{"id":2201,"date":"2019-02-06T00:17:15","date_gmt":"2019-02-05T21:17:15","guid":{"rendered":"http:\/\/kifarunix.com\/?p=2201"},"modified":"2024-03-11T22:20:49","modified_gmt":"2024-03-11T19:20:49","slug":"install-and-setup-suricata-on-ubuntu-18-04","status":"publish","type":"post","link":"https:\/\/kifarunix.com\/install-and-setup-suricata-on-ubuntu-18-04\/","title":{"rendered":"Install and Setup Suricata on Ubuntu 18.04"},"content":{"rendered":"\n<p>Today, we are going to learn how to install and setup Suricata on Ubuntu 18.04. Suricata is an opensource network threat detection tool. Suricata uses rules and signatures to detect threat in network traffic. It also supports Lua scripting language that helps it unearth the most complex would be threats in the network. Suricata is a product of <a href=\"https:\/\/suricata-ids.org\/about\/oisf\/\" target=\"_blank\" rel=\"noopener noreferrer\">Open Information Security Foundation<\/a>. It is capable of providing NIDS, IPS, NSM and offline pcap processing. 
It can be integrated with other tools such as BASE, Snorby, Sguil, SQueRT, ELK, SIEM solutions, etc.<\/p>\n\n\n\n<p>To see a complete list of features supported by Suricata, you can check <a href=\"https:\/\/suricata-ids.org\/features\/all-features\/\" target=\"_blank\" rel=\"noopener noreferrer\">all features<\/a>.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Installing Suricata on Ubuntu 18.04<\/h2>\n\n\n\n<p>There are two ways in which you can install Suricata on Ubuntu 18.04;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"#source\">Installing from the source<\/a><\/li>\n\n\n\n<li><a href=\"#suricata-ppa-repo\">Installing from PPA Repository<\/a><\/li>\n<\/ul>\n\n\n\n<p>In this guide, we are going to cover both methods of installing Suricata on Ubuntu 18.04.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"source\">Installing Suricata from Source On Ubuntu 18.04<\/h3>\n\n\n\n<p>Installing Suricata from source on Ubuntu 18.04 is the surest way to get the latest stable version of Suricata up and running on Ubuntu 18.04.<\/p>\n\n\n\n<p>However, it requires a little extra effort. Before you can install Suricata from source, ensure that all the required dependencies are installed.<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>sudo apt -y install libpcre3 libpcre3-dbg libpcre3-dev \\\nbuild-essential autoconf automake libtool libpcap-dev \\\nlibnet1-dev libyaml-0-2 libyaml-dev zlib1g zlib1g-dev \\\nlibcap-ng-dev libcap-ng0 make libmagic-dev \\\nlibjansson-dev libjansson4 pkg-config libnspr4-dev \\\nlibnss3-dev liblz4-dev rustc cargo python-pip python3-distutils\n<\/code><\/pre>\n\n\n\n<p>Suricata functions as an IDS out of the box. 
If you need to include the IPS functionality, install the following libraries.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo apt -y install libnetfilter-queue-dev libnetfilter-queue1 libnfnetlink-dev libnfnetlink0<\/code><\/pre>\n\n\n\n<p>Next, download the <a href=\"https:\/\/suricata.io\/download\/\" target=\"_blank\" rel=\"noreferrer noopener\">latest stable Suricata tarball<\/a>. You can simply download it as shown below;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>wget https:\/\/www.openinfosecfoundation.org\/download\/suricata-6.0.5.tar.gz<\/code><\/pre>\n\n\n\n<p>Once the download is complete, extract the tarball.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>tar xzf suricata-6.0.5.tar.gz<\/code><\/pre>\n\n\n\n<p>Navigate to the extracted Suricata directory and configure the Suricata engine for compilation. The <code>--enable-nfqueue<\/code> option ensures that Suricata is built with IPS capabilities.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>cd suricata-6.0.5\n.\/configure --enable-nfqueue --prefix=\/usr --sysconfdir=\/etc --localstatedir=\/var<\/code><\/pre>\n\n\n\n<p>Summary of the Suricata configuration. Check the <code>NFQueue support<\/code> line in particular; it reads <code>yes<\/code> only when the netfilter queue libraries installed above were found, so a <code>no<\/code> here means the resulting build will not have inline IPS capability;<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>Suricata Configuration:\n  AF_PACKET support:                       yes\n  eBPF support:                            no\n  XDP support:                             no\n  PF_RING support:                         no\n  NFQueue support:                         no\n  NFLOG support:                           no\n  IPFW support:                            no\n  Netmap support:                          no \n  DAG enabled:                             no\n  Napatech enabled:                        no\n  WinDivert enabled:                       no\n\n  Unix socket enabled:                     yes\n  Detection enabled:                       yes\n\n  Libmagic support:                        yes\n  libnss support:                          yes\n  libnspr support:                         yes\n  libjansson support:                      yes\n  
