
IDS with Suricata

From Zentyal Linux Small Business Server
  • Title: IPS with Suricata
  • Author(s): Mateo Burillo
  • Date: 1 September 2014
  • Version(s): 1.0
  • Zentyal profiles: All


In this tutorial, we are going to install Suricata as an IDS on top of Zentyal Server (any Ubuntu host really).

First of all, let's install the software packages:

# apt-get install oinkmaster suricata


We are going to use the "Emerging Threats" list of security rules, so first create a directory for them:

# cd /etc/suricata
# mkdir rules


Oinkmaster will download and update these rules for us. Edit the following file:

vim /etc/oinkmaster.conf

At the end of the document add:

url = https://rules.emergingthreatspro.com/open/suricata/emerging.rules.tar.gz

Use the following command to load the initial set of rules:

sudo oinkmaster -C /etc/oinkmaster.conf -o /etc/suricata/rules

To keep the rules updated, you can manually run the command above or set up a cron job.

Download the following suricata-debian.yaml file and place it under the directory /etc/suricata.

Now we can test whether Suricata is able to run:

suricata -c /etc/suricata/suricata-debian.yaml -i any

Look for the following two lines in the execution log:

<Info> - 53 rule files processed. 15152 rules successfully loaded, 5 rules failed

And, the last one:

<Info> - all 3 packet processing threads, 3 management threads initialized, engine started.

If the engine is able to start, we just have to tune the service to run automatically with the desired parameters.

Edit the file /etc/default/suricata and customize the following parameters:

The 'RUN' parameter has to be 'yes' for Suricata to run as a daemon:

RUN=yes

The 'LISTENMODE' is pcap in our case:

LISTENMODE=pcap

The interface to listen on: we can choose a single interface such as 'eth0', several interfaces, or simply 'any':

IFACE=any


The file /var/log/suricata/fast.log will contain all suspicious activity detected by Suricata, including the 'Priority' classification.
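As an added example (not part of the original tutorial), here is a small Python parser for the fast.log format just mentioned: it extracts the signature, classification and Priority of each alert and counts them, which is the first step when triaging the file. The sample log lines are constructed for this example, and the pattern assumes IPv4 addresses in the fast.log output.

```python
import re
from collections import Counter

# One fast.log alert line, in the format Suricata writes it:
#   MM/DD/YYYY-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] [Classification: c] [Priority: p] {PROTO} src:sport -> dst:dport
# Ports are absent for ICMP, and very old rule sets may omit the Classification field.
# Assumption for this example: IPv4 addresses only.
FAST_LOG_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<classification>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<priority>\d+)\]\s+\{(?P<proto>[^}]+)\}\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?$"
)

# Constructed sample of /var/log/suricata/fast.log (SIDs and addresses are illustrative).
SAMPLE_FAST_LOG = """\
09/01/2014-10:15:32.123456  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.10:80 -> 192.168.1.20:49152
09/01/2014-10:16:01.000001  [**] [1:2210020:1] SURICATA STREAM ESTABLISHED packet out of window [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.1.20:49153 -> 203.0.113.10:443
09/01/2014-10:17:45.654321  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.10:80 -> 192.168.1.21:49200
09/01/2014-10:18:00.111111  [**] [1:2402000:4] ET DROP Dshield Block Listed Source group 1 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 198.51.100.7:4444 -> 192.168.1.20:22
09/01/2014-10:19:12.222222  [**] [1:2008581:4] ET P2P BitTorrent DHT ping request [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 192.168.1.30:6881 -> 203.0.113.99:6881
this line is not a fast.log alert and is counted as skipped
"""


def parse_fast_log_line(line):
    """Return the fields of one fast.log alert as a dict, or None if the line is not an alert."""
    m = FAST_LOG_RE.match(line.strip())
    if not m:
        return None
    alert = m.groupdict()
    alert["sid"] = int(alert["sid"])
    alert["priority"] = int(alert["priority"])  # 1 is the most severe, 3 the least
    return alert


def summarize_alerts(text):
    """Count alerts by Priority and by (sid, message); unparseable lines are counted as skipped."""
    by_priority, by_signature, skipped = Counter(), Counter(), 0
    for line in text.splitlines():
        if not line.strip():
            continue
        alert = parse_fast_log_line(line)
        if alert is None:
            skipped += 1
            continue
        by_priority[alert["priority"]] += 1
        by_signature[(alert["sid"], alert["msg"])] += 1
    return {"by_priority": dict(by_priority), "by_signature": dict(by_signature), "skipped": skipped}


def high_priority_alerts(text, max_priority=1):
    """Alerts whose Priority is at or above a severity cutoff (lower number = more severe)."""
    return [a for a in map(parse_fast_log_line, text.splitlines()) if a and a["priority"] <= max_priority]
```

Run it against the real file with `summarize_alerts(open("/var/log/suricata/fast.log").read())` to get a quick per-Priority count of what Suricata has flagged.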
