Simple Suricata Setup On an Ubuntu Laptop

This morning I installed Suricata on a laptop with the Ubuntu 10.04 LTS ("Lucid Lynx") operating system. The instructions at OISF did not work, libhtp did not set up and so forth, so I wanted to provide the exact command line instructions needed.

Open a root terminal and enter the following commands in order (the indented lines further down are program output, not commands to type):

sudo apt-get -y install libpcre3 libpcre3-dbg libpcre3-dev build-essential autoconf automake libtool libpcap-dev libnet1-dev libyaml-0-2 libyaml-dev zlib1g zlib1g-dev libcap-ng-dev libcap-ng0

sudo apt-get -y install libnetfilter-queue-dev libnetfilter-queue1 libnfnetlink-dev libnfnetlink0

wget http://people.redhat.com/sgrubb/libcap-ng/libcap-ng-0.6.4.tar.gz

tar -xzvf libcap-ng-0.6.4.tar.gz

cd libcap-ng-0.6.4

./configure && make && sudo make install

apt-get install libhtp1

apt-get install libhtp-dev

wget http://www.openinfosecfoundation.org/download/suricata-1.0.0.tar.gz

tar -xvzf suricata-1.0.0.tar.gz

cd suricata-1.0.0

./configure --enable-nfqueue

sudo mkdir /var/log/suricata/

In the terminal window, you will see:

Suricata Configuration:

  • NFQueue support: yes
  • IPFW support: no
  • PF_RING support: no
  • Prelude support: no
  • Unit tests enabled: no
  • Debug output enabled: no
  • Debug validation enabled: no
  • CUDA enabled: no
  • DAG enabled: no
  • Profiling enabled: no
  • GCC Protect enabled: no
  • GCC march native enabled: yes
  • GCC Profile enabled: no
  • Unified native time: no
  • Non-bundled htp: no

make

make install

mkdir /etc/suricata

apt-get install checkinstall

checkinstall

dpkg -i suricata_1.0.0-1_i386.deb

cp classification.config suricata.yaml /etc/suricata/

mkdir /etc/suricata/rules

cd /etc/suricata/rules

wget http://www.emergingthreats.net/rules/emerging-attack_response.rules

wget http://www.emergingthreats.net/rules/emerging-scan.rules

wget http://www.emergingthreats.net/rules/emerging-exploit.rules

wget http://www.emergingthreats.net/rules/emerging-current_events.rules

wget http://www.emergingthreats.net/rules/emerging-voip.rules

wget http://www.emergingthreats.net/rules/emerging-malware.rules

wget http://www.emergingthreats.net/rules/emerging-dos.rules

wget http://www.emergingthreats.net/rules/emerging-drop.rules

wget http://www.emergingthreats.net/rules/emerging-compromised.rules

wget http://www.emergingthreats.net/rules/emerging-dshield.rules

wget http://www.emergingthreats.net/rules/emerging-botcc.rules

wget http://www.emergingthreats.net/rules/emerging-rbn.rules

wget http://www.emergingthreats.net/rules/emerging-virus.rules

Add other rules from http://www.emergingthreats.net/rules-mainmenu-38.html as desired.

Edit Suricata's config file (suricata.yaml) using vi:

cd /etc/suricata/

sudo vi suricata.yaml

As I am using the Emerging Threats rules and use Smoothwall as a gateway, I will add port 222 (Smoothwall's SSH port) to SSH_PORTS:

# emerging config

  • SSH_PORTS: 22,222

Modify your log file details, and define your network variables:

Once Suricata is compiled and installed, you must define (or reference) the location where the ruleset is stored. In the example above, we have placed the Emerging Threats rules in the config file's default location, so you won't have to change that.

A sample standard configuration file (named suricata.yaml) can be found in the Suricata base directory. Configuration details are entered in suricata.yaml that set the location for log files, log file and alert formats, and rule variable definitions.

Network variables are in the format of:

  • VARIABLE:"[X.Y.Z.A/NETMASK]"

For example, the variable HOME_NET, for a home network with the IP range 192.168.0.0/16, would be represented as:

  • HOME_NET:"[192.168.0.0/16]"

When setting a variable to the value of another variable, the variable referenced must be quoted. For example, to set the variable HTTP_SERVERS to HOME_NET, HTTP_SERVERS would be configured as:

  • HTTP_SERVERS:"$HOME_NET"
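A small checker for the variable conventions just described (bracketed CIDR lists, quoted $VAR references to a defined variable, comma-separated port lists) is a cheap way to catch a typo before starting the engine. This is an added example, not code from the page or from Suricata; the address-group and port-group values below are constructed samples, several of them deliberately wrong, and open-ended port ranges such as "1024:" are not handled.

```python
import ipaddress
import re

# Constructed sample of the two variable groups in suricata.yaml (not a real config).
ADDRESS_GROUPS = {
    "HOME_NET": '"[192.168.0.0/16]"',
    "EXTERNAL_NET": '"!$HOME_NET"',
    "HTTP_SERVERS": '"$HOME_NET"',
    "DNS_SERVERS": "$HOME_NET",                        # reference not quoted
    "SMTP_SERVERS": '"[10.0.0.0/8,192.168.1.300/32]"',  # second entry is not an address
    "SQL_SERVERS": '"$NO_SUCH_NET"',                   # references an undefined variable
}
PORT_GROUPS = {
    "HTTP_PORTS": "80",
    "SSH_PORTS": "22,222",       # Smoothwall's SSH port added, as in the walkthrough
    "ORACLE_PORTS": "1521,abc",  # non-numeric entry
}

REF = re.compile(r"^\$([A-Z_][A-Z0-9_]*)$")  # a $VARIABLE reference

def check_address_var(name, raw, defined):
    """Return the problems found in one address-group value ([] if well formed)."""
    problems, value = [], raw
    if raw.startswith('"') and raw.endswith('"'):
        value = raw[1:-1]
    elif "$" in raw:
        problems.append(f"{name}: variable reference must be quoted: {raw}")
    bracketed = value.startswith("[") and value.endswith("]")
    for item in (value[1:-1].split(",") if bracketed else [value]):
        item = item.strip().lstrip("!")  # a leading ! negates the entry
        ref = REF.match(item)
        if item == "any":
            continue
        if ref:
            if ref.group(1) not in defined:
                problems.append(f"{name}: references undefined variable ${ref.group(1)}")
            continue
        try:
            ipaddress.ip_network(item, strict=False)
        except ValueError:
            problems.append(f"{name}: not a valid address or CIDR: {item}")
    return problems

def check_port_var(name, raw):
    """Ports are comma-separated numbers or low:high ranges, optionally negated."""
    problems = []
    for item in raw.strip('"').split(","):
        parts = item.strip().lstrip("!").split(":")
        ok = 1 <= len(parts) <= 2 and all(p.isdigit() and int(p) <= 65535 for p in parts)
        if item.strip() != "any" and not ok:
            problems.append(f"{name}: not a valid port or port range: {item.strip()}")
    return problems

def validate(address_groups, port_groups):
    """Collect problems across both variable groups, in definition order."""
    problems = []
    for name, raw in address_groups.items():
        problems += check_address_var(name, raw, address_groups)
    for name, raw in port_groups.items():
        problems += check_port_var(name, raw)
    return problems

if __name__ == "__main__":
    for problem in validate(ADDRESS_GROUPS, PORT_GROUPS):
        print(problem)
```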

Start Suricata in the root terminal:

suricata -D -c /etc/suricata/suricata.yaml -s /etc/suricata/classification.config -i wlan0

Upon a successful startup, the following will be displayed in the terminal window:

  • [11402] 17/7/2010 -- 12:26:52 - (suricata.c:402) (main) -- This is Suricata version 1.0.0
  • [11402] 17/7/2010 -- 12:26:52 - (util-cpu.c:167) (UtilCpuPrintSummary) -- CPUs Summary:
  • [11402] 17/7/2010 -- 12:26:52 - (util-cpu.c:169) (UtilCpuPrintSummary) -- CPUs online: 1
  • [11402] 17/7/2010 -- 12:26:52 - (util-cpu.c:171) (UtilCpuPrintSummary) -- CPUs configured 1
  • [11402] 17/7/2010 -- 12:26:52 - (output.c:60) (OutputRegisterModule) -- Output module "AlertFastLog" registered.
  • [11402] 17/7/2010 -- 12:26:52 - (output.c:60) (OutputRegisterModule) -- Output module "AlertDebugLog" registered.
  • [11402] 17/7/2010 -- 12:26:52 - (output.c:60) (OutputRegisterModule) -- Output module "AlertUnifiedLog" registered.
  • [11402] 17/7/2010 -- 12:26:52 - (output.c:60) (OutputRegisterModule) -- Output module "AlertUnifiedAlert" registered.
  • [11402] 17/7/2010 -- 12:26:52 - (output.c:60) (OutputRegisterModule) -- Output module "Unified2Alert" registered.
  • [11402] 17/7/2010 -- 12:26:52 - (output.c:60) (OutputRegisterModule) -- Output module "LogHttpLog" registered.

You can learn more about Suricata at the Open Information Security Foundation: http://www.openinfosecfoundation.org/

Many thanks are due to the entire Suricata team for delivering the next-generation intrusion prevention system!

-- JamesMcQuaid - 17 Jul 2010

Topic revision: r2 - 2010-07-17 - JamesMcQuaid
Copyright © Emerging Threats