Did You Know?
Donate to TecMint

LFCS - Linux Foundation Certified SysAdmin - Exam Preparation Guide

Suricata 1.4.4 Released – A Network Intrusion Detection, Prevention and Security Monitoring System

Download Your Free eBooks NOW - 10 Free Linux eBooks for Administrators

Suricata is an open source high performance modern Network Intrusion Detection, Prevention and Security Monitoring System for Unix/Linux, FreeBSD and Windows based systems. It was developed and owned by a non-profit foundation the OISF (Open Information Security Foundation).

Recently, the OISF project team announced the release of Suricata 1.4.4 with minor but crucial updates and fixed some essential bugs over the previous release.

Install Suricata Intrusion Detection

Install Suricata Intrusion Detection and Prevention

Suricata Features

IDS / IPS

Suricata is a rule-based Intrusion Detection and Prevention engine that make use of externally developed rules sets to monitor network traffic, as well as able to handle multiple gigabyte traffic and gives email alerts to the System/Network administrators.

Multi-threading

Suricata provides speed and importance in network traffic determination. The engine is developed to apply the increased processing power offered by modern multi-core hardware chip sets.

Automatic Protocol Detection

The engine not only provides keywords for TCP, UDP, ICMP and IP, but also has an built-in support for HTTP, FTP, TLS and SMB. A system administrator can able to create its own rule to detect a match within an HTTP stream. This is going to become different Malware detection and control.

Fast IP Matching

The engine will certainly take rules that are IP matches based on the RBN and compromised IP lists at Emerging Threats and keep them into a specific fast matching preprocessor.

Read Also : Install LMD – Linux Malware Detect in Linux

Step :1 Installing Suricata in RHEL, CentOS and Fedora

You must use the Fedora’s EPEL repository to install some needed packages for i386 and x86_64 systems.

  1. Enable Fedora’s EPEL repository

Before you can compile and build Suricata for your system, install the following dependency packages that are required for further installation. The process may take a while to complete, depending on the internet speed.

# yum -y install libpcap libpcap-devel libnet libnet-devel pcre \
pcre-devel gcc gcc-c++ automake autoconf libtool make libyaml \
libyaml-devel zlib zlib-devel libcap-ng libcap-ng-devel magic magic-devel file file-devel
IPS Support

Next, build Suricata with IPS support. For this, we to need “libnfnetlink” and “libnetfilter_queue” packages, but these pre-built packages not available in the EPEL or CentOS Base repositories. So, we need to download and install rpms from the Emerging Threats CentOS repository.

For 32-Bit
# rpm -Uvh http://rules.emergingthreatspro.com/projects/emergingrepo/i386/libnetfilter_queue-0.0.15-1.i386.rpm \
http://rules.emergingthreatspro.com/projects/emergingrepo/i386/libnetfilter_queue-devel-0.0.15-1.i386.rpm \
http://rules.emergingthreatspro.com/projects/emergingrepo/i386/libnfnetlink-0.0.30-1.i386.rpm \ 

http://rules.emergingthreatspro.com/projects/emergingrepo/i386/libnfnetlink-devel-0.0.30-1.i386.rpm
For 64-Bit
# rpm -Uvh http://rules.emergingthreatspro.com/projects/emergingrepo/x86_64/libnetfilter_queue-0.0.15-1.x86_64.rpm \
http://rules.emergingthreatspro.com/projects/emergingrepo/x86_64/libnetfilter_queue-devel-0.0.15-1.x86_64.rpm \
http://rules.emergingthreatspro.com/projects/emergingrepo/x86_64/libnfnetlink-0.0.30-1.x86_64.rpm \ 

http://rules.emergingthreatspro.com/projects/emergingrepo/x86_64/libnfnetlink-devel-0.0.30-1.x86_64.rpm
Download Suricata

Download latest Suricata source files and build it using the following commands.

