How to Install Suricata IDS on Ubuntu 16.04

Requirements

Launch Alibaba Cloud ECS Instance

# Refresh the package index so the dependency install below resolves current versions.
apt-get update -y

Install Required Dependencies

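# Build dependencies for Suricata 4.0.5 with NFQUEUE support.
# "libpcre3-dev" and "libnet1-dev" were previously run together as a single
# (nonexistent) package name, which makes apt-get abort before installing
# anything.
# NOTE(review): assumes a C toolchain and pkg-config are already present on
# the image, since neither is listed here.
apt-get install -y \
  libpcre3-dbg libpcre3-dev libnet1-dev libyaml-dev \
  libjansson4 libjansson-dev libcap-ng-dev libmagic-dev zlib1g-dev \
  autoconf automake libtool \
  libnetfilter-queue-dev libnetfilter-queue1 libnfnetlink-dev libpcap-dev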

Install Suricata

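# Fetch the 4.0.5 source release. OISF publishes a detached GPG signature
# next to each tarball (suricata-4.0.5.tar.gz.sig); verify it against the
# OISF release key (<OISF-RELEASE-KEY-FINGERPRINT>, obtained out of band)
# before unpacking, since nothing below checks the download's integrity.
wget https://www.openinfosecfoundation.org/download/suricata-4.0.5.tar.gz
tar -xvzf suricata-4.0.5.tar.gz
# Stop here rather than run configure in the wrong directory if extraction failed.
cd suricata-4.0.5 || exit 1
# --enable-nfqueue builds the NFQUEUE capture method (hence the
# libnetfilter-queue packages in the dependency list); the remaining flags put
# the binary in /usr/bin, the config in /etc/suricata and logs under
# /var/log/suricata.
./configure --enable-nfqueue --prefix=/usr --sysconfdir=/etc --localstatedir=/var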
To build and install, run 'make' and 'make install'. You can run 'make install-conf' if you want to install initial configuration
files to /etc/suricata/. Running 'make install-full' will install configuration
and rules and provide you a ready-to-run suricata.
To install Suricata into /usr/bin/suricata, have the config in
/etc/suricata and use /var/log/suricata as log dir, use:
./configure --prefix=/usr/ --sysconfdir=/etc/ --localstatedir=/var/
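# Build, then install only if the build succeeded.
make && make install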
Writing /usr/lib/python2.7/site-packages/suricatasc-0.9-py2.7.egg-info
make[3]: Nothing to be done for 'install-data-am'.
make[3]: Leaving directory '/root/suricata-4.0.5/scripts/suricatasc'
make[2]: Leaving directory '/root/suricata-4.0.5/scripts/suricatasc'
make[2]: Entering directory '/root/suricata-4.0.5/scripts'
make[3]: Entering directory '/root/suricata-4.0.5/scripts'
make[3]: Nothing to be done for 'install-exec-am'.
make[3]: Nothing to be done for 'install-data-am'.
make[3]: Leaving directory '/root/suricata-4.0.5/scripts'
make[2]: Leaving directory '/root/suricata-4.0.5/scripts'
make[1]: Leaving directory '/root/suricata-4.0.5/scripts'
Making install in etc
make[1]: Entering directory '/root/suricata-4.0.5/etc'
make[2]: Entering directory '/root/suricata-4.0.5/etc'
make[2]: Nothing to be done for 'install-exec-am'.
make[2]: Nothing to be done for 'install-data-am'.
make[2]: Leaving directory '/root/suricata-4.0.5/etc'
make[1]: Leaving directory '/root/suricata-4.0.5/etc'
make[1]: Entering directory '/root/suricata-4.0.5'
make[2]: Entering directory '/root/suricata-4.0.5'
make[2]: Nothing to be done for 'install-exec-am'.
Run 'make install-conf' if you want to install initial configuration files. Or 'make install-full' to install configuration and rules
make[2]: Leaving directory '/root/suricata-4.0.5'
make[1]: Leaving directory '/root/suricata-4.0.5'
# Installs the initial configuration into /etc/suricata and creates the
# log and run directories (see the install -d output below).
make install-conf
install -d "/etc/suricata/"
install -d "/var/log/suricata/files"
install -d "/var/log/suricata/certs"
install -d "/var/run/"
install -m 770 -d "/var/run/suricata"

Configure Suricata

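# Absolute path so this works from a fresh shell; a relative cd would fail
# if you are still inside the source tree from the build step.
cd /root/suricata-4.0.5 || exit 1
# Fetches the ET Open ruleset over HTTPS into /etc/suricata/rules
# (see the wget output below).
make install-rules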
install -d "/etc/suricata/rules"
/usr/bin/wget -qO - https://rules.emergingthreats.net/open/suricata-4.0/emerging.rules.tar.gz | tar -x -z -C "/etc/suricata/" -f -
# Confirm the rule files were extracted into the rules directory.
ls -- /etc/suricata/rules
app-layer-events.rules          emerging-current_events.rules  emerging-netbios.rules      emerging-voip.rules
botcc.portgrouped.rules emerging-deleted.rules emerging-p2p.rules emerging-web_client.rules
botcc.rules emerging-dns.rules emerging-policy.rules emerging-web_server.rules
BSD-License.txt emerging-dos.rules emerging-pop3.rules emerging-web_specific_apps.rules
ciarmy.rules emerging-exploit.rules emerging-rpc.rules emerging-worm.rules
compromised-ips.txt emerging-ftp.rules emerging-scada.rules gpl-2.0.txt
compromised.rules emerging-games.rules emerging-scan.rules http-events.rules
decoder-events.rules emerging-icmp_info.rules emerging-shellcode.rules LICENSE
dnp3-events.rules emerging-icmp.rules emerging-smtp.rules modbus-events.rules
dns-events.rules emerging-imap.rules emerging-snmp.rules sid-msg.map
drop.rules emerging-inappropriate.rules emerging-sql.rules smtp-events.rules
dshield.rules emerging-info.rules emerging-telnet.rules stream-events.rules
emerging-activex.rules emerging-malware.rules emerging-tftp.rules suricata-4.0-enhanced-open.txt
emerging-attack_response.rules emerging-misc.rules emerging-trojan.rules tls-events.rules
emerging-chat.rules emerging-mobile_malware.rules emerging-user_agents.rules tor.rules
# Set the local network definitions in the main config (values below).
nano /etc/suricata/suricata.yaml
# Address space Suricata treats as local; replace 192.168.0.0/16 with the
# instance's actual subnet, otherwise the $HOME_NET rules below match the
# wrong traffic.
HOME_NET: "[192.168.0.0/16]"
# Everything that is not HOME_NET.
EXTERNAL_NET: "!$HOME_NET"
# Create a local rule file alongside the installed ET Open rules.
nano /etc/suricata/rules/my.rules
# Any ICMP toward HOME_NET.
alert icmp any any -> $HOME_NET any (msg:"ICMP connection attempt"; sid:1000002; rev:1;) 
# Any TCP connection to port 22 on HOME_NET.
alert tcp any any -> $HOME_NET 22 (msg:"SSH connection attempt"; sid:1000003; rev:1;)
# Fires once more than 500 SYNs (flags: S, reserved bits ignored) reach one
# HOME_NET host on port 80 within 5 seconds; "type both" limits the alert to
# one per window.
# NOTE(review): sid:6 is in the range reserved for distributed rulesets and has
# no rev, so it logs as [1:6:0] below and can collide with an official rule;
# use a local sid like the two above (e.g. sid:1000004; rev:1;). The msg says
# "outbound" but the direction is any -> $HOME_NET, i.e. traffic arriving at
# HOME_NET.
alert tcp any any -> $HOME_NET 80 (msg:"DOS Unusually fast port 80 SYN packets outbound, Potential DOS"; flags: S,12; threshold: type both, track by_dst, count 500, seconds 5; classtype:misc-activity; sid:6;)
# Register the new rule file in the main config (entry below).
nano /etc/suricata/suricata.yaml
# Add under the rule-files: list so my.rules is loaded from the rules
# directory together with the ET Open files installed above.
- my.rules
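# Interface Suricata will monitor; change if the instance's NIC is not eth0.
iface=eth0
# Disable NIC offloading (TCP segmentation, TX checksum, generic receive
# offload) so Suricata sees packets as they appear on the wire rather than
# kernel-coalesced segments.
ethtool -K "$iface" tso off
ethtool -K "$iface" tx off
ethtool -K "$iface" gro off
# Start Suricata as a daemon (-D) with the edited config on that interface.
# It runs as root here; Suricata can drop privileges after startup via
# --user/--group (libcap-ng-dev from the dependency list provides this).
/usr/bin/suricata -D -c /etc/suricata/suricata.yaml -i "$iface"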

Test Suricata

# Traffic generators used to confirm the rules fire.
apt-get install nikto hping3 nmap -y
# Sends a burst of SYNs to port 80 on the monitored host to exercise the
# threshold rule (sid 6).
hping3 -S 192.168.0.100 -p 80 --flood
# fast.log holds one line per alert; sid 6 appears as [1:6:0] since no rev is set.
tail -f /var/log/suricata/fast.log
10/26/2018-12:24:52.146740  [**] [1:6:0] DOS Unusually fast port 80 SYN packets outbound, Potential DOS [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.168.0.104:2545 -> 192.168.0.100:80
10/26/2018-12:24:55.516790 [**] [1:6:0] DOS Unusually fast port 80 SYN packets outbound, Potential DOS [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.168.0.104:42629 -> 192.168.0.100:80
# Port scan of the monitored host; the ICMP echo it sends for host discovery
# trips the ICMP rule (sid 1000002, alerts below).
nmap -sS -v -n -A 192.168.0.100 -T4
tail -f /var/log/suricata/fast.log
10/26/2018-12:34:29.048872  [**] [1:1000002:1] ICMP connection attempt [**] [Classification: (null)] [Priority: 3] {ICMP} 192.168.0.104:8 -> 192.168.0.100:9
10/26/2018-12:34:29.048954 [**] [1:1000002:1] ICMP connection attempt [**] [Classification: (null)] [Priority: 3] {ICMP} 192.168.0.100:0 -> 192.168.0.104:9
10/26/2018-12:34:29.073931 [**] [1:1000002:1] ICMP connection attempt [**] [Classification: (null)] [Priority: 3] {ICMP} 192.168.0.104:8 -> 192.168.0.100:0
# A single SSH connection is enough to trip sid 1000003 (alert below).
ssh 192.168.0.100
tail -f /var/log/suricata/fast.log
10/26/2018-13:35:32.971883  [**] [1:1000003:1] SSH connection attempt [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.0.104:60367 -> 192.168.0.100:22
# Web scanner run; the alerts below come from ET Open rule 2024364
# (ET SCAN Possible Nmap User-Agent Observed), not from a local rule.
nikto -h 192.168.0.100 -C all
tail -f /var/log/suricata/fast.log
10/26/2018-11:09:34.392428  [**] [1:2024364:3] ET SCAN Possible Nmap User-Agent Observed [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.0.104:43459 -> 192.168.0.100:80
10/26/2018-11:09:34.516266 [**] [1:2024364:3] ET SCAN Possible Nmap User-Agent Observed [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.0.104:43464 -> 192.168.0.100:80
10/26/2018-11:09:34.623732 [**] [1:2024364:3] ET SCAN Possible Nmap User-Agent Observed [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.0.104:43466 -> 192.168.0.100:80
10/26/2018-11:09:34.949076 [**] [1:2024364:3] ET SCAN Possible Nmap User-Agent Observed [