hiredis support:                         no\n  hiredis async with libevent:             no\n  Prelude support:                         no\n  PCRE jit:                                yes\n  LUA support:                             no\n  libluajit:                               no\n  GeoIP2 support:                          no\n  Non-bundled htp:                         no\n  Hyperscan support:                       no\n  Libnet support:                          yes\n  liblz4 support:                          yes\n  HTTP2 decompression:                     no\n\n  Rust support:                            yes\n  Rust strict mode:                        no\n  Rust compiler path:                      \/usr\/bin\/rustc\n  Rust compiler version:                   rustc 1.57.0\n  Cargo path:                              \/usr\/bin\/cargo\n  Cargo version:                           cargo 1.57.0\n  Cargo vendor:                            yes\n\n  Python support:                          yes\n  Python path:                             \/usr\/bin\/python3\n  Python distutils                         yes\n  Python yaml                              yes\n  Install suricatactl:                     yes\n  Install suricatasc:                      yes\n  Install suricata-update:                 yes\n\n  Profiling enabled:                       no\n  Profiling locks enabled:                 no\n\n  Plugin support (experimental):           yes\n\nDevelopment settings:\n  Coccinelle \/ spatch:                     no\n  Unit tests enabled:                      no\n  Debug output enabled:                    no\n  Debug validation enabled:                no\n\nGeneric build parameters:\n  Installation prefix:                     \/usr\n  Configuration directory:                 \/etc\/suricata\/\n  Log directory:                           \/varmake\/log\/suricata\/\n\n  --prefix                                 \/usr\n  --sysconfdir                             \/etc\n  --localstatedir       
                   \/varmake\n  --datarootdir                            \/usr\/share\n\n  Host:                                    x86_64-pc-linux-gnu\n  Compiler:                                gcc (exec name) \/ g++ (real)\n  GCC Protect enabled:                     no\n  GCC march native enabled:                yes\n  GCC Profile enabled:                     no\n  Position Independent Executable enabled: no\n  CFLAGS                                   -g -O2 -std=c11 -march=native -I${srcdir}\/..\/rust\/gen -I${srcdir}\/..\/rust\/dist\n  PCAP_CFLAGS                               -I\/usr\/include\n  SECCFLAGS                                \n\nTo build and install run 'make' and 'make install'.\n\nYou can run 'make install-conf' if you want to install initial configuration\nfiles to \/etc\/suricata\/. Running 'make install-full' will install configuration\nand rules and provide you a ready-to-run suricata.\n\nTo install Suricata into \/usr\/bin\/suricata, have the config in\n\/etc\/suricata and use \/var\/log\/suricata as log dir, use:\n.\/configure --prefix=\/usr\/ --sysconfdir=\/etc\/ --localstatedir=\/var\/\n<\/code><\/pre>\n\n\n\n<p>Compile and install the Suricata engine;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>make<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>make install-full<\/code><\/pre>\n\n\n\n<p>The <code>make install-full<\/code> command will simply install both the Suricata initial configuration file and the Suricata rules, using the new Suricata rule management tool, <code>suricata-update<\/code>.<\/p>\n\n\n\n<p>If the installation is successful, you should see the output below;<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>\n...\ninstall -d \"\/etc\/suricata\/\"\ninstall -d \"\/varmake\/log\/suricata\/files\"\ninstall -d \"\/varmake\/log\/suricata\/certs\"\ninstall -d \"\/varmake\/run\/\"\ninstall -m 770 -d \"\/varmake\/run\/suricata\"\nmake[1]: Leaving directory '\/root\/suricata-6.0.5'\nmake install-rules\nmake[1]: Entering directory 
