One of the tasks of a system administrator is keeping servers secure through network security monitoring and intrusion prevention. Suricata is one of the tools that fits this job well.
What is Suricata IDS / IPS Tool
Suricata is a mature, open-source, community-driven threat detection engine. It was developed by the Open Information Security Foundation (OISF), which produced a beta release in 2009 and the first stable release in July 2010. Suricata identifies and, when run inline, stops sophisticated attacks by combining network security monitoring (NSM), intrusion detection (IDS), intrusion prevention (IPS) and offline PCAP processing in a single engine.
The IDS and IPS roles differ in where Suricata sits in the traffic path. As an IDS it inspects a copy of the traffic (for example via AF_PACKET on the host's own interface or a mirror port) and raises alerts when packets match signatures of known attacks; it cannot block anything. As an IPS it sits inline (on Linux typically via NFQUEUE) and can drop matching packets before they are delivered, which is why the rule action changes from alert to drop.
Features of Suricata IDS / IPS Tool are:
- File extraction with hashing (MD5/SHA1/SHA256) of files carried over supported protocols
- Multi-threaded signature detection
- Parsing and logging of many application-layer protocols (HTTP, TLS, DNS, SMB, SSH and others)
- Easy integration with Elasticsearch/Logstash, Kibana, Splunk and similar tools for log processing, because it writes its logs as structured JSON (the EVE output); the configuration itself is YAML
- IP reputation lists and live rule reloading without restarting the engine
- Full TCP stream reassembly and IP defragmentation before inspection
- Lua scripting, which can be used to customise outputs and to express signature logic too complex for rule keywords
- VXLAN decoding since 4.1.5
By the end of this guide, you should be able to install Suricata IDS / IPS Tool on Debian 11/10.
Step 1 – Install Suricata IDS / IPS Tool on Debian 11/10
There are multiple ways to get Suricata IDS / IPS Tool installed on your Debian 11/10 machine.
Option 1 – Install Suricata IDS / IPS Tool on Debian 11/10 from APT.
Suricata is packaged in the default Debian 11/10 repositories. The drawback is that the packaged version lags behind upstream, so you may miss newer features and fixes. Check which version the repositories offer:
$ sudo apt-cache show suricata
Package: suricata
Version: 1:6.0.1-3
Installed-Size: 6466
Maintainer: Pierre Chifflier <[email protected]>
Architecture: amd64
Replaces: libhtp1 (<< 0.5.16), suricata-hyperscan (<< 3.2)
Depends: python3 (>= 3.2), python3-simplejson, python3:any, libbpf0 (>= 5.2.6), libc6 (>= 2.29), libcap-ng0 (>= 0.7.9), libevent-2.1-7 (>= 2.1.8-stable), libevent-pthreads-2.1-7 (>= 2.1.8-stable), libgcc-s1 (>= 4.2), libhiredis0.14 (>= 0.14.1), libhtp2 (>= 1:0.5.36-1~), libhyperscan5 (>= 5.4.0), libjansson4 (>= 2.2), libluajit-5.1-2 (>= 2.0.4+dfsg), liblz4-1 (>= 0.0~r127), libmagic1 (>= 5.12), libmaxminddb0 (>= 1.0.2), libnet1 (>= 1.1.5), libnetfilter-log1 (>= 0.0.13), libnetfilter-queue1 (>= 1.0.2), libnfnetlink0, libnspr4 (>= 2:4.9-2~), libnss3 (>= 2:3.13.4-2~), libpcap0.8 (>= 1.0.0), libpcre3, libyaml-0-2, zlib1g (>= 1:1.1.4), lsb-base (>= 3.0-6)
Pre-Depends: dpkg (>= 1.15.7.2), init-system-helpers (>= 1.54~)
Recommends: snort-rules-default, suricata-update
Suggests: libtcmalloc-minimal4
.........
If you choose this method, install Suricata IDS / IPS Tool on Debian 11/10 using the command below.
sudo apt install suricata
Dependency tree:
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following additional packages will be installed:
libevent-core-2.1-7 libevent-pthreads-2.1-7 libhiredis0.14 libhtp2
libhyperscan5 libluajit-5.1-2 libluajit-5.1-common libnet1 libnetfilter-log1
libnetfilter-queue1 oinkmaster python3-simplejson python3-yaml
snort-rules-default suricata-update
Suggested packages:
snort | snort-pgsql | snort-mysql libtcmalloc-minimal4
The following NEW packages will be installed:
libevent-core-2.1-7 libevent-pthreads-2.1-7 libhiredis0.14 libhtp2
libhyperscan5 libluajit-5.1-2 libluajit-5.1-common libnet1 libnetfilter-log1
libnetfilter-queue1 oinkmaster python3-simplejson python3-yaml
snort-rules-default suricata suricata-update
0 upgraded, 16 newly installed, 0 to remove and 19 not upgraded.
Need to get 5,836 kB of archives.
After this operation, 28.1 MB of additional disk space will be used.
Do you want to continue? [Y/n] Y
Option 2 – Install Suricata IDS / IPS Tool on Debian 11/10 from source
With this method you build whichever release you download, so you can run the latest version (and its security fixes) rather than the packaged one.
Update your APT package index.
sudo apt update
Then install the build dependencies. Suricata 6 requires libjansson (for the EVE JSON output) and uses libmaxminddb rather than the deprecated GeoIP library, and Debian 11 no longer ships the Python 2 python-yaml package, so the list below uses python3-yaml:
sudo apt-get install libpcre3 libpcre3-dbg libpcre3-dev build-essential libpcap-dev \
libnet1-dev libyaml-0-2 libyaml-dev pkg-config zlib1g zlib1g-dev \
libcap-ng-dev libcap-ng0 make libmagic-dev libjansson-dev \
libnss3-dev libmaxminddb-dev liblua5.1-dev libhiredis-dev libevent-dev \
python3-yaml rustc cargo
For NFQUEUE integration with iptables/nftables, which IPS (inline) mode requires, install the packages below.
sudo apt-get install libnetfilter-queue-dev libnetfilter-queue1 \
libnetfilter-log-dev libnetfilter-log1 \
libnfnetlink-dev libnfnetlink0
The next step is suricata-update, the tool that downloads and manages rule sets. This guide installs it with pip; note that a source build configured with --enable-suricata-update (as in the configure line further down) bundles its own copy, so this step is optional in that case.
sudo apt-get install python3-pip
With PIP installed, proceed and install Suricata-update on Debian 11/10 with the command:
sudo pip3 install --upgrade suricata-update
Sample Output:
Collecting suricata-update
Downloading https://files.pythonhosted.org/packages/81/eb/051dcb8184831723d6d7d5e4b5f2f2d9b987430a00019cd0a1a5785bd430/suricata-update-1.2.2.tar.gz (69kB)
100% |████████████████████████████████| 71kB 388kB/s
Collecting pyyaml (from suricata-update)
Downloading https://files.pythonhosted.org/packages/eb/5f/6e6fe6904e1a9c67bc2ca5629a69e7a5a0b17f079da838bab98a1e548b25/PyYAML-6.0-cp37-cp37m-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl (596kB)
100% |████████████████████████████████| 604kB 993kB/s
Building wheels for collected packages: suricata-update
Running setup.py bdist_wheel for suricata-update ... done
Stored in directory: /home/debian/.cache/pip/wheels/a1/d5/49/206350d2b2aeafb3e35a826f3baa8609bed844b3ef53d0e370
Successfully built suricata-update
Installing collected packages: pyyaml, suricata-update
Successfully installed pyyaml-6.0 suricata-update-1.2.2
pip installs the tool under /usr/local/bin:
$ whereis suricata-update
suricata-update: /usr/local/bin/suricata-update
That directory is on the default PATH, so the symbolic link below is optional; it only matters for scripts or unit files that hard-code /usr/bin.
sudo ln -s /usr/local/bin/suricata-update /usr/bin/suricata-update
Now go to the official Suricata downloads page and download the latest release, or pull the tarball directly as below. 6.0.3 was the latest version when this guide was written; use the newest 6.0.x available, since older releases do not receive security fixes, and compare the download against the checksum or signature published on the downloads page before building it.
wget https://www.openinfosecfoundation.org/download/suricata-6.0.3.tar.gz
Now extract the file:
tar xzf suricata-6.0.3.tar.gz
Now configure, compile and install Suricata. Only the install step needs root; configure and make should run as your normal user. The --prefix, --sysconfdir and --localstatedir flags place the binary in /usr/bin, the configuration in /etc/suricata and state in /var/lib/suricata and /var/log/suricata. make install-full also installs the default suricata.yaml and runs suricata-update to fetch the Emerging Threats Open rule set, so it needs network access.
cd suricata-6.0.3
./configure --sysconfdir=/etc --localstatedir=/var --prefix=/usr/ --enable-lua --enable-nfqueue --enable-suricata-update
make
sudo make install-full
Step 2 – Working with Suricata Rules on Debian 11/10
Suricata detects intrusions by matching traffic against rules, also called signatures. The rules shipped with Suricata itself (mostly protocol anomaly and decoder event rules) live in the /usr/share/suricata/rules directory.
ls /usr/share/suricata/rules
The available rules on my system:
app-layer-events.rules http-events.rules smb-events.rules
decoder-events.rules ipsec-events.rules smtp-events.rules
dhcp-events.rules kerberos-events.rules stream-events.rules
dnp3-events.rules modbus-events.rules tls-events.rules
dns-events.rules nfs-events.rules
files.rules ntp-events.rules
The Emerging Threats Open (ET Open) rule set, fetched by suricata-update, is merged with the distribution rules above into /var/lib/suricata/rules/suricata.rules. Install or refresh it with the command below (the first run downloads the tarball; later runs skip the download if the last one was recent, as the output shows):
$ sudo suricata-update
16/10/2021 -- 04:03:25 - <Info> -- Using data-directory /var/lib/suricata.
16/10/2021 -- 04:03:25 - <Info> -- Using Suricata configuration /etc/suricata/suricata.yaml
16/10/2021 -- 04:03:25 - <Info> -- Using /usr/share/suricata/rules for Suricata provided rules.
16/10/2021 -- 04:03:25 - <Info> -- Found Suricata version 6.0.3 at /usr/bin/suricata.
16/10/2021 -- 04:03:25 - <Info> -- Loading /etc/suricata/suricata.yaml
16/10/2021 -- 04:03:25 - <Info> -- Disabling rules for protocol http2
16/10/2021 -- 04:03:25 - <Info> -- Disabling rules for protocol modbus
16/10/2021 -- 04:03:25 - <Info> -- Disabling rules for protocol dnp3
16/10/2021 -- 04:03:25 - <Info> -- Disabling rules for protocol enip
16/10/2021 -- 04:03:25 - <Info> -- No sources configured, will use Emerging Threats Open
16/10/2021 -- 04:03:25 - <Info> -- Last download less than 15 minutes ago. Not downloading https://rules.emergingthreats.net/open/suricata-6.0.3/emerging.rules.tar.gz.
16/10/2021 -- 04:03:25 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/app-layer-events.rules
16/10/2021 -- 04:03:25 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/decoder-events.rules
16/10/2021 -- 04:03:25 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/dhcp-events.rules
16/10/2021 -- 04:03:25 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/dnp3-events.rules
16/10/2021 -- 04:03:25 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/dns-events.rules
16/10/2021 -- 04:03:25 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/files.rules
16/10/2021 -- 04:03:25 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/http-events.rules
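When you start adding your own rules next to the ET Open set, the mistakes that bite are bookkeeping ones: a duplicate sid, a sid outside the range reserved for local rules, a missing rev. Suricata reports these one at a time at load. The Python script below is an added example written for this guide, not part of Suricata or suricata-update; the three rules in LOCAL_RULES are constructed for the demonstration (the first alerts on a burst of SYNs to SSH, which is what the hping3 test at the end of this guide generates, the other two are deliberately broken), and the 1000000-1999999 block is the conventional range for local signatures. It is a pre-check only; suricata -T remains the authoritative syntax test.

```python
import re

# Constructed local rules for the demonstration (not from the guide).  The first
# alerts on a burst of TCP SYNs to SSH from outside HOME_NET; the other two are
# deliberately flawed so the checks below have something to report.
LOCAL_RULES = r'''
# SYN burst against SSH from outside HOME_NET
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"LOCAL SSH SYN burst"; flags:S; threshold:type both, track by_dst, count 100, seconds 10; classtype:attempted-dos; sid:1000001; rev:1;)
# reuses the sid above
alert icmp any any -> $HOME_NET any (msg:"LOCAL ICMP echo request"; itype:8; sid:1000001; rev:1;)
# sid outside the local range and no rev
alert tcp any any -> $HOME_NET 23 (msg:"LOCAL telnet attempt"; sid:5;)
'''

LOCAL_SID_RANGE = range(1000000, 2000000)  # block conventionally reserved for local rules

# action proto src sport dir dst dport (options)
RULE_RE = re.compile(
    r'^(?P<action>alert|drop|pass|reject|rejectsrc|rejectdst|rejectboth)\s+'
    r'(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+'
    r'(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$'
)


def parse_rule(line):
    """Split one rule into its header fields and a dict of options.

    Options are split on ';'.  That is enough for keyword:value options such as
    sid, rev and flags; a ';' inside a quoted msg or content (Suricata escapes
    it as backslash-semicolon) would need a real tokenizer.
    """
    m = RULE_RE.match(line.strip())
    if m is None:
        return None
    rule = m.groupdict()
    opts = {}
    for opt in m.group('opts').split(';'):
        opt = opt.strip()
        if not opt:
            continue
        key, _, value = opt.partition(':')
        opts[key.strip()] = value.strip()
    rule['opts'] = opts
    return rule


def lint_rules(text):
    """Return a list of (line_number, message) findings for a rules file."""
    findings = []
    seen_sids = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        rule = parse_rule(line)
        if rule is None:
            findings.append((lineno, 'rule does not match action proto src port dir dst port (options)'))
            continue
        opts = rule['opts']
        if 'msg' not in opts:
            findings.append((lineno, 'missing msg'))
        if 'rev' not in opts:
            findings.append((lineno, 'missing rev'))
        sid = opts.get('sid')
        if sid is None or not sid.isdigit():
            findings.append((lineno, 'missing or non-numeric sid'))
            continue
        sid = int(sid)
        if sid not in LOCAL_SID_RANGE:
            findings.append((lineno, f'sid {sid} outside local range 1000000-1999999'))
        if sid in seen_sids:
            findings.append((lineno, f'duplicate sid {sid} (first seen on line {seen_sids[sid]})'))
        else:
            seen_sids[sid] = lineno
    return findings


if __name__ == '__main__':
    for lineno, message in lint_rules(LOCAL_RULES):
        print(f'local.rules:{lineno}: {message}')
```

Once the file is clean, save it as /etc/suricata/rules/local.rules, merge it into the managed rule set with sudo suricata-update --local /etc/suricata/rules/local.rules, and run sudo suricata -T -c /etc/suricata/suricata.yaml to let the engine itself parse every rule.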
Step 3 – Configure Suricata IDS / IPS Tool on Debian 11/10.
Now that Suricata is installed on Debian 11/10, edit the main configuration file at /etc/suricata/suricata.yaml so the engine knows which addresses it is protecting.
sudo vim /etc/suricata/suricata.yaml
The first setting to change is HOME_NET, the address or network of the hosts you want to protect; in this guide that is the address of the system Suricata runs on. EXTERNAL_NET is everything else.
Navigate to the vars section and edit it as shown, then set the capture interface in the af-packet section.
vars:
# more specific is better for alert accuracy and performance
address-groups:
#HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
HOME_NET: "[192.168.100.48]"
#HOME_NET: "[192.168.0.0/16]"
#HOME_NET: "[10.0.0.0/8]"
#HOME_NET: "[172.16.0.0/12]"
#HOME_NET: "any"
EXTERNAL_NET: "!$HOME_NET"
#EXTERNAL_NET: "any"
...
# Linux high speed capture support
af-packet:
- interface: enp0s3
...........
Remember to replace 192.168.100.48 with the address of your Suricata host (or the network range you are protecting, for example "[192.168.100.0/24]") and enp0s3 with your network interface. Keep HOME_NET as tight as you can: it is what $EXTERNAL_NET -> $HOME_NET rules mean by "us" and "them". A HOME_NET of "any" makes that direction meaningless, and combined with EXTERNAL_NET "!$HOME_NET" leaves EXTERNAL_NET with nothing it can match, so such rules either fail to load or never fire; if you must use "any" for HOME_NET, set EXTERNAL_NET to "any" as well.
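The HOME_NET / EXTERNAL_NET pitfall is easy to check for before starting the engine. The Python script below is an added example written for this guide, not part of Suricata; it pulls the active (uncommented) address groups out of the vars section with a plain regular expression, which avoids a YAML dependency but only understands the quoted one-line form used in the stock suricata.yaml, and reports the weak combination next to the corrected one. Both vars snippets are constructed for the demonstration.

```python
import re

# Constructed vars sections for the demonstration (not copied from a live file).
# WEAK_VARS is the combination that breaks $EXTERNAL_NET -> $HOME_NET rules.
WEAK_VARS = '''
vars:
  address-groups:
    #HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
    HOME_NET: "any"
    EXTERNAL_NET: "!$HOME_NET"
'''

# FIXED_VARS is the form used in this guide: one protected host, everything else external.
FIXED_VARS = '''
vars:
  address-groups:
    #HOME_NET: "any"
    HOME_NET: "[192.168.100.48]"
    EXTERNAL_NET: "!$HOME_NET"
'''

# Matches only active lines: a leading '#' never reaches the variable name.
GROUP_RE = re.compile(r'^\s*(HOME_NET|EXTERNAL_NET):\s*"([^"]*)"\s*$', re.M)


def address_groups(yaml_text):
    """Return the active HOME_NET / EXTERNAL_NET values as a dict."""
    return {name: value for name, value in GROUP_RE.findall(yaml_text)}


def is_any(value):
    # Suricata accepts both any and [any]
    return value.strip().strip('[]').strip().lower() == 'any'


def check_address_groups(groups):
    """Return a list of findings; an empty list means the combination is sane."""
    findings = []
    home = groups.get('HOME_NET')
    external = groups.get('EXTERNAL_NET')
    if home is None:
        findings.append('HOME_NET is not set')
        return findings
    if is_any(home):
        findings.append("HOME_NET is 'any': direction in $EXTERNAL_NET -> $HOME_NET rules is meaningless")
        if external == '!$HOME_NET':
            findings.append("EXTERNAL_NET is '!$HOME_NET' while HOME_NET is 'any': nothing can match; set EXTERNAL_NET to 'any'")
    elif external is None:
        findings.append('EXTERNAL_NET is not set')
    return findings


def check_vars_section(yaml_text):
    return check_address_groups(address_groups(yaml_text))


if __name__ == '__main__':
    for label, text in (('weak', WEAK_VARS), ('fixed', FIXED_VARS)):
        print(label, check_vars_section(text) or 'OK')
```

To check a real file, pass the contents of /etc/suricata/suricata.yaml to check_vars_section; the regular expression ignores the commented-out alternatives the stock file carries above the active line.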
Step 4 – Use Suricata IDS / IPS Tool On Debian 11/10.
If Suricata was built from source there is no unit file yet, so we create one to manage the service with systemd.
Create Suricata Systemd Service.
Suricata reads its main configuration from /etc/suricata/suricata.yaml. The unit also needs the name of the capture interface; list your interfaces with:
$ ip -br link
(ifconfig comes from the net-tools package, which Debian 11 does not install by default.)
My network interface is enp0s3, so I will create the unit file as below.
$ sudo vim /etc/systemd/system/suricata.service
[Unit]
Description=Suricata Intrusion Detection Service
After=network-online.target
Wants=network-online.target
[Service]
ExecStartPre=/bin/rm -f /var/run/suricata.pid
ExecStart=/usr/bin/suricata -c /etc/suricata/suricata.yaml -i enp0s3 --pidfile /var/run/suricata.pid
ExecReload=/bin/kill -USR2 $MAINPID
Restart=on-failure
[Install]
WantedBy=multi-user.target
On Linux -i captures with AF_PACKET on the named interface. USR2 makes Suricata reload its rules in place without dropping capture, which is what systemctl reload suricata will trigger after a suricata-update run.
Reload systemd so it picks up the new unit.
sudo systemctl daemon-reload
Start the Suricata service (once it runs cleanly, enable it with sudo systemctl enable suricata so it starts at boot).
sudo systemctl start suricata
Check the status of the service.
$ systemctl status suricata
● suricata.service - Suricata Intrusion Detection Service
Loaded: loaded (/etc/systemd/system/suricata.service; disabled; vendor preset: enabled)
Active: active (running) since Wed 2021-10-27 21:09:49 EAT; 8s ago
Process: 52997 ExecStartPre=/bin/rm -f /var/run/suricata.pid (code=exited, status=0/SUCCESS)
Main PID: 52998 (Suricata-Main)
Tasks: 1 (limit: 4663)
Memory: 260.0M
CPU: 8.599s
CGroup: /system.slice/suricata.service
└─52998 /usr/bin/suricata -c /etc/suricata/suricata.yaml -i enp0s3 --pidfile /var/run/suricata.pid
Oct 27 21:09:49 debian systemd[1]: Starting Suricata Intrusion Detection Service...
Oct 27 21:09:49 debian systemd[1]: Started Suricata Intrusion Detection Service.
Oct 27 21:09:49 debian suricata[52998]: 27/10/2021 -- 21:09:49 - <Info> - Configuration node 'HOME_NET' redefined.
Oct 27 21:09:49 debian suricata[52998]: 27/10/2021 -- 21:09:49 - <Notice> - This is Suricata version 6.0.3 RELEASE running in SYSTEM mode
Without a unit file, Suricata can also be started directly as a daemon on the chosen interface. Do not run this alongside the systemd service, since both would capture on the same interface.
suricata -D -c /etc/suricata/suricata.yaml -i enp0s3
You can check the stats log on Suricata using:
sudo tail -f /var/log/suricata/stats.log
Check the EVE JSON output, which carries alerts, protocol transaction logs and flow records as one JSON object per line:
sudo tail -f /var/log/suricata/eve.json
Check alert logs in Suricata with:
sudo tail -f /var/log/suricata/fast.log
Step 5 – Test Suricata IDS / IPS Tool on Debian 11/10.
In this step we generate traffic that the default rule set should flag: a TCP SYN flood against the Suricata host using hping3. With --rand-source the packets carry spoofed source addresses, so from the victim's side it looks distributed, but it is a single sending host; run it only against systems you own. First confirm that the configuration and every loaded rule parse, which matters especially if you added custom rules:
sudo suricata -c /etc/suricata/suricata.yaml -T -v
A successful test ends with a notice that the configuration was loaded successfully; a rule that fails to parse is reported with its file and line. Then, on another system, run the flood. Install hping3 first:
##On CentOS 8/RHEL 8/Rocky Linux 8
sudo dnf install hping3
###On Debian/Ubuntu
sudo apt install hping3
Then run the flood against your Debian 11/10 system, replacing 192.168.100.124 with the address of the Suricata host:
sudo hping3 -S -p 22 --flood --rand-source 192.168.100.124
With this running check alerts on your Debian 11/10 system with Suricata installed.
sudo tail -f /var/log/suricata/fast.log
Alerts should appear within seconds. That confirms Suricata is capturing on the interface and the default Emerging Threats Open rules are loaded and matching.
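Tailing fast.log shows that something fired; to see what the flood looks like, and to check the stats and flow records are being written too, it is more useful to aggregate eve.json. The Python script below is an added example written for this guide, not part of Suricata, and serves both the log section in Step 4 and this test. The EVE lines in SAMPLE_EVE are constructed to resemble the alert, flow and stats records Suricata writes, with the signature names and sids made up for the demonstration; run it with the path to /var/log/suricata/eve.json on the Suricata host to analyse real output.

```python
import json
import sys
from collections import Counter, defaultdict

# Constructed EVE records (not a real capture).  Three alerts from different
# source addresses against the same SSH port mimic hping3 --rand-source, plus
# one unrelated alert, one flow record, one stats record and one corrupt line.
SAMPLE_EVE = r'''
{"timestamp":"2021-10-27T21:15:02.112233+0300","event_type":"alert","src_ip":"198.51.100.10","src_port":41234,"dest_ip":"192.168.100.48","dest_port":22,"proto":"TCP","alert":{"action":"allowed","signature_id":1000001,"rev":1,"signature":"LOCAL SSH SYN burst","category":"Attempted Denial of Service","severity":2}}
{"timestamp":"2021-10-27T21:15:02.112301+0300","event_type":"alert","src_ip":"198.51.100.11","src_port":41235,"dest_ip":"192.168.100.48","dest_port":22,"proto":"TCP","alert":{"action":"allowed","signature_id":1000001,"rev":1,"signature":"LOCAL SSH SYN burst","category":"Attempted Denial of Service","severity":2}}
{"timestamp":"2021-10-27T21:15:02.112377+0300","event_type":"flow","src_ip":"192.168.100.48","src_port":22,"dest_ip":"198.51.100.10","dest_port":41234,"proto":"TCP","flow":{"pkts_toserver":1,"pkts_toclient":1}}
{"timestamp":"2021-10-27T21:15:02.112450+0300","event_type":"alert","src_ip":"198.51.100.12","src_port":41236,"dest_ip":"192.168.100.48","dest_port":22,"proto":"TCP","alert":{"action":"allowed","signature_id":1000001,"rev":1,"signature":"LOCAL SSH SYN burst","category":"Attempted Denial of Service","severity":2}}
{"timestamp":"2021-10-27T21:15:03.000001+0300","event_type":"alert","src_ip":"203.0.113.7","src_port":50222,"dest_ip":"192.168.100.48","dest_port":80,"proto":"TCP","alert":{"action":"allowed","signature_id":1000002,"rev":1,"signature":"LOCAL HTTP probe","category":"Attempted Information Leak","severity":2}}
{"timestamp":"2021-10-27T21:15:08.000000+0300","event_type":"stats","stats":{"uptime":300}}
{"timestamp":"2021-10-27T21:15:08.000000+0300","event_type":"alert","src_ip":"203.0.113.7"
'''


def load_alerts(eve_text):
    """Return (alerts, skipped): the alert events and the number of unparseable lines."""
    alerts, skipped = [], 0
    for raw in eve_text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            skipped += 1  # a partially written last line is normal while the file is live
            continue
        if event.get('event_type') == 'alert':
            alerts.append(event)
    return alerts, skipped


def summarize(alerts):
    """Aggregate alerts by signature, by target and by distinct source per signature."""
    by_signature = Counter()
    by_target = Counter()
    sources = defaultdict(set)
    for a in alerts:
        sig = a['alert']
        by_signature[(sig['signature_id'], sig['signature'])] += 1
        by_target[(a['dest_ip'], a['dest_port'])] += 1
        sources[sig['signature_id']].add(a['src_ip'])
    return {
        'alerts': len(alerts),
        'by_signature': dict(by_signature),
        'by_target': dict(by_target),
        'distinct_sources': {sid: len(s) for sid, s in sources.items()},
    }


def spoofed_flood_candidates(summary, min_sources=3):
    """Signature ids whose alerts came from at least min_sources different addresses.

    Many distinct sources in a short window is what hping3 --rand-source produces;
    a genuine scanner usually repeats the same source address.
    """
    return sorted(sid for sid, n in summary['distinct_sources'].items() if n >= min_sources)


if __name__ == '__main__':
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_EVE
    alerts, skipped = load_alerts(text)
    summary = summarize(alerts)
    print(f"{summary['alerts']} alerts, {skipped} unparseable line(s)")
    for (sid, name), n in sorted(summary['by_signature'].items(), key=lambda kv: -kv[1]):
        print(f"  {n:6d}  sid {sid}  {name}")
    print('possible spoofed-source floods:', spoofed_flood_candidates(summary))
```

On a real eve.json the corrupt-line counter is normally zero or one (the line Suricata is in the middle of writing); anything higher points at a disk or log rotation problem, which is worth knowing before you trust the alert counts.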
That is it! We have concluded this guide on how to install Suricata IDS / IPS Tool on Debian 11/10. I hope it was of great significance to you.