IDS with Suricata

From Zentyal Linux Small Business Server
Revision as of 14:26, 1 September 2014 by Admin (Talk | contribs)

  • Title: IPS with Suricata
  • Author(s): Mateo Burillo
  • Date: 1 September 2014
  • Version(s): 1.0
  • Zentyal profiles: All

In this tutorial we are going to install Suricata as an IDS on top of Zentyal Server (or, really, any Ubuntu host).

First of all, let's install the software packages:

# apt-get install oinkmaster suricata

We are going to use the Emerging Threats open ruleset as our set of security rules. Create the directory that will hold it:

# cd /etc/suricata
# mkdir rules

Oinkmaster will download and update these rules for us. Edit the following file:

vim /etc/oinkmaster.conf

At the end of the document add:

url = https://rules.emergingthreatspro.com/open/suricata/emerging.rules.tar.gz

Use the following command to load the initial set of rules:

sudo oinkmaster -C /etc/oinkmaster.conf -o /etc/suricata/rules

To keep the rules updated, you can manually run the command above or set up a cron job.
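To run that update from cron without blindly restarting the sensor every night, here is an added helper script; it is not part of this tutorial or of Zentyal. It assumes the paths used above, that Suricata writes its pid to /var/run/suricata.pid, and that it reloads its ruleset on SIGUSR2 (Suricata 1.x/2.x behaviour); sha256sum and find come from coreutils/findutils on Ubuntu.

```shell
#!/bin/sh
# Added example for the Zentyal Suricata tutorial, not part of the page.
# Assumptions (not on the page): Suricata writes its pid to /var/run/suricata.pid
# and reloads its ruleset on SIGUSR2 (Suricata 1.x/2.x behaviour).
set -eu

OINK_CONF=/etc/oinkmaster.conf
RULES_DIR=/etc/suricata/rules
PIDFILE=/var/run/suricata.pid

# Fingerprint all .rules files in a directory, in a stable order, so we can
# tell whether an update changed anything before touching the running engine.
rules_digest() {
    for f in $(find "$1" -maxdepth 1 -type f -name '*.rules' | sort); do
        cat "$f"
    done | sha256sum | cut -d' ' -f1
}

# Count enabled (uncommented) signatures; this is roughly the number Suricata
# reports as "rules successfully loaded" at startup.
count_rules() {
    grep -hE '^[[:space:]]*(alert|drop|pass|reject) ' "$1"/*.rules 2>/dev/null | wc -l | tr -d ' '
}

# Pull the latest ruleset and ask the engine to reload only if it changed.
update_rules() {
    before=$(rules_digest "$RULES_DIR")
    oinkmaster -C "$OINK_CONF" -o "$RULES_DIR"
    after=$(rules_digest "$RULES_DIR")
    if [ "$before" = "$after" ]; then
        echo "rules unchanged: $(count_rules "$RULES_DIR") signatures enabled"
        return 0
    fi
    echo "rules updated: $(count_rules "$RULES_DIR") signatures enabled"
    if [ -r "$PIDFILE" ]; then
        kill -USR2 "$(cat "$PIDFILE")"   # live ruleset reload, no restart
    else
        echo "no running Suricata found; rules take effect at next start" >&2
    fi
}

# Only run the update when invoked with "update", so the file can also be
# sourced for its helper functions.
if [ "${1:-}" = update ]; then
    update_rules
fi
```

Save it as, for example, /usr/local/sbin/update-suricata-rules and add a line such as "0 3 * * * root /usr/local/sbin/update-suricata-rules update" to /etc/cron.d/suricata-rules (path and time are a suggestion). Reloading only when the digest changes keeps the nightly job from disturbing the running sensor when nothing was published.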

Download the suricata-debian.yaml file and place it under the directory /etc/suricata.

Now we can test if suricata is able to run:

suricata -c /etc/suricata/suricata-debian.yaml -i any

Look for the following two lines in the execution log:

<Info> - 53 rule files processed. 15152 rules successfully loaded, 5 rules failed

And the second one, which confirms that the engine started:

<Info> - all 3 packet processing threads, 3 management threads initialized, engine started.
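Here is an added check script (not from the tutorial) that reads those two lines out of the startup output and fails if the engine did not start or if more rules failed to load than you are willing to accept. The two log lines embedded in it are constructed to match the format shown above; the Debian package's default log path /var/log/suricata/suricata.log is an assumption.

```shell
#!/bin/sh
# Added example, not from the tutorial: verify a Suricata start from its log.
# Assumed default log path on Debian/Ubuntu: /var/log/suricata/suricata.log.
set -eu

# Print "<loaded> <failed>" from the rule-loading summary line.
rule_counts() {
    sed -n 's/.* rule files processed\. \([0-9]*\) rules successfully loaded, \([0-9]*\) rules failed.*/\1 \2/p' "$1" | tail -n 1
}

# True when the engine reports that packet processing started.
engine_started() {
    grep -q 'engine started' "$1"
}

# check_startup LOG [MAX_FAILED]: exit 0 only if the engine started and no
# more than MAX_FAILED rules were rejected. A rejected rule usually uses a
# keyword the installed Suricata does not know; every one of them is coverage
# you believe you have but do not.
check_startup() {
    log=$1
    max_failed=${2:-0}
    status=0
    if ! engine_started "$log"; then
        echo "engine did not start: no 'engine started' line in $log" >&2
        status=1
    fi
    set -- $(rule_counts "$log")
    if [ $# -ne 2 ]; then
        echo "no rule loading summary found in $log" >&2
        return 1
    fi
    echo "$1 rules loaded, $2 failed (allowed: $max_failed)"
    if [ "$2" -gt "$max_failed" ]; then
        echo "too many rules failed to load; look for error lines in the full log" >&2
        status=1
    fi
    return $status
}

# Constructed sample matching the two lines quoted in the tutorial.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
1/9/2014 -- 14:26:01 - <Info> - 53 rule files processed. 15152 rules successfully loaded, 5 rules failed
1/9/2014 -- 14:26:02 - <Info> - all 3 packet processing threads, 3 management threads initialized, engine started.
EOF

# Check the log given on the command line, or the sample, allowing 5 failures
# (the tutorial's own run shows 5 of 15152 failing, which is normal when the
# ruleset is newer than the engine).
check_startup "${1:-$SAMPLE_LOG}" "${2:-5}"
```

Run it against your own output with "sh check-suricata-start.sh /var/log/suricata/suricata.log 5"; the script name is a suggestion. Pick the allowed number of failed rules deliberately: a sudden jump after a rule update means the new rules need a newer engine, not that the update worked.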

If the engine is able to start, we just have to tune the service to run automatically with the desired parameters.

Edit the file /etc/default/suricata and customize the following parameters:

The 'RUN' parameter has to be 'yes' for Suricata to run as a daemon:


The 'LISTENMODE' is pcap in our case:


The interface to listen on: a single interface such as 'eth0', several interfaces, or just 'any':


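An added helper (not part of this tutorial or of Zentyal) that sets those values in /etc/default/suricata idempotently and validates them before the init script uses them. RUN, LISTENMODE and IFACE are the variable names the Debian/Ubuntu package's /etc/default/suricata uses; SURCONF, which the init script passes to suricata -c, is an assumption here and is set so that the daemon uses the same suricata-debian.yaml as the manual test above.

```shell
#!/bin/sh
# Added example, not part of the wiki page: set the /etc/default/suricata
# values the tutorial asks for and sanity-check them. RUN, LISTENMODE and
# IFACE are the Debian/Ubuntu package's variable names; SURCONF (the YAML path
# the init script hands to suricata -c) is an assumption.
set -eu

DEFAULTS=${DEFAULTS:-/etc/default/suricata}

# Replace KEY=... in FILE, or append it if the key is absent (idempotent).
set_default() {
    file=$1; key=$2; value=$3
    if grep -q "^${key}=" "$file"; then
        sed -i "s|^${key}=.*|${key}=${value}|" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# Read KEY's value back, stripping optional surrounding double quotes.
get_default() {
    sed -n "s/^$2=//p" "$1" | tail -n 1 | sed 's/^"\(.*\)"$/\1/'
}

# Reject values the init script cannot use: an unknown LISTENMODE or an
# interface that does not exist on this host, so the daemon does not sit
# "running" while capturing nothing.
validate_defaults() {
    file=$1
    mode=$(get_default "$file" LISTENMODE)
    iface=$(get_default "$file" IFACE)
    case "$mode" in
        pcap|af-packet|nfqueue) ;;
        *) echo "LISTENMODE '$mode' is not pcap, af-packet or nfqueue" >&2; return 1 ;;
    esac
    if [ "$iface" != any ] && [ ! -d "/sys/class/net/$iface" ]; then
        echo "IFACE '$iface' is not a network interface on this host" >&2
        return 1
    fi
    [ "$(get_default "$file" RUN)" = yes ] || { echo "RUN is not yes" >&2; return 1; }
}

# Apply the tutorial's settings only when invoked with "apply"; override the
# interface with IFACE=eth0 in the environment if you do not want 'any'.
if [ "${1:-}" = apply ]; then
    set_default "$DEFAULTS" RUN yes
    set_default "$DEFAULTS" LISTENMODE pcap
    set_default "$DEFAULTS" IFACE "${IFACE:-any}"
    set_default "$DEFAULTS" SURCONF /etc/suricata/suricata-debian.yaml
    validate_defaults "$DEFAULTS"
fi
```

Run "sh suricata-defaults.sh apply" (name is a suggestion) as root, then start the service; the validation step is what turns a typo in the interface name into an immediate error instead of a sensor that silently sees no traffic.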
The file /var/log/suricata/fast.log will contain every alert Suricata raises, one per line, including the 'Priority' classification of the matching rule.
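To make sense of fast.log once alerts start to pile up, here is an added triage script (not from the tutorial) that parses the one-line fast.log format of Suricata 2.x and summarises alerts by priority, by signature, and by the hosts behind priority-1 hits. The four sample alerts embedded in it are constructed for the example (local sids above 1000000, RFC 5737 addresses), not real captured alerts.

```shell
#!/bin/sh
# Added example, not from the wiki page: first-pass triage of
# /var/log/suricata/fast.log. Sample alerts below are constructed.
set -eu

# Flatten fast.log into tab-separated fields: priority, gid:sid:rev, msg, src, dst
parse_fast() {
    awk '
    match($0, /\[Priority: [0-9]+\]/) {
        prio = substr($0, RSTART + 11, RLENGTH - 12)   # digits inside "[Priority: N]"
        rest = substr($0, index($0, "[**] [") + 6)      # "gid:sid:rev] msg [**] ..."
        ids = rest; sub(/\].*/, "", ids)                 # keep gid:sid:rev
        msg = rest; sub(/^[^]]*\] /, "", msg); sub(/ \[\*\*\].*/, "", msg)
        printf "%s\t%s\t%s\t%s\t%s\n", prio, ids, msg, $(NF - 2), $NF
    }' "$1"
}

# Alerts per priority, most severe (1) first.
alerts_by_priority() {
    parse_fast "$1" | cut -f1 | sort | uniq -c | awk '{print $2, $1}' | sort -n
}

# Distinct signatures at priority <= MAX with hit counts, busiest first.
signatures_up_to() {
    parse_fast "$1" | awk -F'\t' -v max="$2" '$1 <= max { print $1, $2, $3 }' \
        | sort | uniq -c | sort -k1,1nr
}

# Hosts that appear as the source of a priority-1 alert: these are the
# machines to look at first, since a priority-1 hit originating inside the
# network often points at a compromised host rather than background noise.
priority1_sources() {
    parse_fast "$1" | awk -F'\t' '$1 == 1 { print $4 }' | cut -d: -f1 | sort -u
}

# Constructed sample fast.log (local sids, RFC 5737 addresses).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
09/01/2014-14:30:12.123456  [**] [1:1000001:1] CONSTRUCTED SCAN sip probe [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 198.51.100.7:5060 -> 10.0.0.5:5060
09/01/2014-14:31:40.000001  [**] [1:1000001:1] CONSTRUCTED SCAN sip probe [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 198.51.100.7:5061 -> 10.0.0.5:5060
09/01/2014-14:32:05.654321  [**] [1:1000002:1] CONSTRUCTED POLICY curl user-agent outbound [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 10.0.0.5:51000 -> 203.0.113.9:80
09/01/2014-14:35:00.111111  [**] [1:1000003:2] CONSTRUCTED TROJAN known C2 user-agent [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.0.12:51002 -> 203.0.113.9:80
EOF

LOG=${1:-$SAMPLE}
echo "== alerts by priority (priority count) =="; alerts_by_priority "$LOG"
echo "== signatures at priority 1-2 =="; signatures_up_to "$LOG" 2
echo "== hosts with priority 1 alerts =="; priority1_sources "$LOG"
```

Run it as "sh fastlog-triage.sh /var/log/suricata/fast.log" (script name is a suggestion). Counting by signature first tells you which rules are noise worth tuning in the ruleset; the priority-1 source list is the short list to investigate.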