'\/root\/suricata-6.0.5'\nLD_LIBRARY_PATH=\/usr\/lib \/usr\/bin\/suricata-update \\\n\t--suricata \/usr\/bin\/suricata \\\n\t--suricata-conf \/etc\/suricata\/suricata.yaml \\\n\t--no-test --no-reload\n28\/4\/2022 -- 18:05:42 - <Info> -- Using data-directory \/varmake\/lib\/suricata.\n28\/4\/2022 -- 18:05:42 - <Info> -- Using \/usr\/share\/suricata\/rules for Suricata provided rules.\n28\/4\/2022 -- 18:05:42 - <Info> -- Found Suricata version 6.0.5 at \/usr\/bin\/suricata.\n28\/4\/2022 -- 18:05:42 - <Info> -- Loading \/etc\/suricata\/suricata.yaml\n28\/4\/2022 -- 18:05:42 - <Info> -- Disabling rules for protocol http2\n28\/4\/2022 -- 18:05:42 - <Info> -- Disabling rules for protocol modbus\n28\/4\/2022 -- 18:05:42 - <Info> -- Disabling rules for protocol dnp3\n28\/4\/2022 -- 18:05:42 - <Info> -- Disabling rules for protocol enip\n28\/4\/2022 -- 18:05:42 - <Info> -- No sources configured, will use Emerging Threats Open\n28\/4\/2022 -- 18:05:42 - <Info> -- Fetching https:\/\/rules.emergingthreats.net\/open\/suricata-6.0.5\/emerging.rules.tar.gz.\n 100% - 3274660\/3274660               \n28\/4\/2022 -- 18:06:35 - <Info> -- Done.\n28\/4\/2022 -- 18:06:35 - <Info> -- Loading distribution rule file \/usr\/share\/suricata\/rules\/app-layer-events.rules\n28\/4\/2022 -- 18:06:35 - <Info> -- Loading distribution rule file \/usr\/share\/suricata\/rules\/decoder-events.rules\n28\/4\/2022 -- 18:06:35 - <Info> -- Loading distribution rule file \/usr\/share\/suricata\/rules\/dhcp-events.rules\n28\/4\/2022 -- 18:06:35 - <Info> -- Loading distribution rule file \/usr\/share\/suricata\/rules\/dnp3-events.rules\n28\/4\/2022 -- 18:06:35 - <Info> -- Loading distribution rule file \/usr\/share\/suricata\/rules\/dns-events.rules\n28\/4\/2022 -- 18:06:35 - <Info> -- Loading distribution rule file \/usr\/share\/suricata\/rules\/files.rules\n28\/4\/2022 -- 18:06:35 - <Info> -- Loading distribution rule file \/usr\/share\/suricata\/rules\/http-events.rules\n28\/4\/2022 -- 18:06:35 - <Info> -- 
Loading distribution rule file \/usr\/share\/suricata\/rules\/ipsec-events.rules\n28\/4\/2022 -- 18:06:35 - <Info> -- Loading distribution rule file \/usr\/share\/suricata\/rules\/kerberos-events.rules\n28\/4\/2022 -- 18:06:35 - <Info> -- Loading distribution rule file \/usr\/share\/suricata\/rules\/modbus-events.rules\n28\/4\/2022 -- 18:06:35 - <Info> -- Loading distribution rule file \/usr\/share\/suricata\/rules\/nfs-events.rules\n28\/4\/2022 -- 18:06:35 - <Info> -- Loading distribution rule file \/usr\/share\/suricata\/rules\/ntp-events.rules\n28\/4\/2022 -- 18:06:35 - <Info> -- Loading distribution rule file \/usr\/share\/suricata\/rules\/smb-events.rules\n28\/4\/2022 -- 18:06:35 - <Info> -- Loading distribution rule file \/usr\/share\/suricata\/rules\/smtp-events.rules\n28\/4\/2022 -- 18:06:35 - <Info> -- Loading distribution rule file \/usr\/share\/suricata\/rules\/stream-events.rules\n28\/4\/2022 -- 18:06:35 - <Info> -- Loading distribution rule file \/usr\/share\/suricata\/rules\/tls-events.rules\n28\/4\/2022 -- 18:06:35 - <Info> -- Ignoring file rules\/emerging-deleted.rules\n28\/4\/2022 -- 18:06:37 - <Info> -- Loaded 33238 rules.\n28\/4\/2022 -- 18:06:37 - <Info> -- Disabled 14 rules.\n28\/4\/2022 -- 18:06:37 - <Info> -- Enabled 0 rules.\n28\/4\/2022 -- 18:06:37 - <Info> -- Modified 0 rules.\n28\/4\/2022 -- 18:06:37 - <Info> -- Dropped 0 rules.\n28\/4\/2022 -- 18:06:37 - <Info> -- Enabled 131 rules for flowbit dependencies.\n28\/4\/2022 -- 18:06:37 - <Info> -- Creating directory \/varmake\/lib\/suricata\/rules.\n28\/4\/2022 -- 18:06:37 - <Info> -- Backing up current rules.\n28\/4\/2022 -- 18:06:37 - <Info> -- Writing rules to \/varmake\/lib\/suricata\/rules\/suricata.rules: total: 33238; enabled: 25835; added: 33238; removed 0; modified: 0\n28\/4\/2022 -- 18:06:37 - <Info> -- Writing \/varmake\/lib\/suricata\/rules\/classification.config\n28\/4\/2022 -- 18:06:37 - <Info> -- Skipping test, disabled by configuration.\n28\/4\/2022 -- 18:06:37 - <Info> -- 
Done.\n\nYou can now start suricata by running as root something like:\n  \/usr\/bin\/suricata -c \/etc\/suricata\/suricata.yaml -i eth0\n\nIf a library like libhtp.so is not found, you can run suricata with:\n  LD_LIBRARY_PATH=\/usr\/lib \/usr\/bin\/suricata -c \/etc\/suricata\/suricata.yaml -i eth0\n\nThe Emerging Threats Open rules are now installed. Rules can be\nupdated and managed with the suricata-update tool.\n\nFor more information please see:\n  https:\/\/suricata.readthedocs.io\/en\/latest\/rule-management\/index.html\n\nmake[1]: Leaving directory '\/root\/suricata-6.0.5'\n<\/code><\/pre>\n\n\n\n<p>The configuration file is set under <code>\/etc\/suricata\/suricata.yaml<\/code> while the rules are written to <code>\/etc\/suricata\/rules\/<\/code>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"suricata-ppa-repo\">Installing Suricata on Ubuntu 18.04 from PPA repository<\/h3>\n\n\n\n<p>Even though Suricata is available in the default Ubuntu 18.04 repositories, it may not be up-to-date.<\/p>\n\n\n\n<p>As a result, to ensure that you get the latest version installed, you need to add the following PPA repository.