How to Install Suricata on Ubuntu Server 22.04 for Optimal Network Security

Suricata is a high-performance, open-source network analysis and threat detection engine with features such as alerting, automatic protocol detection, Lua scripting, and industry-standard output formats. It runs on Ubuntu Server 22.04, giving you robust intrusion detection capabilities on that platform.

Translated from Ubuntu Linux: Install the Suricata Intrusion Detection System, by Jack Wallen.

Intrusion detection systems (IDS) are crucial for monitoring network traffic and inspecting malicious activity. If your server is Linux-based, you have numerous options, one of which is Suricata.

Suricata is a high-performance, open-source network analysis and threat detection software used by numerous private and public organizations, with features including alerts, automatic protocol detection, Lua scripting, and industry-standard outputs. It offers six operational modes:

  • Intrusion Detection System (Default)
  • Intrusion Prevention System
  • Network Security Monitoring System
  • Full Packet Capture
  • Conditional PCAP Capture
  • Firewall

Most users opt for the default mode, which combines IDS and network security monitoring, so alerts are enriched with protocol, flow, file transaction/extraction, and anomaly metadata, alongside the flow logs themselves. You can learn more about Suricata on the official website.

Suricata can be installed and used for free.

What I aim to do is guide you through the process of installing this IDS on Ubuntu Server 22.04.

What You Need for Ubuntu Server 22.04

To get Suricata up and running, you’ll need an operational Ubuntu Server 22.04 instance and a user with sudo privileges. That’s it… let’s get to work.

Install Necessary Dependencies for Ubuntu Server 22.04

The first thing to do is install the necessary dependencies. Log in to your Ubuntu server and use the following command to install these packages:

sudo apt install autoconf automake build-essential cargo cbindgen libjansson-dev libpcap-dev libcap-ng-dev libmagic-dev liblz4-dev libpcre2-dev libtool libyaml-dev make pkg-config rustc zlib1g-dev -y

Once the above command completes, you can proceed.

Download and Extract the Source Code for Ubuntu Server 22.04

Next, we can download and extract the Suricata source code. Use the following command to download the compressed archive file:

wget https://www.openinfosecfoundation.org/download/suricata-7.0.6.tar.gz

You might need to visit the Suricata download page to ensure you’re getting the latest version.

Use the following command to extract the file:

tar xvzf suricata-7.0.6.tar.gz

The above command will create a new folder named suricata-7.0.6.

Build and Install the Package

We can now build the package. Use the following command to switch to the newly created directory:

cd suricata-7.0.6

Within that directory, run the configure script with the following command:

./configure --enable-nfqueue --prefix=/usr --sysconfdir=/etc --localstatedir=/var

The configure step takes about a minute to complete. Then build and install the package using the following command:

sudo make && sudo make install-full

The installation process will take 5-10 minutes, depending on your hardware speed.

Another way to install Suricata is through a PPA repository. Add the repository using the following command:

sudo add-apt-repository ppa:oisf/suricata-stable

Update apt with the following command:

sudo apt-get update

Install Suricata using the following command:

sudo apt-get install suricata -y

Note: I prefer using the PPA method for installation as it adds a systemd startup file for easier service control.

Start the Service

Once installed, start the service using the following command:

sudo systemctl enable --now suricata

Configure Suricata

It’s time to configure Suricata. Open the configuration file with the following command:

sudo nano /etc/suricata/suricata.yaml

I assume you will use Suricata on your LAN. For this, look for the line starting with HOME_NET. On that line, you need to configure your subnet (e.g., 192.168.1.0/16).

Next, look for the af-packet section. Below it, you’ll see - interface: eth0. You need to change eth0 to your network interface name (this can be found with the ip a command).

Once done, enable live rule reloading by adding the following content at the bottom of the configuration file:

detect-engine:
  - rule-reload: true

Save and close the file.
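Before editing suricata.yaml, it helps to work out the exact values you will type in. The following script is an added helper (not part of the original article or the Suricata project): it normalises the prefixes you intend to put in HOME_NET (so an entry such as 192.168.1.0/16 is shown as the /16 it actually covers, 192.168.0.0/16), builds the value in the bracketed list syntax suricata.yaml uses, pulls the interface name out of `ip -o route get` output so that eth0 can be replaced with the real device, and prints the three settings touched above. The route output embedded in it is a constructed sample; nothing here writes to /etc/suricata.

```shell
#!/bin/sh
# Added helper for the HOME_NET / af-packet configuration step (not from the
# article). It only prints values for review; it never edits suricata.yaml.

# cidr_network A.B.C.D/N -> prints the canonical network address for that
# prefix with the host bits cleared, e.g. 192.168.1.0/16 -> 192.168.0.0/16.
cidr_network() {
  prefix=${1#*/}
  set -- $(printf '%s' "${1%/*}" | tr '.' ' ')
  addr=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
  mask=$(( (4294967295 << (32 - prefix)) & 4294967295 ))
  net=$(( addr & mask ))
  printf '%d.%d.%d.%d/%d\n' \
    $(( (net >> 24) & 255 )) $(( (net >> 16) & 255 )) \
    $(( (net >> 8) & 255 ))  $(( net & 255 )) "$prefix"
}

# home_net_value CIDR... -> prints the HOME_NET value in Suricata's
# bracketed, comma-separated list form, each prefix canonicalised.
home_net_value() {
  out=""
  for c in "$@"; do
    n=$(cidr_network "$c")
    out="${out:+$out,}$n"
  done
  printf '"[%s]"\n' "$out"
}

# route_dev -> reads `ip -o route get <addr>` output on stdin and prints the
# word after "dev", i.e. the interface Suricata should listen on. The field
# order varies between kernels, so we look for the keyword, not a column.
route_dev() {
  awk '{ for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# config_fragment HOME_NET_VALUE IFACE -> prints the three suricata.yaml
# settings the article changes, for review before editing the real file.
config_fragment() {
  printf 'vars:\n  address-groups:\n    HOME_NET: %s\n\n' "$1"
  printf 'af-packet:\n  - interface: %s\n\n' "$2"
  printf 'detect-engine:\n  - rule-reload: true\n'
}

# Constructed sample of `ip -o route get 1.1.1.1` output (not captured from
# a real host); the interface name enp0s3 is an assumption.
SAMPLE_ROUTE='1.1.1.1 via 192.168.1.1 dev enp0s3 src 192.168.1.50 uid 1000'

hn=$(home_net_value 192.168.1.0/16 10.0.0.0/8)
dev=$(printf '%s\n' "$SAMPLE_ROUTE" | route_dev)
config_fragment "$hn" "$dev"
# On your own host, use the live route instead of the sample:
#   dev=$(ip -o route get 1.1.1.1 | route_dev)
```

Copy the printed HOME_NET and interface values into the matching lines of /etc/suricata/suricata.yaml rather than appending the whole fragment; vars and af-packet already exist in the shipped file, and a duplicate top-level key is an easy way to end up with a configuration that `suricata -T` rejects.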

Update Suricata Rules

After configuration, update the Suricata ruleset with the following command:

sudo suricata-update

Run Suricata

Now it’s time to test Suricata. With the rules updated, validate the configuration and ruleset using the following command:

sudo suricata -T -c /etc/suricata/suricata.yaml -v

You should not receive any error messages, and the test will conclude with the following:

Note: suricata: The provided configuration successfully loaded. Exiting.

Restart the service using the following command:

sudo systemctl restart suricata

Testing Suricata

Let’s conduct a quick test using a request that is designed to trigger a known test alert. Log in to the server from a second terminal (or tab). In the first window, issue the following command:

tail -f /var/log/suricata/fast.log

In the second terminal, issue the following command:

curl http://testmynids.org/uid/index.html

In the first window, you should see an output similar to:

09/04/2024-17:44:43.767928 [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 2600:9000:24d7:6c00:0018:30b3:e400:93a1:80 -> 2600:1700:6d90:f6b0:0000:0000:0000:001c:35524

Suricata captured the test alert.
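When tail -f scrolls faster than you can read, or when you want a quick triage of a day’s fast.log, a small filter is handy. The script below is an added example (not from the article or from the Suricata project): an awk filter that turns fast.log lines into "sid priority src -> dst" records, keeping only alerts at or above a chosen priority (Suricata priorities count down, so 1 is the most severe), plus a per-SID count. The sample log it runs on consists of the alert line shown above plus two constructed lines; the SID 9000001 and the addresses in those lines are made up.

```shell
#!/bin/sh
# Added example for the fast.log test (not part of the article): parse
# fast.log lines and keep the alerts worth looking at first.

# high_priority_alerts MAXPRIO -> reads fast.log lines on stdin and prints
# "<sid> <priority> <src> -> <dst>" for alerts whose priority <= MAXPRIO.
high_priority_alerts() {
  awk -v maxprio="$1" '
    # [gid:sid:rev] identifies the rule; the sid is the middle number
    match($0, /\[[0-9]+:[0-9]+:[0-9]+\]/) {
      split(substr($0, RSTART + 1, RLENGTH - 2), id, ":")
      sid = id[2]
      prio = "?"
      if (match($0, /\[Priority: [0-9]+\]/))
        prio = substr($0, RSTART + 11, RLENGTH - 12)
      # the flow tuple follows the "{PROTO} " marker
      flow = substr($0, index($0, "} ") + 2)
      split(flow, ep, " -> ")
      if (prio != "?" && prio + 0 <= maxprio)
        print sid, prio, ep[1], "->", ep[2]
    }'
}

# alert_count_by_sid -> reads fast.log lines on stdin and prints
# "<count> <sid>" pairs, most frequent rule first.
alert_count_by_sid() {
  awk 'match($0, /\[[0-9]+:[0-9]+:[0-9]+\]/) {
         split(substr($0, RSTART + 1, RLENGTH - 2), id, ":"); n[id[2]]++
       }
       END { for (s in n) print n[s], s }' | sort -rn
}

# Sample fast.log content: line 1 is the alert from the article; lines 2
# and 3 are constructed (SID 9000001 and the 203.0.113.10 address are
# made up for the example).
SAMPLE_FAST_LOG='09/04/2024-17:44:43.767928 [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 2600:9000:24d7:6c00:0018:30b3:e400:93a1:80 -> 2600:1700:6d90:f6b0:0000:0000:0000:001c:35524
09/04/2024-17:45:02.000000 [**] [1:9000001:1] CONSTRUCTED sample low priority alert [**] [Classification: Not Suspicious Traffic] [Priority: 3] {UDP} 192.168.1.20:5353 -> 224.0.0.251:5353
09/04/2024-17:45:30.000000 [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.10:80 -> 192.168.1.20:41000'

echo "== priority 2 and above =="
printf '%s\n' "$SAMPLE_FAST_LOG" | high_priority_alerts 2
echo "== alerts per rule =="
printf '%s\n' "$SAMPLE_FAST_LOG" | alert_count_by_sid
# On a live host, point the functions at the real log:
#   sudo tail -f /var/log/suricata/fast.log | high_priority_alerts 2
```

The filter keys on the [gid:sid:rev] and [Priority: N] brackets rather than on fixed columns, because the rule message between them may contain spaces and brackets of its own. For anything beyond a quick look, prefer eve.json, which carries the same alerts as structured records.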

Now that you have Suricata up and running (and successfully tested), consider reviewing Suricata rules’ official documentation, which can help you take full advantage of this free, open-source intrusion detection system. Suricata is a rather complex system to use, so I recommend reading through the official documentation to gain a better understanding of how it works.

If you prefer managing Suricata with a GUI, I suggest looking into IDS Tower.

Article shared from the author’s personal site/blog via the Tencent Cloud Media Synchronization and Exposure Plan. Originally published: 2024-10-14.