{"id":12400,"date":"2022-04-29T13:02:11","date_gmt":"2022-04-29T10:02:11","guid":{"rendered":"https:\/\/kifarunix.com\/?p=12400"},"modified":"2024-03-09T11:44:36","modified_gmt":"2024-03-09T08:44:36","slug":"install-and-setup-suricata-on-rocky-linux","status":"publish","type":"post","link":"https:\/\/kifarunix.com\/install-and-setup-suricata-on-rocky-linux\/","title":{"rendered":"Install and Setup Suricata on Rocky Linux"},"content":{"rendered":"\n<p>In this tutorial, you will learn how to install and setup Suricata on Rocky Linux. <a aria-label=\"undefined (opens in a new tab)\" href=\"https:\/\/suricata-ids.org\/\" target=\"_blank\" rel=\"noreferrer noopener\">Suricata<\/a> is a free and open source network threat detection engine. It can function as an intrusion detection system (IDS) engine, an inline intrusion prevention system (IPS), a network security monitoring (NSM) engine, as well as an offline pcap processing tool. It works by inspecting network traffic using rules and signatures, with Lua scripting support for detection of complex threats.<\/p>\n\n\n\n<p>Suricata offers quite a number of features. Read about them on the <a aria-label=\"undefined (opens in a new tab)\" href=\"https:\/\/suricata-ids.org\/features\/all-features\/\" target=\"_blank\" rel=\"noreferrer noopener\">All Suricata features page<\/a>.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Install and Setup Suricata on Rocky Linux<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">System Requirements<\/h3>\n\n\n\n<p>Well, Suricata is multi-threaded, hence, if you have enough cores, allocate as many of them as you can. 
Also, allocate enough RAM.<\/p>\n\n\n\n<p>In this demo, we have allocated 2 vCPUs and 4GB RAM to our Suricata server.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Install Suricata on Rocky Linux<\/h3>\n\n\n\n<p>There are various ways in which you can install Suricata on Rocky Linux;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"#install-suricata-from-source\">Install Suricata on Rocky Linux from Source<\/a><\/li>\n\n\n\n<li><a href=\"#install-suricata-from-epel-repos\">Install Suricata on Rocky Linux from EPEL Repos<\/a><\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"install-suricata-from-source\">Install Suricata on Rocky Linux from Source<\/h4>\n\n\n\n<h5 class=\"wp-block-heading\">Run system update<\/h5>\n\n\n\n<p>Update your system packages by running the command below<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>dnf update<\/code><\/pre>\n\n\n\n<h5 class=\"wp-block-heading\">Install Required Build Tools and Dependencies<\/h5>\n\n\n\n<p>There are a number of package dependencies and build tools required for a successful build and install of Suricata on Rocky Linux from the source.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>dnf config-manager --set-enabled powertools<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>dnf install diffutils file-devel gcc jansson-devel \\\nmake nss-devel libyaml-devel libcap-ng-devel \\\nlibpcap-devel pcre-devel python3 python3-pyyaml \\\nrust-toolset zlib-devel curl wget tar lua lua-devel \\\nlz4-devel -y<\/code><\/pre>\n\n\n\n<h5 class=\"wp-block-heading\">Download Suricata Source Code<\/h5>\n\n\n\n<p>Download the latest stable release Suricata source code from the <a aria-label=\"undefined (opens in a new tab)\" href=\"https:\/\/suricata-ids.org\/download\/\" target=\"_blank\" rel=\"noreferrer noopener\">Suricata downloads page<\/a>.<\/p>\n\n\n\n<p>As of this writing, Suricata 6.0.5 is the latest stable release version.<\/p>\n\n\n\n<p>Replace the value of the VER variable below with the current release 
version number of Suricata.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>VER=6.0.5<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>wget https:\/\/www.openinfosecfoundation.org\/download\/suricata-${VER}.tar.gz -P \/tmp<\/code><\/pre>\n\n\n\n<h5 class=\"wp-block-heading\">Extract Suricata Source Code<\/h5>\n\n\n\n<p>Once the download is complete, extract the source code;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>cd \/tmp<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>tar xzf suricata-${VER}.tar.gz<\/code><\/pre>\n\n\n\n<h5 class=\"wp-block-heading\">Build and Install Suricata on Rocky Linux<\/h5>\n\n\n\n<p>Navigate to the source directory and build and install Suricata on Rocky Linux.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>cd suricata-${VER}<\/code><\/pre>\n\n\n\n<p>Run the configure script to adapt Suricata to the system and verify that all required dependencies are in place.