How to Install Suricata IDS on Ubuntu 16.04

By Hitesh Jethva, Alibaba Cloud Tech Share Author. Tech Share is Alibaba Cloud’s incentive program to encourage the sharing of technical knowledge and best practices within the cloud community.

Suricata is a free, open source, fast and robust intrusion detection system (IDS), intrusion prevention system (IPS) and network security monitoring engine. Suricata inspects network traffic using a powerful and extensive rules and signature language. You can set up Suricata as an active, inline IDS and IPS to monitor inbound and outbound traffic. It can stop malicious traffic before it enters the network and alert the administrator. You can also integrate Suricata with the Linux Netfilter firewall.

In this tutorial, we will be installing and configuring Suricata on an Alibaba Cloud Elastic Compute Service (ECS) Ubuntu 16.04 server.

Requirements

  • A fresh Alibaba Cloud Ubuntu 16.04 instance with a minimum of 4 GB RAM.
  • A static IP address 192.168.0.100 set up on your instance.
  • A root password set up on your instance.

Launch Alibaba Cloud ECS Instance

First, log in to your Alibaba Cloud ECS Console. Create a new ECS instance, choosing Ubuntu 16.04 as the operating system with at least 2GB RAM. Connect to your ECS instance and log in as the root user.

Once you are logged into your Ubuntu 16.04 instance, run the following command to update your base system with the latest available packages.

Install Required Dependencies

Before starting, you will need to install some dependencies required by Suricata. You can install all of them by running the following command:

After installing all the packages, you can proceed to install Suricata.

Install Suricata

First, download the latest version of Suricata from their official website using the following command:

Next, extract the downloaded file with the following command:

Next, build Suricata using the following command:

Output:

Next, install Suricata with the following command:

Output:

Next, install the Suricata default configuration file with the following command:

You should see the following output:

Configure Suricata

Before starting, you will need to install the Suricata IDS rule sets on your system. You can install them from the Suricata source directory using the following command:

Output:

You can now start suricata by running as root something like /usr/bin/suricata -c /etc/suricata//suricata.yaml -i eth0.

If a library like libhtp.so is not found, you can run suricata with: LD_LIBRARY_PATH=/usr/lib /usr/bin/suricata -c /etc/suricata//suricata.yaml -i eth0.

While rules are installed now, it’s highly recommended to use a rule manager for maintaining rules.

The two most common are Oinkmaster and Pulledpork. For a guide see:
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Rule_Management_with_Oinkmaster

You can list all the installed rules with the following command:

Output:

Next, you will need to modify the suricata.yaml file. You can do this by running the following command:

Make the following changes as per your requirements:

Save and close the file, when you are finished.

Next, create your own rule set to test Suricata. These rules will generate an alert in the /var/log/suricata/fast.log file when someone attempts a ping, an SSH connection, or a SYN flood DoS attack.

Add the following lines:

Save and close the file.

Next, you will also need to define the path to this rule file in suricata.yaml:

Add the following lines inside the rule-files: section:

Save and close the file.

Next, you will need to turn off any packet offload features on the NIC which Suricata is listening on. You can do this with the following command:

Finally, run Suricata in live mode with the following command:

Test Suricata

Suricata IDS is now up and listening on the interface eth0. It’s time to perform intrusion detection.

To test Suricata, you will need to install some tools on the remote machine.

On the remote machine, install the hping, nmap and nikto tools with the following command:

From the remote machine, perform a SYN flood attack against the Suricata server with the following command:

On the Suricata server, check the log with the following command:

You should get something like this:

From the remote machine, perform an Nmap scan against the Suricata server with the following command:

On the Suricata server, check the log with the following command:

You should see something like this:

Next, perform an SSH connection attempt from the remote machine:

On the Suricata server, check the log with the following command:

You should see the following output:

From the remote machine, perform a test attack against the Suricata server with the following command:

On the Suricata server, check the log with the following command:

Output:
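Each of the checks above reads alerts out of /var/log/suricata/fast.log by hand. The following script, added here as an example and not part of the original tutorial, parses that file's one-line alert format and summarises alerts per signature and per source, so a burst from a single host (such as the SYN flood test) stands out. The sample log lines, signature IDs and message texts are constructed for this example; 192.168.0.100 is the server address used in this tutorial and the remote hosts are invented.

```python
import re
from collections import Counter

# Shape of one alert line in /var/log/suricata/fast.log:
# <timestamp>  [**] [gid:sid:rev] <msg> [**] [Classification: ...] [Priority: N] {PROTO} SRC:SPORT -> DST:DPORT
# For ICMP, Suricata prints the ICMP type and code in the port positions.
FAST_LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.+?)\s+\[\*\*\]\s+\[Classification:\s*(?P<cls>[^\]]*)\]\s+"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\S+):(?P<sport>\d+)\s+->\s+(?P<dst>\S+):(?P<dport>\d+)$"
)

# Constructed sample lines (not captured traffic); sids 1000001-1000003 and the messages are invented.
SAMPLE_FAST_LOG = """\
01/14/2019-10:21:05.123456  [**] [1:1000001:1] ICMP ping detected [**] [Classification: (null)] [Priority: 3] {ICMP} 192.168.0.101:8 -> 192.168.0.100:0
01/14/2019-10:21:07.223456  [**] [1:1000002:1] SSH connection attempt [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.0.101:51234 -> 192.168.0.100:22
01/14/2019-10:21:09.000001  [**] [1:1000003:1] Possible SYN flood [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.0.101:40001 -> 192.168.0.100:80
01/14/2019-10:21:09.000120  [**] [1:1000003:1] Possible SYN flood [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.0.101:40002 -> 192.168.0.100:80
01/14/2019-10:21:09.000250  [**] [1:1000003:1] Possible SYN flood [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.0.101:40003 -> 192.168.0.100:80
01/14/2019-10:21:15.500000  [**] [1:1000003:1] Possible SYN flood [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.0.102:40001 -> 192.168.0.100:80
suricata: this line is not an alert and must be skipped
"""


def parse_fast_log(text):
    """Parse fast.log text into a list of alert dicts; lines that do not match are skipped."""
    alerts = []
    for line in text.splitlines():
        m = FAST_LOG_RE.match(line.strip())
        if m:
            alerts.append(m.groupdict())
    return alerts


def count_by_signature(alerts):
    """Number of alerts per (sid, msg) pair."""
    return Counter((a["sid"], a["msg"]) for a in alerts)


def noisy_sources(alerts, sid, threshold):
    """Source IPs that triggered `sid` at least `threshold` times, e.g. a SYN flood source."""
    per_src = Counter(a["src"] for a in alerts if a["sid"] == sid)
    return sorted(src for src, n in per_src.items() if n >= threshold)


if __name__ == "__main__":
    parsed = parse_fast_log(SAMPLE_FAST_LOG)
    for (sid, msg), n in count_by_signature(parsed).most_common():
        print(f"sid {sid}: {n:3d}  {msg}")
    print("SYN flood sources (>=3 alerts):", noisy_sources(parsed, "1000003", 3))
```

To run it against a live server, replace SAMPLE_FAST_LOG with the contents of /var/log/suricata/fast.log.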

Reference: https://www.alibabacloud.com/blog/how-to-install-suricata-ids-on-ubuntu-16-04_594941?spm=a2c41.13059725.0.0
