
Suricata installation

Suricata may be available as a package in your distribution's default repository. However, to make sure you get the latest version, install it directly from the Suricata project's official Personal Package Archive (PPA) repository:

sudo add-apt-repository ppa:oisf/suricata-stable   # Ubuntu-specific step
sudo apt-get update


Install Suricata through the package manager:

sudo apt-get install suricata

Should the installation confirmation menu for the libhyperscan4 library appear, simply answer 'Yes' and continue.

Installing from source:

Alternatively, Suricata can be downloaded and compiled from its source code. This is a more granular process that gives you more control, and it ensures the latest version is installed. Before proceeding, install the following dependencies:

sudo apt-get -y install libpcre3 libpcre3-dbg libpcre3-dev build-essential autoconf automake libtool libpcap-dev libnet1-dev libyaml-0-2 libyaml-dev zlib1g zlib1g-dev libcap-ng-dev libcap-ng0 make libmagic-dev libjansson-dev libjansson4 pkg-config

If you want IPS capability, also install the following dependencies:

sudo apt-get -y install libnetfilter-queue-dev libnetfilter-queue1 libnfnetlink-dev libnfnetlink0

The next step is to download the latest Suricata source archive and extract it:

wget "http://www.openinfosecfoundation.org/download/suricata-current.tar.gz"  

tar -xvzf "suricata-current.tar.gz" 

Now install the suricata-update Python tool. You also need to create a symbolic link from /usr/local/bin/suricata-update to /usr/bin/suricata-update so that Suricata can find it:

sudo apt install python-pip
sudo pip install suricata-update
sudo ln -s /usr/local/bin/suricata-update /usr/bin/suricata-update

Now compile and install Suricata (adjust the version number accordingly):

cd suricata-5.0.1
./configure --enable-nfqueue --prefix=/usr --sysconfdir=/etc --localstatedir=/var
make
sudo make install-full

Configuration:

The main configuration file is /etc/suricata/suricata.yaml.

In this file you need to configure three basic variables before Suricata is deployed:

HOME_NET --> the network that Suricata should protect.

EXTERNAL_NET --> the external network.

af-packet interface --> the name of the interface on which the home network IP block is configured. For example, if the home network IP block is 192.168.1.0/24 and the interface name is enp10s9, this means the home network 192.168.1.0/24 is configured on the enp10s9 interface.


Log:

Suricata keeps all network events and its own health-related logs under the /var/log/suricata directory. Various log files in different formats can be found there, such as eve.json, suricata.log and fast.log. These log files can be processed by third-party software for better visualisation and report generation. eve.json contains network-related logs in a detailed format (EVE: Extensible Event Format). fast.log contains one line per alert, which is convenient for tools such as grep and awk. Suricata health logs, service messages and console messages are stored in the suricata.log file.
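As an added example (not part of the original post), the following Python script reads eve.json line by line, keeps only the alert records and summarises them per rule with the distinct source addresses seen. The sample lines are constructed (addresses from the documentation ranges, sids from the rules quoted in this post); the field names follow Suricata's EVE alert record (event_type, src_ip, dest_ip, alert.signature_id, alert.signature, alert.action).

```python
import json

def _alert(src, sport, dst, dport, action, sid, rev, sig):
    # Build a constructed EVE alert record using Suricata's field names
    return json.dumps({"timestamp": "2019-10-08T20:02:34.000001+0000", "event_type": "alert",
                       "src_ip": src, "src_port": sport, "dest_ip": dst, "dest_port": dport,
                       "proto": "TCP", "alert": {"action": action, "gid": 1, "signature_id": sid,
                                                 "rev": rev, "signature": sig,
                                                 "category": "Misc activity", "severity": 3}})

# Constructed sample of /var/log/suricata/eve.json: one JSON object per line, mixed
# event types, and a final line cut short as happens when the file is read mid-write.
MYSQL_SIG = "ET SCAN Suspicious inbound to mySQL port 3306"
SAMPLE_EVE = "\n".join([
    '{"timestamp": "2019-10-08T20:02:33.000001+0000", "event_type": "flow", '
    '"src_ip": "192.168.1.10", "dest_ip": "203.0.113.7", "proto": "TCP"}',
    _alert("203.0.113.7", 40001, "192.168.1.10", 3306, "allowed", 2010937, 3, MYSQL_SIG),
    _alert("203.0.113.8", 40002, "192.168.1.10", 3306, "allowed", 2010937, 3, MYSQL_SIG),
    _alert("198.51.100.4", 50000, "192.168.1.20", 23, "blocked", 1252152, 1, "Telnet conn to port 23"),
    '{"timestamp": "2019-10-08T20:02:37.000001+0000", "event_type": "al',
])

def iter_alerts(text):
    """Yield alert records from EVE text, skipping other event types and unparsable lines."""
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue                      # truncated line: skip it rather than abort the run
        if event.get("event_type") == "alert":
            yield event

def summarize_alerts(text):
    """Per (sid, signature): hit count, how many were blocked, and the distinct source IPs."""
    summary = {}
    for event in iter_alerts(text):
        alert = event["alert"]
        entry = summary.setdefault((alert["signature_id"], alert["signature"]),
                                   {"count": 0, "blocked": 0, "src_ips": set()})
        entry["count"] += 1
        entry["blocked"] += int(alert.get("action") == "blocked")
        entry["src_ips"].add(event["src_ip"])
    return summary

if __name__ == "__main__":
    for (sid, sig), e in sorted(summarize_alerts(SAMPLE_EVE).items(), key=lambda i: -i[1]["count"]):
        print(f"sid {sid} {sig!r}: {e['count']} hits, {e['blocked']} blocked, "
              f"from {', '.join(sorted(e['src_ips']))}")
```

To run it against a real file, pass the contents of /var/log/suricata/eve.json to summarize_alerts instead of SAMPLE_EVE.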


Rule:

A rule consists of three parts: action, header and rule options.

The action says what happens to a packet if it matches the rule.

Suricata will perform one of the following rule actions:

pass --> the packet is allowed without generating an alert.

alert --> the packet is allowed and an alert is generated.

drop --> the packet is immediately dropped and logged.

reject --> works the same as drop, but in addition both sender and receiver receive a reject packet.


The header part says which protocol the rule applies to, such as tcp, udp or icmp. Suricata also supports many application-layer protocols such as dns, http, https, tls, ftp, dhcp, smtp and ssh.

After the protocol comes the IP and port. The IP can be given as a single IP, a range of IPs, or a variable such as $HOME_NET. After the IP comes the port, which can be given as any or as a specific port.

"Source IP" "Source port" -> "Destination IP" "Destination port"

or

$EXTERNAL_NET any -> $HOME_NET 23

The <> sign can be used to match both directions.


The last part of the rule contains the options, written as key:value pairs, or as just the key when the keyword takes no value. Options are separated by semicolons and enclosed as a whole in parentheses.

Rule options include msg, sid, rev and others.

sid: a unique ID assigned to each rule.

rev: the revision number, incremented by one each time the rule is updated.

Some examples:

(msg:"Suspicious connection to port 20001"; sid:1252152; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 3306 (msg:"ET SCAN Suspicious inbound to mySQL port 3306"; flow:to_server; flags:S; threshold: type limit, count 5, seconds 60, track by_src; metadata: former_category POLICY; reference:url,doc.emergingthreats.net/2010937; classtype:bad-unknown; sid:2010937; rev:3; metadata:created_at 2010_07_30, updated_at 2018_03_27;) 
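As an added example that is not part of the original post, the following Python code splits a rule into the three parts just described (action, header, options) and checks that msg, sid and rev are present. It parses the two rules quoted in this post; escaped quotes inside a msg are not handled.

```python
import re   # the two rules below are copies of the rules quoted in this post
MYSQL_SCAN_RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 3306 (msg:"ET SCAN Suspicious inbound '
                   'to mySQL port 3306"; flow:to_server; flags:S; threshold: type limit, count 5, '
                   'seconds 60, track by_src; metadata: former_category POLICY; '
                   'reference:url,doc.emergingthreats.net/2010937; classtype:bad-unknown; '
                   'sid:2010937; rev:3; metadata:created_at 2010_07_30, updated_at 2018_03_27;)')
TELNET_RULE = 'alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"Telnet conn to port 23"; sid:1252152; rev:1;)'

# action, then the header (proto src sport direction dst dport), then "(options)"
HEADER_RE = re.compile(
    r'^\s*(?P<action>pass|alert|drop|reject)\s+(?P<proto>\S+)\s+'
    r'(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+'
    r'(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$')

def split_options(body):
    """Split the option body on ';' outside double quotes (a msg may itself contain ';')."""
    parts, cur, in_quote = [], [], False
    for ch in body:
        in_quote ^= (ch == '"')
        if ch == ';' and not in_quote:
            parts.append(''.join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    tail = ''.join(cur).strip()
    return parts + [tail] if tail else parts

def parse_rule(line):
    """Return the action, the header fields and the ordered (keyword, value) option list."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not a Suricata rule: " + line)
    options = []
    for part in split_options(m.group('opts')):
        key, _, value = part.partition(':')
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]                          # msg:"text" -> text
        options.append((key.strip(), value or None))     # keyword-only options (nocase;) get None
    rule = {k: m.group(k) for k in ('action', 'proto', 'src', 'sport', 'dir', 'dst', 'dport')}
    rule['options'] = options
    return rule

def option(rule, key):
    """First value for an option keyword (metadata may repeat), or None if absent."""
    return next((v for k, v in rule['options'] if k == key), None)

def lint_rule(rule):
    # Every rule should carry msg, sid and rev so alerts are identifiable and updates traceable
    return ["missing " + k for k in ('msg', 'sid', 'rev') if option(rule, k) is None]
```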

 

Writing and activating rules:

Suricata rules are stored in the /var/lib/suricata/rules directory, which should contain a file called suricata.rules. Do not confuse this with the /etc/suricata/rules directory, which holds Suricata's out-of-the-box rules.

If you create a rule file, say telnet.rules, containing the following rule:

alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"Telnet conn to port 23"; sid:1252152; rev:1;)

then you need to add this file to the rule-files section of /etc/suricata/suricata.yaml. The rule will then be loaded at startup.

 

Updating rules:

suricata-update is a command (a Python tool) which updates the local rule set (/var/lib/suricata/rules/suricata.rules) from remotely configured sources. In a new installation no additional sources are configured, so with the default source Suricata only downloads the Emerging Threats rule set and places it under /var/lib/suricata/rules/suricata.rules. This directory is the designated directory for active rule management; do not confuse it with /etc/suricata/rules, which holds Suricata's out-of-the-box rules.

The Emerging Threats rule set is an actively maintained rule set written by experts to equip Suricata with the latest threat knowledge so that it can protect your network. It is therefore good practice to make sure a freshly installed Suricata is always equipped with the latest Emerging Threats rule set.

A rule set update can be run by simply typing the command suricata-update without any additional parameters. This initiates a download of the latest version and writes the rules to /var/lib/suricata/rules/suricata.rules.

root@suricata:~# suricata-update
8/10/2019 -- 20:02:33 - <Info> -- No sources configured, will use Emerging Threats Open
8/10/2019 -- 20:02:33 - <Info> -- Fetching https://rules.emergingthreats.net/open/suricata-4.1.5/emerging.rules.tar.gz.
100% - 2424445/2424445
8/10/2019 -- 20:02:39 - <Info> -- Creating directory /var/lib/suricata/rules.
8/10/2019 -- 20:02:39 - <Info> -- Writing rules to /var/lib/suricata/rules/suricata.rules: total: 25511; enabled: 20473; added: 25511; removed 0; modified: 0

 

Adding additional remote sources:

The first step in configuring additional sources for suricata-update is checking what sources are available. That can only be done by obtaining the master index from the Open Information Security Foundation hosts:

suricata-update update-sources

Once you’ve obtained the master index, review what is available:

suricata-update list-sources

To enable a ruleset from the index, enter:

suricata-update enable-source <name>

It is also possible to add a remote source from a URL in the case that it’s not provided in the index:

suricata-update add-source <name> <url>

Similarly, to disable rules use:

suricata-update remove-source <name>

To see which rulesets are currently active, use:

suricata-update list-enabled-sources
 

Automatically updating rulesets:

It is absolutely crucial to keep rulesets up-to-date at all times so that Suricata is able to detect emerging network threats. This is similar to how anti-virus software automatically updates its signature database in order to detect the newest threats.

A simple cron job that executes suricata-update daily will suffice. To do that, enter crontab -e and add the following line:

0 0 * * * suricata-update
 

Reloading rulesets:

Suricata loads rules only at service startup, which means that any later modifications to the rules will not take effect. However, it is possible to send a signal to Suricata to trigger a live ruleset reload without interrupting IPS/IDS operations. This is done by sending the signal USR2 to the process ID of the running Suricata instance:

kill -USR2 $(pidof suricata)

When the above command returns no output, it is an indication that the signal was successfully sent to the running Suricata instance. The /var/log/suricata/suricata.log file is a great place to look for confirmation that the rules were successfully loaded:

8/10/2019 -- 21:22:15 - <Notice> - rule reload starting
8/10/2019 -- 21:22:23 - <Info> - 1 rule files processed. 20473 rules successfully loaded, 0 rules failed
8/10/2019 -- 21:22:23 - <Info> - Threshold config parsed: 0 rule(s) found
8/10/2019 -- 21:22:23 - <Info> - 20476 signatures processed. 1197 are IP-only rules, 4846 are inspecting packet payload, 16281 inspect application layer, 103 are decoder event only
8/10/2019 -- 21:22:31 - <Info> - cleaning up signature grouping structure... complete
8/10/2019 -- 21:22:31 - <Notice> - rule reload complete 

We previously added a cron job that executes suricata-update daily so that existing rulesets are updated. However, the crontab entry must be modified so that the updated rules are also reloaded into Suricata. To do this, enter crontab -e and run the reload command right after the update:

0 0 * * * /usr/bin/suricata-update && kill -USR2 $(pidof suricata) > /dev/null 2>&1

https://kifarunix.com/install-and-setup-suricata-on-ubuntu-18-04/

 

Avi
