Suricata is a high-performance network IDS, IPS and network security monitoring engine. It is open source and owned by a community-run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.
Suricata Features
IDS / IPS
Suricata is a rule-based intrusion detection and prevention engine that makes use of externally developed rule sets to monitor network traffic. It is able to handle multi-gigabit traffic and gives email alerts to the system/network administrators.
Multi-threading
Suricata provides speed and efficiency in network traffic analysis. The engine is developed to take advantage of the increased processing power offered by modern multi-core hardware.
Automatic Protocol Detection
The engine not only provides keywords for TCP, UDP, ICMP and IP, but also has built-in support for HTTP, FTP, TLS and SMB. A system administrator can create their own rules to detect a match within an HTTP stream, which makes the engine well suited to malware detection and control.
Fast IP Matching
The engine takes rules that are pure IP matches, such as those based on the RBN and compromised-IP lists from Emerging Threats, and keeps them in a dedicated fast-matching preprocessor.
Step 1: Installing Suricata in RHEL, CentOS
You must use Fedora's EPEL repository to install some of the packages needed on i386 and x86_64 systems.
EPEL (Extra Packages for Enterprise Linux) is a free, open source, community-based repository project from the Fedora team which provides high quality add-on software packages for Linux distributions including RHEL (Red Hat Enterprise Linux), CentOS and Scientific Linux. The EPEL project is not part of RHEL/CentOS, but it is designed for those major Linux distributions and provides many open source packages for networking, system administration, programming, monitoring and so on. Most of the EPEL packages are maintained in the Fedora repositories.
Enable EPEL Repository in RHEL/CentOS 6/5
First, download the release file using wget and then install it using rpm to enable the EPEL repository on your system. Use the links below according to your Linux OS version. (You must be the root user.)
For RHEL/CentOS 6 32-64 Bit
## RHEL/CentOS 6 32-Bit ##
# wget http://download.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm
# rpm -ivh epel-release-6-8.noarch.rpm
## RHEL/CentOS 6 64-Bit ##
# wget http://download.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
# rpm -ivh epel-release-6-8.noarch.rpm
For RHEL/CentOS 5 32-64 Bit
## RHEL/CentOS 5 32-Bit ##
# wget http://download.fedoraproject.org/pub/epel/5/i386/epel-release-5-4.noarch.rpm
# rpm -ivh epel-release-5-4.noarch.rpm
## RHEL/CentOS 5 64-Bit ##
# wget http://download.fedoraproject.org/pub/epel/5/x86_64/epel-release-5-4.noarch.rpm
# rpm -ivh epel-release-5-4.noarch.rpm
Verify EPEL Repo
# yum repolist
# yum -v repolist | less
# yum -v repolist
Before you can compile and build Suricata for your system, install the following dependency packages. The process may take a while to complete, depending on your internet speed.
# yum -y install libpcap libpcap-devel libnet libnet-devel pcre \
pcre-devel gcc gcc-c++ automake autoconf libtool make libyaml \
libyaml-devel zlib zlib-devel libcap-ng libcap-ng-devel magic magic-devel file file-devel
IPS Support
Next, build Suricata with IPS support. For this we need the “libnfnetlink” and “libnetfilter_queue” packages, but pre-built packages are not available in the EPEL or CentOS Base repositories, so we need to download and install the RPMs from the Emerging Threats CentOS repository.
For 32-Bit
# rpm -Uvh http://rules.emergingthreatspro.com/projects/emergingrepo/i386/libnetfilter_queue-0.0.15-1.i386.rpm \
http://rules.emergingthreatspro.com/projects/emergingrepo/i386/libnetfilter_queue-devel-0.0.15-1.i386.rpm \
http://rules.emergingthreatspro.com/projects/emergingrepo/i386/libnfnetlink-0.0.30-1.i386.rpm \
http://rules.emergingthreatspro.com/projects/emergingrepo/i386/libnfnetlink-devel-0.0.30-1.i386.rpm
For 64-Bit
# rpm -Uvh http://rules.emergingthreatspro.com/projects/emergingrepo/x86_64/libnetfilter_queue-0.0.15-1.x86_64.rpm \
http://rules.emergingthreatspro.com/projects/emergingrepo/x86_64/libnetfilter_queue-devel-0.0.15-1.x86_64.rpm \
http://rules.emergingthreatspro.com/projects/emergingrepo/x86_64/libnfnetlink-0.0.30-1.x86_64.rpm \
http://rules.emergingthreatspro.com/projects/emergingrepo/x86_64/libnfnetlink-devel-0.0.30-1.x86_64.rpm
Download the latest Suricata source files and build them using the following commands.
# cd /tmp
# wget http://www.openinfosecfoundation.org/download/suricata-1.4.5.tar.gz
# tar -xvzf suricata-1.4.5.tar.gz
# cd suricata-1.4.5
Now we use Suricata's auto-setup feature to automatically create all the necessary directories, configuration files and the latest rulesets.
# ./configure && make && make install-conf
# ./configure && make && make install-rules
# ./configure && make && make install-full
Step 2: Suricata Basic Setup
After downloading and installing Suricata, it is time to proceed to the basic setup. Create the following directories.
# mkdir /var/log/suricata
# mkdir /etc/suricata
The next part is to copy the configuration files “classification.config”, “reference.config” and “suricata.yaml” from the build directory into /etc/suricata.
# cd /tmp/suricata-1.4.5
# cp classification.config /etc/suricata
# cp reference.config /etc/suricata
# cp suricata.yaml /etc/suricata
Finally, start the Suricata engine for the first time and specify the interface device name. Instead of eth0, use the network card of your preference.
# suricata -c /etc/suricata/suricata.yaml -i eth0
19/8/2013 -- 21:02:17 - <Info> - This is Suricata version 1.4.5 RELEASE
19/8/2013 -- 21:02:17 - <Info> - CPUs/cores online: 2
19/8/2013 -- 21:02:17 - <Info> - Found an MTU of 1500 for 'eth0'
19/8/2013 -- 21:02:17 - <Info> - allocated 3670016 bytes of memory for the defrag hash... 65536 buckets of size 56
19/8/2013 -- 21:02:17 - <Info> - preallocated 65535 defrag trackers of size 144
19/8/2013 -- 21:02:17 - <Info> - defrag memory usage: 13107056 bytes, maximum: 33554432
19/8/2013 -- 21:02:55 - <Info> - all 4 packet processing threads, 3 management threads initialized, engine started.
After several minutes, check that the engine is working correctly and is receiving and inspecting traffic.
# cd /usr/local/var/log/suricata/
# ls -l
-rw-r--r--. 1 root root 289910 Aug 19 21:05 fast.log
drwxr-xr-x. 2 root root 4096 Aug 19 20:16 files
-rw-r--r--. 1 root root 0 Aug 19 20:23 http.log
-rw-r--r--. 1 root root 286167 Aug 19 21:05 stats.log
-rw-r--r--. 1 root root 262586 Aug 19 20:30 unified2.alert.1376923989
-rw-r--r--. 1 root root 66517 Aug 19 21:05 unified2.alert.1376926375
Watch the “stats.log” file and make sure the displayed information is updated in real time.
# tail -f stats.log
tcp.reassembly_memuse | Detect | 0
tcp.reassembly_gap | Detect | 0
detect.alert | Detect | 310
flow_mgr.closed_pruned | FlowManagerThread | 0
flow_mgr.new_pruned | FlowManagerThread | 1226
flow_mgr.est_pruned | FlowManagerThread | 0
flow.memuse | FlowManagerThread | 6489568
flow.spare | FlowManagerThread | 10000
flow.emerg_mode_entered | FlowManagerThread | 0
flow.emerg_mode_over | FlowManagerThread | 0
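Watching stats.log by eye tells you the counters are moving, but the same check is easy to script. The following Python example is added here and is not part of the original tutorial or of Suricata's own tooling. It assumes only the "counter | thread name | value" line format shown in the excerpt above; the two snapshots are constructed (not real captured output), and the flow.memcap / stream memcap hints in the findings refer to real suricata.yaml settings as a suggested starting point, not to anything the tutorial itself configures.

```python
"""Parse Suricata stats.log dumps and check that the engine is alive.

Added example, not part of the original tutorial. It assumes only the
"counter | thread name | value" line format shown in stats.log; the two
sample dumps below are constructed for illustration.
"""
import re

# One stats.log counter line: counter name, thread/module name, integer value.
# Header ("Counter | TM Name | Value"), separator and date lines do not match.
STATS_LINE = re.compile(r"^\s*([\w.\-]+)\s*\|\s*([\w\-]+)\s*\|\s*(\d+)\s*$")

# Two constructed dumps, a few seconds apart (not real captured output).
SNAPSHOT_T0 = """\
tcp.reassembly_memuse | Detect | 0
tcp.reassembly_gap | Detect | 0
detect.alert | Detect | 310
flow_mgr.new_pruned | FlowManagerThread | 1226
flow.memuse | FlowManagerThread | 6489568
flow.spare | FlowManagerThread | 10000
flow.emerg_mode_entered | FlowManagerThread | 0
flow.emerg_mode_over | FlowManagerThread | 0
"""

SNAPSHOT_T1 = """\
tcp.reassembly_memuse | Detect | 4096
tcp.reassembly_gap | Detect | 3
detect.alert | Detect | 342
flow_mgr.new_pruned | FlowManagerThread | 1301
flow.memuse | FlowManagerThread | 6501200
flow.spare | FlowManagerThread | 9980
flow.emerg_mode_entered | FlowManagerThread | 1
flow.emerg_mode_over | FlowManagerThread | 0
"""


def parse_stats(text):
    """Return {(counter, thread): value} for every counter line in a dump."""
    counters = {}
    for line in text.splitlines():
        m = STATS_LINE.match(line)
        if m:
            name, thread, value = m.groups()
            counters[(name, thread)] = int(value)
    return counters


def counter(stats, name):
    """Sum a counter over all threads that report it (several Detect threads, etc.)."""
    return sum(v for (n, _), v in stats.items() if n == name)


def health_check(prev, cur):
    """Compare two consecutive dumps and return a list of human-readable findings.

    A healthy engine shows moving flow counters between dumps. Emergency mode
    and reassembly gaps point at memory limits (flow.memcap, stream memcap in
    suricata.yaml) that are too small for the link, or at packet loss.
    """
    findings = []
    if counter(cur, "flow_mgr.new_pruned") <= counter(prev, "flow_mgr.new_pruned"):
        findings.append("flow counters did not move between dumps: engine may not be seeing traffic")
    new_alerts = counter(cur, "detect.alert") - counter(prev, "detect.alert")
    findings.append(f"{new_alerts} new alerts since last dump")
    # entered > over means the flow engine is currently in emergency mode.
    if counter(cur, "flow.emerg_mode_entered") > counter(cur, "flow.emerg_mode_over"):
        findings.append("flow engine is in emergency mode: raise flow.memcap or flow.hash-size")
    gaps = counter(cur, "tcp.reassembly_gap") - counter(prev, "tcp.reassembly_gap")
    if gaps > 0:
        findings.append(f"{gaps} TCP reassembly gaps: packet loss or stream memcap too low")
    return findings


if __name__ == "__main__":
    # On a live box you would read two successive dumps from
    # /usr/local/var/log/suricata/stats.log instead of the constructed strings.
    for finding in health_check(parse_stats(SNAPSHOT_T0), parse_stats(SNAPSHOT_T1)):
        print(finding)
```

Run it with two dumps taken a minute apart: a "did not move" finding means the interface given with -i is not seeing traffic (wrong NIC or no SPAN/mirror), which the tutorial's "is it updated in real time" check is meant to catch; the emergency-mode and gap findings are the capacity problems worth looking at next.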
Great write up. Thank you so much for this information. It saved a lot of my time.