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>.\/configure --sysconfdir=\/etc --localstatedir=\/var --prefix=\/usr\/ --enable-lua --enable-geoip<\/code><\/pre>\n\n\n\n<p>These options install the Suricata binary into <code>\/usr\/bin\/suricata<\/code>, keep the configuration in <code>\/etc\/suricata<\/code> and use <code>\/var\/log\/suricata<\/code> as the log directory.<\/p>\n\n\n\n<p>Note that <code>--enable-geoip<\/code> requires the <code>libmaxminddb-devel<\/code> package to be installed; if you do not need GeoIP matching, drop the option (the summary below shows <code>GeoIP2 support<\/code> as <code>no<\/code>).<\/p>\n\n\n\n<p>For more build options, refer to <code>.\/configure --help<\/code>.<\/p>\n\n\n\n<p>Summary of the configuration;<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>\nSuricata Configuration:\n  AF_PACKET support:                       yes\n  eBPF support:                            no\n  XDP support:                             no\n  PF_RING support:                         no\n  NFQueue support:                         no\n  NFLOG support:                           no\n  IPFW support:                            no\n  Netmap support:                          no \n  DAG enabled:                             no\n  Napatech enabled:                        no\n  WinDivert enabled:                       
no\n\n  Unix socket enabled:                     yes\n  Detection enabled:                       yes\n\n  Libmagic support:                        yes\n  libnss support:                          yes\n  libnspr support:                         yes\n  libjansson support:                      yes\n  hiredis support:                         no\n  hiredis async with libevent:             no\n  Prelude support:                         no\n  PCRE jit:                                yes\n  LUA support:                             yes\n  libluajit:                               no\n  GeoIP2 support:                          no\n  Non-bundled htp:                         no\n  Hyperscan support:                       no\n  Libnet support:                          no\n  liblz4 support:                          yes\n  HTTP2 decompression:                     no\n\n  Rust support:                            yes\n  Rust strict mode:                        no\n  Rust compiler path:                      \/usr\/bin\/rustc\n  Rust compiler version:                   rustc 1.54.0 (Red Hat 1.54.0-3.module+el8.5.0+712+d335422a)\n  Cargo path:                              \/usr\/bin\/cargo\n  Cargo version:                           cargo 1.54.0\n  Cargo vendor:                            yes\n\n  Python support:                          yes\n  Python path:                             \/usr\/bin\/python3\n  Python distutils                         yes\n  Python yaml                              yes\n  Install suricatactl:                     yes\n  Install suricatasc:                      yes\n  Install suricata-update:                 yes\n\n  Profiling enabled:                       no\n  Profiling locks enabled:                 no\n\n  Plugin support (experimental):           yes\n\nDevelopment settings:\n  Coccinelle \/ spatch:                     no\n  Unit tests enabled:                      no\n  Debug output enabled:                    no\n  Debug validation enabled:             
   no\n\nGeneric build parameters:\n  Installation prefix:                     \/usr\n  Configuration directory:                 \/etc\/suricata\/\n  Log directory:                           \/var\/log\/suricata\/\n\n  --prefix                                 \/usr\n  --sysconfdir                             \/etc\n  --localstatedir                          \/var\n  --datarootdir                            \/usr\/share\n\n  Host:                                    x86_64-pc-linux-gnu\n  Compiler:                                gcc (exec name) \/ gcc (real)\n  GCC Protect enabled:                     no\n  GCC march native enabled:                yes\n  GCC Profile enabled:                     no\n  Position Independent Executable enabled: no\n  CFLAGS                                   -g -O2 -std=c11 -march=native -I${srcdir}\/..\/rust\/gen -I${srcdir}\/..\/rust\/dist\n  PCAP_CFLAGS                               \n  SECCFLAGS                                \n\nTo build and install run 'make' and 'make install'.\n\nYou can run 'make install-conf' if you want to install initial configuration\nfiles to \/etc\/suricata\/. 