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo add-apt-repository ppa:oisf\/suricata-stable<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo apt update<\/code><\/pre>\n\n\n\n<p>Once the PPA repo is set, check which version of Suricata the package manager will install.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>apt-cache policy suricata<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>suricata:\n  Installed: (none)\n  Candidate: 6.0.5-0ubuntu2\n  Version table:\n     6.0.5-0ubuntu2 500\n        500 http:\/\/ppa.launchpad.net\/oisf\/suricata-stable\/ubuntu bionic\/main amd64 Packages\n     3.2-2ubuntu3 500\n        500 http:\/\/us.archive.ubuntu.com\/ubuntu bionic\/universe amd64 Packages\n<\/code><\/pre>\n\n\n\n<p>As you can see, the candidate is the latest release version of Suricata, coming from the PPA.<\/p>\n\n\n\n<p>You can then do the installation by executing the 
command;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo apt install suricata jq<\/code><\/pre>\n\n\n\n<p>You can instead install Suricata with debugging enabled.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>sudo apt install suricata-dbg<\/code><\/pre>\n\n\n\n<p>That is all with installation.<\/p>\n\n\n\n<p>You can check which configuration options Suricata was built with;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo suricata --build-info<\/code><\/pre>\n\n\n\n<p>The command also shows the version of the installed Suricata.<\/p>\n\n\n\n<p>Sample output;<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>This is Suricata version 6.0.5 RELEASE\nFeatures: NFQ PCAP_SET_BUFF AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK PCRE_JIT HAVE_NSS HAVE_LUA HAVE_LUAJIT HAVE_LIBJANSSON TLS TLS_C11 MAGIC RUST \nSIMD support: none\nAtomic intrinsics: 1 2 4 8 byte(s)\n64-bits, Little-endian architecture\nGCC version 7.5.0, C version 201112\ncompiled with _FORTIFY_SOURCE=2\nL1 cache line size (CLS)=64\nthread local storage method: _Thread_local\ncompiled with LibHTP v0.5.40, linked against LibHTP v0.5.40\n\nSuricata Configuration:\n  AF_PACKET support:                       yes\n  eBPF support:                            no\n  XDP support:                             no\n  PF_RING support:                         no\n  NFQueue support:                         yes\n  NFLOG support:                           no\n  IPFW support:                            no\n  Netmap support:                          no \n  DAG enabled:                             no\n  Napatech enabled:                        no\n  WinDivert enabled:                       no\n\n  Unix socket enabled:                     yes\n  Detection enabled:                       yes\n\n  Libmagic support:                        yes\n  libnss support:                          yes\n  libnspr support:                         yes\n  libjansson support:                      yes\n  hiredis 
support:                         yes\n  hiredis async with libevent:             yes\n  Prelude support:                         no\n  PCRE jit:                                yes\n  LUA support:                             yes, through luajit\n  libluajit:                               yes\n  GeoIP2 support:                          yes\n  Non-bundled htp:                         yes\n  Hyperscan support:                       yes\n  Libnet support:                          yes\n  liblz4 support:                          yes\n  HTTP2 decompression:                     no\n\n  Rust support:                            yes\n  Rust strict mode:                        no\n  Rust compiler path:                      \/usr\/bin\/rustc\n  Rust compiler version:                   rustc 1.57.0\n  Cargo path:                              \/usr\/bin\/cargo\n  Cargo version:                           cargo 1.57.0\n  Cargo vendor:                            yes\n\n  Python support:                          yes\n  Python path:                             \/usr\/bin\/python3\n  Python distutils                         yes\n  Python yaml                              yes\n  Install suricatactl:                     yes\n  Install suricatasc:                      yes\n  Install suricata-update:                 yes\n\n  Profiling enabled:                       no\n  Profiling locks enabled:                 no\n\n  Plugin support (experimental):           yes\n\nDevelopment settings:\n  Coccinelle \/ spatch:                     no\n  Unit tests enabled:                      no\n  Debug output enabled:                    no\n  Debug validation enabled:                no\n\nGeneric build parameters:\n  Installation prefix:                     \/usr\n  Configuration directory:                 \/etc\/suricata\/\n  Log directory:                           \/var\/log\/suricata\/\n\n  --prefix                                 \/usr\n  --sysconfdir                             \/etc\n  
