Building a network-based intrusion detection capability can be done in just 5 minutes. Suricata is a tool developed to monitor network traffic and look for security events that can indicate an attack or compromise.
Suricata is based around the Snort IDS system, with a number of improvements: it performs multi-threaded analysis, natively decodes network streams, and assembles files from network streams on the fly.
To get started in 5 minutes you will need a working Ubuntu Linux host.
sudo apt-get -y install libpcre3 libpcre3-dbg libpcre3-dev \
    build-essential autoconf automake libtool libpcap-dev libnet1-dev \
    libyaml-0-2 libyaml-dev zlib1g zlib1g-dev libcap-ng-dev libcap-ng0 \
    make libmagic-dev
Now grab the latest version of Suricata. Check the download page for the current version number; at the time of writing it is 1.4.6.
wget http://www.openinfosecfoundation.org/download/suricata-1.4.6.tar.gz
tar -xvzf suricata-1.4.6.tar.gz
cd suricata-1.4.6
Now we build the source into a working binary.
./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var
make
sudo make install
sudo ldconfig
We will now manually create the log folder and the config folder, and copy the base configuration files into place.
sudo mkdir /var/log/suricata
sudo mkdir /etc/suricata
sudo cp classification.config /etc/suricata
sudo cp reference.config /etc/suricata
sudo cp suricata.yaml /etc/suricata
Ok, now we have an installed version of Suricata, the Open Source Intrusion Detection System. At this stage we have no rules. Emerging Threats is a repository for Snort and Suricata rules; you also have the option of getting the VRT rules from Snort. The VRT rules require registration, which would blow our 5 minute timeline, so we will stick with the freely accessible ET rules.
wget http://rules.emergingthreats.net/open/suricata/emerging.rules.tar.gz
tar zxvf emerging.rules.tar.gz
cp -r rules /etc/suricata/
As noted on the Suricata wiki, you should configure your internal / external networks (HOME_NET and EXTERNAL_NET) to make the rules and your analysis more accurate. However, for now we will just fire up Suricata on our
sudo suricata -c /etc/suricata/suricata.yaml -i wlan0
/var/log/suricata/ for log files and alerts. The fast.log is a good one to watch as it contains your interesting alerts.
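Once alerts start landing in fast.log you will want more than `tail -f`. The following is an added example, not part of the original post or of Suricata itself: a small Python parser for the fast.log line format (timestamp, [**], [gid:sid:rev], message, optional classification, priority, protocol and endpoints) run over a few constructed sample lines, summarising alerts by priority, signature and source address. The signature IDs, messages and addresses in the sample are made up; only the line layout is Suricata's.

```python
import re
from collections import Counter

# Constructed sample fast.log content (sids, messages and addresses are invented).
SAMPLE_FAST_LOG = """\
10/05/2013-14:22:01.123456  [**] [1:1000001:2] TEST Example web scan [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.1.20:49152 -> 192.168.1.10:80
10/05/2013-14:22:03.654321  [**] [1:1000001:2] TEST Example web scan [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.1.20:49153 -> 192.168.1.10:80
10/05/2013-14:22:09.000001  [**] [1:1000002:1] TEST Example ping sweep [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 192.168.1.20 -> 192.168.1.11
10/05/2013-14:23:15.777777  [**] [1:1000003:1] TEST Example no classtype [**] [Priority: 3] {UDP} 10.0.0.5:5353 -> 224.0.0.251:5353
this line is not a fast.log alert and must be skipped
"""

# One fast.log alert per line. The Classification field is absent when the rule has no classtype.
FAST_LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<classification>[^\]]*)\]\s+)?"
    r"\[Priority:\s+(?P<priority>\d+)\]\s+"
    r"\{(?P<proto>[^}]+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)$"
)

def split_endpoint(endpoint):
    """'ip:port' -> (ip, port); a bare IPv4 address (e.g. ICMP) -> (ip, None)."""
    host, sep, port = endpoint.rpartition(":")
    return (host, int(port)) if sep else (endpoint, None)

def parse_fast_log_line(line):
    """Return a dict for an alert line, or None for anything that is not an alert."""
    m = FAST_LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("gid", "sid", "rev", "priority"):
        rec[key] = int(rec[key])
    rec["src_ip"], rec["src_port"] = split_endpoint(rec.pop("src"))
    rec["dst_ip"], rec["dst_port"] = split_endpoint(rec.pop("dst"))
    return rec

def summarize(text):
    """Aggregate fast.log text into counts by priority, signature and source host."""
    alerts = [a for a in map(parse_fast_log_line, text.splitlines()) if a]
    return {
        "total": len(alerts),
        "by_priority": Counter(a["priority"] for a in alerts),
        "by_signature": Counter((a["sid"], a["msg"]) for a in alerts),
        "top_sources": Counter(a["src_ip"] for a in alerts),
    }

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_FAST_LOG).items():
        print(key, dict(value) if isinstance(value, Counter) else value)
```

Point `summarize` at the contents of /var/log/suricata/fast.log instead of the sample to get a quick triage view of which signatures and hosts are generating the noise.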
Read a .pcap
Rather than running in real time against your selected interface, you can also easily run it over captured pcaps. This is good for testing, or for moving captures from a live host to your test setup. Use the -r option in place of the
In fact there are a number of pcaps available online, captured during capture-the-flag events or during real attacks, which contain all sorts of malicious traffic for those wanting to learn about analysis of nasty traffic.
Discover more with Security Onion
As you can see from the steps above, it is not that difficult to get a simple install of Suricata up and running. If you are new to security monitoring, you have really just stuck your head into the rabbit hole. This is powerful software; if you would like to keep things simple and see how deep the rabbit hole goes, I suggest taking a look at Security Onion, an amazing collection of open source security monitoring software. There are tutorial videos, training courses and good documentation available for those wanting to dive into the rabbit hole. Have fun!