tested on bionic and debian buster
eth0 is a dedicated interface for it
eth0 is the front-facing/external device

make sure you have enough space, otherwise those logs will eat your hard drive alive
df -h
the default log location is /var/log/suricata/
ls -alF /var/log/suricata/
du -sh /var/log/suricata/
otherwise tune it
vi /etc/suricata/suricata.yaml
    default-log-dir: /data/suricata/
systemctl restart suricata
check the version you would get from the main repo
apt search suricata
versus the version you would get from the official repo (OISF PPA)
apt install software-properties-common dirmngr
add-apt-repository ppa:oisf/suricata-stable
#apt-get update
apt search suricata
add-apt-repository -d ppa:oisf/suricata-stable
tested on buster
apt purge libhtp2 suricata suricata-update
apt autoremove --purge

git clone https://github.com/OISF/libhtp
cd libhtp/
./autogen.sh
./configure
make -j16
make install
ldconfig
cd ..    # back out of libhtp/ before cloning suricata

apt-get -y install libpcre3 libpcre3-dbg libpcre3-dev \
    build-essential autoconf automake libtool libpcap-dev libnet1-dev \
    libyaml-0-2 libyaml-dev zlib1g zlib1g-dev libmagic-dev libcap-ng-dev \
    libjansson-dev pkg-config
apt-get -y install libnetfilter-queue-dev
apt install python3-pip python3-setuptools python3-distutils
apt-get install liblz4-dev
apt-get install libnss3-dev
apt-get install libnspr4-dev
apt install rustc cargo cbindgen
cargo install --force cbindgen
pip3 install --upgrade suricata-update
apt install libluajit-5.1-dev
apt install libprelude-dev

git clone https://github.com/OISF/suricata.git
cd suricata/
./autogen.sh
export PATH=/root/.cargo/bin:$PATH
./configure --enable-nfqueue --enable-non-bundled-htp --sysconfdir=/etc --localstatedir=/var --enable-luajit --enable-prelude #--prefix=/usr
make -j16 clean
time make -j16
#real 1m53.513s
make install
make install-conf
which suricata
/usr/local/bin/suricata -V
This is Suricata version 6.0.0-dev (edcb784f1 2020-04-07)
enable all free-of-charge community rules
suricata-update update-sources
suricata-update list-sources
suricata-update list-enabled-sources
suricata-update
for rule in \
    et/open \
    oisf/trafficid \
    tgreen/hunting \
    etnetera/aggressive \
    ptresearch/attackdetection \
    sslbl/ja3-fingerprints \
    sslbl/ssl-fp-blacklist \
; do
    suricata-update enable-source $rule
done; unset rule
if you get a few errors, you might have to tune the configuration and disable a few rules manually
suricata-update
and if you want to get rid of a whole ruleset
#suricata-update disable-source sslbl/ja3-fingerprints
make the rules available at the default location for the daemon
ln -s /var/lib/suricata/rules /etc/suricata/
While checking the rules (suricata -T) or starting the daemon, you may see:
10/4/2020 -- 18:12:24 - <Info> -- Writing rules to /var/lib/suricata/rules/suricata.rules: total: 30658; enabled: 23832; added: 30658; removed 0; modified: 0
10/4/2020 -- 18:12:25 - <Info> -- Testing with suricata -T.
10/4/2020 -- 18:12:25 - <Error> -- [ERRCODE: SC_ERR_INVALID_ENUM_MAP(15)] - event "certificate_missing_element" not present in ssl's enum map table.
10/4/2020 -- 18:12:25 - <Warning> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - app-layer-event keyword's protocol "tls" doesn't have event "certificate_missing_element" registered
10/4/2020 -- 18:12:25 - <Error> -- [ERRCODE: SC_ERR_INVALID_ENUM_MAP(15)] - event "certificate_unknown_element" not present in ssl's enum map table.
10/4/2020 -- 18:12:25 - <Warning> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - app-layer-event keyword's protocol "tls" doesn't have event "certificate_unknown_element" registered
10/4/2020 -- 18:12:25 - <Error> -- [ERRCODE: SC_ERR_INVALID_ENUM_MAP(15)] - event "certificate_invalid_string" not present in ssl's enum map table.
10/4/2020 -- 18:12:25 - <Warning> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - app-layer-event keyword's protocol "tls" doesn't have event "certificate_invalid_string" registered
==> in the meantime, those rules need to be disabled
cd /usr/local/share/suricata/rules/
cp -pi tls-events.rules tls-events.rules.dist
vi tls-events.rules
by commenting out the rules for the events
certificate_missing_element, certificate_unknown_element and certificate_invalid_string
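As an added example (not part of these notes), a small shell helper that does that commenting-out for the three tls events reported above, keeping a .dist copy as the notes do; the rule lines and sids in write_sample_rules are constructed samples in the style of tls-events.rules, not the real file.

```shell
#!/bin/sh
# Added example, not from the original notes: instead of hand-editing
# tls-events.rules, comment out the rules whose app-layer-event names
# suricata -T rejected. The rule lines below are constructed samples.

disable_tls_events() {
  # $1 = rules file; remaining args = tls event names to disable
  rules_file="$1"; shift
  # keep a pristine copy, as the notes do with tls-events.rules.dist
  [ -f "$rules_file.dist" ] || cp -p "$rules_file" "$rules_file.dist"
  for event in "$@"; do
    # prefix any still-active alert line referencing tls.<event> with '# '
    sed "/^alert .*app-layer-event:tls\\.$event;/s/^/# /" "$rules_file" \
      > "$rules_file.tmp" && mv "$rules_file.tmp" "$rules_file"
  done
}

count_active_rules() {
  # number of uncommented rule lines (grep -c exits 1 on zero matches)
  grep -c '^alert' "$1" || true
}

write_sample_rules() {
  # constructed sample in the style of tls-events.rules; sids are placeholders
  cat > "$1" <<'EOF'
alert tls any any -> any any (msg:"SURICATA TLS invalid handshake message"; flow:established; app-layer-event:tls.invalid_handshake_message; classtype:protocol-command-decode; sid:9900001; rev:1;)
alert tls any any -> any any (msg:"SURICATA TLS certificate missing element"; flow:established; app-layer-event:tls.certificate_missing_element; classtype:protocol-command-decode; sid:9900002; rev:1;)
alert tls any any -> any any (msg:"SURICATA TLS certificate unknown element"; flow:established; app-layer-event:tls.certificate_unknown_element; classtype:protocol-command-decode; sid:9900003; rev:1;)
alert tls any any -> any any (msg:"SURICATA TLS certificate invalid string"; flow:established; app-layer-event:tls.certificate_invalid_string; classtype:protocol-command-decode; sid:9900004; rev:1;)
EOF
}
```

Run it on the real file as `disable_tls_events /usr/local/share/suricata/rules/tls-events.rules certificate_missing_element certificate_unknown_element certificate_invalid_string`, then re-check with suricata -T.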
…
ls -lF /etc/suricata/
ls -lF /var/log/suricata/
ls -lF /usr/local/share/suricata/rules/
ls -lF /var/lib/suricata/rules/
you can now proceed with Suricata’s setup
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Debian_Installation
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Ubuntu_Installation
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricata_Installation
from source: https://www.claudiokuenzler.com/blog/511/suricata-network-intrusion-detection-nids-debian-wheezy
Installing Suricata: https://nsrc.org/workshops/2015/pacnog17-ws/attachments/ex-installing-suricata.htm
1 What is Bro? https://nsrc.org/workshops/2015/pacnog17-ws/attachments/bro-intro.htm