Installing Suricata IDS/IPS

tested on bionic and debian buster

Network requirements

IDS – assuming you got port mirroring in place and eth0 is a dedicated interface for it
IPS – you’re the gateway and eth0 is the front-facing/external device

Storage requirements

make sure you have enough space, otherwise, those logs will eat your drive alive

df -h

default location is

ls -alF /var/log/suricata/
du -sh /var/log/suricata/

otherwise tune it

vi /etc/suricata/suricata.yaml

default-log-dir: /data/suricata/

systemctl restart suricata

Outdated binaries

check the version you would get from the main repo

apt search suricata

versus the version you would get from the official repo

apt install software-properties-common dirmngr
add-apt-repository ppa:oisf/suricata-stable
#apt-get update
apt search suricata
add-apt-repository -d ppa:oisf/suricata-stable

From source w/ IPS

see suricata-source

Enabling community rules

enable all free-of-charge community rules

suricata-update update-sources
suricata-update list-sources
suricata-update list-enabled-sources
suricata-update

for rule in \
    et/open \
    oisf/trafficid \
    tgreen/hunting \
    etnetera/aggressive \
    ptresearch/attackdetection \
    sslbl/ja3-fingerprints \
    sslbl/ssl-fp-blacklist \
    ; do
    suricata-update enable-source $rule
done; unset rule

in case you got a few errors, you might have to tune and get rid of a few rules manually

suricata-update

and in case you want to get rid of a whole ruleset

#suricata-update disable-source sslbl/ja3-fingerprints

make them available at default location for the daemon

ln -s /var/lib/suricata/rules /etc/suricata/

Initial troubleshooting

While checking rules -T or starting the daemon

10/4/2020 -- 18:12:24 - <Info> -- Writing rules to /var/lib/suricata/rules/suricata.rules: total: 30658; enabled: 23832; added: 30658; removed 0; modified: 0
10/4/2020 -- 18:12:25 - <Info> -- Testing with suricata -T.
10/4/2020 -- 18:12:25 - <Error> -- [ERRCODE: SC_ERR_INVALID_ENUM_MAP(15)] - event "certificate_missing_element" not present in ssl's enum map table.
10/4/2020 -- 18:12:25 - <Warning> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - app-layer-event keyword's protocol "tls" doesn't have event "certificate_missing_element" registered
10/4/2020 -- 18:12:25 - <Error> -- [ERRCODE: SC_ERR_INVALID_ENUM_MAP(15)] - event "certificate_unknown_element" not present in ssl's enum map table.
10/4/2020 -- 18:12:25 - <Warning> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - app-layer-event keyword's protocol "tls" doesn't have event "certificate_unknown_element" registered
10/4/2020 -- 18:12:25 - <Error> -- [ERRCODE: SC_ERR_INVALID_ENUM_MAP(15)] - event "certificate_invalid_string" not present in ssl's enum map table.
10/4/2020 -- 18:12:25 - <Warning> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - app-layer-event keyword's protocol "tls" doesn't have event "certificate_invalid_string" registered

==> in the meanwhile, need to disable those

cd /usr/local/share/suricata/rules/
cp -pi tls-events.rules tls-events.rules.dist
vi tls-events.rules

by commenting out

certificate_missing_element
certificate_unknown_element and 
certificate_invalid_string

Additional sources

…

Ready to go

ls -lF /etc/suricata/
ls -lF /var/log/suricata/
ls -lF /usr/local/share/suricata/rules/
ls -lF /var/lib/suricata/rules/

you can now proceed with Suricata’s setup

Resources

https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Debian_Installation

https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Ubuntu_Installation

https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricata_Installation

PPA https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Ubuntu_Installation_-_Personal_Package_Archives_(PPA)

Installing Suricata https://nsrc.org/workshops/2015/pacnog17-ws/attachments/ex-installing-suricata.htm

GUIDES | LECTURES | BENCHMARKS | SMTP HEALTH