Installing Suricata IDS/IPS

tested on bionic and debian buster

Network requirements

• IDS – assuming you got port mirroring in place and eth0 is a dedicated interface for it
• IPS – you’re the gateway and eth0 is the front-facing/external device

Storage requirements

make sure you have enough space, otherwise, those logs will eat your hard drive alive

df -h

default location is

ls -alF /var/log/suricata/
du -sh /var/log/suricata/

otherwise tune it

vi /etc/suricata/suricata.yaml

default-log-dir: /data/suricata/

systemctl restart suricata

Outdated binaries

check the version you would get from the main repo

apt search suricata

versus the version you would get from the official repo

apt install software-properties-common dirmngr
add-apt-repository ppa:oisf/suricata-stable
#apt-get update
apt search suricata
add-apt-repository -d ppa:oisf/suricata-stable

From source w/ IPS

tested on buster

apt purge libhtp2 suricata suricata-update
apt autoremove --purge

git clone https://github.com/OISF/libhtp
cd libhtp/
./autogen.sh
./configure
make -j16
make install
ldconfig

apt-get -y install libpcre3 libpcre3-dbg libpcre3-dev \
build-essential autoconf automake libtool libpcap-dev libnet1-dev \
libyaml-0-2 libyaml-dev zlib1g zlib1g-dev libmagic-dev libcap-ng-dev \
libjansson-dev pkg-config
apt-get -y install libnetfilter-queue-dev

apt install python3-pip python3-setuptools python3-distutils
apt-get install liblz4-dev
apt-get install libnss3-dev
apt-get install libnspr4-dev
apt install rustc cargo cbindgen
cargo install --force cbindgen
pip3 install --upgrade suricata-update
apt install libluajit-5.1-dev
apt install libprelude-dev

git clone https://github.com/OISF/suricata.git
cd suricata/
./autogen.sh
export PATH=/root/.cargo/bin:$PATH
./configure --enable-nfqueue --enable-non-bundled-htp --sysconfdir=/etc --localstatedir=/var --enable-luajit --enable-prelude
#--prefix=/usr
make -j16 clean
time make -j16 #real    1m53.513s
make install
make install-conf

which suricata
/usr/local/bin/suricata -V

This is Suricata version 6.0.0-dev (edcb784f1 2020-04-07)

Enabling community rules

enable all free-of-charge community rules

suricata-update update-sources
suricata-update list-sources
suricata-update list-enabled-sources
suricata-update

for rule in \
    et/open \
    oisf/trafficid \
    tgreen/hunting \
    etnetera/aggressive \
    ptresearch/attackdetection \
    sslbl/ja3-fingerprints \
    sslbl/ssl-fp-blacklist \
    ; do
    suricata-update enable-source $rule
done; unset rule

in case you got a few errors, you might have to tune and get rid of a few rules manually

suricata-update

and in case you want to get rid of a whole ruleset

#suricata-update disable-source sslbl/ja3-fingerprints

make them available at default location for the daemon

ln -s /var/lib/suricata/rules /etc/suricata/

Initial troubleshooting

While checking rules -T or starting the daemon

10/4/2020 -- 18:12:24 - <Info> -- Writing rules to /var/lib/suricata/rules/suricata.rules: total: 30658; enabled: 23832; added: 30658; removed 0; modified: 0
10/4/2020 -- 18:12:25 - <Info> -- Testing with suricata -T.
10/4/2020 -- 18:12:25 - <Error> -- [ERRCODE: SC_ERR_INVALID_ENUM_MAP(15)] - event "certificate_missing_element" not present in ssl's enum map table.
10/4/2020 -- 18:12:25 - <Warning> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - app-layer-event keyword's protocol "tls" doesn't have event "certificate_missing_element" registered
10/4/2020 -- 18:12:25 - <Error> -- [ERRCODE: SC_ERR_INVALID_ENUM_MAP(15)] - event "certificate_unknown_element" not present in ssl's enum map table.
10/4/2020 -- 18:12:25 - <Warning> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - app-layer-event keyword's protocol "tls" doesn't have event "certificate_unknown_element" registered
10/4/2020 -- 18:12:25 - <Error> -- [ERRCODE: SC_ERR_INVALID_ENUM_MAP(15)] - event "certificate_invalid_string" not present in ssl's enum map table.
10/4/2020 -- 18:12:25 - <Warning> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - app-layer-event keyword's protocol "tls" doesn't have event "certificate_invalid_string" registered

==> in the meanwhile, need to disable those

cd /usr/local/share/suricata/rules/
cp -pi tls-events.rules tls-events.rules.dist
vi tls-events.rules

by commenting out

certificate_missing_element
certificate_unknown_element and 
certificate_invalid_string

Additional sources

…

Ready to go

ls -lF /etc/suricata/
ls -lF /var/log/suricata/
ls -lF /usr/local/share/suricata/rules/
ls -lF /var/lib/suricata/rules/

you can now proceed with Suricata’s setup

Resources

https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Debian_Installation

https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Ubuntu_Installation

https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricata_Installation

PPA https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Ubuntu_Installation_-_Personal_Package_Archives_(PPA)

from source https://www.claudiokuenzler.com/blog/511/suricata-network-intrusion-detection-nids-debian-wheezy

Installing Suricata https://nsrc.org/workshops/2015/pacnog17-ws/attachments/ex-installing-suricata.htm

alternatives

1 What is Bro? https://nsrc.org/workshops/2015/pacnog17-ws/attachments/bro-intro.htm