Suricata IDS/IPS

tested on bionic

Requirements

Assuming you have port mirroring (a SPAN port on the switch) in place, and a dedicated NIC on the sensor cabled to it.

link the NIC to the mirrored switch port. If that NIC is enslaved to a bond, release it first (the leading dash removes a slave) and bring it up on its own,

echo -eth3 > /sys/class/net/bond0/bonding/slaves
ifconfig eth3 up

if the sensor is a Xen guest, put the sniffing NIC on a dedicated bridge on the dom0 and hand that bridge to the guest as a second vif,

brctl addbr sniffeth3
brctl addif sniffeth3 eth3
brctl show
ifconfig sniffeth3 up
ifconfig eth3 up
ifconfig sniffeth3
ifconfig eth3

root = "/dev/xvda1 ro console=hvc0 netcfg/do_not_use_netplan=true"
# keep IPv6 enabled: do NOT add ipv6.disable=1

vif = [ 'bridge=pubbr0, vifname=sne-sniff.0',
    'bridge=sniffeth3, vifname=sne-sniff.1' ]

first things first, inside the guest (where the mirror NIC shows up as eth1 from now on), check that you can actually sniff from that interface,

ifconfig -a
ifconfig eth1 up
tcpdump -i eth1 arp

…seeing some ARPs? All fine.

make sure the sniffing interface comes up at startup, without an IP address (inet manual),

vi /etc/network/interfaces

auto eth1
iface eth1 inet manual

Installation

check the version you would get from the main repo,

apt search suricata # 3.2

versus the one from the OISF PPA (4.1.2 at the time of writing),

apt install software-properties-common dirmngr
add-apt-repository ppa:oisf/suricata-stable
#apt-get update # already done by add-apt-repository
apt search suricata # 4.1.2
apt install suricata

Setup

cd /etc/suricata/
cp -pi suricata.yaml suricata.yaml.dist

wipe out the full-line comments and the blank lines (anchor the # to the start of the line, otherwise every line that merely carries a trailing comment gets deleted as well)

sed -r '/^[[:space:]]*#/d; /^$/d' suricata.yaml.dist > suricata.yaml.dist.clean

enable everything in one go: every output and app-layer parser, pcap-log and tls-store included, then switch back off what the build does not support (below) and what you do not want written to disk

sed -r '/^[[:space:]]*#/d; /^$/d; s/enabled: no/enabled: yes/g' suricata.yaml.dist > suricata.yaml

define your subnet

vi suricata.yaml

    HOME_NET: "[YOUR_SUBNET1/24,YOUR_SUBNET2/24]"
    EXTERNAL_NET: "!$HOME_NET"

optionally enable the unix command socket (/var/run/suricata/suricata-command.socket, what suricatasc talks to),

unix-command:
  enabled: yes

the blanket enable turned on two outputs this build cannot deliver, switch them back off. Prelude support is not compiled in,

  - alert-prelude:
      enabled: no

and the old dns-log output is not available when Rust is enabled (DNS logging goes through eve-log's dns type instead),

  - dns-log:
      enabled: no

fix the capture interface: the stock file refers to eth0 in every capture section (af-packet, pcap, pfring and friends), point them all at the mirror interface,

egrep '[^#]*eth[0-9]' suricata.yaml
mv suricata.yaml suricata.yaml.badeth
sed 's/eth[0-9]/eth1/g' suricata.yaml.badeth > suricata.yaml

and also in the service defaults,

vi /etc/default/suricata

IFACE=eth1

and check what changed against the cleaned-up original,

diff -bu suricata.yaml.dist.clean suricata.yaml
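The whole Setup sequence above as one script, added here as an example and not part of the original notes. It runs on a constructed excerpt standing in for a stock suricata.yaml rather than the real file; the interface name and the subnets passed to build_config are placeholders, and the awk pass is the scripted form of the two manual edits (alert-prelude, dns-log) made above.

```bash
#!/bin/bash
# Added example, not from the original notes: build the working suricata.yaml
# from the pristine copy in one go, on a constructed excerpt of a stock file.
set -eu

WORK=$(mktemp -d)
DIST="$WORK/suricata.yaml.dist"

# Constructed excerpt standing in for /etc/suricata/suricata.yaml.dist
cat > "$DIST" <<'EOF'
%YAML 1.1
---
# Suricata configuration file (constructed excerpt)
vars:
  address-groups:
    HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
    EXTERNAL_NET: "!$HOME_NET"

default-log-dir: /var/log/suricata/

outputs:
  - tls-log:
      enabled: no  # Log TLS connections.
  - dns-log:
      enabled: no
  - alert-prelude:
      enabled: no

af-packet:
  - interface: eth0
    cluster-id: 99

unix-command:
  enabled: no
EOF

# Drop full-line comments and blank lines. The '#' is anchored to the start of
# the line on purpose: an unanchored '[[:space:]]*#' would also delete every
# line that merely carries a trailing comment ("enabled: no  # Log TLS ...").
clean_yaml() {
  sed -r '/^[[:space:]]*#/d; /^$/d' "$1"
}

# Enable everything, point every capture section at the mirror interface,
# set HOME_NET, then switch back off the two outputs this build cannot deliver.
# $1 pristine yaml, $2 output file, $3 interface, $4 HOME_NET value
build_config() {
  local src=$1 dst=$2 iface=$3 home_net=$4
  clean_yaml "$src" \
    | sed -r "s/enabled: no/enabled: yes/g; s/eth[0-9]/${iface}/g" \
    | sed -r "s#^( *HOME_NET: ).*#\1\"${home_net}\"#" \
    | awk '
        # the "enabled: yes" right under dns-log / alert-prelude goes back to no
        /^ *- (dns-log|alert-prelude):/ { off = 1; print; next }
        off && /enabled: yes/           { sub(/yes/, "no"); off = 0 }
        { print }' > "$dst"
}

clean_yaml "$DIST" > "$WORK/suricata.yaml.dist.clean"
build_config "$DIST" "$WORK/suricata.yaml" eth1 "[10.1.0.0/24,10.2.0.0/24]"

# Review what changed against the cleaned pristine copy (diff exits 1 on differences)
diff -bu "$WORK/suricata.yaml.dist.clean" "$WORK/suricata.yaml" || true
```

To use it on a real box, point DIST at /etc/suricata/suricata.yaml.dist and write the result into /etc/suricata; the diff at the end is the same check as above, and the trailing-comment line in the excerpt shows why the # has to be anchored.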

Disk Space

make sure you have enough space: with everything enabled, eve.json, pcap-log (full packet capture to disk) and tls-store will eat your hard drive alive

df -h
systemctl stop suricata

mv /var/log/suricata/ /data/
ln -s /data/suricata /var/log/
vi /etc/suricata/suricata.yaml

default-log-dir: /data/suricata/

systemctl start suricata

Setup User Permissions

chown -R root:root /etc/suricata/

useradd -r suri -s /bin/false
vipw --> set the home directory to /var/run/suricata
chown -R suri:suri /var/lib/suricata/
chown -R suri:suri /var/run/suricata/
chown -R suri:suri /var/log/suricata/

note that /var/run is volatile: the ownership of /var/run/suricata does not survive a reboot, hence the start script further down

run as that user (the heredoc appends to /etc/suricata/suricata.yaml, we are still in that directory),

cat >> suricata.yaml <<-EOF
run-as:
  user: suri
  group: suri
EOF

vi /etc/default/suricata

RUN_AS_USER=suri

NFQ / inline mode / IPS

the setup above runs af-packet in sniffing (IDS) mode. Inline IPS mode needs NFQUEUE support in the build, check for it,

suricata --build-info | less

…look for the NFQueue support line

Ready to go

System D

vi /etc/default/suricata

IFACE=eth1

tail -F /var/log/suricata/suricata.log /var/log/suricata/suricata-start.log &
systemctl status suricata
systemctl restart suricata

systemctl status now shows the command line the unit runs,

/usr/bin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid --af-packet -D -vvv

(--af-packet with no interface argument: the interfaces come from the af-packet section of the yaml, hence the ethX fix above) and once the rules are loaded the command socket shows up,

ls -lF /var/run/suricata/suricata-command.socket

Old School

assuming eth1 is a dedicated interface for mirroring,

vi /etc/rc.local

#!/bin/bash

# not daemonized (no -D), hence the trailing &
ifconfig eth1 up
/usr/bin/suricata -c /etc/suricata/suricata.yaml -i eth1 --init-errors-fatal &
#--pidfile /var/run/suricata.pid --af-packet -D -vvv
#--user=suri

chmod +x /etc/rc.local

a plain SIGHUP does not pick up configuration changes (on HUP Suricata only reopens its log files; SIGUSR2 triggers a live rule reload, anything else in the yaml needs a restart),

ps auxww | grep suricata
pkill suricata
/usr/bin/suricata -c /etc/suricata/suricata.yaml -i eth1 --init-errors-fatal &

scripted, so the ownership can be reapplied before each start (/var/run is volatile),

vi START-SURICATA

#!/bin/bash

chown -R root:root /etc/suricata/
chown -R suri:suri /var/lib/suricata/
chown -R suri:suri /var/run/suricata/
chown -R suri:suri /data/suricata/
systemctl start suricata

chmod +x START-SURICATA

and check,

systemctl status suricata
ps auxww | grep suricata

Rules & Maintenance

see http://pub.nethence.com/security/suricata-rules

Troubleshooting

when starting it for the first time with everything enabled, suricata.log shows

26/12/2018 -- 10:43:31 - <Warning> -- [ERRCODE: SC_ERR_NOT_SUPPORTED(225)] - dns-log is not available when Rust is enabled.
26/12/2018 -- 10:43:31 - <Warning> -- [ERRCODE: SC_ERR_NOT_SUPPORTED(225)] - Prelude support not compiled in. Reconfigure/recompile with --enable-prelude to add Prelude support.

==> tweak the config as shown above
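A small triage script for that log, added here as an example and not part of the original notes. It maps the SC_ERR_NOT_SUPPORTED warnings quoted above back to the yaml output names to disable, and grades the start-up. The log lines are constructed samples: the two warnings are the ones above, the notice and the error line are made up for the example.

```bash
#!/bin/bash
# Added example, not from the original notes: triage a Suricata start-up log.
# unsupported_outputs lists the yaml outputs to set back to "enabled: no";
# startup_status returns 0 when the engine came up clean, 1 on <Error> lines,
# 2 when "engine started" never showed up.
set -eu

LOG=$(mktemp)
# Constructed sample: the two warnings quoted above plus a made-up start-up notice
cat > "$LOG" <<'EOF'
26/12/2018 -- 10:43:31 - <Warning> -- [ERRCODE: SC_ERR_NOT_SUPPORTED(225)] - dns-log is not available when Rust is enabled.
26/12/2018 -- 10:43:31 - <Warning> -- [ERRCODE: SC_ERR_NOT_SUPPORTED(225)] - Prelude support not compiled in. Reconfigure/recompile with --enable-prelude to add Prelude support.
26/12/2018 -- 10:43:35 - <Notice> -- all 4 packet processing threads, 4 management threads initialized, engine started.
EOF

LOG_BAD=$(mktemp)
# Constructed sample of a failed start (message text is made up)
cat > "$LOG_BAD" <<'EOF'
26/12/2018 -- 10:50:02 - <Error> -- (constructed) failed to open capture interface eth1
EOF

# Map SC_ERR_NOT_SUPPORTED warnings back to the output name used in suricata.yaml:
# "<name> is not available ..." names the output directly, Prelude means alert-prelude
unsupported_outputs() {
  sed -nr \
    -e 's/.*SC_ERR_NOT_SUPPORTED.* - ([a-z0-9-]+) is not available.*/\1/p' \
    -e 's/.*SC_ERR_NOT_SUPPORTED.* - Prelude support not compiled in.*/alert-prelude/p' \
    "$1" | sort -u
}

# 0: started cleanly, 1: <Error> lines present, 2: never reached "engine started"
startup_status() {
  if grep -q '<Error>' "$1"; then
    return 1
  fi
  if ! grep -q 'engine started' "$1"; then
    return 2
  fi
  return 0
}

echo "outputs to disable: $(unsupported_outputs "$LOG" | paste -sd ' ')"
for f in "$LOG" "$LOG_BAD"; do
  rc=0; startup_status "$f" || rc=$?
  echo "$f: status $rc"
done
```

Point LOG at /var/log/suricata/suricata.log on the sensor; each name printed corresponds to one "enabled: no" to put back in the outputs section.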

Resources

Installation

Setup

Trash

   - http-log:
      enabled: yes

   - tls-log:
      enabled: yes  # Log TLS connections.

   - tls-store:
      enabled: yes

   - dns-log:
      enabled: yes
