Hardware
Laptop : Lenovo ThinkPad X201s Type 5397-G9B
Processor : Intel Core i7 CPU L640 @ 2.13GHz (2-core with 4 HT)
Memory : 8GB DDR3 RAM
Storage : AData SX900 512GB SSD
Software
Operating System : Ubuntu Desktop 12.04 LTS x86_64
Intrusion Prevention System : Suricata 1.4 (inline mode)
Introduction
Suricata is an Open Source Next Generation Intrusion Detection and Prevention Engine. This engine is not intended to just replace or emulate the existing tools in the industry, but will bring new ideas and technologies to the field.
There is an Ubuntu PPA of Suricata for Ubuntu 10.04 to 13.04, and Ubuntu 13.04 also includes Suricata in its own repositories. Those packages are built with IPS mode through NFQUEUE enabled. Suricata also supports nVidia CUDA, but that requires recompiling the source code with the suitable parameter.
Suricata can be installed not only on servers but also on desktops and laptops. It performs quite well even on an Intel Atom ITX machine.
For the features, please read here for details.
Installation
Step 0 :
This step is for SSDs only; because it moves /tmp, /var/spool and /var/log into RAM (tmpfs), make sure you have enough memory. Note that a tmpfs /var/log, including /var/log/suricata, is emptied on every reboot, so Suricata's alert and HTTP logs do not survive a restart unless you copy them elsewhere.
sudo nano /etc/fstab
Add the following mount options to the "/" entry (or to "/home" and "/", or alike) : discard,noatime,nodiratime
To make it look like :
UUID=99f0925f-badc-4939 .... -7df6eca0c720 / ext4 discard,noatime,nodiratime,errors=remount-ro 0 1
Then, add the following :
tmpfs /tmp tmpfs defaults,noatime,mode=1777 0 0
tmpfs /var/spool tmpfs defaults,noatime,mode=1777 0 0
tmpfs /var/log tmpfs defaults,noatime,mode=0755 0 0
tmpfs /var/log/suricata tmpfs defaults,noatime,mode=0755 0 0
After that, edit the following :
sudo nano /etc/rc.local
Add the following right before the "exit 0" :
echo deadline > /sys/block/sda/queue/scheduler
echo 1 > /sys/block/sda/queue/iosched/fifo_batch
Step 1 :
sudo add-apt-repository ppa:oisf/suricata-stable
sudo apt-get update
sudo apt-get install suricata htp
Step 2 :
To get the Emerging Threats rules :
cd /etc/suricata/
sudo wget https://rules.emergingthreatspro.com/open/suricata/emerging.rules.tar.gz
sudo tar -xvzf emerging.rules.tar.gz
sudo ln -s /etc/suricata/rules/reference.config /etc/suricata/reference.config
sudo ln -s /etc/suricata/UbuntuPPA-configs/classification.config /etc/suricata/classification.config
sudo cp /etc/suricata/UbuntuPPA-configs/suricata-ppa-1.4-6ubuntu6.yaml /etc/suricata/suricata.yaml
*** Alternatively, you can use the reference.config and classification.config shipped in /etc/suricata/rules.
sudo touch /etc/suricata/threshold.config
Step 3 :
sudo nano /etc/suricata/suricata.yaml
Locate the following lines (they are spread over several sections of the file; the last two are the "drop" entry under outputs:) :
default-log-dir: /usr/local/var/log/suricata/
default-rule-path: /usr/local/etc/suricata/rules
classification-file: /usr/local/etc/suricata/classification.config
reference-config-file: /usr/local/etc/suricata/reference.config
#pid-file: /var/run/suricata.pid
#- rule-reload: true
#threshold-file: /usr/local/etc/suricata/threshold.config
  - drop:
      enable: no
Replace with the following lines :
default-log-dir: /var/log/suricata/
default-rule-path: /etc/suricata/rules
classification-file: /etc/suricata/classification.config
reference-config-file: /etc/suricata/reference.config
pid-file: /var/run/suricata.pid
- rule-reload: true
threshold-file: /etc/suricata/threshold.config   # the file created with touch in Step 2
  - drop:
      enable: yes
To test whether it works :
sudo suricata -c /etc/suricata/suricata.yaml -i eth0
Several minutes later, check /var/log/suricata/stats.log and /var/log/suricata/http.log to see whether entries are being written.
Step 4 :
sudo iptables -A INPUT -j NFQUEUE
sudo iptables -A OUTPUT -j NFQUEUE
sudo iptables -A FORWARD -j NFQUEUE
To test whether it works (note that with the rules above in place, traffic only flows while a Suricata process is attached to queue 0; with no listener, the kernel drops the queued packets) :
sudo suricata -c /etc/suricata/suricata.yaml -q 0
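A small check script for the two log files named above, stats.log and http.log, usable after either the Step 3 (-i eth0) or the Step 4 (-q 0) test run. This is an added example, not code from the original post or from the Suricata project: it assumes the 1.x stats.log layout of one appended dump per stats interval with the columns "Counter | TM Name | Value", and that the per-thread counter decoder.pkts exists; the embedded sample dump is constructed, and the script name post_start_check.sh and the STATS_LOG/HTTP_LOG overrides are assumptions. It sums a counter across threads for the most recent dump only, so the appended history does not inflate the number, and treats a missing file as zero entries.

```shell
#!/bin/sh
# post_start_check.sh -- added example, not part of the original post.
# Verifies that a freshly started Suricata is actually seeing traffic by
# reading the stats.log and http.log paths configured in Step 3.
# Assumes the 1.x stats.log layout "Counter | TM Name | Value", appended
# as one dump per stats interval; the sample below is constructed.

STATS_LOG="${STATS_LOG:-/var/log/suricata/stats.log}"
HTTP_LOG="${HTTP_LOG:-/var/log/suricata/http.log}"

# Number of non-empty lines in a log file (0 if it is missing).
count_entries() {
    [ -r "$1" ] || { echo 0; return; }
    grep -c '[^[:space:]]' "$1" || true
}

# Sum of one counter's Value column over the most recent dump only
# (every dump starts with a "Counter | TM Name | Value" header line).
stats_counter() {
    [ -r "$1" ] || { echo 0; return; }
    awk -F'|' -v want="$2" '
        $1 ~ /^Counter[ \t]/ { sum = 0; next }        # new dump: reset
        NF == 3 {
            k = $1; gsub(/[ \t]/, "", k)
            if (k == want) { v = $3; gsub(/[ \t]/, "", v); sum += v }
        }
        END { print sum + 0 }' "$1"
}

# Returns 0 when the engine has decoded packets and written at least one
# HTTP log line; 1 otherwise.
check_engine() {
    pkts=$(stats_counter "$STATS_LOG" decoder.pkts)
    http=$(count_entries "$HTTP_LOG")
    echo "decoded packets (last dump): $pkts, http.log entries: $http"
    [ "$pkts" -gt 0 ] && [ "$http" -gt 0 ]
}

# Constructed sample: two successive dumps from two decode threads.
write_sample_stats() {
    cat > "$1" <<'EOF'
-------------------------------------------------------------------
Counter                   | TM Name                   | Value
-------------------------------------------------------------------
decoder.pkts              | Decode1                   | 10
decoder.pkts              | Decode2                   | 5
detect.alert              | Detect                    | 0
-------------------------------------------------------------------
Counter                   | TM Name                   | Value
-------------------------------------------------------------------
decoder.pkts              | Decode1                   | 120
decoder.pkts              | Decode2                   | 80
detect.alert              | Detect                    | 2
EOF
}

case "${1:-}" in
    check) check_engine ;;
    demo)  tmp=$(mktemp); write_sample_stats "$tmp"
           echo "sample decoder.pkts (last dump): $(stats_counter "$tmp" decoder.pkts)"   # 200
           rm -f "$tmp" ;;
    "")    ;;                                      # no argument: define functions only
    *)     echo "usage: $0 {check|demo}" >&2; exit 2 ;;
esac
```

Run `sudo sh post_start_check.sh check` a few minutes after starting Suricata; `sh post_start_check.sh demo` parses the constructed sample instead and is safe to run anywhere. A zero packet count with a running engine usually means the capture interface or the NFQUEUE rules are not what you think they are, which is exactly the condition worth catching before moving the rules into /etc/rc.local.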
Step 5 :
sudo apt-get install oinkmaster
sudo nano /etc/oinkmaster.conf
Append the following line :
url = https://rules.emergingthreatspro.com/open/suricata/emerging.rules.tar.gz
sudo oinkmaster -C /etc/oinkmaster.conf -o /etc/suricata/rules
Step 6 :
When everything is working fine, you can put the following in /etc/rc.local, just right above "exit 0" :
iptables -A INPUT -j NFQUEUE --queue-balance 0:3
iptables -A OUTPUT -j NFQUEUE --queue-balance 0:3
iptables -A FORWARD -j NFQUEUE --queue-balance 0:3
/etc/suricata/ips
Then create a file /etc/suricata/ips :
sudo nano /etc/suricata/ips
#!/bin/sh
# start Suricata as a daemon, listening on the four queues used by --queue-balance 0:3
suricata -D -c /etc/suricata/suricata.yaml -q 0 -q 1 -q 2 -q 3
sudo chmod +x /etc/suricata/ips
Then create the update-rules script :
sudo nano /etc/suricata/update-rules
#!/bin/sh
# fetch the latest rules, then ask the running Suricata to reload them (needs rule-reload: true from Step 3)
oinkmaster -C /etc/oinkmaster.conf -o /etc/suricata/rules
kill -USR2 $(pidof suricata)
sudo chmod +x /etc/suricata/update-rules
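A fuller version of the two scripts above, combined into one start/stop/reload wrapper. This is an added example, not code from the original post or from the Suricata project. It derives both the iptables --queue-balance range and the suricata -q arguments from one number, so the two cannot drift apart (a queue with no listener silently drops the traffic balanced onto it), and it orders the steps so that the NFQUEUE rules are only added after Suricata is confirmed running and removed before it is stopped, because NFQUEUE without a listener drops the queued packets by default (iptables' --queue-bypass option changes that). It also refuses to send USR2 when oinkmaster failed, so a broken download cannot trigger a reload of half-written rules. Assumptions: the script name ips-ctl and the QUEUES variable, a 30-second startup wait, and that Suricata in daemon mode writes the pid-file configured in Step 3; the config and pid-file paths are the ones from the post.

```shell
#!/bin/sh
# ips-ctl -- added example, not part of the original post.
# start: launch Suricata, wait for its pid file, then hook traffic into NFQUEUE.
# stop:  unhook traffic first, then stop Suricata.
# reload: fetch rules with oinkmaster and signal a live reload only on success.

QUEUES="${QUEUES:-4}"                      # number of NFQUEUE queues (assumed knob)
CONF=/etc/suricata/suricata.yaml           # path from the post
PIDFILE=/var/run/suricata.pid              # pid-file set in Step 3
OINK_CONF=/etc/oinkmaster.conf             # path from the post
RULE_DIR=/etc/suricata/rules               # path from the post

# "-q 0 -q 1 ... -q N-1" for N queues.
queue_args() {
    n=$1; i=0; out=""
    while [ "$i" -lt "$n" ]; do
        out="$out -q $i"; i=$((i + 1))
    done
    echo "${out# }"
}

# "--queue-balance 0:N-1" for N queues, or "--queue-num 0" for a single queue.
balance_arg() {
    if [ "$1" -gt 1 ]; then echo "--queue-balance 0:$(($1 - 1))"
    else echo "--queue-num 0"; fi
}

# Add (-A) or delete (-D) the three NFQUEUE rules from the post.
nfqueue_rules() {
    for chain in INPUT OUTPUT FORWARD; do
        iptables "$1" "$chain" -j NFQUEUE $(balance_arg "$QUEUES")
    done
}

# 0 when the pid recorded in $PIDFILE belongs to a live process.
suricata_running() {
    [ -r "$PIDFILE" ] && kill -0 "$(cat "$PIDFILE")" 2>/dev/null
}

start() {
    suricata_running && { echo "suricata already running"; return 0; }
    suricata -D -c "$CONF" $(queue_args "$QUEUES") || return 1
    i=0
    until suricata_running || [ "$i" -ge 30 ]; do sleep 1; i=$((i + 1)); done
    suricata_running || { echo "suricata did not start, leaving traffic unhooked" >&2; return 1; }
    nfqueue_rules -A                       # only now is there a listener on every queue
}

stop() {
    nfqueue_rules -D 2>/dev/null           # unhook first so nothing queues to a dying engine
    suricata_running && kill "$(cat "$PIDFILE")"
}

reload() {
    oinkmaster -C "$OINK_CONF" -o "$RULE_DIR" \
        || { echo "rule update failed, keeping the current rule set" >&2; return 1; }
    suricata_running && kill -USR2 "$(cat "$PIDFILE")"
}

case "${1:-}" in
    start)  start ;;
    stop)   stop ;;
    reload) reload ;;
    "")     ;;                             # no argument: define functions only
    *)      echo "usage: $0 {start|stop|reload}" >&2; exit 2 ;;
esac
```

With this in place, /etc/rc.local needs only the single line `/etc/suricata/ips-ctl start`, and the Step 7 update becomes `sudo /etc/suricata/ips-ctl reload`; changing QUEUES to match the core count adjusts both the iptables rules and the suricata command line together.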
Step 7 :
Whenever you want to update the rules, you can :
sudo /etc/suricata/update-rules
That's all! See you.