×
Community Blog How to Install Suricata IDS on Ubuntu 16.04

How to Install Suricata IDS on Ubuntu 16.04

In this tutorial, we will be installing and configuring Suricata on an Alibaba Cloud Elastic Compute Service (ECS) Ubuntu 16.04 server.

By Hitesh Jethva, Alibaba Cloud Tech Share Author. Tech Share is Alibaba Cloud's incentive program to encourage the sharing of technical knowledge and best practices within the cloud community.

Suricata is a free, open source, fast and robust intrusion detection system (IDS), intrusion prevention system (IPS) and Network Security Monitoring engine. Suricata inspects the network traffic using a powerful and extensive rules and signature language. You can set up Suricata as an active, inline IDS and IPS monitor inbound and outbound traffic. It can stop malicious traffic before it enters the network and alerts the administrator. You can also integrate Suricata with Linux Netfilter firewall.

In this tutorial, we will be installing and configuring Suricata on an Alibaba Cloud Elastic Compute Service (ECS) Ubuntu 16.04 server.

Requirements

  • A fresh Alibaba Cloud Ubuntu 16.04 instance with minimum 4 GB RAM.
  • A static IP address 192.168.0.100 is set up to your instance.
  • A root password is set up to your instance.

Launch Alibaba Cloud ECS Instance

First, Login to your Alibaba Cloud ECS Console. Create a new ECS instance, choosing Ubuntu 16.04 as the operating system with at least 2GB RAM. Connect to your ECS instance and log in as the root user.

Once you are logged into your Ubuntu 16.04 instance, run the following command to update your base system with the latest available packages.

apt-get update -y

Install Required Dependencies

Before starting, you will need to install some dependencies required by Suricata. You can install all of them by running the following command:

apt-get install libpcre3-dbg libpcre3-devlibnet1-dev libyaml-dev libjansson4 libcap-ng-dev libmagic-dev libjansson-dev zlib1g-dev autoconf automake libnetfilter-queue-dev libnetfilter-queue1 libnfnetlink-dev libtool libpcap-dev -y

After installing all the packages, you can proceed to install Suricata.

Install Suricata

First, download the latest version of Suricata from their official website using the following command:

wget https://www.openinfosecfoundation.org/download/suricata-4.0.5.tar.gz

Next, extract the downloaded file with the following command:

tar -xvzf suricata-4.0.5.tar.gz

Next, build the Suricata using the following command:

cd suricata-4.0.5
./configure --enable-nfqueue --prefix=/usr --sysconfdir=/etc --localstatedir=/var

Output:

To build and install run 'make' and 'make install'.

You can run 'make install-conf' if you want to install initial configuration
files to /etc/suricata/. Running 'make install-full' will install configuration
and rules and provide you a ready-to-run suricata.

To install Suricata into /usr/bin/suricata, have the config in
/etc/suricata and use /var/log/suricata as log dir, use:
./configure --prefix=/usr/ --sysconfdir=/etc/ --localstatedir=/var/

Next, install Suricata with the following command:

make
make install

Output:

Writing /usr/lib/python2.7/site-packages/suricatasc-0.9-py2.7.egg-info
make[3]: Nothing to be done for 'install-data-am'.
make[3]: Leaving directory '/root/suricata-4.0.5/scripts/suricatasc'
make[2]: Leaving directory '/root/suricata-4.0.5/scripts/suricatasc'
make[2]: Entering directory '/root/suricata-4.0.5/scripts'
make[3]: Entering directory '/root/suricata-4.0.5/scripts'
make[3]: Nothing to be done for 'install-exec-am'.
make[3]: Nothing to be done for 'install-data-am'.
make[3]: Leaving directory '/root/suricata-4.0.5/scripts'
make[2]: Leaving directory '/root/suricata-4.0.5/scripts'
make[1]: Leaving directory '/root/suricata-4.0.5/scripts'
Making install in etc
make[1]: Entering directory '/root/suricata-4.0.5/etc'
make[2]: Entering directory '/root/suricata-4.0.5/etc'
make[2]: Nothing to be done for 'install-exec-am'.
make[2]: Nothing to be done for 'install-data-am'.
make[2]: Leaving directory '/root/suricata-4.0.5/etc'
make[1]: Leaving directory '/root/suricata-4.0.5/etc'
make[1]: Entering directory '/root/suricata-4.0.5'
make[2]: Entering directory '/root/suricata-4.0.5'
make[2]: Nothing to be done for 'install-exec-am'.
Run 'make install-conf' if you want to install initial configuration files. Or 'make install-full' to install configuration and rules
make[2]: Leaving directory '/root/suricata-4.0.5'
make[1]: Leaving directory '/root/suricata-4.0.5'

