Suricata is a robust, free, and open-source network analysis and threat detection tool developed by the Open Information Security Foundation (OISF). Serving dual purposes, Suricata functions as both an Intrusion Detection System (IDS) and an Intrusion Prevention System (IPS). By utilizing a comprehensive rule set and signature language, it excels in threat detection and prevention, making it a worthy alternative to Snort for gaining valuable insights into network security.
In this guide, we’ll walk you through the steps to install Suricata on an Ubuntu 22.04 server.
Requirements
- An Ubuntu 22.04 server.
- Root access or a configured root password on your server.
Getting Started
Before you begin, it’s crucial to update your system packages to ensure you’re working with the latest versions. Update them by executing the following:
apt update -y
apt upgrade -y
Once updated, proceed to install the necessary dependencies with:
apt install libpcre3 libpcre3-dbg libpcre3-dev build-essential autoconf automake libtool libpcap-dev libnet1-dev libyaml-0-2 libyaml-dev zlib1g zlib1g-dev libcap-ng-dev libcap-ng0 make libmagic-dev libjansson-dev libjansson4 pkg-config libnspr4-dev libnss3-dev liblz4-dev rustc cargo python3-pip python3-distutils
apt install libnetfilter-queue-dev libnetfilter-queue1 libnfnetlink-dev libnfnetlink0
Install Suricata from Source
Download the latest Suricata version by running:
wget https://www.openinfosecfoundation.org/download/suricata-6.0.8.tar.gz
After downloading, extract the file with:
tar xzf suricata-6.0.8.tar.gz
Navigate to the extracted directory and configure the build with:
cd suricata-6.0.8
./configure --enable-nfqueue --prefix=/usr --sysconfdir=/etc --localstatedir=/var
Follow these steps to install Suricata:
make
make install-full
Install Suricata from Ubuntu Repository
If preferred, Suricata can be installed from the Ubuntu repository. Start by installing dependencies:
apt install gnupg2 software-properties-common curl wget git unzip -y
Then add the Suricata repository:
add-apt-repository ppa:oisf/suricata-stable --yes
Update your repository cache:
apt update
Verify the available Suricata package:
apt-cache policy suricata
Then, install Suricata:
apt install suricata jq
Verify the installation with:
suricata --build-info
Configure Suricata
Edit the configuration file to define your network interface and network:
nano /etc/suricata/suricata.yaml
Modify the following lines to match your network settings. HOME_NET and EXTERNAL_NET sit under vars: -> address-groups:, the capture interface under af-packet:, and the sip block under app-layer: -> protocols:
HOME_NET: "[10.0.2.0/24]"
EXTERNAL_NET: "!$HOME_NET"

af-packet:
  - interface: eth0

sip:
  enabled: no
Save the changes and update Suricata’s configuration:
suricata-update
Verify the configuration:
suricata -T -c /etc/suricata/suricata.yaml -v
Manage Suricata Service
Enable and start Suricata:
systemctl enable --now suricata
Check the service status:
systemctl status suricata
Verify Suricata
First, disable packet offload features with:
ethtool -K eth0 gro off lro off
Then, stop and restart Suricata manually:
systemctl stop suricata
rm -f /var/run/suricata.pid
suricata -D -c /etc/suricata/suricata.yaml -i eth0
To test Suricata, log into a second test host and generate a SYN flood against the Suricata host (replace suricata-ip with its address):
hping3 -S -p 80 --flood --rand-source suricata-ip -I eth0 -c 50
Check Suricata logs to confirm detection:
tail -f /var/log/suricata/fast.log
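Tailing fast.log only shows that alerts are being written. As an added example that is not part of this guide, the POSIX shell script below summarises a fast.log by signature and by source address, so you can tell a handful of rule hits from a sustained flood coming from one host. It assumes the standard fast.log line layout (timestamp, [**] [gid:sid:rev] message [**], classification, priority, {protocol} source -> destination) and ships a constructed sample file, with placeholder SIDs in the local-rule range, for offline testing.

```shell
#!/bin/sh
# Added example, not part of the original guide: summarise alerts in a Suricata fast.log.
# Assumes the standard fast.log line layout Suricata writes:
#   <timestamp>  [**] [gid:sid:rev] <message> [**] [Classification: ...] [Priority: N] {PROTO} SRC:PORT -> DST:PORT
# Only sh, awk and sort are used, so it runs unchanged on a stock Ubuntu 22.04 host.

# Total number of alert lines in the log.
alert_total() {
    awk 'END { print NR }' "$1"
}

# Number of alerts with Priority 1 or 2 (the more serious classifications).
alert_high_priority() {
    awk 'index($0, "[Priority: 1]") || index($0, "[Priority: 2]") { n++ } END { print n + 0 }' "$1"
}

# One line per distinct signature: "<count>\t<sid>\t<message>", most frequent first.
# Split on whitespace, $3 is "[gid:sid:rev]" and the message runs from $4 up to the closing "[**]".
alerts_by_signature() {
    awk '{
        id = $3; gsub(/[][]/, "", id); split(id, ids, ":")
        msg = ""
        for (i = 4; i <= NF && $i != "[**]"; i++) msg = msg (i > 4 ? " " : "") $i
        n[ids[2] "\t" msg]++
    } END { for (k in n) printf "%d\t%s\n", n[k], k }' "$1" | sort -rn
}

# One line per source address: "<count>\t<ip>", most frequent first.
# The source is the field right after the "{PROTO}" token; the ":port" suffix is stripped.
alerts_by_source() {
    awk '{
        src = ""
        for (i = 4; i <= NF; i++) if (substr($i, 1, 1) == "{") { src = $(i + 1); break }
        sub(/:[0-9]+$/, "", src)
        if (src != "") n[src]++
    } END { for (k in n) printf "%d\t%s\n", n[k], k }' "$1" | sort -rn
}

# Constructed sample log for offline use. SIDs 1000001/1000002 are placeholders in the
# local-rule range and the addresses come from the guide's HOME_NET example; none of
# this is real Suricata output.
write_sample_fast_log() {
    cat > "$1" <<'EOF'
03/04/2023-10:12:34.100000  [**] [1:1000001:1] CONSTRUCTED TEST SYN flood indicator [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} 10.0.2.15:40001 -> 10.0.2.5:80
03/04/2023-10:12:34.200000  [**] [1:1000001:1] CONSTRUCTED TEST SYN flood indicator [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} 10.0.2.15:40002 -> 10.0.2.5:80
03/04/2023-10:12:34.300000  [**] [1:1000001:1] CONSTRUCTED TEST SYN flood indicator [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} 10.0.2.15:40003 -> 10.0.2.5:80
03/04/2023-10:12:35.000000  [**] [1:1000002:1] CONSTRUCTED TEST ICMP ping [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.2.20:0 -> 10.0.2.5:0
03/04/2023-10:12:36.000000  [**] [1:1000002:1] CONSTRUCTED TEST ICMP ping [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.2.21:0 -> 10.0.2.5:0
EOF
}

# Stand-alone run: summarise $FAST_LOG if it is set, otherwise the constructed sample.
if [ -n "${FAST_LOG:-}" ]; then
    log="$FAST_LOG"
else
    log=$(mktemp)
    write_sample_fast_log "$log"
fi
echo "Total alerts:        $(alert_total "$log")"
echo "Priority 1-2 alerts: $(alert_high_priority "$log")"
echo "--- by signature (count, sid, message) ---"
alerts_by_signature "$log"
echo "--- by source address (count, ip) ---"
alerts_by_source "$log"
```

Run it as FAST_LOG=/var/log/suricata/fast.log sh fastlog_summary.sh on the Suricata host to summarise the live log; with no FAST_LOG set it exercises the constructed sample. A single source address dominating the count, as in the sample, is the pattern the flood test in this guide should produce.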
Conclusion
You’ve successfully installed and configured Suricata on Ubuntu 22.04. This powerful tool will help secure your servers against a variety of attacks. If you have any questions, feel free to reach out.
FAQ
What is Suricata?
Suricata is an open-source IDS/IPS and network monitoring engine, offering rich insights into network traffic behavior.
Why use Suricata over Snort?
Both Suricata and Snort are robust tools; however, Suricata is known for its high performance and scalability, support for multi-threading, and a rich set of features.
Can Suricata be used in a production environment?
Yes, Suricata is well-suited for production environments and widely used across various industries for network security.
Why do we disable packet offload features?
Packet offload features like GRO/LRO can interfere with Suricata’s ability to inspect packets accurately; thus, they are disabled to ensure correct functioning.