Running 'make install-full' will install configuration\nand rules and provide you a ready-to-run suricata.\n\nTo install Suricata into \/usr\/bin\/suricata, have the config in\n\/etc\/suricata and use \/var\/log\/suricata as log dir, use:\n.\/configure --prefix=\/usr\/ --sysconfdir=\/etc\/ --localstatedir=\/var\/\n<\/code><\/pre>\n\n\n\n<p>Compile and install Suricata, Suricata rules and configurations.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>make<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>make install-full<\/code><\/pre>\n\n\n\n<p>Sample output;<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>\n...\nmake install-rules\nmake[1]: Entering directory '\/tmp\/suricata-6.0.5'\nLD_LIBRARY_PATH=\/usr\/lib \/usr\/bin\/suricata-update \\\n\t--suricata \/usr\/bin\/suricata \\\n\t--suricata-conf \/etc\/suricata\/suricata.yaml \\\n\t--no-test --no-reload\n29\/4\/2022 -- 04:36:02 - <Info> -- Using data-directory \/var\/lib\/suricata.\n29\/4\/2022 -- 04:36:02 - <Info> -- Using \/usr\/share\/suricata\/rules for Suricata provided rules.\n29\/4\/2022 -- 04:36:02 - <Info> -- Found Suricata version 6.0.5 at \/usr\/bin\/suricata.\n29\/4\/2022 -- 04:36:02 - <Info> -- Loading \/etc\/suricata\/suricata.yaml\n29\/4\/2022 -- 04:36:02 - <Info> -- Disabling rules for protocol http2\n29\/4\/2022 -- 04:36:02 - <Info> -- Disabling rules for protocol modbus\n29\/4\/2022 -- 04:36:02 - <Info> -- Disabling rules for protocol dnp3\n29\/4\/2022 -- 04:36:02 - <Info> -- Disabling rules for protocol enip\n29\/4\/2022 -- 04:36:02 - <Info> -- No sources configured, will use Emerging Threats Open\n29\/4\/2022 -- 04:36:02 - <Info> -- Fetching https:\/\/rules.emergingthreats.net\/open\/suricata-6.0.5\/emerging.rules.tar.gz.\n 100% - 3276257\/3276257               \n29\/4\/2022 -- 04:36:10 - <Info> -- Done.\n29\/4\/2022 -- 04:36:10 - <Info> -- Loading distribution rule file \/usr\/share\/suricata\/rules\/app-layer-events.rules\n29\/4\/2022 -- 04:36:10 - <Info> -- Loading distribution rule 
file \/usr\/share\/suricata\/rules\/decoder-events.rules\n29\/4\/2022 -- 04:36:10 - <Info> -- Loading distribution rule file \/usr\/share\/suricata\/rules\/dhcp-events.rules\n29\/4\/2022 -- 04:36:10 - <Info> -- Loading distribution rule file \/usr\/share\/suricata\/rules\/dnp3-events.rules\n29\/4\/2022 -- 04:36:10 - <Info> -- Loading distribution rule file \/usr\/share\/suricata\/rules\/dns-events.rules\n29\/4\/2022 -- 04:36:10 - <Info> -- Loading distribution rule file \/usr\/share\/suricata\/rules\/files.rules\n29\/4\/2022 -- 04:36:10 - <Info> -- Loading distribution rule file \/usr\/share\/suricata\/rules\/http-events.rules\n29\/4\/2022 -- 04:36:10 - <Info> -- Loading distribution rule file \/usr\/share\/suricata\/rules\/ipsec-events.rules\n29\/4\/2022 -- 04:36:10 - <Info> -- Loading distribution rule file \/usr\/share\/suricata\/rules\/kerberos-events.rules\n29\/4\/2022 -- 04:36:10 - <Info> -- Loading distribution rule file \/usr\/share\/suricata\/rules\/modbus-events.rules\n29\/4\/2022 -- 04:36:10 - <Info> -- Loading distribution rule file \/usr\/share\/suricata\/rules\/nfs-events.rules\n29\/4\/2022 -- 04:36:10 - <Info> -- Loading distribution rule file \/usr\/share\/suricata\/rules\/ntp-events.rules\n29\/4\/2022 -- 04:36:10 - <Info> -- Loading distribution rule file \/usr\/share\/suricata\/rules\/smb-events.rules\n29\/4\/2022 -- 04:36:10 - <Info> -- Loading distribution rule file \/usr\/share\/suricata\/rules\/smtp-events.rules\n29\/4\/2022 -- 04:36:10 - <Info> -- Loading distribution rule file \/usr\/share\/suricata\/rules\/stream-events.rules\n29\/4\/2022 -- 04:36:10 - <Info> -- Loading distribution rule file \/usr\/share\/suricata\/rules\/tls-events.rules\n29\/4\/2022 -- 04:36:10 - <Info> -- Ignoring file rules\/emerging-deleted.rules\n29\/4\/2022 -- 04:36:13 - <Info> -- Loaded 33248 rules.\n29\/4\/2022 -- 04:36:13 - <Info> -- Disabled 14 rules.\n29\/4\/2022 -- 04:36:13 - <Info> -- Enabled 0 rules.\n29\/4\/2022 -- 04:36:13 - <Info> -- Modified 0 
rules.\n29\/4\/2022 -- 04:36:13 - <Info> -- Dropped 0 rules.\n29\/4\/2022 -- 04:36:13 - <Info> -- Enabled 131 rules for flowbit dependencies.\n29\/4\/2022 -- 04:36:13 - <Info> -- Creating directory \/var\/lib\/suricata\/rules.\n29\/4\/2022 -- 04:36:13 - <Info> -- Backing up current rules.\n29\/4\/2022 -- 04:36:13 - <Info> -- Writing rules to \/var\/lib\/suricata\/rules\/suricata.rules: total: 33248; enabled: 25845; added: 33248; removed 0; modified: 0\n29\/4\/2022 -- 04:36:13 - <Info> -- Writing \/var\/lib\/suricata\/rules\/classification.config\n29\/4\/2022 -- 04:36:13 - <Info> -- Skipping test, disabled by configuration.\n29\/4\/2022 -- 04:36:13 - <Info> -- Done.\n\nYou can now start suricata by running as root something like:\n  \/usr\/bin\/suricata -c \/etc\/suricata\/suricata.yaml -i eth0\n\nIf a library like libhtp.so is not found, you can run suricata with:\n  LD_LIBRARY_PATH=\/usr\/lib \/usr\/bin\/suricata -c \/etc\/suricata\/suricata.yaml -i eth0\n\nThe Emerging Threats Open rules are now installed. 
