Samiux's Blog

Open Source is a great idea and it has changed the world! Open Source forever ....

While you do not know attack, how can you know about defense? (未知攻,焉知防?)

Do BAD things .... for the RIGHT reasons -- OWASP ZAP

It is easier to port a shell than a shell script. -- Larry Wall

Most of you are familiar with the virtues of a programmer. There are three, of course: laziness, impatience, and hubris. -- Larry Wall

为天地立心，为生民立命，为往圣继绝学，为万世开太平。 -- 王炜

Friday, January 18, 2013

HOWTO : Suricata on Ubuntu 12.04 LTS Server

Suricata is an Open Source Next Generation Intrusion Detection and Prevention Engine. This engine is not intended to just replace or emulate the existing tools in the industry, but will bring new ideas and technologies to the field.

There is an Ubuntu PPA of Suricata for Ubuntu 10.04 to 13.04 and the Ubuntu 13.04 is included Suricata in her repositories too. Meanwhile, those packages have IPS mode through NFQUEUE enabled. In addition, Suricata supports nVidia CUDA which requires to recompile the source code with suitable parameter.

Suricata not only can installed on servers but also on desktops and laptops. It performs quiet well on an Intel Atom ITX machine.

For the features, please read here for details.

The following is a basic and general setup of Suricata. For more advanced settings, please refer to the Reference below.

Step 1 :

sudo apt-get install python-software-properties

sudo add-apt-repository ppa:oisf/suricata-stable

sudo apt-get update

sudo apt-get install suricata htp

Step 2 :

To get the Emerging Threats rules :

cd /etc/suricata/



sudo wget https://rules.emergingthreatspro.com/open/suricata/emerging.rules.tar.gz



sudo tar -xvzf emerging.rules.tar.gz



sudo ln -s /etc/suricata/rules/reference.config /etc/suricata/reference.config



sudo ln -s /etc/suricata/UbuntuPPA-configs/classification.config /etc/suricata/classification.config



sudo cp /etc/suricata/UbuntuPPA-configs/suricata-ppa-1.4-6ubuntu6.yaml /etc/suricata/suricata.yaml

*** You can use reference.config and classification.config at /etc/suricata/rules.

sudo mkdir /var/log/suricata

sudo touch /etc/suricata/threshold.config

Step 3 :

sudo nano /etc/suricata/suricata.yaml

Locate the following lines :

default-log-dir: /usr/local/var/log/suricata/

default-rule-path: /usr/local/etc/suricata/rules

classification-file: /usr/local/etc/suricata/classification.config

reference-config-file: /usr/local/etc/suricata/reference.config

#pid-file: /var/run/suricata.pid

#- rule-reload: true

#threshold-file: /usr/local/etc/suricata/threshold.config



- drop

 enable: no

Replace with the following lines :

default-log-dir: /var/log/suricata/

default-rule-path: /etc/suricata/rules

classification-file: /etc/suricata/classification.config

reference-config-file: /etc/suricata/reference.config

pid-file: /var/run/suricata.pid

- rule-reload: true

threshold-file: /usr/local/etc/suricata/threshold.config



- drop

 enable: yes

To test if it work or not :

sudo suricata -c /etc/suricata/suricata.yaml -i eth0

Several minutes later, check the /var/log/suricata/stats.log and /var/log/suricata/http.log to see if there are some entries or not.

Step 4 :

sudo iptables -A INPUT -j NFQUEUE

sudo iptables -A OUTPUT -j NFQUEUE

sudo iptables -A FORWARD -j NFQUEUE

To test if it work or not :

sudo suricata -c /etc/suricata/suricata.yaml -q 0

Step 5 :

sudo apt-get install oinkmaster

sudo nano /etc/oinkmaster.conf

Append the following line :

url = https://rules.emergingthreatspro.com/open/suricata/emerging.rules.tar.gz

sudo oinkmaster -C /etc/oinkmaster.conf -o /etc/suricata/rules

Step 6 :

When everything is working fine, you can put them in the /etc/rc.local just right above "exit 0" :

#iptables -F

iptables -A INPUT -j NFQUEUE

iptables -A OUTPUT -j NFQUEUE

iptables -A FORWARD -j NFQUEUE

/etc/suricata/ips

Then create a file /etc/suricata/ips :

sudo nano /etc/suricata/ips
suricata -D -c /etc/suricata/suricata.yaml -q 0
oinkmaster -C /etc/oinkmaster.conf -o /etc/suricata/rules
kill -USR2 `pidof suricata`

chmod +x /etc/suricata/ips

Then you can write a cron job to update Emerging Threats Rules everyday.

sudo crontab -e

Append the following :

@daily /etc/suricata/update-rules

Then create the update-rule

sudo nano /etc/suricata/update-rules

oinkmaster -C /etc/oinkmaster.conf -o /etc/suricata/rules
kill -USR2 `pidof suricata`

sudo chmod +x /etc/suricata/update-rules

Remarks :

If you want to create a user-interface for the IPS, you can refer to the "Reference" item [12].

If the Suricata acts as IPS gateway, it requires to bridge 2 NICs and 1 NIC for management purpose. In addition, you need to do some changes on the configure files.

If you have 4-cores CPU, you need to change the settings as the following :

iptables -A INPUT -j NFQUEUE --queue-balance 0:3

iptables -A OUTPUT -j NFQUEUE --queue-balance 0:3

iptables -A FORWARD -j NFQUEUE --queue-balance 0:3

suricata -D -c /etc/suricata/suricata.yaml -q 0 -q 1 -q 2 -q 3

Reference

[1] OISF - Open Information Security Foundation
[2] Ubuntu PPA
[3] Suricata - Features
[4] Suricata Rules
[5] Rules reload
[6] Rule Management with Oinkmaster
[7] SmoothSec 2.1 (Suricata IDS distribution)
[8] Setting up IPS/inline for Linux
[9] Installation with CUDA on Ubuntu Server
[10] Suricata, Snorby and Barnyard2 setup guide
[11] Kill process in Linux or terminate a process in UNIX or Linux systems
[12] Installing Snorby on Ubuntu 12.04
[13] Suricata.yaml
[14] Suricata IPS information
[15] Suricata - Windows
[16] Suricata - Mac OSX
[17] Suricata - FreeBSD

That's all! See you.