Next, install Suricata default configuration file with the following command:

make install-conf

You should see the following output:

install -d "/etc/suricata/"
install -d "/var/log/suricata/files"
install -d "/var/log/suricata/certs"
install -d "/var/run/"
install -m 770 -d "/var/run/suricata"

Configure Suricata

Before starting, you will need to install Suricata IDS rule sets to your system. You can install it from Suricata source directory using the following command:

cd suricata-4.0.5
make install-rules

Output:

install -d "/etc/suricata/rules"
/usr/bin/wget -qO - https://rules.emergingthreats.net/open/suricata-4.0/emerging.rules.tar.gz | tar -x -z -C "/etc/suricata/" -f -

You can now start suricata by running as root something like /usr/bin/suricata -c /etc/suricata//suricata.yaml -i eth0.

If a library like libhtp.so is not found, you can run suricata with: LD_LIBRARY_PATH=/usr/lib /usr/bin/suricata -c /etc/suricata//suricata.yaml -i eth0.

While rules are installed now, it's highly recommended to use a rule manager for maintaining rules.

The two most common are Oinkmaster and Pulledpork. For a guide see:
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Rule_Management_with_Oinkmaster

You can list all the installed rules with the following command:

ls  /etc/suricata/rules

Output:

app-layer-events.rules          emerging-current_events.rules  emerging-netbios.rules      emerging-voip.rules
botcc.portgrouped.rules         emerging-deleted.rules         emerging-p2p.rules          emerging-web_client.rules
botcc.rules                     emerging-dns.rules             emerging-policy.rules       emerging-web_server.rules
BSD-License.txt                 emerging-dos.rules             emerging-pop3.rules         emerging-web_specific_apps.rules
ciarmy.rules                    emerging-exploit.rules         emerging-rpc.rules          emerging-worm.rules
compromised-ips.txt             emerging-ftp.rules             emerging-scada.rules        gpl-2.0.txt
compromised.rules               emerging-games.rules           emerging-scan.rules         http-events.rules
decoder-events.rules            emerging-icmp_info.rules       emerging-shellcode.rules    LICENSE
dnp3-events.rules               emerging-icmp.rules            emerging-smtp.rules         modbus-events.rules
dns-events.rules                emerging-imap.rules            emerging-snmp.rules         sid-msg.map
drop.rules                      emerging-inappropriate.rules   emerging-sql.rules          smtp-events.rules
dshield.rules                   emerging-info.rules            emerging-telnet.rules       stream-events.rules
emerging-activex.rules          emerging-malware.rules         emerging-tftp.rules         suricata-4.0-enhanced-open.txt
emerging-attack_response.rules  emerging-misc.rules            emerging-trojan.rules       tls-events.rules
emerging-chat.rules             emerging-mobile_malware.rules  emerging-user_agents.rules  tor.rules

Next, you will need to modify suricata.yaml file. You can do this by running the following command:

nano /etc/suricata/suricata.yaml

Make the following changes as per your requirements:

HOME_NET: "[192.168.0.0/16]"
EXTERNAL_NET: "!$HOME_NET"

Save and close the file, when you are finished.

Next, create your own rule set to test Suricata. This rules will generate an alert in /var/log/suricata/fast.log file when someone tries to Ping, SSH or DOS SYN FLOOD attacks.

nano /etc/suricata/rules/my.rules

Add the following lines:

alert icmp any any -> $HOME_NET any (msg:"ICMP connection attempt"; sid:1000002; rev:1;) 
alert tcp any any -> $HOME_NET 22 (msg:"SSH connection attempt"; sid:1000003; rev:1;)
alert tcp any any -> $HOME_NET 80 (msg:"DOS Unusually fast port 80 SYN packets outbound, Potential DOS"; flags: S,12; threshold: type both, track by_dst, count 500, seconds 5; classtype:misc-activity; sid:6;)

Save and close the file.