# cd /tmp
# wget http://www.openinfosecfoundation.org/download/suricata-1.4.4.tar.gz
# tar -xvzf suricata-1.4.4.tar.gz
# cd suricata-1.4.4

Now we use Suricata Auto Setup feature to automatically create all necessary directories, configuration files and latest rulesets.

# ./configure && make && make install-conf
# ./configure && make && make install-rules
# ./configure && make && make install-full

Step 2: Installing Suricata in Debian and Ubuntu

Before, beginning installation, you must have the following pre-requisites packages installed on the system to proceed further. Make sure you must be root user to run the following command. This installation process may take some time, depending on the current speed of your internet.

# apt-get -y install libpcre3 libpcre3-dbg libpcre3-dev \
build-essential autoconf automake libtool libpcap-dev libnet1-dev \
libyaml-0-2 libyaml-dev zlib1g zlib1g-dev libmagic-dev libcap-ng-dev \
pkg-config magic file libhtp-dev
IPS Support

By default, works as an IDS. If you want to add IDS support, install some needed packages as follows.

# apt-get -y install libnetfilter-queue-dev libnetfilter-queue1 libnfnetlink-dev libnfnetlink0
Download Suricata

Download latest Suricata tar-ball and build it using the following commands.

# cd /tmp
# wget http://www.openinfosecfoundation.org/download/suricata-1.4.4.tar.gz
# tar -xvzf suricata-1.4.4.tar.gz
# cd suricata-1.4.4

Use Suricata Auto Setup option to create all needed directories, configuration files and rulesets automatically as shown below.

# ./configure && make && make install-conf
# ./configure && make && make install-rules
# ./configure && make && make install-full

Step 3: Suricata Basic Setup

After downloading and installing Suricata, now its time to proceed to Basic Setup. Create following directorates.

# mkdir /var/log/suricata
# mkdir /etc/suricata

The next part is to copy configuration files such as “classification.config“, “reference.config” and “suricata.yaml” from the base build installation directory.

# cd /tmp/suricata-1.4.4
# cp classification.config /etc/suricata
# cp reference.config /etc/suricata
# cp suricata.yaml /etc/suricata

Finally, start the “Suricata Engine” first time and specify the interface device name of your preference. Instead of eth0, you can include the network card of your preference.

# suricata -c /etc/suricata/suricata.yaml -i eth0

23/7/2013 -- 12:22:45 -  - This is Suricata version 1.4.4 RELEASE
23/7/2013 -- 12:22:45 -  - CPUs/cores online: 2
23/7/2013 -- 12:22:45 -  - Found an MTU of 1500 for 'eth0'
23/7/2013 -- 12:22:45 -  - allocated 2097152 bytes of memory for the defrag hash... 65536 buckets of size 32
23/7/2013 -- 12:22:45 -  - preallocated 65535 defrag trackers of size 104
23/7/2013 -- 12:22:45 -  - defrag memory usage: 8912792 bytes, maximum: 33554432
23/7/2013 -- 12:22:45 -  - AutoFP mode using default "Active Packets" flow load balancer
23/7/2013 -- 12:22:45 -  - preallocated 1024 packets. Total memory 3170304
23/7/2013 -- 12:22:45 -  - allocated 131072 bytes of memory for the host hash... 4096 buckets of size 32
23/7/2013 -- 12:22:45 -  - preallocated 1000 hosts of size 76
23/7/2013 -- 12:22:45 -  - host memory usage: 207072 bytes, maximum: 16777216
23/7/2013 -- 12:22:45 -  - allocated 2097152 bytes of memory for the flow hash... 65536 buckets of size 32
23/7/2013 -- 12:22:45 -  - preallocated 10000 flows of size 176
23/7/2013 -- 12:22:45 -  - flow memory usage: 3857152 bytes, maximum: 33554432
23/7/2013 -- 12:22:45 -  - IP reputation disabled
23/7/2013 -- 12:22:45 -  - using magic-file /usr/share/file/magic

After several minutes later, check the engine is correctly working and receives and inspects traffic.