--localstatedir                          \/var\n  --datarootdir                            \/usr\/share\n\n  Host:                                    x86_64-pc-linux-gnu\n  Compiler:                                gcc (exec name) \/ g++ (real)\n  GCC Protect enabled:                     yes\n  GCC march native enabled:                no\n  GCC Profile enabled:                     no\n  Position Independent Executable enabled: yes\n  CFLAGS                                   -g -O2 -fdebug-prefix-map=\/build\/suricata-QUjETh\/suricata-6.0.5=. -fstack-protector-strong -Wformat -Werror=format-security -std=c11 -I${srcdir}\/..\/rust\/gen -I${srcdir}\/..\/rust\/dist\n  PCAP_CFLAGS                               -I\/usr\/include\n  SECCFLAGS                                -fstack-protector -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security\n<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Configure Suricata on Ubuntu 18.04<\/h3>\n\n\n\n<p>At the end of installation, you will have Suricata rules under <code>\/etc\/suricata\/rules\/<\/code> and the main configuration file under <code>\/etc\/suricata\/suricata.yaml<\/code>.<\/p>\n\n\n\n<p>The default Suricata configuration file is commented well enough to provide a clear understanding of what every setting is for.<\/p>\n\n\n\n<p>To begin with, you need to configure Suricata to differentiate between the internal network to be protected and the external network. This is done by defining the correct values for the <code>HOME_NET<\/code> and <code>EXTERNAL_NET<\/code> variables respectively under the address groups.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>vim \/etc\/suricata\/suricata.yaml<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>    HOME_NET: \"&#91;10.0.2.0\/24]\"\n...\n    EXTERNAL_NET: \"!$HOME_NET\"\n...<\/code><\/pre>\n\n\n\n<p>In my case, I am using the network <code>10.0.2.0\/24<\/code> as my home network. 
The external network is set to anything that doesn&#8217;t match the home network.<\/p>\n\n\n\n<p>You can define multiple networks.<\/p>\n\n\n\n<p>Also, define the interface that Suricata will use to inspect the traffic. By default, Suricata uses the <strong><code>eth0<\/code><\/strong> interface.<\/p>\n\n\n\n<p>So list your interfaces using the ip command and determine which one to configure Suricata to use.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ip a<\/code><\/pre>\n\n\n\n<p>Sample output;<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>\n1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000\n    link\/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00\n    inet 127.0.0.1\/8 scope host lo\n       valid_lft forever preferred_lft forever\n    inet6 ::1\/128 scope host \n       valid_lft forever preferred_lft forever\n2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000\n    link\/ether 08:00:27:87:10:f0 brd ff:ff:ff:ff:ff:ff\n    inet 10.0.2.15\/24 brd 10.0.2.255 scope global dynamic enp0s3\n       valid_lft 84377sec preferred_lft 84377sec\n    inet6 fe80::a00:27ff:fe87:10f0\/64 scope link \n       valid_lft forever preferred_lft forever\n3: enp0s8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000\n    link\/ether 08:00:27:7e:14:7d brd ff:ff:ff:ff:ff:ff\n    inet 192.168.57.10\/24 brd 192.168.57.255 scope global enp0s8\n       valid_lft forever preferred_lft forever\n    inet6 fe80::a00:27ff:fe7e:147d\/64 scope link \n       valid_lft forever preferred_lft forever\n<\/code><\/pre>\n\n\n\n<p>In my case, I will use interface enp0s3. 
You can also see that the HOME_NET defined above is on that interface.<\/p>\n\n\n\n<p>The interface can be set by updating the value of <code>interface<\/code> under the <code>af-packet<\/code> section;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>af-packet:\n  - interface: <strong>enp0s3<\/strong><\/code><\/pre>\n\n\n\n<p>Next, install the Suricata Emerging Threats rules.<\/p>\n\n\n\n<p>By default, the Suricata rules are placed under the <code><strong>\/etc\/suricata\/rules\/<\/strong><\/code> directory.<\/p>\n\n\n\n<p>To list the default Suricata rules;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ls -1 \/etc\/suricata\/rules\/<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>app-layer-events.rules\ndecoder-events.rules\ndhcp-events.rules\ndnp3-events.rules\ndns-events.rules\nfiles.rules\nhttp2-events.rules\nhttp-events.rules\nipsec-events.rules\nkerberos-events.rules\nmodbus-events.rules\nmqtt-events.rules\nnfs-events.rules\nntp-events.rules\nsmb-events.rules\nsmtp-events.rules\nstream-events.rules\ntls-events.rules\n<\/code><\/pre>\n\n\n\n<p>With the default rules alone, only limited detection is possible. 
