Suricata is a free and open source intrusion detection system developed by the Open Information Security Foundation (OISF). It is capable of real-time intrusion detection, network security monitoring, inline intrusion prevention and offline pcap processing.
Suricata inspects network traffic using a powerful rule language, and complex threats can be inspected with Lua scripting. Externally developed rule sets are available that Suricata can use to monitor network traffic and raise alerts when suspicious events occur.
Suricata Features:
- Supports Linux, Windows, FreeBSD and Mac OS.
- Full support for IPv4, IPv6, SCTP, ICMPv4, ICMPv6 and GRE.
- File matching, logging, extraction and md5 checksum calculation.
- Supports multi-threading.
- Supports automatic protocol detection and gzip decompression.
- Easily integrates with the Linux netfilter firewall.
- Records traffic using the pcap logger.
- Supports HTTP request and TLS handshake logging.
In this tutorial, we will learn how to install and configure Suricata on an Ubuntu 16.04 server.
Requirements
- A server running Ubuntu 16.04.
- A non-root user with sudo privileges set up on your server.
Getting Started
Before starting, make sure your system is up to date.
You can do this by running the following commands:
sudo apt-get update -y
sudo apt-get upgrade -y
Once the system is updated, you will need to install some dependencies in order to build Suricata on your server.
Run the following command to install all of them:
sudo apt-get install libpcre3-dbg libpcre3-dev autoconf automake libtool libpcap-dev libnet1-dev libyaml-dev zlib1g-dev libcap-ng-dev \
    libmagic-dev libjansson-dev libjansson4
Output:
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages were automatically installed and are no longer required:
fontconfig-config fonts-dejavu-core ghostscript gsfonts imagemagick-common libcupsfilters1 libcupsimage2 libfftw3-double3 libfontconfig1 libgd3
libgs9 libgs9-common libijs-0.35 libjasper1 libjbig0 libjbig2dec0 libjpeg-turbo8 libjpeg8 liblcms2-2 liblqr-1-0 libpaper-utils libpaper1 libtiff5
libvpx3 libxpm4 owncloud-files poppler-data ttf-dejavu-core
Use 'sudo apt autoremove' to remove them.
The following additional packages will be installed:
autotools-dev binutils cpp cpp-5 gcc gcc-5 libasan2 libatomic1 libc-dev-bin libc6-dev libcc1-0 libcilkrts5 libgcc-5-dev libisl15 libitm1 liblsan0
libltdl-dev libmpc3 libmpx0 libnet1 libpcap0.8-dev libpcre16-3 libpcre32-3 libpcrecpp0v5 libquadmath0 libtsan0 libubsan0 libyaml-0-2
linux-libc-dev m4 manpages-dev
Suggested packages:
autoconf-archive gnu-standards autoconf-doc gettext binutils-doc cpp-doc gcc-5-locales gcc-multilib make flex bison gdb gcc-doc gcc-5-multilib
gcc-5-doc libgcc1-dbg libgomp1-dbg libitm1-dbg libatomic1-dbg libasan2-dbg liblsan0-dbg libtsan0-dbg libubsan0-dbg libcilkrts5-dbg libmpx0-dbg
libquadmath0-dbg glibc-doc libtool-doc gfortran | fortran95-compiler gcj-jdk libyaml-doc
The following NEW packages will be installed:
autoconf automake autotools-dev binutils cpp cpp-5 gcc gcc-5 libasan2 libatomic1 libc-dev-bin libc6-dev libcap-ng-dev libcc1-0 libcilkrts5
libgcc-5-dev libisl15 libitm1 libjansson-dev libjansson4 liblsan0 libltdl-dev libmagic-dev libmpc3 libmpx0 libnet1 libnet1-dev libpcap-dev
libpcap0.8-dev libpcre16-3 libpcre3-dbg libpcre3-dev libpcre32-3 libpcrecpp0v5 libquadmath0 libtool libtsan0 libubsan0 libyaml-0-2 libyaml-dev
linux-libc-dev m4 manpages-dev zlib1g-dev
0 upgraded, 44 newly installed, 0 to remove and 0 not upgraded.
Need to get 31.1 MB of archives.
After this operation, 115 MB of additional disk space will be used.
Do you want to continue? [Y/n] Y
Get:1 http://us.archive.ubuntu.com/ubuntu xenial/main amd64 libnet1 amd64 1.1.6+dfsg-3 [42.1 kB]
Get:2 http://us.archive.ubuntu.com/ubuntu xenial/main amd64 libpcrecpp0v5 amd64 2:8.38-3.1 [15.2 kB]
Get:3 http://us.archive.ubuntu.com/ubuntu xenial/main amd64 libyaml-0-2 amd64 0.1.6-3 [47.6 kB]
Get:4 http://us.archive.ubuntu.com/ubuntu xenial/main amd64 libmpc3 amd64 1.0.3-1 [39.7 kB]
Get:5 http://us.archive.ubuntu.com/ubuntu xenial/main amd64 m4 amd64 1.4.17-5 [195 kB]
Get:6 http://us.archive.ubuntu.com/ubuntu xenial/main amd64 autoconf all 2.69-9 [321 kB]
Get:7 http://us.archive.ubuntu.com/ubuntu xenial/main amd64 autotools-dev all 20150820.1 [39.8 kB]
Get:8 http://us.archive.ubuntu.com/ubuntu xenial/main amd64 automake all 1:1.15-4ubuntu1 [510 kB]
Get:9 http://us.archive.ubuntu.com/ubuntu xenial-updates/main amd64 binutils amd64 2.26.1-1ubuntu1~16.04.3 [2,310 kB]
Get:10 http://us.archive.ubuntu.com/ubuntu xenial/main amd64 libisl15 amd64 0.16.1-1 [524 kB]
Get:11 http://us.archive.ubuntu.com/ubuntu xenial-updates/main amd64 cpp-5 amd64 5.4.0-6ubuntu1~16.04.2 [7,660 kB]
Get:12 http://us.archive.ubuntu.com/ubuntu xenial/main amd64 cpp amd64 4:5.3.1-1ubuntu1 [27.7 kB]
Get:13 http://us.archive.ubuntu.com/ubuntu xenial-updates/main amd64 libcc1-0 amd64 5.4.0-6ubuntu1~16.04.2 [38.8 kB]
Get:14 http://us.archive.ubuntu.com/ubuntu xenial-updates/main amd64 libitm1 amd64 5.4.0-6ubuntu1~16.04.2 [27.4 kB]
.
.
.
By default, Suricata works as an Intrusion Detection System (IDS). If you also want to use it as an Intrusion Prevention System (IPS), you need to install some additional packages:
sudo apt-get install libnetfilter-queue-dev libnetfilter-queue1 libnfnetlink-dev
Output:
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages were automatically installed and are no longer required:
fontconfig-config fonts-dejavu-core ghostscript gsfonts imagemagick-common libcupsfilters1 libcupsimage2 libfftw3-double3 libfontconfig1 libgd3
libgs9 libgs9-common libijs-0.35 libjasper1 libjbig0 libjbig2dec0 libjpeg-turbo8 libjpeg8 liblcms2-2 liblqr-1-0 libpaper-utils libpaper1 libtiff5
libvpx3 libxpm4 owncloud-files poppler-data ttf-dejavu-core
Use 'sudo apt autoremove' to remove them.
The following additional packages will be installed:
build-essential dpkg-dev fakeroot g++ g++-5 libalgorithm-diff-perl libalgorithm-diff-xs-perl libalgorithm-merge-perl libdpkg-perl libfakeroot
libfile-fcntllock-perl libstdc++-5-dev make pkg-config
Suggested packages:
debian-keyring g++-multilib g++-5-multilib gcc-5-doc libstdc++6-5-dbg libstdc++-5-doc make-doc
The following NEW packages will be installed:
build-essential dpkg-dev fakeroot g++ g++-5 libalgorithm-diff-perl libalgorithm-diff-xs-perl libalgorithm-merge-perl libdpkg-perl libfakeroot
libfile-fcntllock-perl libnetfilter-queue-dev libnetfilter-queue1 libnfnetlink-dev libstdc++-5-dev make pkg-config
0 upgraded, 17 newly installed, 0 to remove and 0 not upgraded.
Need to get 10.9 MB of archives.
After this operation, 44.2 MB of additional disk space will be used.
Do you want to continue? [Y/n] Y
Get:1 http://us.archive.ubuntu.com/ubuntu xenial-updates/main amd64 libdpkg-perl all 1.18.4ubuntu1.1 [195 kB]
Get:2 http://us.archive.ubuntu.com/ubuntu xenial/main amd64 make amd64 4.1-6 [151 kB]
Get:3 http://us.archive.ubuntu.com/ubuntu xenial-updates/main amd64 dpkg-dev all 1.18.4ubuntu1.1 [584 kB]
Get:4 http://us.archive.ubuntu.com/ubuntu xenial/main amd64 pkg-config amd64 0.29.1-0ubuntu1 [45.0 kB]
Get:5 http://us.archive.ubuntu.com/ubuntu xenial/universe amd64 libnetfilter-queue1 amd64 1.0.2-2 [11.4 kB]
Get:6 http://us.archive.ubuntu.com/ubuntu xenial/main amd64 libnfnetlink-dev amd64 1.0.1-3 [6,512 B]
Get:7 http://us.archive.ubuntu.com/ubuntu xenial/universe amd64 libnetfilter-queue-dev amd64 1.0.2-2 [5,256 B]
.
.
.
Installing Suricata
Once you install all the required packages, you can now proceed to install Suricata.
First, download the latest version of the Suricata source from https://suricata-ids.org/download/ using the wget command:
wget https://www.openinfosecfoundation.org/download/suricata-3.1.2.tar.gz
Output:
--2016-10-25 12:25:09-- https://www.openinfosecfoundation.org/download/suricata-3.1.2.tar.gz
Resolving www.openinfosecfoundation.org (www.openinfosecfoundation.org)... 96.43.130.5
Connecting to www.openinfosecfoundation.org (www.openinfosecfoundation.org)|96.43.130.5|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3338099 (3.2M) [application/x-gzip]
Saving to: ‘suricata-3.1.2.tar.gz’
suricata-3.1.2.tar.gz 100%[======================================================================>] 3.18M 53.0KB/s in 80s
2016-10-25 12:26:38 (40.6 KB/s) - ‘suricata-3.1.2.tar.gz’ saved [3338099/3338099]
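Before extracting a tarball that will become the sensor on your network, it is worth checking that what wget saved is what OISF published. The following is an added example, not part of the original tutorial: a small POSIX sh function that compares a file's SHA-256 against a known digest. The digest value below is a placeholder; take the real one from the release information OISF publishes for the version you downloaded.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: check the downloaded
# tarball against a known SHA-256 digest before extracting and building it,
# so a tampered or truncated download is caught here rather than compiled
# into the sensor. EXPECTED_SHA256 below is a placeholder; use the digest
# OISF publishes for the release you downloaded.

# verify_sha256 FILE EXPECTED: return 0 when FILE's SHA-256 equals EXPECTED
# (hex, either case), 1 otherwise, printing both digests on a mismatch.
verify_sha256() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    actual=$(sha256sum "$file" | awk '{ print $1 }')
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file matches the expected SHA-256"
        return 0
    fi
    echo "MISMATCH: $file" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 1
}

# Usage with the tutorial's tarball; the digest is a placeholder to replace.
EXPECTED_SHA256='<sha256 digest published for suricata-3.1.2.tar.gz>'
if [ -f suricata-3.1.2.tar.gz ]; then
    verify_sha256 suricata-3.1.2.tar.gz "$EXPECTED_SHA256" && tar -xvf suricata-3.1.2.tar.gz
fi
```

Only extract and build once the check passes. Note that configuring and compiling the source does not need root; only the installation steps that write under /usr and /etc do.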
Next, extract the downloaded source using the tar command:
tar -xvf suricata-3.1.2.tar.gz
Next, change into the suricata-3.1.2 directory and run ls:
cd suricata-3.1.2
ls
Output:
aclocal.m4 compile config.rpath configure.ac depcomp libhtp m4 missing rules suricata.yaml.in
ChangeLog config.guess config.sub contrib doc LICENSE Makefile.am qa scripts threshold.config
classification.config config.h.in configure COPYING install-sh ltmain.sh Makefile.in reference.config src
Next, build Suricata with IPS capabilities by running the following command:
sudo ./configure --enable-nfqueue --prefix=/usr --sysconfdir=/etc --localstatedir=/var
You should see the following configuration output:
Suricata Configuration:
AF_PACKET support: yes
PF_RING support: no
NFQueue support: yes
NFLOG support: no
IPFW support: no
Netmap support: no
DAG enabled: no
Napatech enabled: no
Unix socket enabled: yes
Detection enabled: yes
libnss support: no
libnspr support: no
libjansson support: yes
hiredis support: no
Prelude support: no
PCRE jit: yes
LUA support: no
libluajit: no
libgeoip: no
Non-bundled htp: no
Old barnyard2 support: no
CUDA enabled: no
Hyperscan support: no
Libnet support: yes
Suricatasc install: yes
Profiling enabled: no
Profiling locks enabled: no
Development settings:
Coccinelle / spatch: no
Unit tests enabled: no
Debug output enabled: no
Debug validation enabled: no
Generic build parameters:
Installation prefix: /usr
Configuration directory: /etc/suricata/
Log directory: /var/log/suricata/
--prefix /usr
--sysconfdir /etc
--localstatedir /var
Host: x86_64-pc-linux-gnu
Compiler: gcc (exec name) / gcc (real)
GCC Protect enabled: no
GCC march native enabled: yes
GCC Profile enabled: no
Position Independent Executable enabled: no
CFLAGS -g -O2 -march=native
PCAP_CFLAGS -I/usr/include
SECCFLAGS
Next, compile and install Suricata using the following commands:
sudo make
Output:
make[3]: Leaving directory '/root/suricata-3.1.2/contrib/file_processor'
Making all in tile_pcie_logd
make[3]: Entering directory '/root/suricata-3.1.2/contrib/tile_pcie_logd'
make[3]: Nothing to be done for 'all'.
make[3]: Leaving directory '/root/suricata-3.1.2/contrib/tile_pcie_logd'
make[3]: Entering directory '/root/suricata-3.1.2/contrib'
make[3]: Nothing to be done for 'all-am'.
make[3]: Leaving directory '/root/suricata-3.1.2/contrib'
make[2]: Leaving directory '/root/suricata-3.1.2/contrib'
Making all in scripts
make[2]: Entering directory '/root/suricata-3.1.2/scripts'
Making all in suricatasc
make[3]: Entering directory '/root/suricata-3.1.2/scripts/suricatasc'
mkdir -p ../../scripts/suricatasc/src
./setup.py build;
running build
running build_py
creating build
creating build/lib.linux-x86_64-2.7
creating build/lib.linux-x86_64-2.7/suricatasc
copying src/suricatasc.py -> build/lib.linux-x86_64-2.7/suricatasc
copying src/__init__.py -> build/lib.linux-x86_64-2.7/suricatasc
running build_scripts
creating build/scripts-2.7
copying and adjusting suricatasc -> build/scripts-2.7
changing mode of build/scripts-2.7/suricatasc from 644 to 755
make[3]: Leaving directory '/root/suricata-3.1.2/scripts/suricatasc'
make[3]: Entering directory '/root/suricata-3.1.2/scripts'
make[3]: Nothing to be done for 'all-am'.
make[3]: Leaving directory '/root/suricata-3.1.2/scripts'
make[2]: Leaving directory '/root/suricata-3.1.2/scripts'
make[2]: Entering directory '/root/suricata-3.1.2'
make[2]: Leaving directory '/root/suricata-3.1.2'
make[1]: Leaving directory '/root/suricata-3.1.2'
sudo make install
Output:
running install
running build
running build_py
running build_scripts
running install_lib
creating /usr/lib/python2.7/site-packages
creating /usr/lib/python2.7/site-packages/suricatasc
copying build/lib.linux-x86_64-2.7/suricatasc/suricatasc.py -> /usr/lib/python2.7/site-packages/suricatasc
copying build/lib.linux-x86_64-2.7/suricatasc/__init__.py -> /usr/lib/python2.7/site-packages/suricatasc
byte-compiling /usr/lib/python2.7/site-packages/suricatasc/suricatasc.py to suricatasc.pyc
byte-compiling /usr/lib/python2.7/site-packages/suricatasc/__init__.py to __init__.pyc
running install_scripts
copying build/scripts-2.7/suricatasc -> /usr/bin
changing mode of /usr/bin/suricatasc to 755
running install_egg_info
Writing /usr/lib/python2.7/site-packages/suricatasc-0.9-py2.7.egg-info
make[3]: Nothing to be done for 'install-data-am'.
make[3]: Leaving directory '/root/suricata-3.1.2/scripts/suricatasc'
make[2]: Leaving directory '/root/suricata-3.1.2/scripts/suricatasc'
make[2]: Entering directory '/root/suricata-3.1.2/scripts'
make[3]: Entering directory '/root/suricata-3.1.2/scripts'
make[3]: Nothing to be done for 'install-exec-am'.
make[3]: Nothing to be done for 'install-data-am'.
make[3]: Leaving directory '/root/suricata-3.1.2/scripts'
make[2]: Leaving directory '/root/suricata-3.1.2/scripts'
make[1]: Leaving directory '/root/suricata-3.1.2/scripts'
make[1]: Entering directory '/root/suricata-3.1.2'
make[2]: Entering directory '/root/suricata-3.1.2'
make[2]: Nothing to be done for 'install-exec-am'.
Run 'make install-conf' if you want to install initial configuration files. Or 'make install-full' to install configuration and rules
make[2]: Leaving directory '/root/suricata-3.1.2'
make[1]: Leaving directory '/root/suricata-3.1.2'
Suricata comes with default configuration files. You can install them by running the following command:
sudo make install-conf
Output:
install -d "/etc/suricata/"
install -d "/var/log/suricata/files"
install -d "/var/log/suricata/certs"
install -d "/var/run/"
install -m 770 -d "/var/run/suricata"
Configure Suricata IDS
You will also need to install IDS rule sets, because Suricata does nothing useful without rules.
You can install them by running the following command:
sudo make install-rules
Output:
install -d "/etc/suricata/rules"
/usr/bin/wget -qO - https://rules.emergingthreats.net/open/suricata-3.0/emerging.rules.tar.gz | tar -x -z -C "/etc/suricata/" -f -
You can now start suricata by running as root something like '/usr/bin/suricata -c /etc/suricata//suricata.yaml -i eth0'.
If a library like libhtp.so is not found, you can run suricata with:
'LD_LIBRARY_PATH=/usr/lib /usr/bin/suricata -c /etc/suricata//suricata.yaml -i eth0'.
While rules are installed now, it's highly recommended to use a rule manager for maintaining rules.
The two most common are Oinkmaster and Pulledpork. For a guide see:
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Rule_Management_with_Oinkmaster
You can list all the installed rules by running the following commands:
cd /etc/suricata/rules
ls
Output:
app-layer-events.rules emerging-deleted.rules emerging-pop3.rules gen-msg.map
botcc.portgrouped.rules emerging-dns.rules emerging-rpc.rules gpl-2.0.txt
botcc.rules emerging-dos.rules emerging-scada.rules http-events.rules
BSD-License.txt emerging-exploit.rules emerging-scan.rules LICENSE
ciarmy.rules emerging-ftp.rules emerging-shellcode.rules modbus-events.rules
classification.config emerging-games.rules emerging-smtp.rules rbn-malvertisers.rules
compromised-ips.txt emerging-icmp_info.rules emerging-snmp.rules rbn.rules
compromised.rules emerging-icmp.rules emerging-sql.rules reference.config
decoder-events.rules emerging-imap.rules emerging-telnet.rules sid-msg.map
dns-events.rules emerging-inappropriate.rules emerging-tftp.rules smtp-events.rules
drop.rules emerging-info.rules emerging-trojan.rules stream-events.rules
dshield.rules emerging-malware.rules emerging-user_agents.rules suricata-1.3-etpro-etnamed.yaml
emerging-activex.rules emerging-misc.rules emerging-voip.rules suricata-1.3-open.txt
emerging-attack_response.rules emerging-mobile_malware.rules emerging-web_client.rules suricata-1.3-open.yaml
emerging-chat.rules emerging-netbios.rules emerging-web_server.rules tor.rules
emerging.conf emerging-p2p.rules emerging-web_specific_apps.rules unicode.map
emerging-current_events.rules emerging-policy.rules emerging-worm.rules
Once everything is up to date, it's time to configure Suricata. You can do this by editing the Suricata configuration file located at /etc/suricata/suricata.yaml:
sudo nano /etc/suricata/suricata.yaml
Under the vars section, you will see some important variables: HOME_NET should cover your local network, EXTERNAL_NET (by default !$HOME_NET, i.e. everything that is not in HOME_NET) represents the external network, and the XXX_PORTS variables define the port numbers used by the different services.
Change the file as per your needs, then save and close the file.
Perform Intrusion Detection
Before testing Suricata, it is recommended to turn off any packet offload features on the NIC that Suricata is listening on.
You can turn off LRO/GRO on the network interface eth0 using the following command:
sudo ethtool -K eth0 gro off lro off
You may see the following warning message; it means that your NIC does not support LRO, so you can ignore it:
Cannot change large-receive-offload
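Rather than relying on the absence of a warning, it is better to read the offload state back from the driver after changing it. The block below is an added example, not part of the original tutorial: a POSIX sh parser for the output of `ethtool -k`, with a constructed sample of that output so it also runs offline. A feature reported as "off [fixed]" is one the driver cannot change, which is the situation behind the "Cannot change large-receive-offload" warning above.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: report which offload
# features are still enabled on an interface by parsing `ethtool -k` output,
# so you can confirm GRO/LRO are really off before starting Suricata.

# Constructed sample of `ethtool -k eth0` output, used for offline runs.
SAMPLE_ETHTOOL_K='Features for eth0:
rx-checksumming: on
tx-checksumming: on
	tx-checksum-ipv4: off [fixed]
generic-segmentation-offload: on
generic-receive-offload: off
large-receive-offload: off [fixed]
tcp-segmentation-offload: on'

# offloads_on OUTPUT FEATURE...: print each named FEATURE that OUTPUT reports
# as "on" (one per line); prints nothing when all named features are off.
offloads_on() {
    out=$1
    shift
    for feature in "$@"; do
        printf '%s\n' "$out" | awk -v f="$feature" '
            {
                line = $0
                sub(/^[ \t]+/, "", line)          # sub-features are indented
                n = index(line, ": ")
                if (n == 0) next                  # header or blank line
                name = substr(line, 1, n - 1)
                state = substr(line, n + 2)       # "on", "off", "off [fixed]", ...
                if (name == f && state ~ /^on/) print name
            }'
    done
}

# check_offloads IFACE: return 0 if GRO and LRO are both off on IFACE,
# 1 otherwise (naming the features still on). Uses the real ethtool.
check_offloads() {
    still_on=$(offloads_on "$(ethtool -k "$1")" generic-receive-offload large-receive-offload)
    if [ -n "$still_on" ]; then
        printf 'still enabled on %s: %s\n' "$1" "$still_on" >&2
        return 1
    fi
    return 0
}

# Offline demo on the constructed sample (only TSO is still on there):
printf 'features on in sample: %s\n' \
    "$(offloads_on "$SAMPLE_ETHTOOL_K" generic-receive-offload large-receive-offload tcp-segmentation-offload)"
```

On the sensor itself, run `check_offloads eth0` after the ethtool -K command and before starting Suricata; a non-zero exit means at least one of GRO or LRO is still active on that interface.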
Suricata supports a number of running modes. You can see the list of all running modes with the following command:
sudo /usr/bin/suricata --list-runmodes
Output:
------------------------------------- Runmodes ------------------------------------------
| RunMode Type | Custom Mode | Description
|----------------------------------------------------------------------------------------
| PCAP_DEV | single | Single threaded pcap live mode
| ---------------------------------------------------------------------
| | autofp | Multi threaded pcap live mode. Packets from each flow are assigned to a single detect thread, unlike "pcap_live_auto" where packets from the same flow can be processed by any detect thread
| ---------------------------------------------------------------------
| | workers | Workers pcap live mode, each thread does all tasks from acquisition to logging
|----------------------------------------------------------------------------------------
| PCAP_FILE | single | Single threaded pcap file mode
| ---------------------------------------------------------------------
| | autofp | Multi threaded pcap file mode. Packets from each flow are assigned to a single detect thread, unlike "pcap-file-auto" where packets from the same flow can be processed by any detect thread
|----------------------------------------------------------------------------------------
| PFRING(DISABLED) | autofp | Multi threaded pfring mode. Packets from each flow are assigned to a single detect thread, unlike "pfring_auto" where packets from the same flow can be processed by any detect thread
| ---------------------------------------------------------------------
| | single | Single threaded pfring mode
| ---------------------------------------------------------------------
| | workers | Workers pfring mode, each thread does all tasks from acquisition to logging
|----------------------------------------------------------------------------------------
| NFQ | autofp | Multi threaded NFQ IPS mode with respect to flow
| ---------------------------------------------------------------------
| | workers | Multi queue NFQ IPS mode with one thread per queue
|----------------------------------------------------------------------------------------
| NFLOG | autofp | Multi threaded nflog mode
| ---------------------------------------------------------------------
| | single | Single threaded nflog mode
| ---------------------------------------------------------------------
| | workers | Workers nflog mode
|----------------------------------------------------------------------------------------
| IPFW | autofp | Multi threaded IPFW IPS mode with respect to flow
| ---------------------------------------------------------------------
| | workers | Multi queue IPFW IPS mode with one thread per queue
|----------------------------------------------------------------------------------------
| ERF_FILE | single | Single threaded ERF file mode
| ---------------------------------------------------------------------
| | autofp | Multi threaded ERF file mode. Packets from each flow are assigned to a single detect thread
|----------------------------------------------------------------------------------------
| ERF_DAG | autofp | Multi threaded DAG mode. Packets from each flow are assigned to a single detect thread, unlike "dag_auto" where packets from the same flow can be processed by any detect thread
| ---------------------------------------------------------------------
| | single | Singled threaded DAG mode
| ---------------------------------------------------------------------
| | workers | Workers DAG mode, each thread does all tasks from acquisition to logging
|----------------------------------------------------------------------------------------
| AF_PACKET_DEV | single | Single threaded af-packet mode
| ---------------------------------------------------------------------
| | workers | Workers af-packet mode, each thread does all tasks from acquisition to logging
| ---------------------------------------------------------------------
| | autofp | Multi socket AF_PACKET mode. Packets from each flow are assigned to a single detect thread.
|----------------------------------------------------------------------------------------
| NETMAP(DISABLED) | single | Single threaded netmap mode
| ---------------------------------------------------------------------
| | workers | Workers netmap mode, each thread does all tasks from acquisition to logging
| ---------------------------------------------------------------------
| | autofp | Multi threaded netmap mode. Packets from each flow are assigned to a single detect thread.
|----------------------------------------------------------------------------------------
| UNIX_SOCKET | single | Unix socket mode
|----------------------------------------------------------------------------------------
By default Suricata uses the autofp runmode, which means auto flow-pinned load balancing.
Finally, start Suricata in pcap live mode by running the following command:
sudo /usr/bin/suricata -c /etc/suricata/suricata.yaml -i eth0 --init-errors-fatal
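Once Suricata is running, its alerts land in the log directory chosen at configure time (/var/log/suricata/ above), with fast.log as the default one-line-per-alert log. The following is an added example, not part of the original tutorial: two POSIX sh functions that summarise a fast.log by signature and by source address, run here on a constructed sample (made-up SIDs 9000001 and 9000002, RFC 5737 documentation addresses) so it works offline.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: summarise the alerts
# Suricata writes to fast.log (its default alert log, under the
# /var/log/suricata/ log directory chosen at configure time). Shows which
# signatures fire most and which source addresses trigger them, which is
# the first thing to look at after starting a fresh install.
#
# fast.log line layout:
#   <timestamp>  [**] [gid:sid:rev] <msg> [**] [Classification: ...] [Priority: N] {PROTO} src:port -> dst:port

# Constructed sample log: made-up SIDs (9000001, 9000002) and RFC 5737
# documentation addresses; no real rule or host is referenced.
SAMPLE_FAST_LOG='10/25/2016-12:40:01.000001  [**] [1:9000001:1] CONSTRUCTED SCAN example port sweep [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.7:51234 -> 192.0.2.10:22
10/25/2016-12:40:02.000002  [**] [1:9000001:1] CONSTRUCTED SCAN example port sweep [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.7:51235 -> 192.0.2.10:23
10/25/2016-12:41:10.000003  [**] [1:9000002:2] CONSTRUCTED POLICY example cleartext login [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.0.2.10:43210 -> 198.51.100.4:21
10/25/2016-12:42:33.000004  [**] [1:9000001:1] CONSTRUCTED SCAN example port sweep [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.9:40000 -> 192.0.2.10:80'

# alerts_by_sid: read fast.log on stdin, print "count<TAB>sid<TAB>msg",
# most frequent signature first.
alerts_by_sid() {
    awk '
        {
            n = split($0, part, /\[\*\*\] /)
            if (n < 3) next                       # not an alert line
            # part[2] is "[gid:sid:rev] <msg> "
            if (match(part[2], /^\[[0-9]+:[0-9]+:[0-9]+\]/) == 0) next
            split(substr(part[2], 2, RLENGTH - 2), id, ":")
            msg = substr(part[2], RLENGTH + 2)
            sub(/ +$/, "", msg)
            count[id[2] "\t" msg]++
        }
        END { for (k in count) print count[k] "\t" k }
    ' | sort -rn
}

# alerts_by_src: read fast.log on stdin, print "count<TAB>source-address",
# most active source first. Only the trailing ":port" (after the last
# colon) is stripped, so addresses containing colons are left intact.
alerts_by_src() {
    awk '
        {
            for (i = 1; i <= NF; i++) {
                if ($i == "->") {
                    src = $(i - 1)
                    sub(/:[0-9]+$/, "", src)      # drop the source port
                    count[src]++
                }
            }
        }
        END { for (k in count) print count[k] "\t" k }
    ' | sort -rn
}

# Demo on the constructed sample. On a live sensor, feed the real log instead:
#   alerts_by_sid < /var/log/suricata/fast.log
printf '%s\n' "$SAMPLE_FAST_LOG" | alerts_by_sid
printf '%s\n' "$SAMPLE_FAST_LOG" | alerts_by_src
```

A signature that dominates the count on a freshly installed sensor is usually either a genuine recurring event or a rule that needs tuning for your HOME_NET; either way, the SID is what you will look up in the rule files under /etc/suricata/rules.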
Conclusion
I hope you are now able to install and set up Suricata IDS on your Ubuntu 16.04 server. You can use Suricata in a production environment to gather valuable information about your network.