Rules can be\nupdated and managed with the suricata-update tool.\n\nFor more information please see:\n  https:\/\/suricata.readthedocs.io\/en\/latest\/rule-management\/index.html\n\nmake[1]: Leaving directory '\/tmp\/suricata-6.0.5'\n<\/code><\/pre>\n\n\n\n<p>Suricata is now installed from sources on Rocky Linux.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"install-suricata-from-epel-repos\">Install Suricata on Rocky Linux from EPEL Repos<\/h4>\n\n\n\n<p>For a seamless installation of Suricata on Rocky Linux, installing it from the EPEL repos is a sure bet.<\/p>\n\n\n\n<h5 class=\"wp-block-heading\">Install EPEL Repos on Rocky Linux<\/h5>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>dnf install epel-release<\/code><\/pre>\n\n\n\n<h5 class=\"wp-block-heading\">Install Suricata from EPEL Repos on Rocky Linux<\/h5>\n\n\n\n<pre class=\"wp-block-code\"><code>dnf info suricata<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>\nAvailable Packages\nName         : suricata\nVersion      : 5.0.8\nRelease      : 1.el8\nArchitecture : x86_64\nSize         : 2.3 M\nSource       : suricata-5.0.8-1.el8.src.rpm\nRepository   : epel\nSummary      : Intrusion Detection System\nURL          : https:\/\/suricata-ids.org\/\nLicense      : GPLv2\n...\n<\/code><\/pre>\n\n\n\n<p>Unfortunately, as of this writing, the EPEL repos on Rocky Linux provide Suricata 5.0.8.<\/p>\n\n\n\n<p>Thus, installing Suricata from source is the surest way to get the latest version running.<\/p>\n\n\n\n<p>If you want to install this version anyway, just execute the command;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>dnf install suricata -y<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Suricata Rules<\/h3>\n\n\n\n<p>Suricata utilizes various rule sets\/signatures to detect and alert on matching threats. Rules are also known as signatures. 
&nbsp;<a href=\"https:\/\/rules.emergingthreats.net\/open\/\" target=\"_blank\" aria-label=\"undefined (opens in a new tab)\" rel=\"noreferrer noopener\">Emerging Threats<\/a>,&nbsp;<a aria-label=\"undefined (opens in a new tab)\" href=\"http:\/\/www.emergingthreatspro.com\/\" target=\"_blank\" rel=\"noreferrer noopener\">Emerging Threats Pro<\/a>&nbsp;and Sourcefire&#8217;s&nbsp;<a aria-label=\"undefined (opens in a new tab)\" href=\"http:\/\/www.snort.org\/vrt\/\" target=\"_blank\" rel=\"noreferrer noopener\">VRT<\/a> are the most commonly used rule sets.<\/p>\n\n\n\n<p>In most cases, you can find the rules files under <code>\/etc\/suricata\/rules\/<\/code>. This is the case when you install Suricata from the repos.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>ls -1 \/etc\/suricata\/rules\/<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>app-layer-events.rules\ndecoder-events.rules\ndhcp-events.rules\ndnp3-events.rules\ndns-events.rules\nfiles.rules\nhttp2-events.rules\nhttp-events.rules\nipsec-events.rules\nkerberos-events.rules\nmodbus-events.rules\nmqtt-events.rules\nnfs-events.rules\nntp-events.rules\nsmb-events.rules\nsmtp-events.rules\nstream-events.rules\ntls-events.rules\n<\/code><\/pre>\n\n\n\n<p>Emerging Threats rules are usually stored as <code><strong>\/var\/lib\/suricata\/rules\/suricata.rules<\/strong><\/code>.<\/p>\n\n\n\n<p>The ET Open rules file, <strong>suricata.rules<\/strong>, usually contains all the rules defined in the rules files located under <code><strong>\/etc\/suricata\/rules\/<\/strong><\/code>.<\/p>\n\n\n\n<p>To install and update the Emerging Threats rules, use the <code><strong>suricata-update<\/strong><\/code> command.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>suricata-update<\/code><\/pre>\n\n\n\n<p>This downloads and installs <code>suricata.rules<\/code>.<\/p>\n\n\n\n<p>A rule\/signature consists of the following sections:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The <strong>action<\/strong>, which determines what happens 
when the signature matches.<\/li>\n\n\n\n<li>The <strong>header<\/strong>, defining the protocol, IP addresses, ports and direction of the rule.<\/li>\n\n\n\n<li>The <strong>rule options<\/strong>, defining the specifics of the rule.<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>alert ip any any -&gt; any any (msg:\"SURICATA Applayer Mismatch protocol both directions\"; flow:established; app-layer-event:applayer_mismatch_protocol_both_directions; flowint:applayer.anomaly.count,+,1; classtype:protocol-command-decode; sid:2260000; rev:1;)<\/code><\/pre>\n\n\n\n<p>Read more on <a href=\"https:\/\/suricata.readthedocs.io\/en\/suricata-4.1.2\/rules\/intro.html\" target=\"_blank\" rel=\"noopener\">introduction to Suricata rules<\/a>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Suricata Basic Setup<\/h3>\n\n\n\n<p><code><strong>\/etc\/suricata\/suricata.yaml<\/strong><\/code> is the default Suricata configuration file.<\/p>\n\n\n\n<p>The configuration file contains a lot of configurable options. 
