VB
July 27 2022
Updated December 11 2024

How To Install Suricata on Ubuntu 20.04


Description

Suricata is a network security monitoring tool for collecting, inspecting and auditing traffic. It is built around a set of rules, either predefined or written by the user; according to these rules, the traffic flow is analysed and/or modified.

Suricata ships with a set of predefined rules that run in what could be called "passive mode": the system only warns the administrator and does not change the traffic at all.

The software can be run on the office gateway so that all traffic passes through it, or on every host independently.

Before the start

The optimal hardware requirements depend on the LAN topology and on your needs. Generally, the more traffic is inspected, the more resources should be assigned to Suricata. In common cases at least 2 CPU cores and 4 or 8 gigabytes of RAM are needed.

So, the requirements are:

Ubuntu 20.04 on a server with no less than 4 GB of RAM and 2 CPU cores, permission to run commands as root or as a member of the sudo group, and the system firewall enabled.

Installation process

  • Firstly, add the third-party repository to the operating system. Log in as the superuser and execute:
    add-apt-repository ppa:oisf/suricata-stable

    Confirm if a security warning appears.

Connecting an additional repository

  • Install the maintainer's pre-built package:
    apt-get update
    apt-get install suricata

Adding a software package

  • Then add the new service to autostart. If you see console output like this, startup has been enabled successfully:
    systemctl enable suricata


One-time configuration

The Suricata utility "covers" the needs of most users out of the box. It works in "safe" mode, so no network packets are dropped; it only warns. This practice is good until you have deep knowledge of the topic.
But even the default preset has some useful options to enable, e.g. the Community Flow ID.
It is useful when you need to integrate other systems (Elasticsearch, for example) with Suricata. The Community ID can be enabled in the Suricata config: edit the "community-id:" directive in /etc/suricata/suricata.yaml and set its value to "true".

nano /etc/suricata/suricata.yaml


Next, define which network interface should be monitored. To find the network adapter that carries the default route, run a command like this:

ip -j -p route show default

A short description: the -j option sets the output format to JSON, and the -p flag improves readability. The main adapter is shown in the "dev" field.

To check and change the interface name, open /etc/suricata/suricata.yaml and look for the "interface" directive around row #550. If multiple interfaces are present, they can be added to the config file too.


Finally, you must restart the service:

service suricata restart

Rulesets updating

To get additional rules, the suricata-update tool should be used. The utility can fetch rules from non-commercial or paid providers. It can also show which rule sources the system currently knows about:

suricata-update list-sources

This tool is designed to manage rulesets, enabling or disabling them. For example, to install a new ruleset, execute:

suricata-update enable-source <RULESET_NAME>


Then run suricata-update again to apply the changes.

Checking the current settings

It is good practice to check the configuration after each modification. Just execute:

suricata -T -v -c /etc/suricata/suricata.yaml  # -T runs Suricata in test ("checking") mode, -c sets the path to the config file, -v prints more information

Configuration check

Service's launching

To restart the daemon after a successful config check, execute:

service suricata restart

Then check whether the service has really started:

service suricata status


Testing actual rules

To check whether the rules really behave as expected, install the jq tool to make the log more readable, and fetch a special test file:

apt-get install jq
apt-get install curl
curl http://testmynids.org/uid/index.html

To look for alerts, run:

tail -f /var/log/suricata/fast.log
tail -f /var/log/suricata/eve.json

You will see the log output filtered by the alert's signature ID:

jq 'select(.alert.signature_id==<ALERT_ID>)' /var/log/suricata/eve.json

Detailed description of the threat
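As an added example (not from the original article), here is the same signature-ID filter done in Python over a few constructed EVE records, and it also shows what the Community ID enabled earlier buys you: every record of the flow that raised the alert can be pulled together by one key. The sample lines, signature IDs and community IDs are constructed, not real Suricata output.

```python
import json
from collections import Counter

# Constructed sample of /var/log/suricata/eve.json lines (not real Suricata output).
# Records share a "community_id" because community-id: true is set in suricata.yaml.
SAMPLE_EVE = """\
{"timestamp":"2024-01-01T10:00:00.000000+0000","event_type":"flow","community_id":"1:CONSTRUCTED_A=","src_ip":"10.0.0.5","dest_ip":"203.0.113.10","proto":"TCP"}
{"timestamp":"2024-01-01T10:00:01.000000+0000","event_type":"http","community_id":"1:CONSTRUCTED_A=","src_ip":"10.0.0.5","dest_ip":"203.0.113.10","http":{"hostname":"testmynids.org","url":"/uid/index.html"}}
{"timestamp":"2024-01-01T10:00:01.500000+0000","event_type":"alert","community_id":"1:CONSTRUCTED_A=","src_ip":"203.0.113.10","dest_ip":"10.0.0.5","alert":{"signature_id":1000001,"signature":"CONSTRUCTED test response alert","severity":1}}
{"timestamp":"2024-01-01T10:00:05.000000+0000","event_type":"alert","community_id":"1:CONSTRUCTED_B=","src_ip":"198.51.100.7","dest_ip":"10.0.0.5","alert":{"signature_id":1000002,"signature":"CONSTRUCTED inbound scan","severity":2}}
not json at all
"""

def parse_eve(text):
    """Parse EVE JSON lines; skip blank or malformed lines instead of aborting."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a half-written line seen during tail -f is not fatal
    return records

def alerts_by_sid(records, sid):
    """Python equivalent of: jq 'select(.alert.signature_id==SID)' eve.json"""
    return [r for r in records
            if r.get("event_type") == "alert"
            and r.get("alert", {}).get("signature_id") == sid]

def flow_context(records, community_id):
    """All records (flow, http, alert, ...) belonging to one flow, joined on Community ID.
    Other tools computing the same hash (e.g. an Elasticsearch pipeline) can join on it too."""
    return [r for r in records if r.get("community_id") == community_id]

def alert_counts(records):
    """Count alerts per signature ID, e.g. to spot a noisy rule before tuning it."""
    return Counter(r["alert"]["signature_id"]
                   for r in records if r.get("event_type") == "alert")

if __name__ == "__main__":
    recs = parse_eve(SAMPLE_EVE)
    for a in alerts_by_sid(recs, 1000001):
        print(a["timestamp"], a["alert"]["signature"])
        for ctx in flow_context(recs, a["community_id"]):
            print("   ", ctx["event_type"], ctx.get("http", {}).get("url", ""))
    print(dict(alert_counts(recs)))
```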

At the end

Today you have installed the Suricata tool. You saw how to use the Community Flow ID to combine the utility with other useful tools. We also learned how to inspect the service settings and test our HTTP traffic.
