By Hitesh Jethva, Alibaba Cloud Tech Share Author. Tech Share is Alibaba Cloud's incentive program to encourage the sharing of technical knowledge and best practices within the cloud community.
Suricata is a free, open source, fast and robust intrusion detection system (IDS), intrusion prevention system (IPS) and network security monitoring engine. Suricata inspects network traffic using a powerful and extensive rules and signature language. You can set up Suricata as an active, inline IDS/IPS to monitor inbound and outbound traffic; it can stop malicious traffic before it enters the network and alert the administrator. You can also integrate Suricata with the Linux Netfilter firewall.
In this tutorial, we will be installing and configuring Suricata on an Alibaba Cloud Elastic Compute Service (ECS) Ubuntu 16.04 server.
First, log in to your Alibaba Cloud ECS console. Create a new ECS instance, choosing Ubuntu 16.04 as the operating system with at least 2 GB of RAM. Connect to your ECS instance and log in as the root user.
Once you are logged into your Ubuntu 16.04 instance, run the following command to update your base system with the latest available packages.
apt-get update -y
Before starting, you will need to install some dependencies required by Suricata. You can install all of them by running the following command:
apt-get install libpcre3-dbg libpcre3-dev libnet1-dev libyaml-dev libjansson4 libcap-ng-dev libmagic-dev libjansson-dev zlib1g-dev autoconf automake libnetfilter-queue-dev libnetfilter-queue1 libnfnetlink-dev libtool libpcap-dev -y
After installing all the packages, you can proceed to install Suricata.
First, download the latest version of Suricata from their official website using the following command:
wget https://www.openinfosecfoundation.org/download/suricata-4.0.5.tar.gz
Next, extract the downloaded file with the following command:
tar -xvzf suricata-4.0.5.tar.gz
Next, configure the Suricata build (with NFQUEUE support, so that it can later run inline as an IPS) using the following commands:
cd suricata-4.0.5
./configure --enable-nfqueue --prefix=/usr --sysconfdir=/etc --localstatedir=/var
Output:
To build and install run 'make' and 'make install'.
You can run 'make install-conf' if you want to install initial configuration
files to /etc/suricata/. Running 'make install-full' will install configuration
and rules and provide you a ready-to-run suricata.
To install Suricata into /usr/bin/suricata, have the config in
/etc/suricata and use /var/log/suricata as log dir, use:
./configure --prefix=/usr/ --sysconfdir=/etc/ --localstatedir=/var/
Next, install Suricata with the following command:
make
make install
Output:
Writing /usr/lib/python2.7/site-packages/suricatasc-0.9-py2.7.egg-info
make[3]: Nothing to be done for 'install-data-am'.
make[3]: Leaving directory '/root/suricata-4.0.5/scripts/suricatasc'
make[2]: Leaving directory '/root/suricata-4.0.5/scripts/suricatasc'
make[2]: Entering directory '/root/suricata-4.0.5/scripts'
make[3]: Entering directory '/root/suricata-4.0.5/scripts'
make[3]: Nothing to be done for 'install-exec-am'.
make[3]: Nothing to be done for 'install-data-am'.
make[3]: Leaving directory '/root/suricata-4.0.5/scripts'
make[2]: Leaving directory '/root/suricata-4.0.5/scripts'
make[1]: Leaving directory '/root/suricata-4.0.5/scripts'
Making install in etc
make[1]: Entering directory '/root/suricata-4.0.5/etc'
make[2]: Entering directory '/root/suricata-4.0.5/etc'
make[2]: Nothing to be done for 'install-exec-am'.
make[2]: Nothing to be done for 'install-data-am'.
make[2]: Leaving directory '/root/suricata-4.0.5/etc'
make[1]: Leaving directory '/root/suricata-4.0.5/etc'
make[1]: Entering directory '/root/suricata-4.0.5'
make[2]: Entering directory '/root/suricata-4.0.5'
make[2]: Nothing to be done for 'install-exec-am'.
Run 'make install-conf' if you want to install initial configuration files. Or 'make install-full' to install configuration and rules
make[2]: Leaving directory '/root/suricata-4.0.5'
make[1]: Leaving directory '/root/suricata-4.0.5'
Next, install the Suricata default configuration files with the following command:
make install-conf
You should see the following output:
install -d "/etc/suricata/"
install -d "/var/log/suricata/files"
install -d "/var/log/suricata/certs"
install -d "/var/run/"
install -m 770 -d "/var/run/suricata"
Before starting, you will need to install the Suricata IDS rule sets on your system. You can install them from the Suricata source directory using the following commands:
cd suricata-4.0.5
make install-rules
Output:
install -d "/etc/suricata/rules"
/usr/bin/wget -qO - https://rules.emergingthreats.net/open/suricata-4.0/emerging.rules.tar.gz | tar -x -z -C "/etc/suricata/" -f -
You can now start suricata by running as root something like /usr/bin/suricata -c /etc/suricata//suricata.yaml -i eth0 .
If a library like libhtp.so is not found, you can run suricata with: LD_LIBRARY_PATH=/usr/lib /usr/bin/suricata -c /etc/suricata//suricata.yaml -i eth0 .
While rules are installed now, it's highly recommended to use a rule manager for maintaining rules.
The two most common are Oinkmaster and Pulledpork. For a guide see:
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Rule_Management_with_Oinkmaster
You can list all the installed rules with the following command:
ls /etc/suricata/rules
Output:
app-layer-events.rules emerging-current_events.rules emerging-netbios.rules emerging-voip.rules
botcc.portgrouped.rules emerging-deleted.rules emerging-p2p.rules emerging-web_client.rules
botcc.rules emerging-dns.rules emerging-policy.rules emerging-web_server.rules
BSD-License.txt emerging-dos.rules emerging-pop3.rules emerging-web_specific_apps.rules
ciarmy.rules emerging-exploit.rules emerging-rpc.rules emerging-worm.rules
compromised-ips.txt emerging-ftp.rules emerging-scada.rules gpl-2.0.txt
compromised.rules emerging-games.rules emerging-scan.rules http-events.rules
decoder-events.rules emerging-icmp_info.rules emerging-shellcode.rules LICENSE
dnp3-events.rules emerging-icmp.rules emerging-smtp.rules modbus-events.rules
dns-events.rules emerging-imap.rules emerging-snmp.rules sid-msg.map
drop.rules emerging-inappropriate.rules emerging-sql.rules smtp-events.rules
dshield.rules emerging-info.rules emerging-telnet.rules stream-events.rules
emerging-activex.rules emerging-malware.rules emerging-tftp.rules suricata-4.0-enhanced-open.txt
emerging-attack_response.rules emerging-misc.rules emerging-trojan.rules tls-events.rules
emerging-chat.rules emerging-mobile_malware.rules emerging-user_agents.rules tor.rules
Next, you will need to modify the suricata.yaml file. You can open it with the following command:
nano /etc/suricata/suricata.yaml
Make the following changes as per your requirements (HOME_NET should cover the network you want Suricata to protect, for example the private subnet of your ECS instance):
HOME_NET: "[192.168.0.0/16]"
EXTERNAL_NET: "!$HOME_NET"
Save and close the file, when you are finished.
Next, create your own rule set to test Suricata. These rules will generate an alert in the /var/log/suricata/fast.log file when someone pings the server, attempts an SSH connection, or launches a SYN flood (DoS) against port 80.
nano /etc/suricata/rules/my.rules
Add the following lines:
alert icmp any any -> $HOME_NET any (msg:"ICMP connection attempt"; sid:1000002; rev:1;)
alert tcp any any -> $HOME_NET 22 (msg:"SSH connection attempt"; sid:1000003; rev:1;)
alert tcp any any -> $HOME_NET 80 (msg:"DOS Unusually fast port 80 SYN packets outbound, Potential DOS"; flags: S,12; threshold: type both, track by_dst, count 500, seconds 5; classtype:misc-activity; sid:6;)
Save and close the file.
Next, you will also need to register this rule file in suricata.yaml so that Suricata loads it:
nano /etc/suricata/suricata.yaml
Add the following line inside the rule-files: section:
- my.rules
Save and close the file.
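The three rules above follow the same header/options layout that every Suricata signature uses. The following Python rule linter is an added example, not code from this article or from the Suricata project: it parses each rule into its header fields and options, and then checks the things that most often bite when writing local rules (missing msg, missing or duplicate sid, missing rev). The sample input is the my.rules file from above; the threshold of 1000000 for local sids is the conventional reserved range for user-written rules and is assumed here, not something the article states. The hypothetical helpers parse_rule and lint_rules are defined in the block itself.

```python
import re

# Header: action proto src sport direction dst dport, followed by the options in parentheses.
RULE_RE = re.compile(
    r'^(?P<action>alert|drop|pass|reject)\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$'
)

# Options are separated by ';'. A literal ';' inside a quoted value must be escaped as '\;'
# in Suricata syntax, so splitting on unescaped semicolons is safe.
OPT_SPLIT_RE = re.compile(r'(?<!\\);')

# Assumption: sids below 1000000 are used by distributed rule sets (for example
# Emerging Threats); local rules conventionally use 1000000 and above.
LOCAL_SID_MIN = 1000000

# Sample input: the my.rules file written in the article above.
MY_RULES = """\
alert icmp any any -> $HOME_NET any (msg:"ICMP connection attempt"; sid:1000002; rev:1;)
alert tcp any any -> $HOME_NET 22 (msg:"SSH connection attempt"; sid:1000003; rev:1;)
alert tcp any any -> $HOME_NET 80 (msg:"DOS Unusually fast port 80 SYN packets outbound, Potential DOS"; flags: S,12; threshold: type both, track by_dst, count 500, seconds 5; classtype:misc-activity; sid:6;)
"""


def parse_rule(line):
    """Return a dict with the header fields and an 'options' dict, or None if the line is not a rule."""
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    rule = m.groupdict()
    options = {}
    for opt in OPT_SPLIT_RE.split(rule.pop('opts')):
        opt = opt.strip()
        if not opt:
            continue
        key, _, value = opt.partition(':')   # keywords without a value (e.g. nocase) get ''
        options[key.strip()] = value.strip().strip('"')
    rule['options'] = options
    return rule


def lint_rules(text):
    """Return a list of (line_number, problem) tuples for a rules file body."""
    problems = []
    seen_sids = {}
    for number, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith('#'):
            continue                                  # blank line or comment
        rule = parse_rule(line)
        if rule is None:
            problems.append((number, 'unparseable rule'))
            continue
        options = rule['options']
        if 'msg' not in options:
            problems.append((number, 'missing msg'))
        if not options.get('sid', '').isdigit():
            problems.append((number, 'missing or non-numeric sid'))
            continue
        sid = int(options['sid'])
        if sid in seen_sids:
            problems.append((number, f'duplicate sid {sid} (first used on line {seen_sids[sid]})'))
        seen_sids[sid] = number
        if sid < LOCAL_SID_MIN:
            problems.append((number, f'sid {sid} is below {LOCAL_SID_MIN}; local rules should use '
                                     f'{LOCAL_SID_MIN}+ to avoid colliding with distributed rule sets'))
        if 'rev' not in options:
            problems.append((number, 'missing rev (bump it whenever the rule changes)'))
    return problems


if __name__ == '__main__':
    for number, problem in lint_rules(MY_RULES):
        print(f'my.rules:{number}: {problem}')
```

Run against the article's rules, the linter accepts the ICMP and SSH rules and reports two findings for the SYN flood rule: its sid of 6 sits in the range used by distributed rule sets, and it has no rev. Both are worth fixing before the rule leaves a test box, because a colliding sid makes alerts ambiguous and a missing rev makes later rule edits invisible in the log.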
Next, you will need to turn off packet offload features on the NIC that Suricata is listening on, so that Suricata sees packets as they appear on the wire rather than merged by the NIC. You can do this with the following commands:
ethtool -K eth0 tso off
ethtool -K eth0 tx off
ethtool -K eth0 gro off
Finally, run the Suricata in live mode with the following command:
/usr/bin/suricata -D -c /etc/suricata/suricata.yaml -i eth0
Suricata IDS is now up and listening on the interface eth0. It's time to perform intrusion detection.
To test Suricata, you will need to install some tools on the remote machine.
On the remote machine, install the hping3, nmap and nikto tools with the following command:
apt-get install nikto hping3 nmap -y
From the remote machine, perform a SYN flood against the Suricata server with the following command:
hping3 -S 192.168.0.100 -p 80 --flood
On the Suricata server, check the log with the following command:
tail -f /var/log/suricata/fast.log
You should get something like this:
10/26/2018-12:24:52.146740 [**] [1:6:0] DOS Unusually fast port 80 SYN packets outbound, Potential DOS [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.168.0.104:2545 -> 192.168.0.100:80
10/26/2018-12:24:55.516790 [**] [1:6:0] DOS Unusually fast port 80 SYN packets outbound, Potential DOS [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.168.0.104:42629 -> 192.168.0.100:80
From the remote machine, perform an Nmap scan against the Suricata server with the following command:
nmap -sS -v -n -A 192.168.0.100 -T4
On the Suricata server, check the log with the following command:
tail -f /var/log/suricata/fast.log
You should see something like this:
10/26/2018-12:34:29.048872 [**] [1:1000002:1] ICMP connection attempt [**] [Classification: (null)] [Priority: 3] {ICMP} 192.168.0.104:8 -> 192.168.0.100:9
10/26/2018-12:34:29.048954 [**] [1:1000002:1] ICMP connection attempt [**] [Classification: (null)] [Priority: 3] {ICMP} 192.168.0.100:0 -> 192.168.0.104:9
10/26/2018-12:34:29.073931 [**] [1:1000002:1] ICMP connection attempt [**] [Classification: (null)] [Priority: 3] {ICMP} 192.168.0.104:8 -> 192.168.0.100:0
Next, perform an SSH connection attempt from the remote machine:
ssh 192.168.0.100
On the Suricata server, check the log with the following command:
tail -f /var/log/suricata/fast.log
You should see the following output:
10/26/2018-13:35:32.971883 [**] [1:1000003:1] SSH connection attempt [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.0.104:60367 -> 192.168.0.100:22
From the remote machine, run a Nikto web scan against the Suricata server with the following command:
nikto -h 192.168.0.100 -C all
On the Suricata server, check the log with the following command:
tail -f /var/log/suricata/fast.log
Output:
10/26/2018-11:09:34.392428 [**] [1:2024364:3] ET SCAN Possible Nmap User-Agent Observed [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.0.104:43459 -> 192.168.0.100:80
10/26/2018-11:09:34.516266 [**] [1:2024364:3] ET SCAN Possible Nmap User-Agent Observed [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.0.104:43464 -> 192.168.0.100:80
10/26/2018-11:09:34.623732 [**] [1:2024364:3] ET SCAN Possible Nmap User-Agent Observed [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.0.104:43466 -> 192.168.0.100:80
10/26/2018-11:09:34.949076 [**] [1:2024364:3] ET SCAN Possible Nmap User-Agent Observed [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.0.104:43467 -> 192.168.0.100:80
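Reading fast.log with tail is fine for a demo, but on a real sensor you will want to turn these lines into structured records and aggregate them. The following Python script is an added example, not code from this article or from Suricata: it parses the fast.log line format shown in the outputs above (timestamp, [gid:sid:rev], message, classification, priority, protocol, source and destination), counts alerts per source and signature, and flags sources that trigger the same signature repeatedly within a short window. The input is the alert lines from this article's outputs gathered into one string; the window and count thresholds, and the helper names parse_fast_log, count_by_source and bursts, are my own choices.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Sample input: the fast.log lines shown in the article, collected into one file body.
SAMPLE_FAST_LOG = """\
10/26/2018-12:24:52.146740 [**] [1:6:0] DOS Unusually fast port 80 SYN packets outbound, Potential DOS [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.168.0.104:2545 -> 192.168.0.100:80
10/26/2018-12:24:55.516790 [**] [1:6:0] DOS Unusually fast port 80 SYN packets outbound, Potential DOS [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.168.0.104:42629 -> 192.168.0.100:80
10/26/2018-12:34:29.048872 [**] [1:1000002:1] ICMP connection attempt [**] [Classification: (null)] [Priority: 3] {ICMP} 192.168.0.104:8 -> 192.168.0.100:9
10/26/2018-12:34:29.048954 [**] [1:1000002:1] ICMP connection attempt [**] [Classification: (null)] [Priority: 3] {ICMP} 192.168.0.100:0 -> 192.168.0.104:9
10/26/2018-12:34:29.073931 [**] [1:1000002:1] ICMP connection attempt [**] [Classification: (null)] [Priority: 3] {ICMP} 192.168.0.104:8 -> 192.168.0.100:0
10/26/2018-13:35:32.971883 [**] [1:1000003:1] SSH connection attempt [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.0.104:60367 -> 192.168.0.100:22
10/26/2018-11:09:34.392428 [**] [1:2024364:3] ET SCAN Possible Nmap User-Agent Observed [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.0.104:43459 -> 192.168.0.100:80
10/26/2018-11:09:34.516266 [**] [1:2024364:3] ET SCAN Possible Nmap User-Agent Observed [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.0.104:43464 -> 192.168.0.100:80
10/26/2018-11:09:34.623732 [**] [1:2024364:3] ET SCAN Possible Nmap User-Agent Observed [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.0.104:43466 -> 192.168.0.100:80
10/26/2018-11:09:34.949076 [**] [1:2024364:3] ET SCAN Possible Nmap User-Agent Observed [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.0.104:43467 -> 192.168.0.100:80
"""

# One fast.log line. For ICMP the "ports" are the ICMP type and code, so they are kept as strings.
FAST_RE = re.compile(
    r'^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+'
    r'\[Classification:\s*(?P<cls>[^\]]*)\]\s+\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>[^}]+)\}\s+'
    r'(?P<src>[^\s:]+):(?P<sport>\d+)\s+->\s+(?P<dst>[^\s:]+):(?P<dport>\d+)\s*$'
)


def parse_fast_log(text):
    """Parse fast.log text into a list of alert dicts; lines that do not match are skipped."""
    alerts = []
    for line in text.splitlines():
        m = FAST_RE.match(line)
        if not m:
            continue
        alert = m.groupdict()
        alert['ts'] = datetime.strptime(alert['ts'], '%m/%d/%Y-%H:%M:%S.%f')
        for key in ('gid', 'sid', 'rev', 'prio'):
            alert[key] = int(alert[key])
        alerts.append(alert)
    return alerts


def count_by_source(alerts):
    """Count alerts per (source IP, sid): the first thing an analyst asks of a noisy fast.log."""
    return Counter((a['src'], a['sid']) for a in alerts)


def bursts(alerts, window_seconds, min_count):
    """Return sorted (source IP, sid) pairs that fired at least min_count times within window_seconds.

    This is a sliding window over the sorted timestamps of each pair, the same idea as the
    'threshold' keyword in the article's SYN flood rule, applied after the fact to the log.
    """
    times_by_key = defaultdict(list)
    for a in alerts:
        times_by_key[(a['src'], a['sid'])].append(a['ts'])
    hits = []
    for key, times in times_by_key.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1                     # drop alerts that fell out of the window
            if end - start + 1 >= min_count:
                hits.append(key)
                break
    return sorted(hits)


if __name__ == '__main__':
    alerts = parse_fast_log(SAMPLE_FAST_LOG)
    for (src, sid), n in count_by_source(alerts).most_common():
        print(f'{src:15} sid {sid:<8} {n} alerts')
    print('bursty sources:', bursts(alerts, window_seconds=1.0, min_count=3))
```

On the article's output the four "ET SCAN Possible Nmap User-Agent Observed" alerts from 192.168.0.104 arrive within about half a second, so that source and sid is the only pair reported as a burst at three alerts per second; the two SYN flood alerts are three seconds apart and the ICMP alerts are split between two source addresses, so neither crosses the threshold. On a production sensor the same parsing is better done from eve.json, which Suricata writes as one JSON object per event, but the aggregation logic is identical.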