Suricata IDS on Ubuntu – Easily with apt-get, oinkmaster and systemctl

Suricata is a modern intrusion detection system (IDS). It sniffs your network traffic and logs suspicious packets. Suricata uses Snort rules, so you can have a lot of them for free. Rules are installed automatically with OinkMaster.
This article shows the easy way to install Suricata. We install the package with apt-get, start it as a service and download new rules with OinkMaster.

To follow this tutorial, you must know what you are legally allowed to log and where. Also, you should be familiar with command line, daemons, logs and sudo.

Install Suricata

$ sudo apt-get update
$ sudo apt-get -y install suricata

Allow Suricata File Logging and Daemon Start

Daemon does not log anything without changes on the version that comes with Ubuntu 16.04. Enable “file” output. Leave other settings as they are. Yaml format is extremely picky about spaces, and forbids tabs.

$ sudoedit /etc/suricata/suricata-debian.yaml
# ...
 - console:
   enabled: no
 - file:
   enabled: yes
   filename: /var/log/suricata/suricata.log
# ...

Allow suricata to start. Interface setting IFACE is not used with NFQUEUE we use here, so you don’t need to change it. Set RUN=yes.

$ sudoedit /etc/default/suricata
# ...

Restart Suricata with new changes

$ sudo systemctl restart suricata

Download Latest Rules with OinkMaster

$ sudoedit /etc/oinkmaster.conf
# ...
$ sudo oinkmaster -o /etc/suricata/rules/
[..] Downloading file from[...]

Restart Suricata to use new rules

$ sudo systemctl restart suricata

Add NFQUEUE Rules to IpTables Firewall

You must persist these rules if you want suricata to work after boot. It’s left as an exercise for the reader (ufw, iptables-save).

$ sudo iptables -I INPUT -j NFQUEUE
$ sudo iptables -I OUTPUT -j NFQUEUE


$ curl -A BlackSun
$ sudo tail /var/log/suricata/fast.log
[..] ET USER_AGENTS Suspicious User Agent (BlackSun) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} [..]

Did you see your suspicious activity in fast.log?
Well done, you have now set up your own intrusion detection system.


Tested with Ubuntu 16.04, using Vagrant and VirtualBox with my own box made out of mini.iso network installer.
For unknown reason, vagrant crashed twice when applying these NFQUEUE rules. Fixed it with ‘vagrant reload’. The problem did not persist long enough to debug. Update: NFQUEUE requires a userspace app to accept each packet. If user space app goes down, all network connectivity is lost. Listenmode pcap is a safer alternative without IPS capability.
At the time of writing, I did not easily find another guide that would install Suricata on Ubuntu with apt-get and run it non-interactively as a service.
Briefly in Finnish: Asenna Suricata tunketumisenhavaitsemisjärjestelmä suoraan paketinhallnnasta. Tämä opas neuvoo työkaluilla apt-get paketinhallinta, OinkMaster (sääntöjen haku, uhkien tunnistus), systemctl palveluiden (demonien) hallinta ja NFQUEUE kuuntelu (vrt. snifferi).
Update: added background to nfqueue and pcap.

Posted in Uncategorized | 1 Comment

One Response to Suricata IDS on Ubuntu – Easily with apt-get, oinkmaster and systemctl

  1. Yousof says:

    Hi. Thank you for the post. I am really new at this. I am not certain if it is a better choice than OSSEC. I use ISPConfig 3. OSSEC messes things up. Trying ot troubleshoot it. A friend mentioned Suricata and DuckDuckGo brought me here.
    I am really curious to know if you think this is a good alternative to OSSEC HIDS.