However, for our basic setup, we will only focus on the network interface on which Suricata is listening and the IP address attached to that interface.<\/p>\n\n\n\n<p>To find the interface and the IP address, run the command below;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ip --brief add<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>\nlo               UNKNOWN        127.0.0.1\/8 ::1\/128 \nenp0s3           UP             10.0.2.15\/24 \n<strong>enp0s8           UP             192.168.60.22\/24 fe80::a00:27ff:fe42:2ef5\/64 \n<\/strong>virbr0           DOWN           192.168.122.1\/24 \nvirbr0-nic       DOWN\n<\/code><\/pre>\n\n\n\n<p>In our case, our interface is <strong>enp0s8<\/strong> and the IP address is <strong><code>192.168.60.22<\/code><\/strong>.<\/p>\n\n\n\n<p>Open and edit the Suricata config file.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>vim \/etc\/suricata\/suricata.yaml<\/code><\/pre>\n\n\n\n<p>Under the <strong>vars<\/strong> section, you need to configure Suricata to differentiate between the internal network to be protected and the external network. 
This can be done by defining the correct values for the&nbsp;<code>HOME_NET<\/code>&nbsp;and&nbsp;<code>EXTERNAL_NET<\/code>&nbsp;variables respectively under the address groups.<\/p>\n\n\n\n<p>The <strong><code>HOME_NET<\/code><\/strong> variable should include the IP address of the interface on which Suricata is listening and all the local networks to protect.<\/p>\n\n\n\n<p>The <code>EXTERNAL_NET<\/code>&nbsp;variable should define any IP or network that is not local.<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>...\nvars:\n  # more specific is better for alert accuracy and performance\n  address-groups:\n    #HOME_NET: \"[192.168.0.0\/16,10.0.0.0\/8,172.16.0.0\/12]\"\n<strong>    HOME_NET: \"[192.168.60.22]\"\n<\/strong>    #HOME_NET: \"[192.168.0.0\/16]\"\n    #HOME_NET: \"[10.0.0.0\/8]\"\n    #HOME_NET: \"[172.16.0.0\/12]\"\n    #HOME_NET: \"any\"\n\n<strong>    EXTERNAL_NET: \"!$HOME_NET\"<\/strong>\n...\n<\/code><\/pre>\n\n\n\n<p>Under the <code><strong>af-packet<\/strong><\/code> section, set the value of the interface to your interface name.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>...\n# Linux high speed capture support\n<strong>af-packet:\n<\/strong>  - interface: <strong>enp0s8<\/strong>\n...<\/code><\/pre>\n\n\n\n<p>Save and exit the configuration file.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Specify Suricata Rules<\/h3>\n\n\n\n<p>Define the Suricata rules-files to use. 
