Building a network-based intrusion detection capability can be done in just 5 minutes.
Install Suricata to monitor network traffic and look for security events that can indicate an attack or compromise.
Introduction
Suricata is compatible with the Snort rule language, but it is an independent engine with a number of improvements: it performs multi-threaded analysis, natively decodes application-layer protocols out of reassembled network streams, and can extract files from those streams on the fly.
To install in 5 minutes you will need a working Ubuntu Linux host. Start by installing the build dependencies:
sudo apt update
sudo apt-get install libpcre3-dbg libpcre3-dev autoconf automake libtool libpcap-dev libnet1-dev libyaml-dev libjansson4 libcap-ng-dev libmagic-dev libjansson-dev zlib1g-dev pkg-config rustc cargo
The latest version is 5.0, released in October 2019. Improvements in this version include RDP / SNMP / SIP protocol parsers, JA3S integration, and improved protocol detection.
Get version 5.0.0 using wget as shown below, or go to the download page and check for the latest release. Verify the tarball against the checksum or signature published on the download page before building it.
wget https://www.openinfosecfoundation.org/download/suricata-5.0.0.tar.gz
tar -xvzf suricata-5.0.0.tar.gz
cd suricata-5.0.0
Install Suricata from Source
Without IPS functionality (Intrusion Detection Only)
./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var
Suricata with IPS (Intrusion Prevention)
To enable Suricata's Intrusion Prevention System (IPS) mode you need a few additional packages. In IPS mode Suricata sits inline: the kernel hands packets to it through an NFQUEUE iptables/nftables target, and Suricata returns an accept or drop verdict for each packet, so rules with a drop action block the traffic instead of only alerting. Note that Suricata does not add firewall rules itself; you still have to add the NFQUEUE rule to your firewall to send traffic through it.
sudo apt install libnetfilter-queue-dev libnetfilter-queue1 libnfnetlink-dev
Configure with --enable-nfqueue and build:
./configure --enable-nfqueue --prefix=/usr --sysconfdir=/etc --localstatedir=/var
Now continue the regular build from source process.
make
sudo make install
sudo make install-conf
The final step generates the default configuration files, including suricata.yaml.
Install Ubuntu Packages
Rather than installing from source, installation and updates can be simplified by using the Suricata Ubuntu packages from the OISF PPA:
sudo add-apt-repository ppa:oisf/suricata-stable
sudo apt update
sudo apt install suricata
Getting Started - Initial Configuration
Suricata is a signature-based Intrusion Detection System, so the next step is to get the rules.
Emerging Threats (ET) is a repository of Snort and Suricata rules, and the ET Open ruleset is freely available. You also have the option of getting the VRT rules from Snort (Cisco Talos), but those require (free) registration, which would affect our 5-minute timeline, so we will stick with the freely accessible ET Open rules.
Suricata 5.0 also ships with the suricata-update tool, which can fetch and manage the ET Open rules for you; the manual download below is the quickest way to get going.
wget http://rules.emergingthreats.net/open/suricata/emerging.rules.tar.gz
tar zxvf emerging.rules.tar.gz
sudo mkdir /var/lib/suricata/
sudo mv rules /var/lib/suricata/
Install locations and files of interest:
/etc/suricata/                 <--- Configuration files (suricata.yaml)
/var/lib/suricata/rules/       <--- Rules (the default-rule-path set in suricata.yaml)
/var/log/suricata/             <--- Log files
/var/log/suricata/fast.log     <--- One line per triggered rule
/var/log/suricata/eve.json     <--- All events (alerts, DNS, HTTP, TLS, flows) as JSON
Check the /etc/suricata/suricata.yaml file for additional configuration.
First, ensure that your local network is listed in HOME_NET, as this tells the rules which traffic is local and which is external; with a wrong HOME_NET many rules will never match.
Next, enable your rules of choice. For our purposes I enabled /var/lib/suricata/rules/emerging-exploit.rules: edit suricata.yaml and find
default-rule-path: /var/lib/suricata/rules
rule-files:
  - emerging-exploit.rules
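As an added illustration (not taken from the original post), this is what the relevant parts of suricata.yaml look like once HOME_NET is set and the exploit rules are enabled. The 192.168.1.0/24 range is an assumption for the lab in this post; put your own network(s) there.

```yaml
# suricata.yaml fragments (added example; the address range is an assumed lab network)
vars:
  address-groups:
    # everything you consider "inside"; rules use $HOME_NET / $EXTERNAL_NET
    HOME_NET: "[192.168.1.0/24]"
    EXTERNAL_NET: "!$HOME_NET"

default-rule-path: /var/lib/suricata/rules
rule-files:
  - emerging-exploit.rules
```

After editing, `sudo suricata -T -c /etc/suricata/suricata.yaml -v` validates the configuration and loads the rules without capturing any traffic, so a YAML typo or a rule that fails to parse shows up here rather than when you start the sensor.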
Now let's try running Suricata against a test pcap. For this test I found a pcap of the popular ETERNALBLUE exploit (MS17-010) from the Shadow Brokers / NSA episode. You could just as easily trigger Suricata alerts with Metasploit in your lab.
test@server:~$ sudo suricata -c /etc/suricata/suricata.yaml -r ~/eternalblue.pcap
test@server:~$ cat /var/log/suricata/fast.log
06/01/2018-12:54:07.506233 [**] [1:2024297:2] ET EXPLOIT ETERNALBLUE Exploit M2 MS17-010 [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.1.100:1096 -> 192.168.1.99:445
The command above ran Suricata in standalone (offline) mode: it loaded the rules enabled in suricata.yaml (-c) and inspected the pcap I had downloaded (-r) instead of a live interface.
The fast.log entry contains a good amount of information:
- Timestamp (taken from the pcap, not the wall clock)
- [gid:sid:rev], here [1:2024297:2]: the sid 2024297 is the identifier of the rule, rev its revision
- Rule message (the description of what matched)
- Classification and priority (1 is the most severe)
- Protocol, in curly braces
- Source -> Destination, as address:port
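Reading fast.log by eye works for one alert, not for a busy sensor. The following is an added example (not code from the original post or from the Suricata project): a small POSIX shell/awk parser that turns fast.log lines into tab-separated fields and then summarises them. The three sample lines are constructed for this example; the first two reuse the ETERNALBLUE alert shown above, the third is a made-up local rule (sid 1000001), not a real ET signature.

```shell
#!/bin/sh
# Added example: parse Suricata fast.log lines into tab-separated fields.
# Not code from the original post. The sample lines below are constructed;
# the third line uses a made-up local rule (sid 1000001).

SAMPLE_FAST_LOG=$(cat <<'EOF'
06/01/2018-12:54:07.506233  [**] [1:2024297:2] ET EXPLOIT ETERNALBLUE Exploit M2 MS17-010 [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.1.100:1096 -> 192.168.1.99:445
06/01/2018-12:54:09.118802  [**] [1:2024297:2] ET EXPLOIT ETERNALBLUE Exploit M2 MS17-010 [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.1.100:1097 -> 192.168.1.99:445
06/01/2018-12:55:30.000123  [**] [1:1000001:1] LOCAL TEST constructed alert [**] [Classification: Misc activity] [Priority: 3] {UDP} 192.168.1.50:53412 -> 192.168.1.1:53
EOF
)

# Read fast.log lines on stdin; print one tab-separated record per alert:
# timestamp, sid, rev, message, classification, priority, proto, src, dst
parse_fast_log() {
    awk '
    {
        line = $0
        ts = $1
        # gid:sid:rev sits in the first "[**] [g:s:r]" block; skip malformed lines
        if (match(line, /\[\*\*\] +\[[0-9]+:[0-9]+:[0-9]+\] /) == 0) { next }
        ids = substr(line, RSTART, RLENGTH)
        sub(/^\[\*\*\] +\[/, "", ids)
        sub(/\] $/, "", ids)
        split(ids, g, ":")
        rest = substr(line, RSTART + RLENGTH)
        # the rule message runs up to the closing " [**]"
        i = index(rest, " [**]")
        if (i == 0) { next }
        msg = substr(rest, 1, i - 1)
        rest = substr(rest, i + 5)
        cls = ""; pri = ""; proto = ""
        if (match(rest, /\[Classification: [^]]*\]/)) { cls = substr(rest, RSTART + 17, RLENGTH - 18) }
        if (match(rest, /\[Priority: [0-9]+\]/)) { pri = substr(rest, RSTART + 11, RLENGTH - 12) }
        if (match(rest, /\{[A-Za-z0-9]+\}/)) { proto = substr(rest, RSTART + 1, RLENGTH - 2) }
        # the line ends with "src -> dst"
        n = split(rest, f, " ")
        src = f[n - 2]; dst = f[n]
        printf "%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n", ts, g[2], g[3], msg, cls, pri, proto, src, dst
    }'
}

# Read parsed records on stdin; print the distinct sids that fired at priority 1,
# i.e. the alerts to look at first.
priority_one_sids() {
    awk -F'\t' '$6 == "1" { print $2 }' | sort -u
}

# Read parsed records on stdin; print "sid<TAB>count" per rule, sorted by sid.
count_by_sid() {
    awk -F'\t' '{ c[$2]++ } END { for (s in c) printf "%s\t%d\n", s, c[s] }' | sort
}

# Stand-alone run over the constructed sample: full records, then the summaries.
printf '%s\n' "$SAMPLE_FAST_LOG" | parse_fast_log
printf '%s\n' "$SAMPLE_FAST_LOG" | parse_fast_log | priority_one_sids
printf '%s\n' "$SAMPLE_FAST_LOG" | parse_fast_log | count_by_sid
```

Point it at the real file with `parse_fast_log < /var/log/suricata/fast.log`. For anything beyond a quick look, read eve.json instead: it carries the same alert fields as structured JSON plus the flow and protocol metadata that fast.log leaves out.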
The other option is, of course, to run Suricata live against a network interface on your host (replace eth0 with the name of the interface you want to monitor; capturing requires root or the CAP_NET_RAW capability):
sudo suricata -c /etc/suricata/suricata.yaml -i eth0
Check out /var/log/suricata/ for log files and alerts. The fast.log is a good one to watch as it contains your interesting alerts. Fire up Metasploit or your tool of choice and start throwing exploits.
Discover more with Security Onion
As you can see from the steps above, it is not difficult to get a simple install of Suricata up and running.
If you are new to security monitoring, you have just stuck your head into the rabbit hole, as this is powerful software.
If you wish to keep things simple but are willing to see how deep the rabbit hole goes, I suggest taking a look at Security Onion, an amazing collection of open source security monitoring software that bundles Suricata with the tooling around it. There are tutorial videos, training courses, and good documentation available for those wanting to dive deeper down the rabbit hole. Have fun!