
  AF_PACKET support:                       yes
  eBPF support:                            no
  XDP support:                             no
  PF_RING support:                         no
  NFQueue support:                         yes
  NFLOG support:                           no
  IPFW support:                            no
  Netmap support:                          no 
  DAG enabled:                             no
  Napatech enabled:                        no
  WinDivert enabled:                       no

  Unix socket enabled:                     yes
  Detection enabled:                       yes

  Libmagic support:                        yes
  libnss support:                          yes
  libnspr support:                         yes
  libjansson support:                      yes
  hiredis support:                         yes
  hiredis async with libevent:             yes
  Prelude support:                         no
  PCRE jit:                                yes
  LUA support:                             yes, through luajit
  libluajit:                               yes
  GeoIP2 support:                          yes
  Non-bundled htp:                         yes
  Hyperscan support:                       yes
  Libnet support:                          yes
  liblz4 support:                          yes
  HTTP2 decompression:                     no

  Rust support:                            yes
  Rust strict mode:                        no
  Rust compiler path:                      /usr/bin/rustc
  Rust compiler version:                   rustc 1.57.0
  Cargo path:                              /usr/bin/cargo
  Cargo version:                           cargo 1.57.0
  Cargo vendor:                            yes

  Python support:                          yes
  Python path:                             /usr/bin/python3
  Python distutils                         yes
  Python yaml                              yes
  Install suricatactl:                     yes
  Install suricatasc:                      yes
  Install suricata-update:                 yes

  Profiling enabled:                       no
  Profiling locks enabled:                 no

  Plugin support (experimental):           yes

Development settings:
  Coccinelle / spatch:                     no
  Unit tests enabled:                      no
  Debug output enabled:                    no
  Debug validation enabled:                no

Generic build parameters:
  Installation prefix:                     /usr
  Configuration directory:                 /etc/suricata/
  Log directory:                           /var/log/suricata/

  --prefix                                 /usr
  --sysconfdir                             /etc
  --localstatedir                          /var
  --datarootdir                            /usr/share

  Host:                                    x86_64-pc-linux-gnu
  Compiler:                                gcc (exec name) / g++ (real)
  GCC Protect enabled:                     yes
  GCC march native enabled:                no
  GCC Profile enabled:                     no
  Position Independent Executable enabled: yes
  CFLAGS                                   -g -O2 -fdebug-prefix-map=/build/suricata-QUjETh/suricata-6.0.5=. -fstack-protector-strong -Wformat -Werror=format-security -std=c11 -I${srcdir}/../rust/gen -I${srcdir}/../rust/dist
  PCAP_CFLAGS                               -I/usr/include
  SECCFLAGS                                -fstack-protector -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security

Configure Suricata on Ubuntu 22.04/Ubuntu 20.04

At the end of installation, you will have Suricata rules under /etc/suricata/rules/ and the main configuration file under /etc/suricata/suricata.yaml.

The default Suricata configuration file is commented well enough to give a clear understanding of what every setting is for.

To begin with, you need to configure Suricata to differentiate between the internal network to be protected and the external network. This is done by setting the correct values for the HOME_NET and EXTERNAL_NET variables, respectively, under the address groups.

vim /etc/suricata/suricata.yaml
    HOME_NET: "[10.0.2.0/24]"
...
    EXTERNAL_NET: "!$HOME_NET"
...

In my case, I am using the 10.0.2.0/24 network as my home network. The external network is set to anything that does not match the home network.

You can define multiple networks.

Also, define the interface that Suricata will use to inspect traffic. By default, Suricata uses the eth0 interface.

So, list your interfaces using the ip command and determine which one Suricata should use.

ip a

Sample output;

1: lo:  mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: enp0s3:  mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 08:00:27:87:10:f0 brd ff:ff:ff:ff:ff:ff
    inet 10.0.2.15/24 brd 10.0.2.255 scope global dynamic enp0s3
       valid_lft 84377sec preferred_lft 84377sec
    inet6 fe80::a00:27ff:fe87:10f0/64 scope link 
       valid_lft forever preferred_lft forever
3: enp0s8:  mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 08:00:27:7e:14:7d brd ff:ff:ff:ff:ff:ff
    inet 192.168.57.10/24 brd 192.168.57.255 scope global enp0s8
       valid_lft forever preferred_lft forever
    inet6 fe80::a00:27ff:fe7e:147d/64 scope link 
       valid_lft forever preferred_lft forever

In my case, I will use the interface enp0s3. You can also see that the HOME_NET defined above is on that interface.

The interface can be set by updating the value of interface under the af-packet section;

af-packet:
  - interface: enp0s3
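Two checks worth automating at this point are whether a given address really falls inside HOME_NET (and therefore outside "!$HOME_NET") and whether the address of the af-packet interface you just chose does. The following is an added example, not code from the tutorial or from the Suricata project: a small evaluator for the address-group syntax ("[10.0.2.0/24]", "!$HOME_NET", "any", nested groups) with a sanity check for the monitored interface. It uses only the standard library; SAMPLE_YAML is a constructed excerpt and all function names are this example's own.

```python
"""Evaluate Suricata address-group variables for the monitored interface.

Added example, not part of the original tutorial. Implements the
address-group syntax used by HOME_NET/EXTERNAL_NET and checks that the
address of the interface Suricata listens on is inside HOME_NET.
"""
import ipaddress
import re

# Constructed excerpt mirroring the tutorial's vars.address-groups settings.
SAMPLE_YAML = """
vars:
  address-groups:
    HOME_NET: "[10.0.2.0/24]"
    EXTERNAL_NET: "!$HOME_NET"
    HTTP_SERVERS: "$HOME_NET"
"""

# Matches indented 'NAME: "value"' lines; a minimal reader, not a YAML parser.
VAR_LINE = re.compile(r'^\s+([A-Z][A-Z0-9_]*):\s*"?([^"\n#]+?)"?\s*(?:#.*)?$', re.M)


def load_address_groups(yaml_text):
    """Return {variable name: raw group text} from a suricata.yaml excerpt."""
    return {m.group(1): m.group(2).strip() for m in VAR_LINE.finditer(yaml_text)}


def _split_top_level(text):
    """Split on commas that are not inside a nested [...] group."""
    parts, depth, cur = [], 0, []
    for ch in text:
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
        if ch == "," and depth == 0:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return [p.strip() for p in parts if p.strip()]


def _strip_outer_brackets(text):
    """Drop one enclosing [...] pair, but only if the two brackets pair up."""
    text = text.strip()
    if not (text.startswith("[") and text.endswith("]")):
        return text
    depth = 0
    for i, ch in enumerate(text):
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
        if depth == 0 and i < len(text) - 1:
            return text  # e.g. "[a],[b]": the outer brackets are not a pair
    return text[1:-1]


def parse_group(text):
    """Parse a group into [(negated, item)]; item is a nested list or an
    atom: a CIDR/IP string, 'any', or a '$VARIABLE' reference."""
    items = []
    for part in _split_top_level(_strip_outer_brackets(text)):
        negated = part.startswith("!")
        if negated:
            part = part[1:].strip()
        items.append((negated, parse_group(part) if part.startswith("[") else part))
    return items


def _atom_matches(atom, ip, groups):
    if atom == "any":
        return True
    if atom.startswith("$"):
        if atom[1:] not in groups:
            raise KeyError("undefined address-group variable " + atom)
        return _items_match(parse_group(groups[atom[1:]]), ip, groups)
    return ip in ipaddress.ip_network(atom, strict=False)  # False across IP versions


def _items_match(items, ip, groups):
    """Suricata semantics: the IP must hit a positive entry (or anything, when
    the group has only negated entries) and must hit no negated entry."""
    def hit(item):
        if isinstance(item, list):
            return _items_match(item, ip, groups)
        return _atom_matches(item, ip, groups)
    positives = [item for neg, item in items if not neg]
    negatives = [item for neg, item in items if neg]
    return (not positives or any(hit(i) for i in positives)) and not any(hit(i) for i in negatives)


def address_in_group(group_text, ip_text, groups):
    """True if ip_text matches the group text, resolving $VARIABLES via groups."""
    return _items_match(parse_group(group_text), ipaddress.ip_address(ip_text), groups)


def check_monitored_address(groups, interface_ip):
    """Findings about the IP of the af-packet interface Suricata listens on."""
    findings = []
    home = groups.get("HOME_NET", "")
    if home.strip('"[] ') == "any":
        findings.append("HOME_NET is 'any': EXTERNAL_NET '!$HOME_NET' then excludes everything, "
                        "so rules written for $EXTERNAL_NET traffic cannot match")
    if not address_in_group("$HOME_NET", interface_ip, groups):
        findings.append("%s is not inside HOME_NET %s; inbound rules keyed on $HOME_NET "
                        "will not fire for it" % (interface_ip, home))
    if address_in_group("$EXTERNAL_NET", interface_ip, groups):
        findings.append("%s is classified as EXTERNAL_NET" % interface_ip)
    return findings


if __name__ == "__main__":
    groups = load_address_groups(SAMPLE_YAML)  # or open("/etc/suricata/suricata.yaml").read()
    for ip in ("10.0.2.15", "192.168.57.10"):  # the two addresses from the `ip a` output above
        print(ip, check_monitored_address(groups, ip) or "OK: inside HOME_NET")
```

Point the loader at the real /etc/suricata/suricata.yaml to check your own settings; 192.168.57.10 (the enp0s8 address above) is reported as outside HOME_NET, which is correct for this tutorial's choice of enp0s3.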

Next, install Suricata Emerging Threat rules.

By default, the Suricata rules are placed under /etc/suricata/rules/ directory.

To list the default Suricata rules;

ls -1 /etc/suricata/rules/
app-layer-events.rules
decoder-events.rules
dhcp-events.rules
dnp3-events.rules
dns-events.rules
files.rules
http2-events.rules
http-events.rules
ipsec-events.rules
kerberos-events.rules
modbus-events.rules
mqtt-events.rules
nfs-events.rules
ntp-events.rules
smb-events.rules
smtp-events.rules
stream-events.rules
tls-events.rules

With the default rules alone, only limited detection is possible. The Emerging Threats rules are the most comprehensive rule set optimized for the Suricata open source IDS/IPS engine.

The default rules will also be loaded by the suricata-update tool.

To install Suricata ET rules, use the suricata-update command as shown below;

NOTE that the ET Open rules are installed automatically when you build Suricata from source and install using the make install-full command.

sudo suricata-update

Sample output;

28/4/2022 -- 18:51:21 -  -- Using data-directory /var/lib/suricata.
28/4/2022 -- 18:51:21 -  -- Using Suricata configuration /etc/suricata/suricata.yaml
28/4/2022 -- 18:51:21 -  -- Using /etc/suricata/rules for Suricata provided rules.
28/4/2022 -- 18:51:21 -  -- Found Suricata version 6.0.5 at /usr/bin/suricata.
28/4/2022 -- 18:51:21 -  -- Loading /etc/suricata/suricata.yaml
28/4/2022 -- 18:51:21 -  -- Disabling rules for protocol http2
28/4/2022 -- 18:51:21 -  -- Disabling rules for protocol modbus
28/4/2022 -- 18:51:21 -  -- Disabling rules for protocol dnp3
28/4/2022 -- 18:51:21 -  -- Disabling rules for protocol enip
28/4/2022 -- 18:51:21 -  -- No sources configured, will use Emerging Threats Open
28/4/2022 -- 18:51:21 -  -- Fetching https://rules.emergingthreats.net/open/suricata-6.0.5/emerging.rules.tar.gz.
 100% - 3274660/3274660               
28/4/2022 -- 18:51:27 -  -- Done.
28/4/2022 -- 18:51:28 -  -- Loading distribution rule file /etc/suricata/rules/app-layer-events.rules
28/4/2022 -- 18:51:28 -  -- Loading distribution rule file /etc/suricata/rules/decoder-events.rules
28/4/2022 -- 18:51:28 -  -- Loading distribution rule file /etc/suricata/rules/dhcp-events.rules
28/4/2022 -- 18:51:28 -  -- Loading distribution rule file /etc/suricata/rules/dnp3-events.rules
28/4/2022 -- 18:51:28 -  -- Loading distribution rule file /etc/suricata/rules/dns-events.rules
28/4/2022 -- 18:51:28 -  -- Loading distribution rule file /etc/suricata/rules/files.rules
28/4/2022 -- 18:51:28 -  -- Loading distribution rule file /etc/suricata/rules/http-events.rules
28/4/2022 -- 18:51:28 -  -- Loading distribution rule file /etc/suricata/rules/ipsec-events.rules
28/4/2022 -- 18:51:28 -  -- Loading distribution rule file /etc/suricata/rules/kerberos-events.rules
28/4/2022 -- 18:51:28 -  -- Loading distribution rule file /etc/suricata/rules/modbus-events.rules
28/4/2022 -- 18:51:28 -  -- Loading distribution rule file /etc/suricata/rules/nfs-events.rules
28/4/2022 -- 18:51:28 -  -- Loading distribution rule file /etc/suricata/rules/ntp-events.rules
28/4/2022 -- 18:51:28 -  -- Loading distribution rule file /etc/suricata/rules/smb-events.rules
28/4/2022 -- 18:51:28 -  -- Loading distribution rule file /etc/suricata/rules/smtp-events.rules
28/4/2022 -- 18:51:28 -  -- Loading distribution rule file /etc/suricata/rules/stream-events.rules
28/4/2022 -- 18:51:28 -  -- Loading distribution rule file /etc/suricata/rules/tls-events.rules
28/4/2022 -- 18:51:28 -  -- Ignoring file rules/emerging-deleted.rules
28/4/2022 -- 18:51:29 -  -- Loaded 33238 rules.
28/4/2022 -- 18:51:29 -  -- Disabled 14 rules.
28/4/2022 -- 18:51:29 -  -- Enabled 0 rules.
28/4/2022 -- 18:51:29 -  -- Modified 0 rules.
28/4/2022 -- 18:51:29 -  -- Dropped 0 rules.
28/4/2022 -- 18:51:30 -  -- Enabled 131 rules for flowbit dependencies.
28/4/2022 -- 18:51:30 -  -- Creating directory /var/lib/suricata/rules.
28/4/2022 -- 18:51:30 -  -- Backing up current rules.
28/4/2022 -- 18:51:30 -  -- Writing rules to /var/lib/suricata/rules/suricata.rules: total: 33238; enabled: 25835; added: 33238; removed 0; modified: 0
28/4/2022 -- 18:51:30 -  -- Writing /var/lib/suricata/rules/classification.config
28/4/2022 -- 18:51:30 -  -- Testing with suricata -T.
28/4/2022 -- 18:51:30 -  -- [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol sip enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
28/4/2022 -- 18:51:30 -  -- [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol mqtt enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
28/4/2022 -- 18:51:30 -  -- [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol rdp enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
28/4/2022 -- 18:52:08 -  -- Done.

The ET rules are written to /var/lib/suricata/rules/suricata.rules.

Note that Suricata is configured to load Suricata-Update managed rules by default.

vim /etc/suricata/suricata.yaml
...
default-rule-path: /var/lib/suricata/rules

rule-files:
  - suricata.rules
...

If you want the ET rules written under /etc/suricata/rules/ instead, specify the output directory with the suricata-update -o option.

sudo suricata-update -o /etc/suricata/rules/

Running Suricata on Ubuntu

You can now start Suricata and enable the service to run on system boot.

However, before you start Suricata, always run the configuration check;

sudo suricata -T -c /etc/suricata/suricata.yaml -v

In case of any error, fix it before you start Suricata.

If there is no error, then start Suricata;

sudo systemctl enable --now suricata

You can check the status;

sudo systemctl status suricata

Testing Suricata Rules

We will use the downloaded ET rules to test Suricata detection.

As a test, we are going to demonstrate how to alert on a possible SYN flood using hping3.

You can install the hping3 tool on a separate system or on the same system running Suricata;

sudo apt install hping3

Before you proceed, you need to disable packet offload features on the network interface on which Suricata is listening.

ethtool -K enp0s3 gro off lro off

If you get a "Cannot change large-receive-offload" error, it means that your interface does not support this feature and it is safe to ignore. You can verify this by running the command below;

ethtool -k enp0s3 | grep large
large-receive-offload: off [fixed]

Next, start Suricata in PCAP live mode by executing the command below.

By the way, there are various modes in which Suricata can run. You can list them by running the command below;

suricata --list-runmodes

So to run in live PCAP mode, run the commands below. Adjust the monitoring interface to match yours.

systemctl stop suricata
rm -rf /var/run/suricata.pid
suricata -D -c /etc/suricata/suricata.yaml -i enp0s3

You can omit the -D option to run in the foreground.

Perform a simple DDoS attack test against our Suricata host from a different host.

hping3 -S -p 80 --flood --rand-source 10.0.2.15 -I enp0s3 -c 50

While Suricata is running and the test against the Suricata host is in progress, tail the Suricata alert log on the Suricata host to see what is happening;

tail -f /var/log/suricata/fast.log

You should be able to get some sample alerts;

04/28/2022-20:53:23.163746  [**] [1:2400001:3237] ET DROP Spamhaus DROP Listed Traffic Inbound group 2 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 42.133.35.225:16743 -> 10.0.2.15:80
04/28/2022-20:53:23.167683  [**] [1:2400011:3237] ET DROP Spamhaus DROP Listed Traffic Inbound group 12 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 146.51.146.59:16820 -> 10.0.2.15:80
04/28/2022-20:53:23.192930  [**] [1:2400001:3237] ET DROP Spamhaus DROP Listed Traffic Inbound group 2 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 42.171.44.198:16969 -> 10.0.2.15:80
04/28/2022-20:53:23.205414  [**] [1:2400001:3237] ET DROP Spamhaus DROP Listed Traffic Inbound group 2 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 42.160.30.47:17115 -> 10.0.2.15:80
04/28/2022-20:53:23.235223  [**] [1:2400001:3237] ET DROP Spamhaus DROP Listed Traffic Inbound group 2 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 42.219.24.133:17293 -> 10.0.2.15:80
04/28/2022-20:53:23.294544  [**] [1:2400025:3237] ET DROP Spamhaus DROP Listed Traffic Inbound group 26 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 198.56.117.198:17846 -> 10.0.2.15:80
04/28/2022-20:53:23.297399  [**] [1:2400015:3237] ET DROP Spamhaus DROP Listed Traffic Inbound group 16 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 165.102.152.191:17899 -> 10.0.2.15:80
04/28/2022-20:53:23.555831  [**] [1:2400001:3237] ET DROP Spamhaus DROP Listed Traffic Inbound group 2 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 42.222.235.227:20024 -> 10.0.2.15:80
04/28/2022-20:53:23.580783  [**] [1:2400009:3237] ET DROP Spamhaus DROP Listed Traffic Inbound group 10 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 119.232.119.66:20190 -> 10.0.2.15:80
....
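Reading fast.log by eye stops scaling after the first screen, so what a defender wants next is the line format parsed and the burst summarized (alerts per signature, distinct sources, destinations, rate). The following is an added example, not code from the tutorial or the Suricata project: a parser for the fast.log format shown above with a small triage summary. The sample lines are the ones from the tutorial; the function and field names are this example's own.

```python
"""Parse and triage Suricata fast.log alerts.

Added example, not part of the original tutorial. Parses the one-line
fast.log format and summarizes a burst of alerts before deciding whether it
is one attacker, a flood, or noise.
"""
import re
from collections import Counter
from datetime import datetime

# The tutorial's own sample alerts, copied verbatim.
SAMPLE_FAST_LOG = """\
04/28/2022-20:53:23.163746  [**] [1:2400001:3237] ET DROP Spamhaus DROP Listed Traffic Inbound group 2 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 42.133.35.225:16743 -> 10.0.2.15:80
04/28/2022-20:53:23.167683  [**] [1:2400011:3237] ET DROP Spamhaus DROP Listed Traffic Inbound group 12 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 146.51.146.59:16820 -> 10.0.2.15:80
04/28/2022-20:53:23.192930  [**] [1:2400001:3237] ET DROP Spamhaus DROP Listed Traffic Inbound group 2 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 42.171.44.198:16969 -> 10.0.2.15:80
04/28/2022-20:53:23.205414  [**] [1:2400001:3237] ET DROP Spamhaus DROP Listed Traffic Inbound group 2 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 42.160.30.47:17115 -> 10.0.2.15:80
04/28/2022-20:53:23.235223  [**] [1:2400001:3237] ET DROP Spamhaus DROP Listed Traffic Inbound group 2 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 42.219.24.133:17293 -> 10.0.2.15:80
04/28/2022-20:53:23.294544  [**] [1:2400025:3237] ET DROP Spamhaus DROP Listed Traffic Inbound group 26 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 198.56.117.198:17846 -> 10.0.2.15:80
04/28/2022-20:53:23.297399  [**] [1:2400015:3237] ET DROP Spamhaus DROP Listed Traffic Inbound group 16 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 165.102.152.191:17899 -> 10.0.2.15:80
04/28/2022-20:53:23.555831  [**] [1:2400001:3237] ET DROP Spamhaus DROP Listed Traffic Inbound group 2 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 42.222.235.227:20024 -> 10.0.2.15:80
04/28/2022-20:53:23.580783  [**] [1:2400009:3237] ET DROP Spamhaus DROP Listed Traffic Inbound group 10 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 119.232.119.66:20190 -> 10.0.2.15:80
"""

# timestamp [**] [gid:sid:rev] msg [**] [Classification: x] [Priority: n] {PROTO} src:port -> dst:port
FAST_LINE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<classification>[^\]]+)\]\s+)?"
    r"\[Priority:\s+(?P<priority>\d+)\]\s+\{(?P<proto>[^}]+)\}\s+"
    r"(?P<src>\S+?)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>\S+?)(?::(?P<dport>\d+))?$"
)


def parse_fast_line(line):
    """Return a dict of alert fields, or None for lines that are not alerts."""
    m = FAST_LINE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "time": datetime.strptime(d["ts"], "%m/%d/%Y-%H:%M:%S.%f"),
        "gid": int(d["gid"]),
        "sid": int(d["sid"]),
        "rev": int(d["rev"]),
        "msg": d["msg"],
        "classification": d["classification"],  # None when the rule has no classtype
        "priority": int(d["priority"]),
        "proto": d["proto"],
        "src": d["src"],
        "src_port": int(d["sport"]) if d["sport"] else None,  # None for ICMP and similar
        "dst": d["dst"],
        "dst_port": int(d["dport"]) if d["dport"] else None,
    }


def parse_fast_log(text):
    """Parse every alert line in a fast.log excerpt, skipping anything else."""
    return [a for a in (parse_fast_line(line) for line in text.splitlines()) if a]


def summarize(alerts):
    """Counts per signature and destination, distinct sources, and the alert
    rate over the time span covered by the excerpt."""
    times = [a["time"] for a in alerts]
    span = (max(times) - min(times)).total_seconds() if times else 0.0
    return {
        "total": len(alerts),
        "by_signature": Counter((a["sid"], a["msg"]) for a in alerts),
        "by_destination": Counter((a["dst"], a["dst_port"]) for a in alerts),
        "distinct_sources": len({a["src"] for a in alerts}),
        "alerts_per_second": len(alerts) / span if span > 0 else float(len(alerts)),
    }


if __name__ == "__main__":
    summary = summarize(parse_fast_log(SAMPLE_FAST_LOG))  # or open("/var/log/suricata/fast.log").read()
    print("alerts: %d, distinct sources: %d, rate: %.1f/s" % (
        summary["total"], summary["distinct_sources"], summary["alerts_per_second"]))
    for (sid, msg), n in summary["by_signature"].most_common():
        print("%5d  sid %d  %s" % (n, sid, msg))
```

Grouping by signature also shows what actually fired here: the sample alerts are ET DROP Spamhaus reputation hits on the randomized source addresses, not a rate-based flood signature, which matters when you decide which rules to tune.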

You can also read the Suricata EVE JSON logs. See the examples below.

Analysing PCAP files using Suricata

It is also possible to analyze network traffic packet captures using Suricata.

To demonstrate how this can be done, we will download a sample malware-related PCAP file from Malware-Traffic-Analysis.NET and read it with Suricata against the default ET Open rules;

Be cautious about downloading malware-related PCAP files to your machine. The tests done here were performed in a controlled environment.

Unzip the PCAP file (password: infected);

unzip 2017-06-28-traffic-analysis-exercise.pcap.zip

Create a directory to write the Suricata PCAP logs to;

mkdir /var/log/suricata/pcap

Run Suricata against the PCAP file;

systemctl stop suricata
sudo suricata -c /etc/suricata/suricata.yaml -r 2017-06-28-traffic-analysis-exercise.pcap -l /var/log/suricata/pcap/

When completed, the logs should be under /var/log/suricata/pcap/;

ls -1 /var/log/suricata/pcap/
eve.json
fast.log
stats.log
suricata.log

Check the sample stats log;

cat /var/log/suricata/pcap/stats.log
------------------------------------------------------------------------------------
Date: 4/29/2022 -- 09:32:37 (uptime: 0d, 00h 00m 19s)
------------------------------------------------------------------------------------
Counter                                       | TM Name                   | Value
------------------------------------------------------------------------------------
decoder.pkts                                  | Total                     | 17239
decoder.bytes                                 | Total                     | 12113758
decoder.ipv4                                  | Total                     | 17239
decoder.ethernet                              | Total                     | 17239
decoder.tcp                                   | Total                     | 15023
decoder.udp                                   | Total                     | 2216
decoder.avg_pkt_size                          | Total                     | 702
decoder.max_pkt_size                          | Total                     | 11734
flow.tcp                                      | Total                     | 914
flow.udp                                      | Total                     | 732
flow.wrk.spare_sync_avg                       | Total                     | 100
flow.wrk.spare_sync                           | Total                     | 18
flow.wrk.flows_evicted_needs_work             | Total                     | 484
flow.wrk.flows_evicted_pkt_inject             | Total                     | 914
flow.wrk.flows_evicted                        | Total                     | 3
flow.wrk.flows_injected                       | Total                     | 484
tcp.sessions                                  | Total                     | 914
tcp.syn                                       | Total                     | 1257
tcp.synack                                    | Total                     | 708
tcp.rst                                       | Total                     | 177
tcp.stream_depth_reached                      | Total                     | 2
tcp.overlap                                   | Total                     | 49
detect.alert                                  | Total                     | 17
app_layer.flow.http                           | Total                     | 542
app_layer.tx.http                             | Total                     | 643
app_layer.flow.tls                            | Total                     | 3
app_layer.flow.dhcp                           | Total                     | 4
app_layer.tx.dhcp                             | Total                     | 4
app_layer.flow.failed_tcp                     | Total                     | 61
app_layer.flow.dns_udp                        | Total                     | 662
app_layer.tx.dns_udp                          | Total                     | 1401
app_layer.flow.failed_udp                     | Total                     | 66
flow.mgr.full_hash_pass                       | Total                     | 1
flow.spare                                    | Total                     | 9700
flow.mgr.rows_maxlen                          | Total                     | 1
flow.mgr.flows_checked                        | Total                     | 3
flow.mgr.flows_notimeout                      | Total                     | 3
tcp.memuse                                    | Total                     | 1818624
tcp.reassembly_memuse                         | Total                     | 294912
flow.memuse                                   | Total                     | 7394304
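The stats.log dump above is a fixed-width table that is appended on every stats interval, so a monitoring script needs to pick out the latest stanza and turn the rows into counters. The following parser is an added example (not code from the tutorial or from Suricata); the excerpt it parses is a constructed sample taken from the values shown above, and the derived indicators in health_checks() are illustrative, not Suricata defaults.

```python
"""Parse a Suricata stats.log dump into counters and derive a few indicators.

Added example, not part of the original tutorial. SAMPLE_STATS is a constructed
excerpt modelled on the stats.log output shown in the tutorial.
"""
import re
from typing import Dict, Tuple

# Constructed sample: a trimmed copy of one stats.log stanza.
SAMPLE_STATS = """\
------------------------------------------------------------------------------------
Date: 4/29/2022 -- 09:32:37 (uptime: 0d, 00h 00m 19s)
------------------------------------------------------------------------------------
Counter                                       | TM Name                   | Value
------------------------------------------------------------------------------------
decoder.pkts                                  | Total                     | 17239
decoder.bytes                                 | Total                     | 12113758
decoder.tcp                                   | Total                     | 15023
decoder.udp                                   | Total                     | 2216
tcp.sessions                                  | Total                     | 914
tcp.stream_depth_reached                      | Total                     | 2
detect.alert                                  | Total                     | 17
app_layer.flow.failed_tcp                     | Total                     | 61
app_layer.flow.failed_udp                     | Total                     | 66
flow.spare                                    | Total                     | 9700
tcp.memuse                                    | Total                     | 1818624
"""

# A data row is "counter | thread name | integer"; header, separator and
# "Date:" lines do not match and are skipped.
ROW_RE = re.compile(r"^(\S+)\s*\|\s*(\S+)\s*\|\s*(\d+)\s*$")


def last_stanza(text: str) -> str:
    """Return the text from the final 'Date:' line onward (the newest dump).

    stats.log is appended to on every interval, so parsing the whole file
    would otherwise overwrite each counter with the last value seen anyway;
    cutting at the last header makes that explicit.
    """
    idx = text.rfind("Date:")
    return text if idx == -1 else text[idx:]


def parse_stats(text: str) -> Dict[Tuple[str, str], int]:
    """Return {(counter, thread_name): value} for every data row in text."""
    counters: Dict[Tuple[str, str], int] = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            counters[(m.group(1), m.group(2))] = int(m.group(3))
    return counters


def health_checks(counters: Dict[Tuple[str, str], int]) -> Dict[str, float]:
    """Derive sanity indicators from the 'Total' counters.

    Which counters matter, and how to combine them, is an assumption for
    illustration: alert volume relative to packets, flows the app-layer
    parsers gave up on, and streams that hit the reassembly depth limit
    (traffic past that point is not inspected by stream rules).
    """
    pkts = counters.get(("decoder.pkts", "Total"), 0)
    alerts = counters.get(("detect.alert", "Total"), 0)
    failed = (counters.get(("app_layer.flow.failed_tcp", "Total"), 0)
              + counters.get(("app_layer.flow.failed_udp", "Total"), 0))
    depth = counters.get(("tcp.stream_depth_reached", "Total"), 0)
    return {
        "packets": pkts,
        "alerts": alerts,
        "alerts_per_1k_pkts": round(1000 * alerts / pkts, 2) if pkts else 0.0,
        "app_layer_failed_flows": failed,
        "stream_depth_reached": depth,
    }


if __name__ == "__main__":
    stats = parse_stats(last_stanza(SAMPLE_STATS))
    for name, value in health_checks(stats).items():
        print(f"{name:24} {value}")
```

Pointing the script at the real file is a matter of replacing SAMPLE_STATS with the contents of /var/log/suricata/pcap/stats.log; when per-thread stats are enabled the thread name column will carry worker names in addition to Total, which is why the key is a (counter, thread) pair.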

Suricata EVE JSON logs (one JSON object per line) can be read nicely using the jq command.

tail -f /var/log/suricata/pcap/eve.json | jq -c '.'
{"timestamp":"2017-06-27T16:38:32.234351+0300","flow_id":1969211924994338,"event_type":"flow","src_ip":"192.168.1.96","src_port":49671,"dest_ip":"192.168.1.1","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":72,"bytes_toclient":145,"start":"2017-06-27T16:44:38.776482+0300","end":"2017-06-27T16:44:38.810428+0300","age":0,"state":"established","reason":"shutdown","alerted":false}}
{"timestamp":"2017-06-27T16:38:32.234351+0300","flow_id":843743660604227,"event_type":"flow","src_ip":"192.168.1.96","src_port":49333,"dest_ip":"104.25.97.5","dest_port":25,"proto":"TCP","flow":{"pkts_toserver":3,"pkts_toclient":0,"bytes_toserver":194,"bytes_toclient":0,"start":"2017-06-27T16:44:11.981827+0300","end":"2017-06-27T16:44:20.993775+0300","age":9,"state":"new","reason":"shutdown","alerted":false},"tcp":{"tcp_flags":"02","tcp_flags_ts":"02","tcp_flags_tc":"00","syn":true,"state":"syn_sent"}}
{"timestamp":"2017-06-27T16:38:32.234351+0300","flow_id":1969768122005184,"event_type":"flow","src_ip":"192.168.1.96","src_port":49757,"dest_ip":"65.52.128.33","dest_port":25,"proto":"TCP","flow":{"pkts_toserver":3,"pkts_toclient":0,"bytes_toserver":194,"bytes_toclient":0,"start":"2017-06-27T16:44:19.898752+0300","end":"2017-06-27T16:44:28.918443+0300","age":9,"state":"new","reason":"shutdown","alerted":false},"tcp":{"tcp_flags":"02","tcp_flags_ts":"02","tcp_flags_tc":"00","syn":true,"state":"syn_sent"}}
{"timestamp":"2017-06-27T16:38:32.234351+0300","flow_id":1406916953807328,"event_type":"flow","src_ip":"192.168.1.96","src_port":51196,"dest_ip":"192.168.1.1","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":70,"bytes_toclient":70,"start":"2017-06-27T16:44:34.629216+0300","end":"2017-06-27T16:44:34.791316+0300","age":0,"state":"established","reason":"shutdown","alerted":false}}
{"timestamp":"2017-06-27T16:38:32.234351+0300","flow_id":984833338220399,"event_type":"flow","src_ip":"192.168.1.96","src_port":50135,"dest_ip":"85.25.207.48","dest_port":25,"proto":"TCP","flow":{"pkts_toserver":2,"pkts_toclient":1,"bytes_toserver":132,"bytes_toclient":54,"start":"2017-06-27T16:44:41.696175+0300","end":"2017-06-27T16:44:42.348224+0300","age":1,"state":"closed","reason":"shutdown","alerted":false},"tcp":{"tcp_flags":"16","tcp_flags_ts":"02","tcp_flags_tc":"14","syn":true,"rst":true,"ack":true,"state":"closed"}}
{"timestamp":"2017-06-27T16:38:32.234351+0300","flow_id":281214614185271,"event_type":"flow","src_ip":"192.168.1.96","src_port":51286,"dest_ip":"192.168.1.1","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":68,"bytes_toclient":84,"start":"2017-06-27T16:44:15.271671+0300","end":"2017-06-27T16:44:15.306178+0300","age":0,"state":"established","reason":"shutdown","alerted":false}}
{"timestamp":"2017-06-27T16:38:32.234351+0300","flow_id":1547864893767677,"event_type":"flow","src_ip":"192.168.1.96","src_port":54127,"dest_ip":"192.168.1.1","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":75,"bytes_toclient":91,"start":"2017-06-27T16:44:07.933885+0300","end":"2017-06-27T16:44:07.963764+0300","age":0,"state":"established","reason":"shutdown","alerted":false}}
{"timestamp":"2017-06-27T16:38:32.234351+0300","flow_id":1548103264785416,"event_type":"flow","src_ip":"192.168.1.96","src_port":60896,"dest_ip":"192.168.1.1","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":70,"bytes_toclient":102,"start":"2017-06-27T16:44:12.283656+0300","end":"2017-06-27T16:44:12.339124+0300","age":0,"state":"established","reason":"shutdown","alerted":false}}
{"timestamp":"2017-06-27T16:38:32.234351+0300","flow_id":703680482353737,"event_type":"flow","src_ip":"192.168.1.96","src_port":57898,"dest_ip":"224.0.0.252","dest_port":5355,"proto":"UDP","app_proto":"failed","flow":{"pkts_toserver":2,"pkts_toclient":0,"bytes_toserver":128,"bytes_toclient":0,"start":"2017-06-27T16:44:15.303689+0300","end":"2017-06-27T16:44:15.409326+0300","age":0,"state":"new","reason":"shutdown","alerted":false}}

Print HTTP-related events;

cat /var/log/suricata/pcap/eve.json | jq 'select(.event_type=="http")'

Sample output;

{
  "timestamp": "2017-06-27T16:43:51.060995+0300",
  "flow_id": 1208665555479627,
  "pcap_cnt": 303,
  "event_type": "http",
  "src_ip": "192.168.1.96",
  "src_port": 49189,
  "dest_ip": "119.28.70.207",
  "dest_port": 80,
  "proto": "TCP",
  "tx_id": 0,
  "http": {
    "hostname": "centler.at",
    "url": "/auth/ajax/847598782/?min=data",
    "http_user_agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko",
    "http_content_type": "text/html",
    "http_method": "POST",
    "protocol": "HTTP/1.1",
    "status": 302,
    "redirect": "/auth/index.php",
    "length": 41
  }
}
{
  "timestamp": "2017-06-27T16:43:51.784326+0300",
  "flow_id": 1208665555479627,
  "pcap_cnt": 307,
  "event_type": "http",
  "src_ip": "192.168.1.96",
  "src_port": 49189,
  "dest_ip": "119.28.70.207",
  "dest_port": 80,
  "proto": "TCP",
  "tx_id": 1,
  "http": {
    "hostname": "centler.at",
    "url": "/auth/min/828949448/",
    "http_user_agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko",
    "http_content_type": "text/html",
    "http_method": "POST",
    "protocol": "HTTP/1.1",
    "status": 302,
    "redirect": "/auth/index.php",
    "length": 153
  }
}
{
  "timestamp": "2017-06-27T16:38:36.765886+0300",
  "flow_id": 2030595573592962,
  "pcap_cnt": 210,
  "event_type": "http",
  "src_ip": "192.168.1.96",
  "src_port": 49184,
  "dest_ip": "119.28.70.207",
  "dest_port": 80,
  "proto": "TCP",
  "tx_id": 0,
  "metadata": {
    "flowints": {
      "tcp.retransmission.count": 4
    }
  },
  "http": {
    "hostname": "matied.com",
    "url": "/gerv.gun",
    "http_user_agent": "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)",
    "http_content_type": "application/octet-stream",
    "http_method": "GET",
    "protocol": "HTTP/1.1",
    "status": 200,
    "length": 241664
  }
}
{
  "timestamp": "2017-06-27T16:43:54.272260+0300",
  "flow_id": 1826666252504918,
  "pcap_cnt": 858,
  "event_type": "http",
  "src_ip": "192.168.1.96",
  "src_port": 49191,
  "dest_ip": "143.95.151.192",
  "dest_port": 80,
  "proto": "TCP",
  "tx_id": 0,
  "http": {
    "hostname": "vantagepointtechnologies.com",
    "url": "/wp.exe",
    "http_user_agent": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)",
    "http_content_type": "application/x-msdownload",
    "http_method": "GET",
    "protocol": "HTTP/1.1",
    "status": 200,
    "length": 307712
  }
}

Print TLS-related events;

cat /var/log/suricata/pcap/eve.json | jq 'select(.event_type=="tls")'
{
  "timestamp": "2017-06-27T16:43:49.292042+0300",
  "flow_id": 1396905382088718,
  "pcap_cnt": 230,
  "event_type": "tls",
  "src_ip": "192.168.1.96",
  "src_port": 49187,
  "dest_ip": "172.217.6.164",
  "dest_port": 443,
  "proto": "TCP",
  "tls": {
    "subject": "C=US, ST=California, L=Mountain View, O=Google Inc, CN=www.google.com",
    "issuerdn": "C=US, O=Google Inc, CN=Google Internet Authority G2",
    "serial": "68:2B:42:89:B2:FA:4F:14",
    "fingerprint": "f1:df:a7:7b:37:69:9c:46:ef:73:fb:79:0c:f8:44:3b:e5:fe:a1:91",
    "sni": "www.google.com",
    "version": "TLS 1.2",
    "notbefore": "2017-06-21T14:35:50",
    "notafter": "2017-09-13T13:53:00",
    "ja3": {
      "hash": "4d7a28d6f2263ed61de88ca66eb011e3",
      "string": "771,60-47-61-53-5-10-49191-49171-49172-49195-49187-49196-49188-49161-49162-64-50-106-56-19-4,65281-0-10-11-13,23-24,0"
    },
    "ja3s": {
      "hash": "042b018de1d862323f09d5767e4068d5",
      "string": "771,49171,65281-11"
    }
  }
}
{
  "timestamp": "2017-06-27T16:43:49.578377+0300",
  "flow_id": 978846150396712,
  "pcap_cnt": 276,
  "event_type": "tls",
  "src_ip": "192.168.1.96",
  "src_port": 49188,
  "dest_ip": "172.217.6.164",
  "dest_port": 443,
  "proto": "TCP",
  "tls": {
    "session_resumed": true,
    "sni": "www.google.com",
    "version": "TLS 1.2",
    "ja3": {
      "hash": "4d7a28d6f2263ed61de88ca66eb011e3",
      "string": "771,60-47-61-53-5-10-49191-49171-49172-49195-49187-49196-49188-49161-49162-64-50-106-56-19-4,65281-0-10-11-13,23-24,0"
    },
    "ja3s": {
      "hash": "042b018de1d862323f09d5767e4068d5",
      "string": "771,49171,65281-11"
    }
  }
}
{
  "timestamp": "2017-06-27T16:44:32.873234+0300",
  "flow_id": 1033531824280031,
  "pcap_cnt": 14770,
  "event_type": "tls",
  "src_ip": "192.168.1.96",
  "src_port": 49932,
  "dest_ip": "208.83.223.34",
  "dest_port": 80,
  "proto": "TCP",
  "tls": {
    "subject": "CN=www.6acbzspvq.net",
    "issuerdn": "CN=www.xfbploco2q.com",
    "serial": "2D:70:0A:B4:E1:06:3A:A3",
    "fingerprint": "18:e1:ae:ae:3d:ac:3f:47:5b:3c:d9:2d:c9:fe:4e:b4:03:19:2f:03",
    "sni": "www.kid67ap2i5b5d4ekvcg.com",
    "version": "TLSv1",
    "notbefore": "2017-02-17T00:00:00",
    "notafter": "2017-10-03T23:59:59",
    "ja3": {
      "hash": "c201b92f8b483fa388be174d6689f534",
      "string": "769,49162-49172-136-135-57-56-49167-49157-132-53-49159-49161-49169-49171-69-68-51-50-49164-49166-49154-49156-150-65-4-5-47-49160-49170-22-19-49165-49155-65279-10-255,0-11-10-13-15,23-25-28-27-24-26-22-14-13-11-12-9-10,0-1-2"
    },
    "ja3s": {
      "hash": "f893bd75dac422ca264dc8551c450278",
      "string": "769,49172,65281-11-15"
    }
  }
}

You can also extract fields using jq;

cat /var/log/suricata/pcap/eve.json | jq '"\(.timestamp),\(.event_type),\(.flow_id),\(.src_ip):\(.src_port),\(.dest_ip):\(.dest_port)"'
"2017-06-27T16:43:49.210173+0300,dns,616557069022461,192.168.1.96:52437,192.168.1.1:53"
"2017-06-27T16:43:49.230063+0300,dns,616557069022461,192.168.1.96:52437,192.168.1.1:53"
"2017-06-27T16:43:49.292042+0300,tls,1396905382088718,192.168.1.96:49187,172.217.6.164:443"
"2017-06-27T16:38:32.234351+0300,flow,1145860237051004,192.168.1.96:137,192.168.1.255:137"
"2017-06-27T16:43:49.578377+0300,tls,978846150396712,192.168.1.96:49188,172.217.6.164:443"
"2017-06-27T16:38:32.234351+0300,dns,741166934430575,192.168.1.96:58520,192.168.1.1:53"
"2017-06-27T16:38:32.435448+0300,dns,741166934430575,192.168.1.96:58520,192.168.1.1:53"
"2017-06-27T16:40:52.379419+0300,dhcp,14958840826395,192.168.1.1:67,192.168.1.96:68"
"2017-06-27T16:43:49.212127+0300,dhcp,14958852390047,192.168.1.1:67,192.168.1.96:68"
"2017-06-27T16:38:32.234351+0300,flow,14958840826395,192.168.1.1:67,192.168.1.96:68"
"2017-06-27T16:43:49.687811+0300,dns,1401481669738179,192.168.1.96:60539,192.168.1.1:53"
"2017-06-27T16:43:50.009831+0300,dns,1401481669738179,192.168.1.96:60539,192.168.1.1:53"
"2017-06-27T16:43:51.060995+0300,http,1208665555479627,192.168.1.96:49189,119.28.70.207:80"
"2017-06-27T16:43:51.060995+0300,fileinfo,1208665555479627,192.168.1.96:49189,119.28.70.207:80"
"2017-06-27T16:43:51.284182+0300,fileinfo,1208665555479627,119.28.70.207:80,192.168.1.96:49189"
"2017-06-27T16:43:51.784326+0300,http,1208665555479627,192.168.1.96:49189,119.28.70.207:80"
"2017-06-27T16:43:51.784326+0300,fileinfo,1208665555479627,192.168.1.96:49189,119.28.70.207:80"
"2017-06-27T16:43:51.801800+0300,dns,518773548727304,192.168.1.96:60140,192.168.1.1:53"
"2017-06-27T16:43:52.085008+0300,dns,518773548727304,192.168.1.96:60140,192.168.1.1:53"
"2017-06-27T16:43:54.003440+0300,dns,1643097202756976,192.168.1.96:60430,192.168.1.1:53"
"2017-06-27T16:43:54.101299+0300,dns,1643097202756976,192.168.1.96:60430,192.168.1.1:53"
"2017-06-27T16:38:34.751226+0300,fileinfo,2030595573592962,119.28.70.207:80,192.168.1.96:49184"
"2017-06-27T16:43:54.234623+0300,fileinfo,1826666252504918,143.95.151.192:80,192.168.1.96:49191"
"2017-06-27T16:43:59.543714+0300,fileinfo,1592057959177462,59.106.164.230:80,192.168.1.96:49192"
"2017-06-27T16:38:36.765886+0300,http,2030595573592962,192.168.1.96:49184,119.28.70.207:80"
"2017-06-27T16:38:32.234351+0300,flow,1008264517306702,192.168.1.96:68,255.255.255.255:67"
"2017-06-27T16:43:54.272260+0300,http,1826666252504918,192.168.1.96:49191,143.95.151.192:80"
"2017-06-27T16:44:01.280900+0300,dns,2212227614591300,192.168.1.96:53513,192.168.1.1:53"
"2017-06-27T16:44:01.281004+0300,dns,655426523842988,192.168.1.96:57867,192.168.1.1:53"
"2017-06-27T16:44:01.281104+0300,dns,120718127876624,192.168.1.96:49681,192.168.1.1:53"
"2017-06-27T16:44:01.281307+0300,dns,477653532494555,192.168.1.96:64654,192.168.1.1:53"
"2017-06-27T16:44:01.281806+0300,dns,349755848871118,192.168.1.96:52283,192.168.1.1:53"
"2017-06-27T16:44:01.282006+0300,dns,2098836183010710,192.168.1.96:57208,192.168.1.1:53"
"2017-06-27T16:44:01.282256+0300,dns,2182596635217552,192.168.1.96:62422,192.168.1.1:53"
"2017-06-27T16:44:01.282555+0300,dns,403960483631035,192.168.1.96:59591,192.168.1.1:53"
"2017-06-27T16:44:01.282568+0300,dns,1549767563890632,192.168.1.96:61234,192.168.1.1:53"
"2017-06-27T16:44:01.315494+0300,dns,120718127876624,192.168.1.96:49681,192.168.1.1:53"
"2017-06-27T16:44:01.316081+0300,dns,1549767563890632,192.168.1.96:61234,192.168.1.1:53"
"2017-06-27T16:44:01.316250+0300,dns,477653532494555,192.168.1.96:64654,192.168.1.1:53"
"2017-06-27T16:44:01.316362+0300,dns,2212227614591300,192.168.1.96:53513,192.168.1.1:53"
"2017-06-27T16:44:01.316573+0300,dns,655426523842988,192.168.1.96:57867,192.168.1.1:53"
"2017-06-27T16:44:01.316670+0300,dns,2098836183010710,192.168.1.96:57208,192.168.1.1:53"
"2017-06-27T16:44:01.316770+0300,dns,2182596635217552,192.168.1.96:62422,192.168.1.1:53"
"2017-06-27T16:44:01.358088+0300,dns,403960483631035,192.168.1.96:59591,192.168.1.1:53"
"2017-06-27T16:44:01.477310+0300,dns,349755848871118,192.168.1.96:52283,192.168.1.1:53"
"2017-06-27T16:44:01.484050+0300,http,1442410561397618,192.168.1.96:49198,64.125.133.18:80"
"2017-06-27T16:44:01.484050+0300,fileinfo,1442410561397618,192.168.1.96:49198,64.125.133.18:80"
"2017-06-27T16:44:01.559644+0300,fileinfo,1442410561397618,64.125.133.18:80,192.168.1.96:49198"
"2017-06-27T16:44:01.562102+0300,http,1442410561397618,192.168.1.96:49198,64.125.133.18:80"
"2017-06-27T16:44:01.562102+0300,fileinfo,1442410561397618,192.168.1.96:49198,64.125.133.18:80"
"2017-06-27T16:43:53.341648+0300,fileinfo,1303906455409010,145.131.10.21:80,192.168.1.96:49190"
"2017-06-27T16:43:53.967647+0300,http,1303906455409010,192.168.1.96:49190,145.131.10.21:80"
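The jq one-liners above (reading eve.json, selecting http and tls events, and flattening each event to a CSV row) are what an analyst types interactively; the same work in a small script is easier to reuse and can carry a first triage pass over the events. The following is an added example, not code from the tutorial or from the Suricata project. The EVE records it reads are constructed, built from the values shown in the tutorial's output (a truncated line is included on purpose, since a reader following a live eve.json can see one), and the triage rules in suspicious_http() and tls_on_nonstandard_port() are assumptions for illustration, not Suricata signatures.

```python
"""Read Suricata EVE JSON and run a first triage pass over it.

Added example, not part of the original tutorial or of Suricata. SAMPLE_EVE is
constructed from values in the tutorial's sample output; the triage rules are
illustrative assumptions.
"""
import json
from collections import Counter
from typing import Iterable, List, Tuple

# Constructed EVE records, one JSON object per line as Suricata writes them.
# The plain-text line in the middle stands in for a partially written record.
SAMPLE_EVE = r"""
{"timestamp":"2017-06-27T16:43:49.210173+0300","flow_id":616557069022461,"event_type":"dns","src_ip":"192.168.1.96","src_port":52437,"dest_ip":"192.168.1.1","dest_port":53,"proto":"UDP"}
{"timestamp":"2017-06-27T16:43:49.292042+0300","flow_id":1396905382088718,"event_type":"tls","src_ip":"192.168.1.96","src_port":49187,"dest_ip":"172.217.6.164","dest_port":443,"proto":"TCP","tls":{"sni":"www.google.com","version":"TLS 1.2","ja3":{"hash":"4d7a28d6f2263ed61de88ca66eb011e3"}}}
{"timestamp":"2017-06-27T16:43:54.272260+0300","flow_id":1826666252504918,"event_type":"http","src_ip":"192.168.1.96","src_port":49191,"dest_ip":"143.95.151.192","dest_port":80,"proto":"TCP","http":{"hostname":"vantagepointtechnologies.com","url":"/wp.exe","http_method":"GET","http_content_type":"application/x-msdownload","status":200,"length":307712}}
{"timestamp":"2017-06-27T16:44:32.873234+0300","flow_id":1033531824280031,"event_type":"tls","src_ip":"192.168.1.96","src_port":49932,"dest_ip":"208.83.223.34","dest_port":80,"proto":"TCP","tls":{"subject":"CN=www.6acbzspvq.net","issuerdn":"CN=www.xfbploco2q.com","sni":"www.kid67ap2i5b5d4ekvcg.com","version":"TLSv1","ja3":{"hash":"c201b92f8b483fa388be174d6689f534"}}}
{"timestamp":"2017-06-27T16:38:36.765886+0300","flow_id":2030595573592962,"event_type":"http","src_ip":"192.168.1.96","src_port":49184,"dest_ip":"119.28.70.207","dest_port":80,"proto":"TCP","http":{"hostname":"matied.com","url":"/gerv.gun","http_method":"GET","http_content_type":"application/octet-stream","status":200,"length":241664}}
not json: a truncated line such as tail -f can hand you mid-write
{"timestamp":"2017-06-27T16:43:51.060995+0300","flow_id":1208665555479627,"event_type":"http","src_ip":"192.168.1.96","src_port":49189,"dest_ip":"119.28.70.207","dest_port":80,"proto":"TCP","http":{"hostname":"centler.at","url":"/auth/ajax/847598782/?min=data","http_method":"POST","http_content_type":"text/html","status":302,"length":41}}
"""

# Content types treated as "executable delivered over HTTP". Both appear in the
# tutorial's output; octet-stream is generic, so expect false positives from it.
EXECUTABLE_TYPES = {"application/x-msdownload", "application/octet-stream"}


def read_eve(lines: Iterable[str]) -> List[dict]:
    """Parse EVE lines, skipping blank and malformed ones instead of aborting."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # partial or corrupt record; a real tool would log it
    return events


def select_type(events: List[dict], event_type: str) -> List[dict]:
    """Same as jq 'select(.event_type=="<type>")'."""
    return [e for e in events if e.get("event_type") == event_type]


def to_csv_row(e: dict) -> str:
    """Same fields, same order, as the tutorial's jq extraction expression."""
    g = lambda k: e.get(k, "")
    return (f"{g('timestamp')},{g('event_type')},{g('flow_id')},"
            f"{g('src_ip')}:{g('src_port')},{g('dest_ip')}:{g('dest_port')}")


def suspicious_http(events: List[dict]) -> List[Tuple[int, str, str, str, int]]:
    """HTTP transactions whose body looks like an executable: flag for review."""
    hits = []
    for e in select_type(events, "http"):
        h = e.get("http", {})
        ctype = (h.get("http_content_type") or "").lower()
        url = (h.get("url") or "").lower()
        if ctype in EXECUTABLE_TYPES or url.endswith(".exe"):
            hits.append((e["flow_id"], h.get("hostname", ""), h.get("url", ""),
                         ctype, h.get("length", 0)))
    return hits


def tls_on_nonstandard_port(events: List[dict]) -> List[Tuple[int, str, int, str]]:
    """TLS handshakes to a port other than 443: worth a look, not proof of anything."""
    return [(e["flow_id"], e["dest_ip"], e["dest_port"], e.get("tls", {}).get("sni", ""))
            for e in select_type(events, "tls") if e.get("dest_port") != 443]


def ja3_counts(events: List[dict]) -> Counter:
    """How often each JA3 client fingerprint appears; rare ones stand out."""
    return Counter(e["tls"]["ja3"]["hash"]
                   for e in select_type(events, "tls")
                   if "ja3" in e.get("tls", {}))


if __name__ == "__main__":
    evs = read_eve(SAMPLE_EVE.splitlines())
    for row in map(to_csv_row, evs):
        print(row)
    print("executable downloads:", suspicious_http(evs))
    print("tls off 443:", tls_on_nonstandard_port(evs))
    print("ja3:", ja3_counts(evs))
```

To run it against the real log, replace SAMPLE_EVE.splitlines() with the lines of /var/log/suricata/pcap/eve.json (or iterate over a file object opened on it). The two triage helpers mirror the kind of thing an analyst picks out of the tutorial's sample by eye: the wp.exe and gerv.gun downloads, and the TLS session to 208.83.223.34 on port 80.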

That is all about how to install and setup Suricata on Ubuntu 22.04/Ubuntu 20.04.

Feel free to read more about Suricata on their documentation page.

Other Tutorials;

Install and Setup Suricata on CentOS 8

Install Nikto Web Scanner on Rocky Linux 8