We are using the default ET rules in this demo;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>...\ndefault-rule-path: \/var\/lib\/suricata\/rules\n\nrule-files:\n  - suricata.rules\n...<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Disable Packet Offloading<\/h3>\n\n\n\n<p>Disable packet offloading on the capture interface by turning off Large Receive Offload (LRO) and Generic Receive Offload (GRO);<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>ethtool -K &lt;interface&gt; gro off lro off<\/code><\/pre>\n\n\n\n<p>Replace <code>&lt;interface&gt;<\/code> with your interface.<\/p>\n\n\n\n<p>First check if these features are enabled;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ethtool -k enp0s8 | grep -iE \"generic|large\"<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>\ttx-checksum-ip-generic: on\ngeneric-segmentation-offload: on\ngeneric-receive-offload: off\nlarge-receive-offload: off &#91;fixed]<\/code><\/pre>\n\n\n\n<p>If enabled, disable them by running the command below;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ethtool -K enp0s8 gro off lro off<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Running Suricata<\/h3>\n\n\n\n<p>You can run Suricata in the foreground using the command;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>suricata -c \/etc\/suricata\/suricata.yaml -i enp0s8<\/code><\/pre>\n\n\n\n<p>To run it as a daemon in the background;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>suricata -D -c \/etc\/suricata\/suricata.yaml -i enp0s8<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\">Suricata logging;<\/h4>\n\n\n\n<p>To check if Suricata is running, check the Suricata log:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>tail \/var\/log\/suricata\/suricata.log<\/code><\/pre>\n\n\n\n<p>You should see lines like these;<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>\n...\n29\/4\/2022 -- 05:48:48 - <Info> - Found an MTU of 1500 for 'enp0s8'\n29\/4\/2022 -- 05:48:48 - <Info> - Found an MTU of 1500 for 'enp0s8'\n29\/4\/2022 -- 05:48:48 - <Info> - fast output device (regular) initialized: 
fast.log\n29\/4\/2022 -- 05:48:48 - <Info> - eve-log output device (regular) initialized: eve.json\n29\/4\/2022 -- 05:48:48 - <Info> - stats output device (regular) initialized: stats.log\n29\/4\/2022 -- 05:48:48 - <Info> - Running in live mode, activating unix socket\n29\/4\/2022 -- 05:48:49 - <Info> - 1 rule files processed. 25845 rules successfully loaded, 0 rules failed\n29\/4\/2022 -- 05:48:49 - <Info> - Threshold config parsed: 0 rule(s) found\n29\/4\/2022 -- 05:48:50 - <Info> - 25848 signatures processed. 1244 are IP-only rules, 4128 are inspecting packet payload, 20272 inspect application layer, 108 are decoder event only\n<\/code><\/pre>\n\n\n\n<p>To check Suricata statistics;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>tail -f \/var\/log\/suricata\/stats.log<\/code><\/pre>\n\n\n\n<p>To check Suricata alert logs;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>tail -f \/var\/log\/suricata\/fast.log<\/code><\/pre>\n\n\n\n<p>Suricata also writes logs in EVE JSON format. The default log file is;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>tail -f \/var\/log\/suricata\/eve.json<\/code><\/pre>\n\n\n\n<p>Check our other guide on&nbsp;<a href=\"https:\/\/kifarunix.com\/install-and-setup-suricata-on-ubuntu-22-04-ubuntu-20-04\/#read-suricata-eve-json-logs-with-jq\" target=\"_blank\" rel=\"noreferrer noopener\">how to read Suricata Eve JSON logs<\/a>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Testing Suricata Rules<\/h3>\n\n\n\n<p>In this demo, we are using the default ET Suricata rules. 
