Installing and Configuring Suricata on Ubuntu

Indranil, published in System Weakness, 12 min read, Dec 27, 2023

In this blog, I’ll guide you through the process of both installing and configuring Suricata on Ubuntu, providing a firsthand look at its functionality and capabilities.

But first, what is Suricata?

Suricata is a high-performance, open-source network analysis and threat detection engine, widely adopted by both private and public organizations. Major vendors also embed Suricata in their own products to protect their assets against potential threats.

In simple terms, Suricata is like a digital security guard for computer networks. It carefully watches the traffic moving through the network, looking for any signs of suspicious or harmful activity. It helps keep the network safe by identifying and alerting to potential threats, making it a valuable tool for organizations to protect their digital assets.

Suricata has two main operational modes:

  1. Active (IPS) — deployed inline, it alerts on, logs and can drop network traffic that matches specific rules.
  2. Passive (IDS) — fed from a tap or mirror port, it identifies, alerts on and logs suspicious network traffic without touching it.

Okay, now that we know what is Suricata let’s understand how it works.

Suricata monitors network traffic, detects threats primarily through signatures (rules) supplemented by protocol-anomaly events, and provides administrators with alerts and logs. In IPS mode it can also block matching traffic, adding a preventive layer. Here is a simplified overview of how it works:

  1. Packet Capture: Suricata captures packets flowing through the network, collecting data from different network segments.
  2. Packet Decoding: It decodes and inspects the content of each packet, understanding the various network protocols used for communication.
  3. Signature-Based Detection: Suricata uses signature-based detection, where it compares the characteristics of network traffic against a database of known patterns associated with malicious activities. This is similar to how antivirus software identifies known viruses.
  4. Anomaly-Based Detection: Alongside signatures, Suricata raises protocol anomaly events (decoder, stream and application-layer anomalies such as malformed packets or traffic that does not match the protocol expected on a port) that can be logged and matched by rules. This is not behavioural baselining of your network; it catches traffic that breaks protocol rules, which is often a sign of evasion or tooling rather than a normal client.
  5. Logging and Alerting: When Suricata identifies suspicious activity or potential security threats, it generates logs and alerts. These reports provide details about the detected events, allowing administrators to investigate further.
  6. Logging and Blocking (IPS Mode): In Intrusion Prevention System (IPS) mode, Suricata not only logs and alerts but can also take proactive measures to block or prevent potentially malicious traffic. This adds an extra layer of security by actively stopping threats in real-time.
  7. Traffic Flow and Management: Suricata can be deployed at different points within the network, such as at the network perimeter, on internal network segments, or in the cloud. The placement depends on the specific security requirements of the organization.
  8. Configuration and Rule Sets: Suricata’s behaviour is highly configurable through rule sets. Administrators can define specific rules to tailor Suricata’s detection and response capabilities to the organization’s security policies.
  9. Regular Updates: To stay effective against evolving threats, Suricata benefits from regular updates to its signature databases and software. These updates ensure that the system remains current and capable of identifying new types of threats.

Let’s move from theory to practice. Now, we’ll dive into the hands-on process of installing Suricata.

Prerequisites to check off before initiating the installation:

  1. A laptop or PC (no surprises there)
  2. Reliable and stable internet connection
  3. VirtualBox or VMware Workstation
  4. Ubuntu installed on VirtualBox or VMware
  5. A touch of curiosity

Let's get started.

Follow the steps below in order; each one builds on the previous one.

  1. Launch your Ubuntu VM, open a web browser, and head to the official Suricata website. Navigate to the Documentation section and click on ‘Installation.’ Alternatively, you can directly access the installation guide through the following link: https://docs.suricata.io/en/latest/install.html

2. Execute the commands from the documentation to add the OISF stable PPA and install the latest stable Suricata on Ubuntu:

sudo apt-get install software-properties-common
sudo add-apt-repository ppa:oisf/suricata-stable
sudo apt-get update
sudo apt-get install suricata

3. Once Suricata is installed, check whether the service is already running:

sudo systemctl status suricata

4. The service is already running (the package enables and starts it on install), but we have not configured it yet, so it is best to stop it while we work on the configuration:

sudo systemctl stop suricata

To start Suricata again, simply type the following command

sudo systemctl start suricata.service 
or
sudo systemctl start suricata

5. Now that Suricata is installed and its service is stopped, let's explore its configuration files, located in the /etc/suricata/ directory.

So, within the Suricata directory, we find four essential files. Let’s break down each one to better understand its specific function.

  1. classification.config: This file is used for configuring classifications of detected events in Suricata. Classifications categorize events based on their nature, providing a way to understand and organize the alerts generated by Suricata. Examples of classifications include “attempted-dos,” “successful-dos,” and various exploit categories.
  2. reference.config: This file maps the reference systems that rules use in their reference: option (for example cve, url, bugtraq) to the URL prefix each one expands to. When an alert fires, those references give the analyst a link to the advisory, CVE entry or write-up behind the rule, providing context on the significance of the event.
  3. suricata.yaml: It is the main configuration file for Suricata. It holds a comprehensive set of parameters that govern the behaviour of the Suricata IDS/IPS engine. These settings cover a wide range of aspects, including network configuration, logging, output formats, rule management, and more. Customizing suricata.yaml allows users to tailor Suricata to their specific network environment and security policies.
  4. threshold.config: This file is dedicated to configuring alert thresholding in Suricata. Thresholding is a mechanism that helps manage the volume of generated alerts by defining conditions under which alerts should be suppressed or triggered. It allows for fine-tuning alerting based on the frequency or pattern of specific events, preventing alert overload.

Note: These configuration files collectively play a crucial role in shaping the behaviour of Suricata, enabling users to define classifications, provide reference data, customize the overall engine settings, and implement alert thresholding for more effective intrusion detection and prevention.

6. Let's now configure suricata.yaml. Open /etc/suricata/suricata.yaml in a text editor with sudo, since the file is owned by root.

Near the top of the file, under vars and address-groups, is the HOME_NET variable. To find the value it should hold, open a second terminal window and run 'ip a' (or 'ifconfig'), then note the address and prefix length of the interface you are going to monitor.

7. Replace the default HOME_NET value with your machine's subnet, written as a network address rather than a host address: for an interface at 192.168.250.134 with a /24 prefix that is 192.168.250.0/24. Save the file. Every rule that refers to $HOME_NET is evaluated against this value, so an incorrect HOME_NET silently breaks direction-based rules.

8. Scroll down to the "Linux high speed capture support" section (the af-packet block, under the "Step 3" comment in the file). Replace the default interface, eth0, with the network interface we are monitoring, ens33 in this VM.

9. Scroll further down to "Cross platform libpcap support" (the pcap block) and replace the default interface there as well, so that both capture methods point at the interface we are going to monitor.

10. The next essential option to configure is the Community Flow ID. Search for 'community-id' in the eve-log output section and set it to true. Suricata then adds a community_id field to every EVE (JSON) record: a hash of the flow's addresses, ports and protocol that is identical for both directions of a flow and is computed the same way by Zeek, Wireshark and other tools, so records about one flow can be joined across tools during event correlation. The neighbouring community-id-seed value is mixed into that hash; every tool in your pipeline must use the same seed or the IDs will not match, so only change it if you change it everywhere. Suricata's EVE output is JSON by default, so enabling this single option is all that is needed to get the field into eve.json.
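To make it concrete what the community_id field is and why the seed matters, here is an independent Python reimplementation of the Community ID v1 algorithm from the public Corelight specification. It is an added example written for this article, not Suricata's or Zeek's own code; the IP addresses, ports and seed values used below are constructed, and the seed argument corresponds to the community-id-seed setting in suricata.yaml.

```python
import base64
import hashlib
import ipaddress
import struct

# Community ID v1 as described in the public Corelight specification
# (github.com/corelight/community-id-spec). This is an independent
# reimplementation written for this article, not Suricata's own code.

# Protocol numbers that end up in the "proto" field of a flow.
PROTO_NUM = {"icmp": 1, "tcp": 6, "udp": 17, "sctp": 132}

# ICMP request/reply type pairs. The spec maps the two halves of an exchange
# onto each other so a ping and its reply hash to the same flow ID.
ICMP_PAIRS = {8: 0, 0: 8, 13: 14, 14: 13, 15: 16, 16: 15, 17: 18, 18: 17, 10: 9, 9: 10}


def community_id(src_ip, dst_ip, proto, src_port, dst_port, seed=0):
    """Return the Community ID v1 string for one packet of a flow.

    For ICMP, pass the ICMP type as src_port and the code as dst_port, which is
    how the spec treats port-less protocols that have a request/reply structure.
    seed corresponds to community-id-seed in suricata.yaml (default 0).
    """
    proto_num = PROTO_NUM[proto.lower()]
    saddr = ipaddress.ip_address(src_ip).packed
    daddr = ipaddress.ip_address(dst_ip).packed
    sport, dport, one_way = src_port, dst_port, False

    if proto_num == 1:
        icmp_type, icmp_code = src_port, dst_port
        if icmp_type in ICMP_PAIRS:
            sport, dport = icmp_type, ICMP_PAIRS[icmp_type]
        else:
            # No reply type exists (e.g. destination unreachable): the flow is
            # one-way and must never be flipped.
            sport, dport, one_way = icmp_type, icmp_code, True

    # Canonical ordering: the lower (address, port) endpoint goes first, so both
    # directions of a bidirectional flow hash the same bytes.
    if not one_way and (saddr, sport) > (daddr, dport):
        saddr, daddr, sport, dport = daddr, saddr, dport, sport

    data = (struct.pack("!H", seed)               # 16-bit seed, big-endian
            + saddr + daddr                       # packed IP addresses
            + struct.pack("!BB", proto_num, 0)    # protocol number + one pad byte
            + struct.pack("!HH", sport, dport))   # ports (or ICMP type/paired type)
    return "1:" + base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")


def same_flow(id_a, id_b):
    """A Suricata record and a Zeek record describe the same flow iff the IDs match."""
    return id_a == id_b


if __name__ == "__main__":
    # Constructed example: a client in this article's HOME_NET talking to a web server,
    # seen once in each direction. Both packets yield the same ID.
    req = community_id("192.168.250.134", "93.184.216.34", "tcp", 51234, 80)
    rep = community_id("93.184.216.34", "192.168.250.134", "tcp", 80, 51234)
    print(req, same_flow(req, rep))
    print(community_id("192.168.250.134", "93.184.216.34", "tcp", 51234, 80, seed=7))
```

Running it shows that the request and the reply produce one ID, that a ping (type 8) and its echo reply (type 0) also share an ID, and that changing the seed changes every ID, which is why a seed that differs between Suricata and Zeek makes correlation impossible.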

11. The next option to review is where the rules are loaded from. Search for 'default-rule-path', which is /var/lib/suricata/rules by default, followed by the rule-files list (suricata.rules by default). To load a custom rules file you add it to that list: a bare file name such as custom.rules is resolved relative to default-rule-path, while an absolute path such as /etc/suricata/rules/custom.rules can point anywhere. Any custom rule or rule set you want loaded is added this way. We do not have such a file yet, because Suricata does not create one by default, so for now just save and quit without changing this section.

12. Now run suricata-update once so that the rule set is downloaded and written into that directory (by default it fetches the free Emerging Threats Open ruleset). Type the following command:

sudo suricata-update

13. If we now list the /var/lib/suricata/rules directory, we can see that it contains suricata.rules (the merged output of all enabled rule sources) and classification.config.

14. One of suricata-update's useful features is that it can fetch rules from additional sources besides the default one. Download the index of available sources with the following command (it runs update-sources for you if the index has not been fetched yet):

sudo suricata-update list-sources

15. Each source provides a rule set tailored to a particular need. Some require a subscription or an API key; those published under open licences such as MIT can be enabled without registering.

16. To enable a specific source from the list, for example the 'malsilo/win-malware' rule set, execute the following command:

sudo suricata-update enable-source malsilo/win-malware

17. Now run sudo suricata-update again so that the newly enabled source is downloaded and merged into suricata.rules.

If we check the Suricata service at this point, it should still be stopped: suricata-update only writes the rules file, it does not start the engine.

18. To test the configuration file without capturing any traffic, run Suricata in test mode:

sudo suricata -T -c /etc/suricata/suricata.yaml -v

In test mode Suricata parses the configuration, initialises its outputs and loads every rule, then exits. The verbose output shows the logging setup: the 'fast' output writes one-line alerts to fast.log, and the 'eve-log' output writes the same alerts, plus other event types, as JSON to eve.json, both under /var/log/suricata/. The final lines report how many rule files were processed and how many rules loaded or failed; in my run that was 1 rule file with 35,995 rules loaded and 0 failed. Any failed rule is a syntax error or an unsupported keyword and is worth chasing down before going live, because a rule that fails to load silently provides no coverage.

19. Having verified that Suricata runs smoothly, to start the service, execute the following command:

sudo systemctl start suricata

20. Now that Suricata is up and running, let’s validate its functionality. For a quick test, we’ll use one of the default rules included in the rules file, located in the directory we just explored (i.e., /var/lib/suricata/suricata.rules). To execute the test, simply run the following command:

curl http://testmynids.org/uid/index.html

The page it returns contains the string uid=0(root), which is what the id command prints when run as root. One of the default Emerging Threats rules looks for exactly that pattern in an HTTP response, because it indicates that a command has executed as root and its output is being sent back over the network, a classic sign of a compromised web server. Note that this works only because the request is plain HTTP; over HTTPS Suricata would not see the response body.

21. But how do we know that this was logged? The fast output lives under /var/log/suricata, so:

sudo cat /var/log/suricata/fast.log

Here are the actual logs, providing details on the source, destination, and more. This confirmation assures us that Suricata is actively working as intended.

22. Next, let's explore the process of adding custom rules to further extend Suricata's coverage. In order to do that we first need to stop the Suricata service:

sudo systemctl stop suricata

23. Now create the custom rules file in the /var/lib/suricata/rules directory. (Note: you can also keep it under /etc/suricata, which has the advantage that suricata-update never touches it, but then you need to give the full path in the rule-files list in suricata.yaml.) Create the file as follows:

sudo vi /var/lib/suricata/rules/custom.rules

24. This opens the vim text editor for you to add the rule. Write it in the same form as the example below:

alert icmp any any -> $HOME_NET any ( msg: "ICMP Ping Alert"; sid:1; rev:1;)

Save the rule and quit the text editor.

Lets try to understand the rule by breaking it down:

  • alert : The action. Suricata generates an alert when the rule matches (in IPS mode, drop would additionally block the packet).
  • icmp : The protocol, in this case ICMP (Internet Control Message Protocol).
  • any any : The source IP address and the source port. Here both are set to match anything.
  • -> : The direction of the traffic: -> means from the source on the left to the destination on the right (<> would match both directions).
  • $HOME_NET any : The destination IP address and destination port. The destination must be inside the internal network as defined by the HOME_NET variable; the port is "any", which is the only meaningful value for ICMP since it has no ports.
  • msg: "ICMP Ping Alert" : A custom message included in every alert this rule raises.
  • sid:1 : The unique identifier for the rule, used to reference and manage it. It works here, but local rules conventionally use sids from 1000000 to 1999999 so that they cannot collide with downloaded rule sets (Emerging Threats uses 2000000 and above); Suricata will refuse to load two rules with the same sid.
  • rev:1 : The revision number of the rule. Increment it whenever you modify the rule, so that alerts can be tied to the exact version that raised them.
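To check that the header fields really mean what the breakdown above says, here is a small Python parser for the one-line Suricata rule syntax. It is an added example written for this article, not Suricata's own rule parser, and it covers only the common header-plus-options form. It parses the article's rule, plus a second constructed rule, and warns when a sid falls outside the conventional local range.

```python
import re

# Added example for this article: a small parser for the one-line Suricata rule
# syntax, to make the meaning of each header field explicit. It is not Suricata's
# own rule parser and covers only the common header/option form.

HEADER_RE = re.compile(
    r"^(?P<action>alert|drop|pass|reject|rejectsrc|rejectdst|rejectboth)\s+"
    r"(?P<proto>\S+)\s+"
    r"(?P<src_ip>\S+)\s+(?P<src_port>\S+)\s+"   # source address group and port
    r"(?P<direction>->|<>)\s+"                   # -> one way, <> both ways
    r"(?P<dst_ip>\S+)\s+(?P<dst_port>\S+)\s*"   # destination address group and port
    r"\((?P<options>.*)\)$"
)

# Conventional sid range for rules you write yourself; downloaded rulesets
# (Emerging Threats uses 2000000+) stay outside it, so there are no collisions.
LOCAL_SID_MIN, LOCAL_SID_MAX = 1000000, 1999999


def split_options(text):
    """Split 'k:v; k2; ...' into (key, value) pairs without breaking on ';' inside quotes."""
    pairs, buf, in_quotes, escaped = [], [], False, False
    for ch in text:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == '"':
            buf.append(ch)
            in_quotes = not in_quotes
        elif ch == ";" and not in_quotes:
            item = "".join(buf).strip()
            if item:
                key, _, value = item.partition(":")
                pairs.append((key.strip(), value.strip() or None))
            buf = []
        else:
            buf.append(ch)
    if "".join(buf).strip():
        raise ValueError("every option, including the last one, must end with ';'")
    return pairs


def parse_rule(line):
    """Parse one rule into a dict; raise ValueError on syntax problems."""
    m = HEADER_RE.match(line.strip())
    if m is None:
        raise ValueError("malformed rule header: " + line)
    rule = m.groupdict()
    rule["options"] = split_options(rule.pop("options"))
    opts = dict(rule["options"])
    for name in ("msg", "sid", "rev"):
        if opts.get(name) is None:
            raise ValueError("rule is missing the required option " + name)
    rule["msg"] = opts["msg"].strip('"')
    rule["sid"], rule["rev"] = int(opts["sid"]), int(opts["rev"])
    rule["warnings"] = []
    if not LOCAL_SID_MIN <= rule["sid"] <= LOCAL_SID_MAX:
        rule["warnings"].append("sid %d is outside the local range %d-%d"
                                % (rule["sid"], LOCAL_SID_MIN, LOCAL_SID_MAX))
    return rule


def load_rules(text):
    """Parse a rules file body, skipping comments and blank lines, rejecting duplicate sids."""
    rules, seen = [], {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        rule = parse_rule(line)
        if rule["sid"] in seen:
            raise ValueError("sid %d on line %d duplicates line %d"
                             % (rule["sid"], lineno, seen[rule["sid"]]))
        seen[rule["sid"]] = lineno
        rules.append(rule)
    return rules


# The rule from this article, plus a constructed second rule for comparison.
SAMPLE_RULES = """
# custom.rules
alert icmp any any -> $HOME_NET any ( msg: "ICMP Ping Alert"; sid:1; rev:1;)
alert tcp $HOME_NET any -> any 4444 (msg:"Outbound connect to 4444; possible reverse shell"; flow:to_server; sid:1000001; rev:1;)
"""

if __name__ == "__main__":
    for r in load_rules(SAMPLE_RULES):
        print(r["sid"], r["src_ip"], r["src_port"], r["direction"],
              r["dst_ip"], r["dst_port"], r["msg"], r["warnings"])
```

For the article's rule the parser reports src_ip "any", src_port "any", dst_ip "$HOME_NET" and dst_port "any", and flags sid 1 as outside the local range; the second rule shows a semicolon inside the msg string being preserved rather than treated as an option separator.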

25. We now have to tell Suricata about the new file in suricata.yaml. Open /etc/suricata/suricata.yaml in the editor again and search for 'default-rule-path'.

Add the new file, custom.rules, as a second entry under rule-files: (below suricata.rules), then save the file and quit the editor.

26. Now let's test the configuration again, with the same command as in step 18, to make sure the new rule file loads without errors:

sudo suricata -T -c /etc/suricata/suricata.yaml -v

27. The test was successful, indicating no issues in the YAML file or the new rule. Now start the Suricata service again:

sudo systemctl start suricata

28. I will now try to run a ping from a different machine and let's see if it logs the requests.

29. To view the logs, use the following command:

sudo cat /var/log/suricata/fast.log

As evident from the above screenshot, ICMP requests have been successfully logged in the fast.log file. This confirms that our custom rule is functioning as expected.

30. To view the same alerts in JSON format, use the 'tail' utility to fetch the latest records from eve.json and pipe the output into 'jq' for a readable presentation:

sudo tail -n 5 /var/log/suricata/eve.json | jq .

The JSON form carries far more detail than fast.log: the timestamp, source IP and port, destination IP and port, protocol, the signature with its sid and revision, and (since we enabled it) the community_id. Structured records like these are what you ship to a SIEM, and the community_id is what lets you join a Suricata alert to the Zeek conn.log entry for the same flow when correlating events.
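Piping through jq is fine for a handful of records, but eve.json fills up quickly. As an added example for this article (not part of the original post or of Suricata), here is a short Python script that reads EVE records the way the engine writes them, one JSON object per line, keeps only alert events, and summarises them by signature, by source/destination pair and by community_id. The log lines embedded in it are constructed for the example, including the rule names and sids, and follow the EVE alert record layout rather than being captured from a real sensor.

```python
import json
from collections import Counter, defaultdict

# Constructed sample eve.json content (not captured from a real sensor) in EVE's
# one-JSON-object-per-line layout. Signature names and sids are made up for the
# example; the malformed last line is there deliberately.
SAMPLE_EVE = r"""
{"timestamp":"2023-12-27T10:15:01.123456+0000","flow_id":1,"in_iface":"ens33","event_type":"alert","src_ip":"192.168.250.1","dest_ip":"192.168.250.134","proto":"ICMP","icmp_type":8,"icmp_code":0,"community_id":"1:Aaaa","alert":{"action":"allowed","gid":1,"signature_id":1,"rev":1,"signature":"ICMP Ping Alert","category":"","severity":3}}
{"timestamp":"2023-12-27T10:15:02.123456+0000","flow_id":1,"in_iface":"ens33","event_type":"alert","src_ip":"192.168.250.1","dest_ip":"192.168.250.134","proto":"ICMP","icmp_type":8,"icmp_code":0,"community_id":"1:Aaaa","alert":{"action":"allowed","gid":1,"signature_id":1,"rev":1,"signature":"ICMP Ping Alert","category":"","severity":3}}
{"timestamp":"2023-12-27T10:16:10.000001+0000","flow_id":2,"in_iface":"ens33","event_type":"flow","src_ip":"192.168.250.134","src_port":51234,"dest_ip":"93.184.216.34","dest_port":80,"proto":"TCP","community_id":"1:Bbbb"}
{"timestamp":"2023-12-27T10:16:11.000001+0000","flow_id":2,"in_iface":"ens33","event_type":"alert","src_ip":"93.184.216.34","src_port":80,"dest_ip":"192.168.250.134","dest_port":51234,"proto":"TCP","community_id":"1:Bbbb","alert":{"action":"allowed","gid":1,"signature_id":1000003,"rev":1,"signature":"LOCAL id output in HTTP response","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2023-12-27T10:17:00.000001+0000","flow_id":3,"in_iface":"ens33","event_type":"alert","src_ip":"192.168.250.134","src_port":40000,"dest_ip":"198.51.100.7","dest_port":4444,"proto":"TCP","community_id":"1:Cccc","alert":{"action":"blocked","gid":1,"signature_id":1000001,"rev":1,"signature":"Outbound connect to 4444; possible reverse shell","category":"","severity":1}}
this line is not JSON and must be skipped rather than crash the reader
"""


def iter_eve(text):
    """Yield one dict per well-formed EVE record, skipping blank or malformed lines."""
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        try:
            yield json.loads(raw)
        except json.JSONDecodeError:
            continue  # a truncated line (e.g. log rotation mid-write) must not stop analysis


def endpoint(rec, side):
    """Format 'ip:port' for TCP/UDP, or just 'ip' for port-less protocols such as ICMP."""
    ip = rec[side + "_ip"]
    port = rec.get(side + "_port")
    return ip if port is None else "%s:%d" % (ip, port)


def summarize_alerts(text):
    """Return alert counts by signature and by src->dst pair, alerts grouped by flow, and the number blocked."""
    by_sig, by_pair = Counter(), Counter()
    by_flow = defaultdict(list)
    blocked = 0
    for rec in iter_eve(text):
        if rec.get("event_type") != "alert":
            continue  # flow, dns, http, ... records are ignored in this summary
        alert = rec["alert"]
        by_sig[alert["signature"]] += 1
        by_pair[(endpoint(rec, "src"), endpoint(rec, "dest"))] += 1
        # community_id is only present when community-id is enabled in suricata.yaml;
        # fall back to Suricata's own flow_id, which is not comparable across tools.
        key = rec.get("community_id") or "flow_id:%s" % rec.get("flow_id")
        by_flow[key].append((rec["timestamp"], alert["signature_id"], alert["signature"]))
        if alert["action"] == "blocked":  # only ever true for drop rules in IPS mode
            blocked += 1
    return {"by_signature": by_sig, "by_pair": by_pair, "by_flow": dict(by_flow), "blocked": blocked}


if __name__ == "__main__":
    summary = summarize_alerts(SAMPLE_EVE)
    for sig, n in summary["by_signature"].most_common():
        print("%5d  %s" % (n, sig))
    for flow, alerts in summary["by_flow"].items():
        print(flow, [sig for _, _, sig in alerts])
    print("blocked:", summary["blocked"])
```

To run it against a real sensor, replace SAMPLE_EVE with the contents of /var/log/suricata/eve.json; the by_flow keys are the values you would look up in Zeek's conn.log community_id column.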

Congratulations! You’ve successfully installed and configured Suricata. Feel free to explore and experiment with its powerful features.

For more information, you can refer to the Suricata’s official guide and follow its website.

Thank you for taking the time to read this post. I hope you found it helpful. Stay tuned for more insights in our next encounter. Until next time, stay secure and stay curious!