Emerging Threat rules are the <strong><em>most comprehensive rule set optimized for the&nbsp;Suricata&nbsp;open source IDS\/IPS engine<\/em><\/strong>.<\/p>\n\n\n\n<p>To install Suricata ET rules, use the <strong><code>suricata-update<\/code><\/strong> command as shown below;<\/p>\n\n\n\n<p><strong>NOTE that the ET rules are installed automatically when you build Suricata from source and install using the make install-full command.<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo suricata-update<\/code><\/pre>\n\n\n\n<p>Sample output;<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>\n28\/4\/2022 -- 18:51:21 - <Info> -- Using data-directory \/var\/lib\/suricata.\n28\/4\/2022 -- 18:51:21 - <Info> -- Using Suricata configuration \/etc\/suricata\/suricata.yaml\n28\/4\/2022 -- 18:51:21 - <Info> -- Using \/etc\/suricata\/rules for Suricata provided rules.\n28\/4\/2022 -- 18:51:21 - <Info> -- Found Suricata version 6.0.5 at \/usr\/bin\/suricata.\n28\/4\/2022 -- 18:51:21 - <Info> -- Loading \/etc\/suricata\/suricata.yaml\n28\/4\/2022 -- 18:51:21 - <Info> -- Disabling rules for protocol http2\n28\/4\/2022 -- 18:51:21 - <Info> -- Disabling rules for protocol modbus\n28\/4\/2022 -- 18:51:21 - <Info> -- Disabling rules for protocol dnp3\n28\/4\/2022 -- 18:51:21 - <Info> -- Disabling rules for protocol enip\n28\/4\/2022 -- 18:51:21 - <Info> -- No sources configured, will use Emerging Threats Open\n28\/4\/2022 -- 18:51:21 - <Info> -- Fetching https:\/\/rules.emergingthreats.net\/open\/suricata-6.0.5\/emerging.rules.tar.gz.\n 100% - 3274660\/3274660               \n28\/4\/2022 -- 18:51:27 - <Info> -- Done.\n28\/4\/2022 -- 18:51:28 - <Info> -- Loading distribution rule file \/etc\/suricata\/rules\/app-layer-events.rules\n28\/4\/2022 -- 18:51:28 - <Info> -- Loading distribution rule file \/etc\/suricata\/rules\/decoder-events.rules\n28\/4\/2022 -- 18:51:28 - <Info> -- Loading distribution rule file \/etc\/suricata\/rules\/dhcp-events.rules\n28\/4\/2022 -- 18:51:28 - <Info> 
-- Loading distribution rule file \/etc\/suricata\/rules\/dnp3-events.rules\n28\/4\/2022 -- 18:51:28 - <Info> -- Loading distribution rule file \/etc\/suricata\/rules\/dns-events.rules\n28\/4\/2022 -- 18:51:28 - <Info> -- Loading distribution rule file \/etc\/suricata\/rules\/files.rules\n28\/4\/2022 -- 18:51:28 - <Info> -- Loading distribution rule file \/etc\/suricata\/rules\/http-events.rules\n28\/4\/2022 -- 18:51:28 - <Info> -- Loading distribution rule file \/etc\/suricata\/rules\/ipsec-events.rules\n28\/4\/2022 -- 18:51:28 - <Info> -- Loading distribution rule file \/etc\/suricata\/rules\/kerberos-events.rules\n28\/4\/2022 -- 18:51:28 - <Info> -- Loading distribution rule file \/etc\/suricata\/rules\/modbus-events.rules\n28\/4\/2022 -- 18:51:28 - <Info> -- Loading distribution rule file \/etc\/suricata\/rules\/nfs-events.rules\n28\/4\/2022 -- 18:51:28 - <Info> -- Loading distribution rule file \/etc\/suricata\/rules\/ntp-events.rules\n28\/4\/2022 -- 18:51:28 - <Info> -- Loading distribution rule file \/etc\/suricata\/rules\/smb-events.rules\n28\/4\/2022 -- 18:51:28 - <Info> -- Loading distribution rule file \/etc\/suricata\/rules\/smtp-events.rules\n28\/4\/2022 -- 18:51:28 - <Info> -- Loading distribution rule file \/etc\/suricata\/rules\/stream-events.rules\n28\/4\/2022 -- 18:51:28 - <Info> -- Loading distribution rule file \/etc\/suricata\/rules\/tls-events.rules\n28\/4\/2022 -- 18:51:28 - <Info> -- Ignoring file rules\/emerging-deleted.rules\n28\/4\/2022 -- 18:51:29 - <Info> -- Loaded 33238 rules.\n28\/4\/2022 -- 18:51:29 - <Info> -- Disabled 14 rules.\n28\/4\/2022 -- 18:51:29 - <Info> -- Enabled 0 rules.\n28\/4\/2022 -- 18:51:29 - <Info> -- Modified 0 rules.\n28\/4\/2022 -- 18:51:29 - <Info> -- Dropped 0 rules.\n28\/4\/2022 -- 18:51:30 - <Info> -- Enabled 131 rules for flowbit dependencies.\n28\/4\/2022 -- 18:51:30 - <Info> -- Creating directory \/var\/lib\/suricata\/rules.\n28\/4\/2022 -- 18:51:30 - <Info> -- Backing up current rules.\n28\/4\/2022 -- 
18:51:30 - <Info> -- Writing rules to \/var\/lib\/suricata\/rules\/suricata.rules: total: 33238; enabled: 25835; added: 33238; removed 0; modified: 0\n28\/4\/2022 -- 18:51:30 - <Info> -- Writing \/var\/lib\/suricata\/rules\/classification.config\n28\/4\/2022 -- 18:51:30 - <Info> -- Testing with suricata -T.\n28\/4\/2022 -- 18:51:30 - <Warning> -- [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol sip enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.\n28\/4\/2022 -- 18:51:30 - <Warning> -- [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol mqtt enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.\n28\/4\/2022 -- 18:51:30 - <Warning> -- [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol rdp enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. 
