IDS with Suricata
- Title: IPS with Suricata
- Author(s): Mateo Burillo
- Date: 1 Septiembre 2014
- Version(s): 1.0
- Zentyal profiles: All
In this tutorial, we are going to install Suricata as an IDS on top of Zentyal Server (any Ubuntu host really).
First of all, let's install the software packages:
# apt-get install oinkmaster suricata
We are going to use the "emerging threats" list of security rules
# cd /etc/suricata # mkdir rules
Oinkmaster will help us downloading and updating these rules, edit the following file:
vim /etc/oinkmaster.conf
At the end of the document add:
url = https://rules.emergingthreatspro.com/open/suricata/emerging.rules.tar.gz
Use the following command to load the initial set of rules:
sudo oinkmaster -C /etc/oinkmaster.conf -o /etc/suricata/rules
To keep the rules updated, you can manually run the command above or set up a cron job.
Download the following suricata-debian.yaml file and place it under the directory /etc/suricata
Now we can test if suricata is able to run:
suricata -c /etc/suricata/suricata-debian.yaml -i any
Look for the following two lines in the execution log:
<Info> - 53 rule files processed. 15152 rules successfully loaded, 5 rules failed
And, the last one:
<Info> - all 3 packet processing threads, 3 management threads initialized, engine started.
If the engine is able to start, we just have to tune the service to run automatically with the desired parameters.
Edit the file /etc/default/suricata and customize the following parameters:
The 'RUN' parameters has to be 'yes' in order to behave like a daemon:
RUN=yes
The 'LISTENMODE' is pcap in our case:
LISTENMODE=pcap
The interface to listen, we can choose one interface, like 'eth0', several interfaces, or just 'any':
IFACE=any
The file /var/log/suricata/fast.log will contain all suspicious activity detected by Suricata, including the 'Priority' classification.