# cd /usr/local/var/log/suricata/
# ls -l

-rw-r--r-- 1 root root  25331 Jul 23 12:27 fast.log
drwxr-xr-x 2 root root   4096 Jul 23 11:34 files
-rw-r--r-- 1 root root  12345 Jul 23 11:37 http.log
-rw-r--r-- 1 root root 650978 Jul 23 12:27 stats.log
-rw-r--r-- 1 root root  22853 Jul 23 11:53 unified2.alert.1374557837
-rw-r--r-- 1 root root   2691 Jul 23 12:09 unified2.alert.1374559711
-rw-r--r-- 1 root root   2143 Jul 23 12:13 unified2.alert.1374559939
-rw-r--r-- 1 root root   6262 Jul 23 12:27 unified2.alert.1374560613

Watch “stats.log” file and make sure the displayed information is up-dated in real time.

# tail -f stats.log

tcp.reassembly_memuse     | Detect                    | 0
tcp.reassembly_gap        | Detect                    | 0
detect.alert              | Detect                    | 27
flow_mgr.closed_pruned    | FlowManagerThread         | 3
flow_mgr.new_pruned       | FlowManagerThread         | 277
flow_mgr.est_pruned       | FlowManagerThread         | 0
flow.memuse               | FlowManagerThread         | 3870000
flow.spare                | FlowManagerThread         | 10000
flow.emerg_mode_entered   | FlowManagerThread         | 0
flow.emerg_mode_over      | FlowManagerThread         | 0

Reference Links

Suricata Homepage
Suricata User Guide

Ravi Saive

Owner at TecMint.com
Simple Word a Computer Geek and Linux Guru who loves to share tricks and tips on Internet. Most Of My Servers runs on Open Source Platform called Linux.

Your name can also be listed here. Work as a Paid freelancer/writer at TecMint.
Download Free eBooks
Advanced Bash-Scripting Guide
Linux Bible
A Newbie's Getting Started Guide to Linux
Ubuntu Linux Toolbox: 1000+ Commands

6 Responses

    • Ravi Saive says:

      I’ve checked dude, links are working correctly, can you download manually using wget command and then install it.

  1. Pavan says:

    Hi Dude,

    You mentioned about email alerts but there is no configuration given. can you please tell me how to configure alerts.

    Thanks,
    Pavan

  2. steve says:

    hi
    The suricata run cmd gives undefined symbol:
    htp_config_set_query_case_insensitive

    – what is missing please?:

    root@LinuxLaptop:/home/stevee# suricata -c /etc/suricata/suricata.yaml -i eth0

    5/4/2014 — 13:18:16 – – This is Suricata version 1.4.4 RELEASE
    5/4/2014 — 13:18:16 – – CPUs/cores online: 2
    suricata: symbol lookup error: suricata: undefined symbol: htp_config_set_query_case_insensitive

  3. Muhammad Asif says:

    How to get rid of this issue.

    22/9/2014 — 10:57:49 – – [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] – opening rule file /etc/suricata/rules/dns-events.rules: No such file or directory.
    22/9/2014 — 10:57:56 – – [ERRCODE: SC_ERR_NOT_SUPPORTED(225)] – Eve-log support not compiled in. Reconfigure/recompile with libjansson and its development files installed to add eve-log support.
    22/9/2014 — 10:57:56 – – [ERRCODE: SC_ERR_PCAP_CREATE(21)] – Using Pcap capture with GRO or LRO activated can lead to capture problems.

  4. Anil says:

    Hi Sir,

    Please tell me that can I install suricata on RHEL5.

    ——————
    Regards
    Anil

Leave a Reply

This work is licensed under a (cc) BY-NC | TecMint uses cookies. By using our services, you comply to use of our cookies. More info: Privacy Policy.
© 2012-2014 All Rights Reserved.