Suricata is a modern intrusion detection system (IDS). It sniffs your network traffic and logs suspicious packets. Suricata uses Snort-compatible rules, so you get a large rule set for free. Rules are installed automatically with OinkMaster.
This article shows the easy way to install Suricata. We install the package with apt-get, start it as a service and download new rules with OinkMaster.
To follow this tutorial, you must know what you are legally allowed to log and where. You should also be familiar with the command line, daemons, logs and sudo.
Install Suricata
$ sudo apt-get update
$ sudo apt-get -y install suricata
Allow Suricata File Logging and Daemon Start
On the version that ships with Ubuntu 16.04, the daemon does not log anything until the configuration is changed. Enable the “file” output and leave the other settings as they are. The YAML format is extremely picky about spacing and forbids tabs.
$ sudoedit /etc/suricata/suricata-debian.yaml
# ...
outputs:
  - console:
      enabled: no
  - file:
      enabled: yes
      filename: /var/log/suricata/suricata.log
# ...
Allow Suricata to start. The interface setting IFACE is not used with NFQUEUE, which we use here, so you don’t need to change it. Set RUN=yes.
$ sudoedit /etc/default/suricata
RUN=yes
# ...
Restart Suricata with new changes
$ sudo systemctl restart suricata
Download Latest Rules with OinkMaster
$ sudoedit /etc/oinkmaster.conf
url=http://rules.emergingthreats.net/open/suricata/emerging.rules.tar.gz
# ...
$ sudo oinkmaster -o /etc/suricata/rules/
[..]
Downloading file from http://rules.emergingthreats.net/[...]
Restart Suricata to use new rules
$ sudo systemctl restart suricata
Add NFQUEUE Rules to IpTables Firewall
You must persist these rules if you want Suricata to keep working after a reboot. That is left as an exercise for the reader (ufw, iptables-save).
$ sudo iptables -I INPUT -j NFQUEUE
$ sudo iptables -I OUTPUT -j NFQUEUE
Test
$ curl -A BlackSun google.com
$ sudo tail /var/log/suricata/fast.log
[..] ET USER_AGENTS Suspicious User Agent (BlackSun) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} [..]
Did you see your suspicious activity in fast.log?
Well done, you have now set up your own intrusion detection system.
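To make the fast.log check above repeatable, here is an added shell helper (not part of the original post) that summarises distinct alerts by priority and counts how many hits each priority level produced. The sample lines are constructed to mirror the fast.log layout shown above; the SIDs 1000001/1000002 and the addresses are placeholders.

```shell
#!/bin/sh
# Constructed sample of Suricata fast.log lines (not a real capture). The field
# layout mirrors the tail output above:
#   timestamp [**] [gid:sid:rev] message [**] [Classification: ...] [Priority: N] {PROTO} src -> dst
# SIDs 1000001/1000002 and the 203.0.113.0/24 addresses are placeholders.
SAMPLE_FAST_LOG='01/15/2017-12:00:01.000001  [**] [1:1000001:1] ET USER_AGENTS Suspicious User Agent (BlackSun) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.2.15:50000 -> 203.0.113.10:80
01/15/2017-12:00:02.000002  [**] [1:1000002:1] ET POLICY Example policy hit [**] [Classification: Potential Corporate Privacy Violation] [Priority: 2] {TCP} 10.0.2.15:50001 -> 203.0.113.11:443
01/15/2017-12:00:03.000003  [**] [1:1000001:1] ET USER_AGENTS Suspicious User Agent (BlackSun) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.2.15:50002 -> 203.0.113.10:80'

# Read fast.log lines on stdin and print one row per distinct signature:
#   priority|count|message
# sorted so that Priority 1 (most severe) comes first, then by hit count.
summarize_alerts() {
    awk '
    /\[Priority: [0-9]+]/ {
        p = $0; sub(/.*\[Priority: /, "", p); sub(/].*/, "", p)   # priority number
        m = $0
        sub(/^.*\[\*\*] \[[0-9]+:[0-9]+:[0-9]+] /, "", m)         # drop timestamp and gid:sid:rev
        sub(/ \[\*\*].*$/, "", m)                                 # drop classification onwards
        count[p, m]++
    }
    END {
        for (k in count) {
            split(k, f, SUBSEP)
            print f[1] "|" count[k] "|" f[2]
        }
    }' | sort -t '|' -k1,1n -k2,2nr
}

# Count alerts at exactly the given priority (1 is the most severe).
# "|| true" keeps a zero count from being reported as a failure by grep.
count_priority() {
    grep -c "\[Priority: $1\]" || true
}

# Usage on the constructed sample; on a real host use:
#   sudo cat /var/log/suricata/fast.log | summarize_alerts
printf '%s\n' "$SAMPLE_FAST_LOG" | summarize_alerts
```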
Administrivia
Tested with Ubuntu 16.04, using Vagrant and VirtualBox with my own box made from the mini.iso network installer.
For an unknown reason, Vagrant crashed twice when applying these NFQUEUE rules. Fixed it with ‘vagrant reload’. The problem did not persist long enough to debug. Update: NFQUEUE requires a userspace app to accept each packet. If the userspace app goes down, all network connectivity is lost. Listen mode pcap is a safer alternative, without IPS capability.
At the time of writing, I did not easily find another guide that would install Suricata on Ubuntu with apt-get and run it non-interactively as a service.
Briefly in Finnish: Install the Suricata intrusion detection system straight from the package manager. This guide covers the tools apt-get (package management), OinkMaster (rule fetching, threat detection), systemctl (service/daemon management) and NFQUEUE capture (cf. a sniffer).
Update: added background to nfqueue and pcap.
Hi. Thank you for the post. I am really new at this. I am not certain if it is a better choice than OSSEC. I use ISPConfig 3. OSSEC messes things up. Trying to troubleshoot it. A friend mentioned Suricata and DuckDuckGo brought me here.
I am really curious to know if you think this is a good alternative to OSSEC HIDS.