See ticket #4744 for more details.\n28\/4\/2022 -- 18:52:08 - <Info> -- Done.\n<\/code><\/pre>\n\n\n\n<p>The ET rules are written to <strong><code>\/var\/lib\/suricata\/rules\/suricata.rules<\/code><\/strong>.<\/p>\n\n\n\n<p>Note that Suricata is configured to load the Suricata-Update managed rules by default.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>vim \/etc\/suricata\/suricata.yaml<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>...\ndefault-rule-path: \/var\/lib\/suricata\/rules\n\nrule-files:\n  - suricata.rules\n...<\/code><\/pre>\n\n\n\n<p>If you want to write the ET rules under \/etc\/suricata\/rules\/ instead, specify the output directory with the <code>-o<\/code> option of the suricata-update command. In that case, also point <code>default-rule-path<\/code> above at <code>\/etc\/suricata\/rules<\/code>, otherwise Suricata keeps loading the copy under \/var\/lib\/suricata\/rules.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo suricata-update -o \/etc\/suricata\/rules\/<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Running Suricata on Ubuntu<\/h3>\n\n\n\n<p>You can now start Suricata and enable the service to run on system boot.<\/p>\n\n\n\n<p>However, always run the configuration check before you start Suricata;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo suricata -T -c \/etc\/suricata\/suricata.yaml -v<\/code><\/pre>\n\n\n\n<p>In case of any error, fix it before you start Suricata.<\/p>\n\n\n\n<p>If there is no error, then start Suricata;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo systemctl enable --now suricata<\/code><\/pre>\n\n\n\n<p>You can check the status;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo systemctl status suricata<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Testing Suricata Rules<\/h3>\n\n\n\n<p>We will use the downloaded ET rules to test Suricata detection.<\/p>\n\n\n\n<p>As a test, we are going to demonstrate how to alert on a possible SYN flood using hping3.<\/p>\n\n\n\n<p>You can install the hping3 tool on a separate system or on the same system running Suricata;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo apt install hping3<\/code><\/pre>\n\n\n\n<p>Before you can proceed, you need to disable packet 
offload features on the network interface on which Suricata is listening.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ethtool -K enp0s3 gro off lro off<\/code><\/pre>\n\n\n\n<p>If you get the <code>Cannot change large-receive-offload<\/code> error, it means that your interface doesn&#8217;t support this feature and it is safe to ignore it. However, you can verify this by running the command below;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ethtool -k enp0s3 | grep large<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>large-receive-offload: off &#91;fixed]<\/code><\/pre>\n\n\n\n<p>Next, fire up Suricata in PCAP live mode by executing the command below.<\/p>\n\n\n\n<p>By the way, there are various modes in which Suricata can run. You can list them by running the command below;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>suricata --list-runmodes<\/code><\/pre>\n\n\n\n<p>So to run in live PCAP mode, run the commands below. Change the monitoring interface to match your system.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>systemctl stop suricata<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>rm -rf \/var\/run\/suricata.pid<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>suricata -D -c \/etc\/suricata\/suricata.yaml -i enp0s3<\/code><\/pre>\n\n\n\n<p>Perform a simple DDoS attack test against our Suricata host from a different host.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>hping3 -S -p 80 --flood --rand-source 10.0.2.15 -I enp0s3 -c 50<\/code><\/pre>\n\n\n\n<p>While Suricata is running on the Suricata host and the DDoS attack test against it is in progress, tail the Suricata alert log on the Suricata host to see what is happening;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>tail -f \/var\/log\/suricata\/fast.log<\/code><\/pre>\n\n\n\n<p>You should be able to get some sample alerts;<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>04\/28\/2022-20:53:23.163746  [**] [1:2400001:3237] ET DROP Spamhaus DROP Listed Traffic Inbound group 2 [**] 
