Install Suricata on Linux

In this tutorial we will install and configure Suricata on an Ubuntu Linux machine. For this, we will install Suricata from its package repository.

Suricata is an intrusion detection and prevention system. We can therefore use Suricata to improve the security of our network against attacks that come from inside the network or from the Internet.

When Suricata works as an Intrusion Detection System (IDS), it generates alerts that allow the network administrator to take the necessary measures in response to the security incident.

However, Suricata can also be used to prevent intrusions. This is because Suricata can take actions to counter an attack. As an example, we could have Suricata block an intruder's IP address.

This tutorial is part of the Suricata Linux Course.

Lesson 1: Install Suricata on Linux

Lesson 2: Suricata Host IPS

Lesson 3: Suricata Network IPS

Link to the Suricata course on YouTube:

https://youtube.com/playlist?list=PLigQ9zMmlIqIuf08ERzg3CqIXCxZcO42x

Proposed scenario

Installing Suricata on Ubuntu

As mentioned before, in this tutorial we are going to install Suricata using an Ubuntu machine. For that, we will use the command below to add the Suricata repository to our system.

sudo add-apt-repository ppa:oisf/suricata-stable
Add repository

Next, let's update the package lists, as we have just added a new repository.

sudo apt-get update

Now, let’s install Suricata. For this we will use the command below.

sudo apt-get install suricata
Install Suricata

Now let's enable Suricata to start along with the system. This way, Suricata will be started every time the computer is restarted. For this, we will use the command below:

sudo systemctl enable suricata.service
Enable Suricata on the system

Alternative Suricata Installation

Alternatively, we can install Suricata using the other installation packages, which allow Suricata to be installed on macOS, FreeBSD, Unix, and Windows. For this, we need to access the link below and select the package we want to install.

Note – This installation method can also be interesting if you are using a Linux distribution other than Ubuntu.

https://suricata.io/download/

Alternative install for Suricata

Configuring Suricata

Now that we have installed Suricata, let's make some basic configuration changes so that the tool works properly. For this, we will enter the Suricata configuration directory using the command below.

cd /etc/suricata

Next, we can list the files that are inside the Suricata folder. For this we can use the Linux ls command.

ls

We can see in the figure below that there are several files and a folder named rules.

Suricata files

Before proceeding with the configuration, let's check which network interface we are going to run Suricata on. In our case, we are using a VirtualBox virtual machine, and this virtual machine has two interfaces.

The first interface is in NAT mode and the second interface is in “internal network” mode. In this scenario, we are going to use Suricata in the second interface, that is, the “internal network” interface.

To check the existing interfaces we can use the command below.

ip addr

The figure below shows that our virtual machine has 3 interfaces. However, the first interface is the loopback interface, so we can disregard it. Thus, the interface that we want to monitor with Suricata is the third interface, “enp0s8”, as this is the interface that is in “internal network” mode.

Select the interface

Now, let’s edit the “suricata.yaml” file and indicate the interface that we will monitor. For this, we are going to use the nano editor.

sudo nano suricata.yaml

Next, let's look for the af-packet section. In the line “- interface: eth0” we will remove “eth0” and put in the name of our interface.

In our case the interface that will be monitored is “enp0s8”. So let’s replace the interface name in the “suricata.yaml” file.

Erase the default interface
Replace with your interface

After that, let’s save the file.

The next step is to restart Suricata for the change to take effect. For that, we can use the command below.

sudo service suricata restart

Updating the Suricata Rules

Now let's update the Suricata rules. Initially, Suricata contains some basic rules. However, we want a larger set of rules so that Suricata can detect a greater number of anomalies.

We can verify the initial rules by checking the files inside the Suricata rules directory. We can use the command below to enter the directory and then check the rules that exist in the files.

cd /etc/suricata/rules/

Now, let's update the rules and add new rules to Suricata. For this we will use the command below.

sudo suricata-update

We can see that new rules have been downloaded.

Updating Suricata rules

Testing Suricata

Now we can test the Suricata configuration. For this, we will use the command below.

sudo suricata -T
Testing Suricata

We can see that there were some warnings for protocols that are not enabled. If a protocol is not enabled in the “suricata.yaml” configuration file, we will get warning messages about it.

However, you can choose to leave disabled the protocols that will not be used on your network.

In the previous figure we had a warning message informing us that the RDP protocol was not enabled.

Let's assume that we want to inspect the RDP protocol on our network. In this case, we will return to the “suricata.yaml” file and enable RDP simply by removing the “#” that comments out its line.

sudo nano /etc/suricata/suricata.yaml
Remove the #
Now RDP is enabled

Now, let's restart Suricata for the change to take effect. For this we will use the command below.

sudo service suricata restart

Then, let’s run the test again with the command below.

sudo suricata -T

Very well, now we can see in the figure below that the warning for RDP has disappeared.

No more warnings for RDP

The Suricata Logs

With the installation from this tutorial, the log files and alerts are stored in “/var/log/suricata/”. So we can go into that directory and list its contents to see what we have.

cd /var/log/suricata/

ls
Suricata logs

We can observe that we have several log files. However, in this tutorial we are going to talk about the “suricata.log” and “fast.log” files. The “suricata.log” file contains the logs referring to the operation of the Suricata tool itself. An example of “suricata.log” can be obtained using the command below.

tail suricata.log
suricata.log

The other file, “fast.log”, contains the alerts generated by Suricata. That way, you can check for alerts by inspecting the “fast.log” file. For that, we can use the command below.

tail fast.log

At first, the “fast.log” file may not contain any alerts. Therefore, in the next section we will present a test to make Suricata generate alerts.

Testing Suricata as IDS

Let's test Suricata using a second virtual machine that will be connected to the internal VirtualBox network and consequently to the “enp0s8” interface of the Suricata machine.

As the second client we are using an Ubuntu virtual machine with an interface in internal network mode.

Below we have the topology used.

Scenario used in our tests

On the client machine we have NMAP installed, and we are going to run a scan against the Suricata machine to see if it generates alerts.

So let's use the command below on the client machine to start scanning the machine where we have Suricata.

sudo nmap -sO 192.168.11.24

If you want to understand how NMAP works, you can see the following posts:

NMAP: Identify the version of a service

NMAP: Advanced Scan

NMAP: TCP and UDP port mapping

After running nmap, let's go back to the Suricata machine and check the alerts file “/var/log/suricata/fast.log”. For this we can use the command below.

tail /var/log/suricata/fast.log
Suricata alerts

We can see that Suricata is already inspecting our network interface and is consequently generating alerts. In addition, each alert shows the date and time it occurred and a brief description of the alert.

In the alert description we can also find the alert ID (the rule's signature ID) and the alert priority level. We will present more information about Suricata in future tutorials.
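To show what can be done with the fields described above, here is an added example (not code from the tutorial) that parses fast.log lines into their timestamp, signature ID, message, priority, protocol and addresses, and counts high-priority alerts per source host. The sample lines are constructed in the default fast.log layout; their SIDs and messages are illustrative, not real rules, and 192.168.11.10 is an assumed client address.

```python
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

# One fast.log record looks like:
# <timestamp>  [**] [gid:sid:rev] <msg> [**] [Classification: ..] [Priority: N] {PROTO} src:port -> dst:port
FAST_LOG_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]*)\]\s+)?\[Priority:\s+(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[^}]+)\}\s+(?P<src>[^\s:]+):(?P<sport>\d+)\s+->\s+(?P<dst>[^\s:]+):(?P<dport>\d+)\s*$"
)

@dataclass(frozen=True)
class Alert:
    time: datetime
    sid: int
    msg: str
    classification: str
    priority: int   # 1 is the most severe
    proto: str
    src: str
    dst: str
    dport: int

def parse_fast_log_line(line: str):
    """Return an Alert for a well-formed fast.log line, or None for anything else."""
    m = FAST_LOG_RE.match(line.strip())
    if not m:
        return None
    return Alert(time=datetime.strptime(m["ts"], "%m/%d/%Y-%H:%M:%S.%f"),
                 sid=int(m["sid"]), msg=m["msg"], classification=m["cls"] or "",
                 priority=int(m["prio"]), proto=m["proto"],
                 src=m["src"], dst=m["dst"], dport=int(m["dport"]))

def parse_fast_log(text: str):
    """Parse a whole fast.log, skipping lines that are not alerts (IPv4 addresses assumed)."""
    return [a for a in map(parse_fast_log_line, text.splitlines()) if a]

def alerts_by_source(alerts, max_priority=2):
    """Count alerts with priority <= max_priority per source IP, for triage."""
    return Counter(a.src for a in alerts if a.priority <= max_priority)

# Constructed sample in fast.log format (SIDs in the local 1000000+ range, not real rules).
SAMPLE_FAST_LOG = """\
02/22/2024-10:31:05.118532  [**] [1:1000001:1] LOCAL SCAN ICMP echo request [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 192.168.11.10:8 -> 192.168.11.24:0
02/22/2024-10:31:05.240017  [**] [1:1000002:1] LOCAL SCAN probe to port 1433 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.11.10:49211 -> 192.168.11.24:1433
02/22/2024-10:31:06.003911  [**] [1:1000003:1] LOCAL STREAM packet out of window [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.11.10:49212 -> 192.168.11.24:22
this line is not a fast.log alert and is skipped
"""

if __name__ == "__main__":
    for src, n in alerts_by_source(parse_fast_log(SAMPLE_FAST_LOG)).items():
        print(f"{src}: {n} alert(s) of priority 2 or higher")
```

On a real system, replace SAMPLE_FAST_LOG with the contents of /var/log/suricata/fast.log.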


Juliana Mascarenhas

Data Scientist and Master in Computer Modeling by LNCC.
Computer Engineer