There is an Ubuntu PPA of Suricata for Ubuntu 10.04 to 13.04 and the Ubuntu 13.04 is included Suricata in her repositories too. Meanwhile, those packages have IPS mode through NFQUEUE enabled. In addition, Suricata supports nVidia CUDA which requires to recompile the source code with suitable parameter.
Suricata not only can installed on servers but also on desktops and laptops. It performs quiet well on an Intel Atom ITX machine.
For the features, please read here for details.
The following is a basic and general setup of Suricata. For more advanced settings, please refer to the Reference below.
Step 1 :
sudo apt-get install python-software-properties
sudo add-apt-repository ppa:oisf/suricata-stable
sudo apt-get update
sudo apt-get install suricata htp
Step 2 :
To get the Emerging Threats rules :
cd /etc/suricata/
sudo wget https://rules.emergingthreatspro.com/open/suricata/emerging.rules.tar.gz
sudo tar -xvzf emerging.rules.tar.gz
sudo ln -s /etc/suricata/rules/reference.config /etc/suricata/reference.config
sudo ln -s /etc/suricata/UbuntuPPA-configs/classification.config /etc/suricata/classification.config
sudo cp /etc/suricata/UbuntuPPA-configs/suricata-ppa-1.4-6ubuntu6.yaml /etc/suricata/suricata.yaml
*** You can use reference.config and classification.config at /etc/suricata/rules.
sudo mkdir /var/log/suricata
sudo touch /etc/suricata/threshold.config
Step 3 :
sudo nano /etc/suricata/suricata.yaml
Locate the following lines :
default-log-dir: /usr/local/var/log/suricata/
default-rule-path: /usr/local/etc/suricata/rules
classification-file: /usr/local/etc/suricata/classification.config
reference-config-file: /usr/local/etc/suricata/reference.config
#pid-file: /var/run/suricata.pid
#- rule-reload: true
#threshold-file: /usr/local/etc/suricata/threshold.config
- drop
enable: no
Replace with the following lines :
default-log-dir: /var/log/suricata/
default-rule-path: /etc/suricata/rules
classification-file: /etc/suricata/classification.config
reference-config-file: /etc/suricata/reference.config
pid-file: /var/run/suricata.pid
- rule-reload: true
threshold-file: /usr/local/etc/suricata/threshold.config
- drop
enable: yes
To test if it work or not :
sudo suricata -c /etc/suricata/suricata.yaml -i eth0
Several minutes later, check the
/var/log/suricata/stats.log
and /var/log/suricata/http.log
to see if there are some entries or not.Step 4 :
sudo iptables -A INPUT -j NFQUEUE
sudo iptables -A OUTPUT -j NFQUEUE
sudo iptables -A FORWARD -j NFQUEUE
To test if it work or not :
sudo suricata -c /etc/suricata/suricata.yaml -q 0
Step 5 :
sudo apt-get install oinkmaster
sudo nano /etc/oinkmaster.conf
Append the following line :
url = https://rules.emergingthreatspro.com/open/suricata/emerging.rules.tar.gz
sudo oinkmaster -C /etc/oinkmaster.conf -o /etc/suricata/rules
Step 6 :
When everything is working fine, you can put them in the
/etc/rc.local
just right above "exit 0
" :#iptables -F
iptables -A INPUT -j NFQUEUE
iptables -A OUTPUT -j NFQUEUE
iptables -A FORWARD -j NFQUEUE
/etc/suricata/ips
Then create a file /etc/suricata/ips :
sudo nano /etc/suricata/ips
suricata -D -c /etc/suricata/suricata.yaml -q 0
oinkmaster -C /etc/oinkmaster.conf -o /etc/suricata/rules
kill -USR2 `pidof suricata`
chmod +x /etc/suricata/ips
Then you can write a cron job to update Emerging Threats Rules everyday.
sudo crontab -e
Append the following :
@daily /etc/suricata/update-rules
Then create the
update-rule
sudo nano /etc/suricata/update-rules
oinkmaster -C /etc/oinkmaster.conf -o /etc/suricata/rules
kill -USR2 `pidof suricata`
sudo chmod +x /etc/suricata/update-rules
Remarks :
If you want to create a user-interface for the IPS, you can refer to the "Reference" item [12].
If the Suricata acts as IPS gateway, it requires to bridge 2 NICs and 1 NIC for management purpose. In addition, you need to do some changes on the configure files.
If you have 4-cores CPU, you need to change the settings as the following :
iptables -A INPUT -j NFQUEUE --queue-balance 0:3
iptables -A OUTPUT -j NFQUEUE --queue-balance 0:3
iptables -A FORWARD -j NFQUEUE --queue-balance 0:3
suricata -D -c /etc/suricata/suricata.yaml -q 0 -q 1 -q 2 -q 3
Reference
[1] OISF - Open Information Security Foundation
[2] Ubuntu PPA
[3] Suricata - Features
[4] Suricata Rules
[5] Rules reload
[6] Rule Management with Oinkmaster
[7] SmoothSec 2.1 (Suricata IDS distribution)
[8] Setting up IPS/inline for Linux
[9] Installation with CUDA on Ubuntu Server
[10] Suricata, Snorby and Barnyard2 setup guide
[11] Kill process in Linux or terminate a process in UNIX or Linux systems
[12] Installing Snorby on Ubuntu 12.04
[13] Suricata.yaml
[14] Suricata IPS information
[15] Suricata - Windows
[16] Suricata - Mac OSX
[17] Suricata - FreeBSD
Thats all! See you.
0 comments:
Post a Comment