[Classification: Misc Attack] [Priority: 2] {TCP} 42.133.35.225:16743 -&gt; 10.0.2.15:80\n04\/28\/2022-20:53:23.167683  [**] [1:2400011:3237] ET DROP Spamhaus DROP Listed Traffic Inbound group 12 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 146.51.146.59:16820 -&gt; 10.0.2.15:80\n04\/28\/2022-20:53:23.192930  [**] [1:2400001:3237] ET DROP Spamhaus DROP Listed Traffic Inbound group 2 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 42.171.44.198:16969 -&gt; 10.0.2.15:80\n04\/28\/2022-20:53:23.205414  [**] [1:2400001:3237] ET DROP Spamhaus DROP Listed Traffic Inbound group 2 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 42.160.30.47:17115 -&gt; 10.0.2.15:80\n04\/28\/2022-20:53:23.235223  [**] [1:2400001:3237] ET DROP Spamhaus DROP Listed Traffic Inbound group 2 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 42.219.24.133:17293 -&gt; 10.0.2.15:80\n04\/28\/2022-20:53:23.294544  [**] [1:2400025:3237] ET DROP Spamhaus DROP Listed Traffic Inbound group 26 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 198.56.117.198:17846 -&gt; 10.0.2.15:80\n04\/28\/2022-20:53:23.297399  [**] [1:2400015:3237] ET DROP Spamhaus DROP Listed Traffic Inbound group 16 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 165.102.152.191:17899 -&gt; 10.0.2.15:80\n04\/28\/2022-20:53:23.555831  [**] [1:2400001:3237] ET DROP Spamhaus DROP Listed Traffic Inbound group 2 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 42.222.235.227:20024 -&gt; 10.0.2.15:80\n04\/28\/2022-20:53:23.580783  [**] [1:2400009:3237] ET DROP Spamhaus DROP Listed Traffic Inbound group 10 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 119.232.119.66:20190 -&gt; 10.0.2.15:80\n....\n<\/code><\/pre>\n\n\n\n<p>Check our other guide on <a href=\"https:\/\/kifarunix.com\/install-and-setup-suricata-on-ubuntu-22-04-ubuntu-20-04\/#read-suricata-eve-json-logs-with-jq\" target=\"_blank\" rel=\"noreferrer noopener\">how to read Suricata Eve JSON logs<\/a>.<\/p>\n\n\n\n<p>Feel free 
to read more about Suricata on their <a href=\"https:\/\/suricata.readthedocs.io\/en\/suricata-4.1.0\/\" target=\"_blank\" rel=\"noopener noreferrer\">documentation page<\/a>.<\/p>\n\n\n\n<p>Other Tutorials;<\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/install-and-setup-suricata-on-centos-8\/\" target=\"_blank\" rel=\"noreferrer noopener\">Install and Setup Suricata on CentOS 8<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/install-nikto-web-scanner-on-rocky-linux-8\/\" target=\"_blank\" rel=\"noreferrer noopener\">Install Nikto Web Scanner on Rocky Linux 8<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Today, we are going to learn how to install and setup Suricata on Ubuntu 18.04. Suricata is an opensource network threat detection tool. Suricata uses<\/p>\n","protected":false},"author":1,"featured_media":12369,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"rank_math_lock_modified_date":false,"footnotes":""},"categories":[34,317],"tags":[4947,319,4940,4941,320,318,1835,4943,4945,4946,4944,4942],"class_list":["post-2201","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security","category-suricata","tag-hping3","tag-ids","tag-install-and-setup-suricata-on-ubuntu-18-04","tag-install-suricata-ubuntu","tag-ips","tag-suricata","tag-suricata-et-rules","tag-suricata-ubuntu","tag-suricata-update","tag-testing-suricata-rules","tag-ubuntu-18-04-suricata","tag-ubuntu-install-suricata","generate-columns","tablet-grid-50","mobile-grid-100","grid-parent","grid-50","resize-featured-image"],"_links":{"self":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/2201"}],"collection":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/kif
arunix.com\/wp-json\/wp\/v2\/comments?post=2201"}],"version-history":[{"count":16,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/2201\/revisions"}],"predecessor-version":[{"id":21111,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/2201\/revisions\/21111"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media\/12369"}],"wp:attachment":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media?parent=2201"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/categories?post=2201"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/tags?post=2201"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}