09.06.2023

How To Install Suricata on Ubuntu 20.04

Description

Suricata is a program for network security log collection, monitoring and audit. The utility is built around a set of rules, predefined or user-made; according to these rules the traffic flow is analyzed and/or modified.

Suricata ships with predefined rules that can be run in what could be called "passive mode": the system only warns the administrator and does not change any traffic.

It can run on the office gateway so that all traffic passes through it, or on every host independently.

Before the start

Optimal hardware requirements depend on the LAN topology and on your needs. As a rule, the more traffic is inspected, the more resources should be assigned to Suricata. In common cases at least 2 CPU cores and 4 or 8 GB of RAM are needed.

So, the requirements are:

Ubuntu 20.04; a server with not less than 4 GB RAM and 2 CPU cores; permission to run commands as root or as a member of the sudo group; the system firewall enabled.

Installation process

One-time configuration

Out of the box Suricata covers the needs of the majority of users. It works in "safe" mode: no network packets are dropped, it only warns. This practice is good until you have deep knowledge of the topic.
Even the default preset has some useful options, e.g. the community flow ID.
It is useful when another system (Elasticsearch, for example) needs to be integrated with Suricata. The Community ID can be enabled in the Suricata config: edit the "community-id:" directive in /etc/suricata/suricata.yaml and set its value to "true".

sed -i 's/^\([[:space:]]*\)community-id: false/\1community-id: true/' /etc/suricata/suricata.yaml   # or open the file in an editor and change the value by hand

Define which network interface should be monitored. To find the network adapter that carries the default route, run a command like this:

ip -j -p route show default

A short description: the -j option sets the output format to JSON, the -p flag improves readability (pretty print). The adapter in use is shown in the "dev" field.

To check and change the interface name, open /etc/suricata/suricata.yaml and look for the "interface" directive around row #550. If multiple interfaces are present, they can be added to the config file too.
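The same lookup done programmatically, as an added example that is not part of the original article: it parses the JSON that ip -j route show default prints, picks the "dev" of the default route (lowest metric first when there are several) and renders the matching af-packet interface entries for suricata.yaml. The route JSON embedded below is a constructed sample with documentation-range addresses; the function names are my own.

```python
import json
import subprocess

# Constructed sample of `ip -j -p route show default` output on a host with one
# DHCP-assigned default route (not captured from a real machine).
SAMPLE_ROUTE_JSON = """
[ {
        "dst": "default",
        "gateway": "192.0.2.1",
        "dev": "eth0",
        "protocol": "dhcp",
        "metric": 100,
        "flags": [ ]
    } ]
"""


def default_interfaces(route_json: str) -> list:
    """Return the "dev" of every default route, lowest metric first."""
    routes = json.loads(route_json)
    defaults = [r for r in routes if r.get("dst") == "default" and "dev" in r]
    defaults.sort(key=lambda r: r.get("metric", 0))
    return [r["dev"] for r in defaults]


def live_default_interfaces() -> list:
    """Run the real command on this host; returns [] if `ip` is unavailable or fails."""
    try:
        out = subprocess.run(["ip", "-j", "route", "show", "default"],
                             capture_output=True, text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        return []
    return default_interfaces(out) if out.strip() else []


def af_packet_snippet(interfaces: list) -> str:
    """Render the af-packet block of suricata.yaml with one entry per interface."""
    lines = ["af-packet:"]
    for name in interfaces:
        lines.append(f"  - interface: {name}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Prefer the live routing table; fall back to the constructed sample offline.
    ifaces = live_default_interfaces() or default_interfaces(SAMPLE_ROUTE_JSON)
    print(af_packet_snippet(ifaces))
```

The rendered block only lists the interface names; the other per-interface keys in the default af-packet section (cluster-id and friends) are left for you to fill in from the shipped config.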

Finally, restart the service:

service suricata restart

Rulesets updating

To get additional rules, the suricata-update tool should be used. It can fetch rulesets from free (non-commercial) or paid providers, and it can also show which sources the system uses now:

suricata-update list-sources

This tool is designed to manage rulesets, enabling or disabling them. E.g. to install a new ruleset, execute:

suricata-update enable-source <RULESET_NAME>

Run suricata-update again to download the enabled rulesets and apply the changes.

Checking the current settings

It is good practice to check the configuration after every modification. Just execute:

suricata -T -v -c /etc/suricata/suricata.yaml   # -T forces Suricata into "test" mode (check the config and rules, then exit), -c sets the path to the config file, -v prints more information

Service's launching

To restart the daemon after a successful config check, execute:

service suricata restart

Then check whether the service really started:

service suricata status

Testing actual rules

To check whether the rules really behave as expected, install the jq tool to make the log more readable, then fetch a special test file:

apt-get install jq
apt-get install curl
curl http://testmynids.org/uid/index.html


To look at the alerts:

tail -f /var/log/suricata/fast.log
tail -f /var/log/suricata/eve.json

To see the log filtered down to one signature, run (replace <ALERT_ID> with the signature ID shown in fast.log):

jq 'select(.alert.signature_id==<ALERT_ID>)' /var/log/suricata/eve.json
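The jq filter above and the community-id setting from the configuration section, worked through together in an added example that is not part of the original article: a small Python reader for eve.json that selects alerts by signature ID and then pulls in every other record (flow, http, ...) that shares the alert's community_id, which is exactly the join that the Community Flow ID exists for. The EVE lines embedded below are constructed samples (signature IDs, addresses and the community_id values are made up); the function names are my own.

```python
import json
import os
import sys

# Constructed EVE records, not captured from a real host. The first alert and the
# flow record share a community_id, so they describe the same connection.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2023-06-09T10:00:01.000000+0000","event_type":"alert",'
    '"src_ip":"192.0.2.10","dest_ip":"198.51.100.5",'
    '"community_id":"1:AAAAAAAAAAAAAAAAAAAAAAAAAAA=",'
    '"alert":{"signature_id":1000001,"signature":"CONSTRUCTED id check returned root","severity":2}}',
    '{"timestamp":"2023-06-09T10:00:01.500000+0000","event_type":"flow",'
    '"src_ip":"192.0.2.10","dest_ip":"198.51.100.5",'
    '"community_id":"1:AAAAAAAAAAAAAAAAAAAAAAAAAAA=",'
    '"flow":{"pkts_toserver":6,"pkts_toclient":5}}',
    '{"timestamp":"2023-06-09T10:00:02.000000+0000","event_type":"alert",'
    '"src_ip":"192.0.2.11","dest_ip":"198.51.100.6",'
    '"community_id":"1:BBBBBBBBBBBBBBBBBBBBBBBBBBB=",'
    '"alert":{"signature_id":1000002,"signature":"CONSTRUCTED other signature","severity":3}}',
]


def parse_eve(lines):
    """Parse EVE JSON lines; blank or truncated lines (a live log may end mid-record) are skipped."""
    records = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records


def alerts_for_signature(records, signature_id):
    """Equivalent of jq 'select(.alert.signature_id==ID)': alert records with that signature."""
    return [r for r in records
            if r.get("event_type") == "alert"
            and r.get("alert", {}).get("signature_id") == signature_id]


def related_by_community_id(records, alert):
    """Every other record that belongs to the same flow as the alert (empty if community-id is off)."""
    cid = alert.get("community_id")
    if not cid:
        return []
    return [r for r in records if r.get("community_id") == cid and r is not alert]


def summarize(alert):
    """One-line summary in the spirit of fast.log."""
    a = alert["alert"]
    return (f"{alert['timestamp']} {alert['src_ip']} -> {alert['dest_ip']} "
            f"sid={a['signature_id']} {a['signature']}")


if __name__ == "__main__":
    path = "/var/log/suricata/eve.json"
    if os.access(path, os.R_OK):
        with open(path) as fh:
            records = parse_eve(fh)
    else:
        records = parse_eve(SAMPLE_EVE_LINES)   # offline fallback
    sid = int(sys.argv[1]) if len(sys.argv) > 1 else 1000001
    for hit in alerts_for_signature(records, sid):
        print(summarize(hit))
        for rel in related_by_community_id(records, hit):
            print("   same flow:", rel["event_type"], rel["timestamp"])
```

Run it with the signature ID as the only argument; on a host where eve.json is readable it reads the real log, otherwise it walks the constructed sample. If community-id is still false in suricata.yaml the records carry no community_id field and the "same flow" lines simply do not appear.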

At the end

Today you have installed Suricata. You saw how to use the Community Flow ID to combine it with other useful tools. You also know how to inspect the service settings and test your HTTP traffic.