If you have created your own custom rules, be sure to test the Suricata rules for syntax errors;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>suricata -c \/etc\/suricata\/suricata.yaml -T -v<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Perform SSH DDoS Test Attack<\/h3>\n\n\n\n<p>On another system, install the hping3 tool and perform an SSH DDoS test attack.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>dnf install hping3<\/code><\/pre>\n\n\n\n<p>Then attack SSH on the server running Suricata.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>hping3 -S -p 22 --flood --rand-source 192.168.60.22<\/code><\/pre>\n\n\n\n<p>Refer to <code>man hping3<\/code>.<\/p>\n\n\n\n<p>While hping is running, tail the alert logs on the Suricata server;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>tail -f \/var\/log\/suricata\/eve.json<\/code><\/pre>\n\n\n\n<p>You should see such log lines;<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>\n{\"timestamp\":\"2022-04-29T05:55:31.753686-0400\",\"flow_id\":913602724057769,\"in_iface\":\"enp0s8\",\"event_type\":\"flow\",\"src_ip\":\"192.168.60.22\",\"src_port\":22,\"dest_ip\":\"238.159.48.57\",\"dest_port\":19281,\"proto\":\"TCP\",\"flow\":{\"pkts_toserver\":1,\"pkts_toclient\":0,\"bytes_toserver\":58,\"bytes_toclient\":0,\"start\":\"2022-04-29T05:54:29.021161-0400\",\"end\":\"2022-04-29T05:54:29.021161-0400\",\"age\":0,\"state\":\"new\",\"reason\":\"timeout\",\"alerted\":false},\"tcp\":{\"tcp_flags\":\"00\",\"tcp_flags_ts\":\"00\",\"tcp_flags_tc\":\"00\"}}\n{\"timestamp\":\"2022-04-29T05:55:31.753724-0400\",\"flow_id\":482134604256005,\"in_iface\":\"enp0s8\",\"event_type\":\"flow\",\"src_ip\":\"192.168.60.22\",\"src_port\":22,\"dest_ip\":\"229.141.92.196\",\"dest_port\":4263,\"proto\":\"TCP\",\"flow\":{\"pkts_toserver\":1,\"pkts_toclient\":0,\"bytes_toserver\":58,\"bytes_toclient\":0,\"start\":\"2022-04-29T05:54:26.529157-0400\",\"end\":\"2022-04-29T05:54:26.529157-0400\",\"age\":0,\"state\":\"new\",\"reason\":\"timeout\",\"alerted\":f
alse},\"tcp\":{\"tcp_flags\":\"00\",\"tcp_flags_ts\":\"00\",\"tcp_flags_tc\":\"00\"}}\n{\"timestamp\":\"2022-04-29T05:55:31.753782-0400\",\"flow_id\":1040673625480213,\"in_iface\":\"enp0s8\",\"event_type\":\"flow\",\"src_ip\":\"192.168.60.22\",\"src_port\":22,\"dest_ip\":\"233.190.70.84\",\"dest_port\":15282,\"proto\":\"TCP\",\"flow\":{\"pkts_toserver\":1,\"pkts_toclient\":0,\"bytes_toserver\":58,\"bytes_toclient\":0,\"start\":\"2022-04-29T05:54:14.465941-0400\",\"end\":\"2022-04-29T05:54:14.465941-0400\",\"age\":0,\"state\":\"new\",\"reason\":\"timeout\",\"alerted\":false},\"tcp\":{\"tcp_flags\":\"00\",\"tcp_flags_ts\":\"00\",\"tcp_flags_tc\":\"00\"}}\n{\"timestamp\":\"2022-04-29T05:55:31.754723-0400\",\"flow_id\":662957021708724,\"in_iface\":\"enp0s8\",\"event_type\":\"flow\",\"src_ip\":\"192.168.60.22\",\"src_port\":22,\"dest_ip\":\"239.90.205.156\",\"dest_port\":40733,\"proto\":\"TCP\",\"flow\":{\"pkts_toserver\":1,\"pkts_toclient\":0,\"bytes_toserver\":58,\"bytes_toclient\":0,\"start\":\"2022-04-29T05:54:15.246196-0400\",\"end\":\"2022-04-29T05:54:15.246196-0400\",\"age\":0,\"state\":\"new\",\"reason\":\"timeout\",\"alerted\":false},\"tcp\":{\"tcp_flags\":\"00\",\"tcp_flags_ts\":\"00\",\"tcp_flags_tc\":\"00\"}}\n{\"timestamp\":\"2022-04-29T05:55:31.763583-0400\",\"flow_id\":199353956657015,\"in_iface\":\"enp0s8\",\"event_type\":\"flow\",\"src_ip\":\"192.168.60.22\",\"src_port\":22,\"dest_ip\":\"239.1.144.165\",\"dest_port\":34671,\"proto\":\"TCP\",\"flow\":{\"pkts_toserver\":1,\"pkts_toclient\":0,\"bytes_toserver\":58,\"bytes_toclient\":0,\"start\":\"2022-04-29T05:54:13.485239-0400\",\"end\":\"2022-04-29T05:54:13.485239-0400\",\"age\":0,\"state\":\"new\",\"reason\":\"timeout\",\"alerted\":false},\"tcp\":{\"tcp_flags\":\"00\",\"tcp_flags_ts\":\"00\",\"tcp_flags_tc\":\"00\"}}\n{\"timestamp\":\"2022-04-29T05:55:31.769914-0400\",\"flow_id\":88586750486633,\"in_iface\":\"enp0s8\",\"event_type\":\"flow\",\"src_ip\":\"192.168.60.22\",\"src_port\":22,\"dest_ip\":\"228.
