How to Install Suricata IDS on Ubuntu 16.04

Requirements

  • A fresh Alibaba Cloud Ubuntu 16.04 instance with a minimum of 4 GB RAM.
  • A static IP address (192.168.0.100 in this guide) configured on your instance.
  • A root password set on your instance.

Launch Alibaba Cloud ECS Instance

apt-get update -y

Install Required Dependencies

apt-get install libpcre3-dbg libpcre3-dev libnet1-dev libyaml-dev libjansson4 libcap-ng-dev libmagic-dev libjansson-dev zlib1g-dev autoconf automake libnetfilter-queue-dev libnetfilter-queue1 libnfnetlink-dev libtool libpcap-dev -y

Install Suricata

wget https://www.openinfosecfoundation.org/download/suricata-4.0.5.tar.gz
tar -xvzf suricata-4.0.5.tar.gz
cd suricata-4.0.5
./configure --enable-nfqueue --prefix=/usr --sysconfdir=/etc --localstatedir=/var
To build and install run 'make' and 'make install'. You can run 'make install-conf' if you want to install initial configuration
files to /etc/suricata/. Running 'make install-full' will install configuration
and rules and provide you a ready-to-run suricata.
To install Suricata into /usr/bin/suricata, have the config in
/etc/suricata and use /var/log/suricata as log dir, use:
./configure --prefix=/usr/ --sysconfdir=/etc/ --localstatedir=/var/
make
make install
Writing /usr/lib/python2.7/site-packages/suricatasc-0.9-py2.7.egg-info
make[3]: Nothing to be done for 'install-data-am'.
make[3]: Leaving directory '/root/suricata-4.0.5/scripts/suricatasc'
make[2]: Leaving directory '/root/suricata-4.0.5/scripts/suricatasc'
make[2]: Entering directory '/root/suricata-4.0.5/scripts'
make[3]: Entering directory '/root/suricata-4.0.5/scripts'
make[3]: Nothing to be done for 'install-exec-am'.
make[3]: Nothing to be done for 'install-data-am'.
make[3]: Leaving directory '/root/suricata-4.0.5/scripts'
make[2]: Leaving directory '/root/suricata-4.0.5/scripts'
make[1]: Leaving directory '/root/suricata-4.0.5/scripts'
Making install in etc
make[1]: Entering directory '/root/suricata-4.0.5/etc'
make[2]: Entering directory '/root/suricata-4.0.5/etc'
make[2]: Nothing to be done for 'install-exec-am'.
make[2]: Nothing to be done for 'install-data-am'.
make[2]: Leaving directory '/root/suricata-4.0.5/etc'
make[1]: Leaving directory '/root/suricata-4.0.5/etc'
make[1]: Entering directory '/root/suricata-4.0.5'
make[2]: Entering directory '/root/suricata-4.0.5'
make[2]: Nothing to be done for 'install-exec-am'.
Run 'make install-conf' if you want to install initial configuration files. Or 'make install-full' to install configuration and rules
make[2]: Leaving directory '/root/suricata-4.0.5'
make[1]: Leaving directory '/root/suricata-4.0.5'
make install-conf
install -d "/etc/suricata/"
install -d "/var/log/suricata/files"
install -d "/var/log/suricata/certs"
install -d "/var/run/"
install -m 770 -d "/var/run/suricata"

Configure Suricata

cd suricata-4.0.5
make install-rules
install -d "/etc/suricata/rules"
/usr/bin/wget -qO - https://rules.emergingthreats.net/open/suricata-4.0/emerging.rules.tar.gz | tar -x -z -C "/etc/suricata/" -f -
ls  /etc/suricata/rules
app-layer-events.rules emerging-current_events.rules emerging-netbios.rules emerging-voip.rules
botcc.portgrouped.rules emerging-deleted.rules emerging-p2p.rules emerging-web_client.rules
botcc.rules emerging-dns.rules emerging-policy.rules emerging-web_server.rules
BSD-License.txt emerging-dos.rules emerging-pop3.rules emerging-web_specific_apps.rules
ciarmy.rules emerging-exploit.rules emerging-rpc.rules emerging-worm.rules
compromised-ips.txt emerging-ftp.rules emerging-scada.rules gpl-2.0.txt
compromised.rules emerging-games.rules emerging-scan.rules http-events.rules
decoder-events.rules emerging-icmp_info.rules emerging-shellcode.rules LICENSE
dnp3-events.rules emerging-icmp.rules emerging-smtp.rules modbus-events.rules
dns-events.rules emerging-imap.rules emerging-snmp.rules sid-msg.map
drop.rules emerging-inappropriate.rules emerging-sql.rules smtp-events.rules
dshield.rules emerging-info.rules emerging-telnet.rules stream-events.rules
emerging-activex.rules emerging-malware.rules emerging-tftp.rules suricata-4.0-enhanced-open.txt
emerging-attack_response.rules emerging-misc.rules emerging-trojan.rules tls-events.rules
emerging-chat.rules emerging-mobile_malware.rules emerging-user_agents.rules tor.rules
nano /etc/suricata/suricata.yaml
Set HOME_NET to your local network and EXTERNAL_NET to everything else under the vars: address-groups: section:
HOME_NET: "[192.168.0.0/16]"
EXTERNAL_NET: "!$HOME_NET"
Create a custom rule file with three test signatures:
nano /etc/suricata/rules/my.rules
alert icmp any any -> $HOME_NET any (msg:"ICMP connection attempt"; sid:1000002; rev:1;)
alert tcp any any -> $HOME_NET 22 (msg:"SSH connection attempt"; sid:1000003; rev:1;)
alert tcp any any -> $HOME_NET 80 (msg:"DOS Unusually fast port 80 SYN packets outbound, Potential DOS"; flags: S,12; threshold: type both, track by_dst, count 500, seconds 5; classtype:misc-activity; sid:6;)
Then add the new file to the rule-files list in suricata.yaml so Suricata loads it:
nano /etc/suricata/suricata.yaml
rule-files:
  - my.rules
Disable NIC offloading so Suricata sees packets as they are on the wire rather than reassembled by the card, then start Suricata as a daemon on eth0:
ethtool -K eth0 tso off
ethtool -K eth0 tx off
ethtool -K eth0 gro off
/usr/bin/suricata -D -c /etc/suricata/suricata.yaml -i eth0
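Before loading my.rules it is worth checking it for the hygiene problems Suricata itself does not reject. The following lint is an added example, not part of the original post or of Suricata; it parses the three rules above (embedded as a constructed copy) and reports a missing rev, a sid that is not in the local range (>= 1000000, the convention Suricata reserves for site rules, which the page's first two rules follow), duplicate sids and missing msg.

```python
import re

# Constructed copy of the three rules written to /etc/suricata/rules/my.rules above.
MY_RULES = """\
alert icmp any any -> $HOME_NET any (msg:"ICMP connection attempt"; sid:1000002; rev:1;)
alert tcp any any -> $HOME_NET 22 (msg:"SSH connection attempt"; sid:1000003; rev:1;)
alert tcp any any -> $HOME_NET 80 (msg:"DOS Unusually fast port 80 SYN packets outbound, Potential DOS"; flags: S,12; threshold: type both, track by_dst, count 500, seconds 5; classtype:misc-activity; sid:6;)
"""

# header: action proto src sport dir dst dport (options)
RULE_RE = re.compile(
    r'^(?P<action>alert|drop|pass|reject)\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$')

LOCAL_SID_MIN = 1000000  # sids below this belong to distributed rule sets such as ET


def parse_options(opts):
    """Split 'key:value; key2; ...' into a dict; keyword-only options map to None."""
    out = {}
    for item in opts.split(';'):
        item = item.strip()
        if item:
            key, _, val = item.partition(':')
            out[key.strip()] = val.strip() or None
    return out


def lint_rules(text):
    """Return (line number, problem) pairs. Syntax errors are left to 'suricata -T -c suricata.yaml';
    this catches hygiene issues that pass that check."""
    findings, seen = [], {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        m = RULE_RE.match(line)
        if not m:
            findings.append((lineno, 'unparseable rule header'))
            continue
        opts = parse_options(m.group('opts'))
        if not (opts.get('sid') or '').isdigit():
            findings.append((lineno, 'missing or non-numeric sid'))
            continue
        sid = int(opts['sid'])
        if sid < LOCAL_SID_MIN:
            findings.append((lineno, f'sid {sid} is below the local range {LOCAL_SID_MIN}; may collide with ET rules'))
        if 'rev' not in opts:
            findings.append((lineno, f'sid {sid} has no rev (alerts will show rev 0)'))
        if 'msg' not in opts:
            findings.append((lineno, f'sid {sid} has no msg'))
        if sid in seen:
            findings.append((lineno, f'sid {sid} duplicates line {seen[sid]}'))
        seen[sid] = lineno
    return findings
```

Run against the page's rules it flags only the third one, whose sid 6 sits in the reserved range and carries no rev.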

Test Suricata

apt-get install nikto hping3 nmap -y
hping3 -S 192.168.0.100 -p 80 --flood
tail -f /var/log/suricata/fast.log
10/26/2018-12:24:52.146740  [**] [1:6:0] DOS Unusually fast port 80 SYN packets outbound, Potential DOS [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.168.0.104:2545 -> 192.168.0.100:80
10/26/2018-12:24:55.516790 [**] [1:6:0] DOS Unusually fast port 80 SYN packets outbound, Potential DOS [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.168.0.104:42629 -> 192.168.0.100:80
nmap -sS -v -n -A 192.168.0.100 -T4
tail -f /var/log/suricata/fast.log
10/26/2018-12:34:29.048872  [**] [1:1000002:1] ICMP connection attempt [**] [Classification: (null)] [Priority: 3] {ICMP} 192.168.0.104:8 -> 192.168.0.100:9
10/26/2018-12:34:29.048954 [**] [1:1000002:1] ICMP connection attempt [**] [Classification: (null)] [Priority: 3] {ICMP} 192.168.0.100:0 -> 192.168.0.104:9
10/26/2018-12:34:29.073931 [**] [1:1000002:1] ICMP connection attempt [**] [Classification: (null)] [Priority: 3] {ICMP} 192.168.0.104:8 -> 192.168.0.100:0
ssh 192.168.0.100
tail -f /var/log/suricata/fast.log
10/26/2018-13:35:32.971883  [**] [1:1000003:1] SSH connection attempt [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.0.104:60367 -> 192.168.0.100:22
nikto -h 192.168.0.100 -C all
tail -f /var/log/suricata/fast.log
10/26/2018-11:09:34.392428  [**] [1:2024364:3] ET SCAN Possible Nmap User-Agent Observed [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.0.104:43459 -> 192.168.0.100:80
10/26/2018-11:09:34.516266 [**] [1:2024364:3] ET SCAN Possible Nmap User-Agent Observed [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.0.104:43464 -> 192.168.0.100:80
10/26/2018-11:09:34.623732 [**] [1:2024364:3] ET SCAN Possible Nmap User-Agent Observed [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.0.104:43466 -> 192.168.0.100:80
10/26/2018-11:09:34.949076 [**] [1:2024364:3] ET SCAN Possible Nmap User-Agent Observed [
