Suricata 1.0.0 setup on Ubuntu 10.04

» 03 July 2010 » In Uncategorized »

A few days ago Suricata 1.0.0 was released, the new open source intrusion detection system (IDS). The main feature of this IDS is its multi-threaded engine, which is very useful when you have to monitor high-speed links: on a multi-core monster machine it lets you use all the available cores. Other IDSs use only a single core, with the risk of becoming ineffective by dropping packets under CPU overload. Other features present in Suricata are IpReputation, MultiPacketMatching and HardwareAccelerationSupport.

In this short How-To I’m going to cover an easy and effective way to compile and install Suricata on Ubuntu Server 10.04.

Add the suricata user and prepare the required folders:

useradd suricata -s /bin/false -c suricata_user
mkdir /etc/suricata
mkdir /var/log/suricata/
chown suricata:suricata /var/log/suricata/

Install the packages needed for compiling:

apt-get install libpcre3-dev libpcap-dev libyaml-dev zlib1g-dev libnet1  libnet1-dev libcap-ng-dev libhtp1 libnetfilter-queue-dev libnetfilter-queue1 libnfnetlink-dev libnfnetlink0 build-essential checkinstall

Get suricata and decompress:

cd /tmp/
wget http://openinfosecfoundation.org/download/suricata-1.0.0.tar.gz
tar xvfz suricata-1.0.0.tar.gz
cd suricata-1.0.0

Run ./configure --help to see all the build options.

This will build suricata with IPS capabilities (NFQueue support):

./configure --enable-nfqueue

Suricata Configuration:
NFQueue support:          yes
IPFW support:             no
PF_RING support:          no
Prelude support:          no
Unit tests enabled:       no
Debug output enabled:     no
Debug validation enabled: no
CUDA enabled:             no
DAG enabled:              no
Profiling enabled:        no
GCC Protect enabled:      no
GCC march native enabled: yes
GCC Profile enabled:      no
Unified native time:      no
Non-bundled htp:          no

make

checkinstall

**********************************************************************

Done. The new package has been installed and saved to

/tmp/suricata-1.0.0/suricata_1.0.0-1_i386.deb

You can remove it from your system anytime using:

dpkg -r suricata

**********************************************************************

Install suricata with dpkg -i suricata_1.0.0-1_i386.deb
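The steps above, collected into one script. This is an added example written for this post, not a script from the post or from the Suricata project; it keeps the post's paths, version and download URL, and adds one check the post's manual procedure lacks: it reads the "Suricata Configuration:" summary printed by ./configure and refuses to continue if NFQueue support silently came out as "no" (which is what happens when a -dev package is missing). The privileged steps only run when the script is invoked with the argument install.

```shell
#!/bin/sh
# Consolidated version of the build procedure above. Added example for this post, not a script
# from the post or from the Suricata project; paths, version and URL follow the post.
set -e

SURICATA_VERSION="1.0.0"
SURICATA_URL="http://openinfosecfoundation.org/download/suricata-${SURICATA_VERSION}.tar.gz"
BUILD_DIR="/tmp"

# Step 1: dedicated account with no login shell, plus the config and log directories.
prepare_user_and_dirs() {
    id suricata >/dev/null 2>&1 || useradd suricata -s /bin/false -c suricata_user
    mkdir -p /etc/suricata /var/log/suricata
    chown suricata:suricata /var/log/suricata
}

# Step 2: build dependencies (the post's package list).
install_build_deps() {
    apt-get install -y libpcre3-dev libpcap-dev libyaml-dev zlib1g-dev libnet1 libnet1-dev \
        libcap-ng-dev libhtp1 libnetfilter-queue-dev libnetfilter-queue1 libnfnetlink-dev \
        libnfnetlink0 build-essential checkinstall
}

# Reads the "Suricata Configuration:" summary that ./configure prints (on stdin) and returns 0
# only if the named feature line says "yes". This catches a build where a missing -dev package
# made configure fall back to "NFQueue support: no" without failing.
configure_has_feature() {
    feature="$1"
    grep -E "^${feature}:[[:space:]]+yes" >/dev/null
}

# Step 3: fetch the tarball, configure with NFQueue (inline/IPS) support, build and package.
build_and_install() {
    cd "$BUILD_DIR"
    wget -q "$SURICATA_URL"
    tar xzf "suricata-${SURICATA_VERSION}.tar.gz"
    cd "suricata-${SURICATA_VERSION}"
    # sh has no pipefail, so the summary check below (not the pipeline status) guards this step.
    ./configure --enable-nfqueue 2>&1 | tee configure.log
    if ! configure_has_feature "NFQueue support" < configure.log; then
        echo "NFQueue support was not enabled; check that libnetfilter-queue-dev is installed" >&2
        exit 1
    fi
    make
    # checkinstall builds a .deb and installs it; --default accepts its prompts.
    # The package can later be removed with: dpkg -r suricata
    checkinstall --default --pkgname=suricata --pkgversion="$SURICATA_VERSION"
    cp classification.config suricata.yaml /etc/suricata/
}

# Only run the privileged steps when explicitly asked, so the file can also be sourced for its functions.
if [ "${1:-}" = "install" ]; then
    prepare_user_and_dirs
    install_build_deps
    build_and_install
fi
```

Run it as root with `sh build-suricata.sh install`. The summary check is the part worth keeping even if you type the steps by hand: a "no" on the NFQueue line means the resulting binary cannot run inline, and you only find out later when -q fails.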

Copy the configuration files

cp classification.config suricata.yaml /etc/suricata/

Edit the configuration file suricata.yaml according to your needs. The main sections to configure are:

The logging section, where you define which kind of output is suitable: plain text, or unified2-alert to be used with Barnyard2.
The network interface, where you define the network interface(s) suricata runs on: eth, wlan, br.
The rule-path, where suricata will look for the rules. In my case I'm sharing the same rules used by Snort, /etc/snort/rules.
The HOME_NET variable, where you define the local addresses of your system/network.
The libhtp config, where you can configure the web server variables.
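To make those sections concrete, here is an excerpt of the kind of suricata.yaml the edits above produce. This is an added example written for this post, not the file shipped with Suricata 1.0.0: the address ranges, rule file names and the Apache host address are placeholders, and key names should be checked against the suricata.yaml you copied into /etc/suricata/. The interface is not set here because the post passes it on the command line with -i.

```yaml
%YAML 1.1
---
# Excerpt of /etc/suricata/suricata.yaml covering the sections listed above.
# Added example for this post; addresses, rule file names and the server entry are placeholders.

default-log-dir: /var/log/suricata/

# Rule path: the post shares the Snort rule set, so point here rather than keeping a copy.
default-rule-path: /etc/snort/rules
rule-files:
  - emerging-scan.rules      # placeholder names; list the files present in the rule path
  - local.rules
classification-file: /etc/suricata/classification.config

# Logging: fast.log is the plain-text file tailed later in the post; unified2 is what Barnyard2 reads.
outputs:
  - fast:
      enabled: yes
      filename: fast.log
  - unified2-alert:
      enabled: yes
      filename: unified2.alert
  - http-log:
      enabled: yes
      filename: http.log

# HOME_NET: the addresses you are protecting. Keep it tight: EXTERNAL_NET is derived from it,
# so an over-broad HOME_NET silences every rule written as $EXTERNAL_NET -> $HOME_NET.
vars:
  address-groups:
    HOME_NET: "[192.0.2.0/24]"          # placeholder: your local network(s)
    EXTERNAL_NET: "!$HOME_NET"
  port-groups:
    HTTP_PORTS: "80"

# libhtp: HTTP parser personality per web server, so requests are normalised the way that server does.
libhtp:
  default-config:
    personality: IDS
  server-config:
    - apache:
        address: [192.0.2.10/32]        # placeholder: address of the Apache host
        personality: Apache_2_2
```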

To start suricata:

suricata -D  -c /etc/suricata/suricata.yaml -s /etc/suricata/classification.config -i eth0

This is Suricata version 1.0.0
CPUs Summary:
CPUs online: 1
CPUs configured 1
Output module “AlertFastLog” registered.
Output module “AlertDebugLog” registered.
Output module “AlertUnifiedLog” registered.
Output module “AlertUnifiedAlert” registered.
Output module “Unified2Alert” registered.
Output module “LogHttpLog” registered.

You can tail the suricata log to check whether it is working, and run Inundator to generate some alerts. So far so good.

tail -f /var/log/suricata/fast.log

[1:2001219:18] ET SCAN Potential SSH Scan [**]
[Classification: Attempted Information Leak]
[Priority: 3] {6} 173.244.197.210:27041 -> victim_ip

[1:2002911:4] ET SCAN Potential VNC Scan 5900-5920
[**] [Classification: Attempted Information Leak]
[Priority: 3] {6} 173.244.197.210:27041 -> victim_ip
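Beyond eyeballing tail -f, the same file is easy to triage with the tools already on the box. The following is an added example for this post, not code from the post or the Suricata project: it splits fast.log lines into fields and lists the source addresses producing the most alerts. The sample lines are constructed to the layout shown above (a real line carries a timestamp and the whole alert on one line; the destination addresses are placeholders), and the protocol token is taken as it appears on the page, {6} meaning IP protocol 6, TCP.

```shell
#!/bin/sh
# Triage helpers for Suricata fast.log (added example; not part of the original post).
set -e

# Constructed sample in the layout shown above. Timestamps, destination addresses and the
# third signature are placeholders; the two ET SCAN signatures are the ones in the post.
sample_fastlog() {
    cat <<'EOF'
07/03/2010-10:15:01.123456  [**] [1:2001219:18] ET SCAN Potential SSH Scan [**] [Classification: Attempted Information Leak] [Priority: 3] {6} 173.244.197.210:27041 -> 192.0.2.10:22
07/03/2010-10:15:02.234567  [**] [1:2002911:4] ET SCAN Potential VNC Scan 5900-5920 [**] [Classification: Attempted Information Leak] [Priority: 3] {6} 173.244.197.210:27041 -> 192.0.2.10:5900
07/03/2010-10:15:03.345678  [**] [1:2001219:18] ET SCAN Potential SSH Scan [**] [Classification: Attempted Information Leak] [Priority: 3] {6} 173.244.197.210:27042 -> 192.0.2.11:22
07/03/2010-10:16:00.000000  [**] [1:1000001:1] LOCAL constructed test rule [**] [Classification: Potentially Bad Traffic] [Priority: 2] {6} 198.51.100.7:51022 -> 192.0.2.10:80
EOF
}

# One fast.log line in, "sid|priority|src_ip|dst_ip|message" out. Lines that do not carry a
# Classification block (rules without a classtype) are skipped rather than mis-parsed.
fastlog_extract() {
    sed -n 's/^.*\[[0-9]*:\([0-9]*\):[0-9]*\] \(.*\) \[\*\*\] \[Classification: \([^]]*\)\] \[Priority: \([0-9]*\)\] {[^}]*} \([^ ]*\):[0-9]* -> \([^ ]*\):[0-9]*$/\1|\4|\5|\6|\2/p'
}

# Source addresses with at least $1 alerts, as "ip count": the scanner in the post shows up
# here first, whatever signatures it happens to trip.
fastlog_noisy_sources() {
    fastlog_extract | cut -d'|' -f3 | sort | uniq -c | awk -v t="$1" '$1 >= t { print $2, $1 }'
}

# Alert counts per signature, most frequent first, as "count sid|message".
fastlog_signatures() {
    fastlog_extract | cut -d'|' -f1,5 | sort | uniq -c | sort -rn | sed 's/^ *//'
}

# Run on a real log with: sh fastlog-triage.sh /var/log/suricata/fast.log
# With no argument the constructed sample is used.
if [ -n "${1:-}" ]; then
    fastlog_noisy_sources 3 < "$1"
    fastlog_signatures < "$1"
else
    sample_fastlog | fastlog_noisy_sources 3
    sample_fastlog | fastlog_signatures
fi
```

Both summaries are a few seconds of work on a day's worth of fast.log, and the per-source view is usually the better first cut: one host tripping several different scan signatures, as in the post's output, is the pattern worth looking at before any single signature count.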

Thanks to all the Suricata developers for all the efforts placed to meet the 1st July deadline.


7 Comments on "Suricata 1.0.0 setup on Ubuntu 10.04"

  1. nvucinic, 15/07/2010 at 10:44 am

    apt-get install libpcre3-dev libpcap-dev libyaml-dev zlib1g-dev libnet1 libnet1-dev libcap-ng-dev libhtp1 libnetfilter-queue-dev libnetfilter-queue1

    *** THIS *** ***
    ibnfnetlink-dev
    *****TO*******
    libnfnetlink-dev
    *****************

    libnfnetlink0 build-essential checkinstall

  2. claytonh, 22/07/2010 at 7:13 pm

    ibnfnetlink-dev should be libnfnetlink-dev

    Great thanks!

  3. parag paril, 27/01/2011 at 11:57 am

    Please send me the procedure to add B.A.S.E support when Suricata is configured as IPS.
    In addition, please advise on how to make use of the IPS capabilities (modify an existing rule signature + create a new rule to drop intrusion packets).

  4. alecks2010, 03/02/2011 at 5:39 pm

    Suricata gives me an error when using Snort rules; I'm using Suricata 1.0.0. I also downloaded the rules from http://rules.emergingthreats.net/open/suricata/rules/ without success. Is there something I am missing?

  5. jawhar, 24/03/2011 at 8:18 am

    Please, I need help.
    I configured Suricata in IDS mode.
    How can I configure IPS mode?

  6. ElatedMInd, 05/04/2011 at 9:50 am

    I think this is only 70% of the manual. NFQueue support: yes, so where is the part of the manual where you have to forward specific traffic in iptables?
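Comments 3, 5 and 6 all ask about the inline side that the post leaves at the ./configure step. The following is an added example written for this page, not code from the post or from the Suricata project. It assumes NFQUEUE queue number 0, Suricata's -q option for reading that queue, a host that routes or bridges the traffic (hence the FORWARD chain), and constructed local rules with sids in the local range; the rule promotion helpers work on a copy of a rule file rather than on the shared Snort rule set.

```shell
#!/bin/sh
# Inline (IPS) hooks for the NFQueue build. Added example; not from the post or the Suricata project.
# Assumptions: queue 0, /etc/suricata/suricata.yaml, a routing/bridging host, Suricata's -q option.
set -e

QUEUE_NUM=0
SURICATA_CONF=/etc/suricata/suricata.yaml

# Hand forwarded traffic to the queue. Packets wait in the queue for Suricata's verdict, and
# with no reader attached the kernel drops them: the setup fails closed. So start Suricata
# before inserting the rule, and remove the rule before stopping Suricata. Add matching
# INPUT/OUTPUT rules only if the host's own traffic should be inspected as well.
ips_rules_add() {
    iptables -I FORWARD -j NFQUEUE --queue-num "$QUEUE_NUM"
}

ips_rules_remove() {
    iptables -D FORWARD -j NFQUEUE --queue-num "$QUEUE_NUM"
}

# Same daemon as the post's start line, but reading the queue (-q) instead of an interface (-i).
ips_start() {
    suricata -D -c "$SURICATA_CONF" -q "$QUEUE_NUM"
}

# Constructed local rules (sids in the local range); placeholders for whatever you would promote.
sample_rules() {
    cat <<'EOF'
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"LOCAL SSH scan (constructed)"; flags:S; threshold: type both, track by_src, count 5, seconds 120; classtype:attempted-recon; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 5900:5920 (msg:"LOCAL VNC scan (constructed)"; flags:S; classtype:attempted-recon; sid:1000002; rev:1;)
EOF
}

# The action is the first keyword of a rule, so turning "alert" into "drop" keeps the match
# and changes only the verdict. Reads rules on stdin, writes them on stdout.
rule_to_drop() {
    sed 's/^alert /drop /'
}

# Promote only the rules whose sid is in the comma-separated list $1; everything else passes
# through unchanged. Promoting a whole rule set at once is how an IPS ends up blocking itself.
promote_sids_to_drop() {
    awk -v list="$1" '
        BEGIN { n = split(list, a, ","); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        /^alert / && match($0, /sid:[0-9]+;/) {
            sid = substr($0, RSTART + 4, RLENGTH - 5)
            if (sid in want) sub(/^alert /, "drop ")
        }
        { print }'
}

case "${1:-}" in
    start) ips_start; ips_rules_add ;;
    stop)  ips_rules_remove ;;
    *)     sample_rules | promote_sids_to_drop 1000002 ;;
esac
```

Usage: `sh suricata-ips.sh start` once the build from the post is installed, `sh suricata-ips.sh stop` before stopping the daemon. Promote rules one sid at a time into a separate drop file listed in rule-files, and watch fast.log for a while in alert mode first: a drop rule that fires on legitimate traffic is an outage, not an alert.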

  7. MedoZero, 04/06/2011 at 7:12 pm

    Does Suricata have a web interface or any other interface to manage it?

    Hello,
    please check this http://bailey.st/blog/smooth-sec/

    best,
    Phillip