Next, you will also need to define a path of this rule file in suricata.yaml:

nano /etc/suricata/suricata.yaml

Add the following lines inside rule-files: section:

 - my.rules

Save and close the file.

Next, you will need to turn off any packet offload features on the NIC which Suricata is listening on. You can do this with the following command:

ethtool -K eth0 tso off
ethtool -K eth0 tx off
ethtool -K eth0 gro off

Finally, run the Suricata in live mode with the following command:

/usr/bin/suricata -D -c /etc/suricata/suricata.yaml -i eth0

Test Suricta

Suricata IDS is now up and listening on the interface eth0. It's time to perform intrusion detection.

To test Suricata, you will need to install some tools on the remote machine.

On the remote machine, install hping, nmap and nikto tool with the following command:

apt-get install nikto hping3 nmap -y

From remote machine, perform SYN FLOOD attack against Suricata server with the following command:

hping3 -S 192.168.0.100 -p 80 --flood

On the Suricata server, check the log with the following command:

tail -f /var/log/suricata/fast.log

You should get something like this:

10/26/2018-12:24:52.146740  [**] [1:6:0] DOS Unusually fast port 80 SYN packets outbound, Potential DOS [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.168.0.104:2545 -> 192.168.0.100:80
10/26/2018-12:24:55.516790  [**] [1:6:0] DOS Unusually fast port 80 SYN packets outbound, Potential DOS [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.168.0.104:42629 -> 192.168.0.100:80

From the remote machine, perform Nmap scan against Suricata server with the following command:

nmap -sS -v -n -A 192.168.0.100 -T4

On the Suricata server, check the log with the following command:

tail -f /var/log/suricata/fast.log

You should see something like this:

10/26/2018-12:34:29.048872  [**] [1:1000002:1] ICMP connection attempt [**] [Classification: (null)] [Priority: 3] {ICMP} 192.168.0.104:8 -> 192.168.0.100:9
10/26/2018-12:34:29.048954  [**] [1:1000002:1] ICMP connection attempt [**] [Classification: (null)] [Priority: 3] {ICMP} 192.168.0.100:0 -> 192.168.0.104:9
10/26/2018-12:34:29.073931  [**] [1:1000002:1] ICMP connection attempt [**] [Classification: (null)] [Priority: 3] {ICMP} 192.168.0.104:8 -> 192.168.0.100:0

Next, perform SSH connection attemt from the remote machine:

ssh 192.168.0.100

On the Suricata server, check the log with the following command:

tail -f /var/log/suricata/fast.log

You should see the following output:

10/26/2018-13:35:32.971883  [**] [1:1000003:1] SSH connection attempt [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.0.104:60367 -> 192.168.0.100:22

From the remote machine, perform test attack against Suricata server with the following command:

nikto -h 192.168.0.100 -C all

On the Suricata server, check the log with the following command:

tail -f /var/log/suricata/fast.log 

Output:

10/26/2018-11:09:34.392428  [**] [1:2024364:3] ET SCAN Possible Nmap User-Agent Observed [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.0.104:43459 -> 192.168.0.100:80
10/26/2018-11:09:34.516266  [**] [1:2024364:3] ET SCAN Possible Nmap User-Agent Observed [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.0.104:43464 -> 192.168.0.100:80
10/26/2018-11:09:34.623732  [**] [1:2024364:3] ET SCAN Possible Nmap User-Agent Observed [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.0.104:43466 -> 192.168.0.100:80
10/26/2018-11:09:34.949076  [**] [1:2024364:3] ET SCAN Possible Nmap User-Agent Observed [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.0.104:43467 -> 192.168.0.100:80
0 0 0
Share on

Alibaba Clouder

2,599 posts | 764 followers

You may also like

Comments