201.23.168\",\"dest_port\":42934,\"proto\":\"TCP\",\"flow\":{\"pkts_toserver\":1,\"pkts_toclient\":0,\"bytes_toserver\":58,\"bytes_toclient\":0,\"start\":\"2022-04-29T05:54:19.354409-0400\",\"end\":\"2022-04-29T05:54:19.354409-0400\",\"age\":0,\"state\":\"new\",\"reason\":\"timeout\",\"alerted\":false},\"tcp\":{\"tcp_flags\":\"00\",\"tcp_flags_ts\":\"00\",\"tcp_flags_tc\":\"00\"}}\n{\"timestamp\":\"2022-04-29T05:55:31.770119-0400\",\"flow_id\":799150435263953,\"in_iface\":\"enp0s8\",\"event_type\":\"flow\",\"src_ip\":\"192.168.60.22\",\"src_port\":22,\"dest_ip\":\"233.210.240.81\",\"dest_port\":11143,\"proto\":\"TCP\",\"flow\":{\"pkts_toserver\":1,\"pkts_toclient\":0,\"bytes_toserver\":58,\"bytes_toclient\":0,\"start\":\"2022-04-29T05:54:24.583121-0400\",\"end\":\"2022-04-29T05:54:24.583121-0400\",\"age\":0,\"state\":\"new\",\"reason\":\"timeout\",\"alerted\":false},\"tcp\":{\"tcp_flags\":\"00\",\"tcp_flags_ts\":\"00\",\"tcp_flags_tc\":\"00\"}}\n{\"timestamp\":\"2022-04-29T05:55:31.770257-0400\",\"flow_id\":443144890559460,\"in_iface\":\"enp0s8\",\"event_type\":\"flow\",\"src_ip\":\"192.168.60.22\",\"src_port\":22,\"dest_ip\":\"224.47.115.112\",\"dest_port\":41823,\"proto\":\"TCP\",\"flow\":{\"pkts_toserver\":1,\"pkts_toclient\":0,\"bytes_toserver\":58,\"bytes_toclient\":0,\"start\":\"2022-04-29T05:54:17.273380-0400\",\"end\":\"2022-04-29T05:54:17.273380-0400\",\"age\":0,\"state\":\"new\",\"reason\":\"timeout\",\"alerted\":false},\"tcp\":{\"tcp_flags\":\"00\",\"tcp_flags_ts\":\"00\",\"tcp_flags_tc\":\"00\"}}\n{\"timestamp\":\"2022-04-29T05:55:31.770276-0400\",\"flow_id\":1991257262436679,\"in_iface\":\"enp0s8\",\"event_type\":\"flow\",\"src_ip\":\"192.168.60.22\",\"src_port\":22,\"dest_ip\":\"228.165.58.214\",\"dest_port\":29507,\"proto\":\"TCP\",\"flow\":{\"pkts_toserver\":1,\"pkts_toclient\":0,\"bytes_toserver\":58,\"bytes_toclient\":0,\"start\":\"2022-04-29T05:54:16.831815-0400\",\"end\":\"2022-04-29T05:54:16.831815-0400\",\"age\":0,\"state\":\"new\",\"reason\":\"timeout\",\"alerted\":false},\"tcp\":{\"tcp_flags\":\"00\",\"tcp_flags_ts\":\"00\",\"tcp_flags_tc\":\"00\"}}\n...\n<\/code><\/pre>\n\n\n\n<p>Check the stats;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>cat \/var\/log\/suricata\/stats.log<\/code><\/pre>\n\n\n\n<p>With that simple test, we can see that Suricata is set up and running well using the default Emerging Threats rules. Note that the records above are flow events (<code>alerted: false<\/code>); whether the flood also produces alert events depends on the rules loaded.<\/p>\n\n\n\n<p>That marks the end of our guide on how to setup Suricata on Rocky Linux.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Reference<\/h3>\n\n\n\n<p>Read more on the <a aria-label=\"undefined (opens in a new tab)\" href=\"https:\/\/suricata.readthedocs.io\/en\/suricata-5.0.3\/\" target=\"_blank\" rel=\"noreferrer noopener\">Suricata User Guide<\/a>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Related Tutorials<\/h3>\n\n\n\n<p><a aria-label=\"undefined (opens in a new tab)\" href=\"https:\/\/kifarunix.com\/install-and-setup-suricata-on-ubuntu-18-04\/\" target=\"_blank\" rel=\"noreferrer noopener\">Install and Setup Suricata on Ubuntu 18.04<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/install-and-setup-suricata-on-ubuntu-22-04-ubuntu-20-04\/\" target=\"_blank\" rel=\"noreferrer noopener\">Install and Setup Suricata on Ubuntu 22.04\/Ubuntu 20.04<\/a><\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Other Rocky Linux Tutorials<\/h3>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/setup-ipsec-vpn-server-with-libreswan-on-rocky-linux\/\" target=\"_blank\" rel=\"noreferrer noopener\">Setup IPSec VPN server with Libreswan on Rocky Linux<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>In this tutorial, you will learn how to install and setup Suricata on Rocky Linux. 
Suricata is a free and open source network threat detection<\/p>\n","protected":false},"author":3,"featured_media":12369,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"rank_math_lock_modified_date":false,"footnotes":""},"categories":[34,121,317],"tags":[319,4952,3587,4953,4955,318,4954],"class_list":["post-12400","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security","category-howtos","category-suricata","tag-ids","tag-install-suricata-rocky-linux","tag-rocky-linux-8","tag-rocky-linux-8-suricata","tag-rocky-linux-suricata-install","tag-suricata","tag-suricata-ids","generate-columns","tablet-grid-50","mobile-grid-100","grid-parent","grid-50","resize-featured-image"],"_links":{"self":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/12400"}],"collection":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/comments?post=12400"}],"version-history":[{"count":5,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/12400\/revisions"}],"predecessor-version":[{"id":20459,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/12400\/revisions\/20459"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media\/12369"}],"wp:attachment":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media?parent=12400"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/categories?post=12400"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/tags?post=12400"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}