
Install Suricata on Ubuntu 18.04 in 5 minutes

Building a network-based intrusion detection capability can be done in just 5 minutes.

Install Suricata to monitor network traffic and look for security events that can indicate an attack or compromise.


Introduction

Suricata is based around the Snort IDS system, with a number of improvements. Suricata performs multi-threaded analysis, natively decodes network streams, and assembles files from network streams on the fly.

To install in 5 minutes you will need a working Ubuntu Linux host.

sudo apt update
sudo apt-get install libpcre3-dbg libpcre3-dev autoconf automake libtool libpcap-dev libnet1-dev libyaml-dev libjansson4 libcap-ng-dev libmagic-dev libjansson-dev zlib1g-dev pkg-config rustc cargo

The latest version is 5.0, released in October 2019. Improvements in this release include RDP / SNMP / SIP protocol parsers, JA3S integration, and improved protocol detection.

Get version 5.0.0 using wget as shown below or go to the download page and check the latest.

wget https://www.openinfosecfoundation.org/download/suricata-5.0.0.tar.gz
tar -xvzf suricata-5.0.0.tar.gz
cd suricata-5.0.0

Install Suricata from Source

Without IPS functionality (Intrusion Detection Only)

./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var

Suricata with IPS (Intrusion Prevention)

To enable the Intrusion Prevention System (IPS) of Suricata, you need a few additional packages. The IPS feature allows the system to add firewall rules dynamically to block detected attacks.

sudo apt install libnetfilter-queue-dev libnetfilter-queue1 libnfnetlink-dev

Configure with --enable-nfqueue and build!

./configure --enable-nfqueue --prefix=/usr --sysconfdir=/etc --localstatedir=/var

Now continue the regular build-from-source process.

make 
sudo make install
sudo make install-conf

The final step installs the default configuration files, including suricata.yaml, into /etc/suricata.

Install Ubuntu Packages

Rather than building from source, installation and later updates can be simplified by using the Suricata Ubuntu packages from the OISF PPA.

sudo add-apt-repository ppa:oisf/suricata-stable
sudo apt update
sudo apt install suricata

Getting Started - Initial Configuration

Suricata is a signature-based Intrusion Detection System, so the next step is to get the rules.

Emerging Threats is a repository for Snort and Suricata rules. You also have the option of getting the VRT rules from Snort (Cisco). The VRT rules require (free) registration, which would affect our 5-minute timeline, so we will stick with the freely accessible ET rules.

wget http://rules.emergingthreats.net/open/suricata/emerging.rules.tar.gz
tar zxvf emerging.rules.tar.gz
sudo mkdir /var/lib/suricata/
sudo mv rules /var/lib/suricata/

Install locations and files of interest:

/etc/suricata/   <--- Configuration Files
/etc/suricata/rules/  <--- Rules
/var/log/suricata/    <--- Log Files
/var/log/suricata/fast.log   <--- Log file with triggered rules

Check the /etc/suricata/suricata.yaml file for additional configuration.

First, ensure that your local network ranges are listed in the HOME_NET variable, as this is how the rules tell local traffic from external traffic.

Next, enable your rules of choice. For our purposes I enabled the /var/lib/suricata/rules/emerging-exploit.rules file.

Edit suricata.yaml and find:
default-rule-path: /var/lib/suricata/rules

rule-files:
  - emerging-exploit.rules
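A quick way to verify the HOME_NET step before running any rules is to check that the sensor's own addresses actually fall inside the configured address group. The following is an added example written for this article, not code from the original post or from Suricata: it parses the HOME_NET address-group syntax (square brackets, commas, `!` negation, nested groups, `any`) and reports which local addresses would be treated as external. The address-group semantics are modelled on the documented behaviour (an address matches a group when it is inside a non-negated entry and inside no negated entry); the sample local addresses are constructed values.

```python
import ipaddress


def _split_top_level(text):
    """Split an address-group body on commas that are not inside a nested [...]."""
    parts, depth, current = [], 0, []
    for ch in text:
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
        if ch == "," and depth == 0:
            parts.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    tail = "".join(current).strip()
    if tail:
        parts.append(tail)
    return parts


def parse_address_group(expr):
    """Parse a Suricata-style address group such as '[192.168.0.0/16,!10.1.1.1]'
    or 'any' into a tree. Each node carries a 'neg' flag and is either a single
    network, the keyword 'any', or a list of child nodes (a nested group)."""
    expr = expr.strip()
    negated = False
    if expr.startswith("!"):
        negated = True
        expr = expr[1:].strip()
    if expr.startswith("[") and expr.endswith("]"):
        children = [parse_address_group(p) for p in _split_top_level(expr[1:-1])]
        return {"neg": negated, "items": children}
    if expr.lower() == "any":
        return {"neg": negated, "any": True}
    return {"neg": negated, "net": ipaddress.ip_network(expr, strict=False)}


def _contains(node, ip):
    """True if ip falls inside node, ignoring the node's own negation flag.
    Within a group the address must be in at least one non-negated entry
    (a group with only negated entries means 'everything except') and in
    none of the negated entries."""
    if node.get("any"):
        return True
    if "net" in node:
        return ip.version == node["net"].version and ip in node["net"]
    positives = [c for c in node["items"] if not c["neg"]]
    negatives = [c for c in node["items"] if c["neg"]]
    in_positive = not positives or any(_contains(c, ip) for c in positives)
    in_negative = any(_contains(c, ip) for c in negatives)
    return in_positive and not in_negative


def in_home_net(address, home_net):
    """Does a single address count as HOME_NET under the given expression?"""
    return _contains(parse_address_group(home_net), ipaddress.ip_address(address))


def uncovered_addresses(local_addresses, home_net):
    """Return the local addresses HOME_NET does NOT include. Anything listed here
    is treated as external by every rule that keys on $HOME_NET."""
    return [a for a in local_addresses if not in_home_net(a, home_net)]


# HOME_NET value as shipped in the default suricata.yaml, plus constructed
# sample addresses standing in for the sensor's local interfaces.
DEFAULT_HOME_NET = "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
SAMPLE_LOCAL_ADDRESSES = ["192.168.1.99", "10.20.30.40", "100.64.5.6"]  # constructed

if __name__ == "__main__":
    missing = uncovered_addresses(SAMPLE_LOCAL_ADDRESSES, DEFAULT_HOME_NET)
    if missing:
        print("Not covered by HOME_NET, add these ranges to suricata.yaml:", missing)
    else:
        print("All local addresses are inside HOME_NET")
```

Run it with the HOME_NET string copied from your suricata.yaml and the addresses of the interface you will monitor; the 100.64.5.6 sample above is deliberately outside the default ranges so the check has something to report.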

Now let's try running Suricata against a test pcap. In this test, I found a pcap with the popular ETERNALBLUE exploit from the Shadow Brokers / NSA episode. You could just as easily try triggering Suricata alerts with Metasploit in your lab.

test@server:~$ sudo suricata -c /etc/suricata/suricata.yaml -r ~/eternalblue.pcap
test@server:~$ cat /var/log/suricata/fast.log

06/01/2018-12:54:07.506233  [**] [1:2024297:2] ET EXPLOIT ETERNALBLUE Exploit M2 MS17-010 [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.1.100:1096 -> 192.168.1.99:445

The command above ran Suricata in offline mode (-r), loading the rules enabled in suricata.yaml and replaying the downloaded pcap through them.

The fast.log entry contains a good amount of information:

  • Timestamp (taken from the pcap when replaying a file)
  • [gid:sid:rev], the rule identifier; here sid 2024297, revision 2
  • Rule message (description)
  • Classification and priority of the rule
  • Protocol, then source -> destination with ports
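Once a sensor is on a live interface, fast.log grows quickly and the fields above are easier to work with in structured form. The following is an added example written for this article, not code from the original post or from Suricata: it parses fast.log lines with a regular expression matching the layout shown above and aggregates alerts by sid, priority and source host. The first sample line is the alert shown above; the remaining lines are constructed for the example, and sid 9000001 is a placeholder rather than a real rule.

```python
import re
from collections import Counter
from datetime import datetime

# fast.log layout, one alert per line:
#   <timestamp>  [**] [gid:sid:rev] <msg> [**] [Classification: <text>] [Priority: <n>] {<proto>} <src>:<port> -> <dst>:<port>
FAST_LOG_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4}-\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<classification>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<priority>\d+)\]\s+"
    r"\{(?P<proto>[^}]+)\}\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)


def _split_endpoint(endpoint):
    """Split 'ip:port' into (ip, port). Taking the text after the LAST colon
    also handles IPv6 addresses, which fast.log prints without brackets."""
    host, _, port = endpoint.rpartition(":")
    return host, int(port)


def parse_fast_log_line(line):
    """Parse one fast.log alert line into a dict; return None if it does not match."""
    m = FAST_LOG_RE.match(line.strip())
    if not m:
        return None
    src_ip, src_port = _split_endpoint(m["src"])
    dst_ip, dst_port = _split_endpoint(m["dst"])
    return {
        "timestamp": datetime.strptime(m["ts"], "%m/%d/%Y-%H:%M:%S.%f"),
        "gid": int(m["gid"]),
        "sid": int(m["sid"]),
        "rev": int(m["rev"]),
        "msg": m["msg"],
        "classification": m["classification"],
        "priority": int(m["priority"]),
        "proto": m["proto"],
        "src_ip": src_ip, "src_port": src_port,
        "dst_ip": dst_ip, "dst_port": dst_port,
    }


def summarize_alerts(lines):
    """Aggregate alerts per (sid, msg), per priority and per source host, and count
    lines that did not parse so that a log-format change does not go unnoticed."""
    summary = {"total": 0, "unparsed": 0,
               "by_sid": Counter(), "by_priority": Counter(), "by_src": Counter()}
    for line in lines:
        if not line.strip():
            continue
        alert = parse_fast_log_line(line)
        if alert is None:
            summary["unparsed"] += 1
            continue
        summary["total"] += 1
        summary["by_sid"][(alert["sid"], alert["msg"])] += 1
        summary["by_priority"][alert["priority"]] += 1
        summary["by_src"][alert["src_ip"]] += 1
    return summary


# Sample input: line 1 is the alert from the article, the rest are constructed.
SAMPLE_FAST_LOG = """\
06/01/2018-12:54:07.506233  [**] [1:2024297:2] ET EXPLOIT ETERNALBLUE Exploit M2 MS17-010 [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.1.100:1096 -> 192.168.1.99:445
06/01/2018-12:54:08.000000  [**] [1:2024297:2] ET EXPLOIT ETERNALBLUE Exploit M2 MS17-010 [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.1.100:1097 -> 192.168.1.99:445
06/01/2018-12:55:00.123456  [**] [1:9000001:1] LOCAL constructed low-priority test alert [**] [Classification: Not Suspicious Traffic] [Priority: 3] {UDP} 192.168.1.20:53412 -> 192.168.1.1:53
this line is not a fast.log alert and is counted as unparsed
"""

if __name__ == "__main__":
    result = summarize_alerts(SAMPLE_FAST_LOG.splitlines())
    print(f"{result['total']} alerts parsed, {result['unparsed']} unparsed")
    for (sid, msg), n in result["by_sid"].most_common():
        print(f"  sid {sid}: {n}x  {msg}")
    for prio in sorted(result["by_priority"]):
        print(f"  priority {prio}: {result['by_priority'][prio]}")
    for src, n in result["by_src"].most_common(5):
        print(f"  source {src}: {n}")
```

To run it against a real sensor, replace the sample string with `open("/var/log/suricata/fast.log")`; the unparsed counter is worth watching, since a non-zero value usually means the log format or the regular expression needs attention rather than that the traffic was benign.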

The other option is, of course, to run Suricata against the network interface on your host.

sudo suricata -c /etc/suricata/suricata.yaml -i eth0

Check out /var/log/suricata/ for log files and alerts. The fast.log is a good one to watch as it contains your interesting alerts. Fire up Metasploit or your tool of choice and start throwing exploits.

Discover more with Security Onion

As you can see from the steps above, it is not difficult to get a simple install of Suricata up and running.

If you are new to security monitoring, you have just stuck your head into the rabbit hole, as this is powerful software.

If you wish to keep things simple but are willing to see how deep the rabbit hole goes, I suggest taking a look at Security Onion, an amazing collection of open source security monitoring software. There are tutorial videos, training courses, and good documentation available for those wanting to dive deeper down the rabbit hole. Have fun!