Install Suricata on Rocky Linux 8|AlmaLinux 8

Suricata is the best independent open source threat detection engine. It combines intrusion detection (IDS), intrusion prevention (IPS), network security monitoring (NSM) and PCAP processing.

Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) are both parts of the network infrastructure. An IDS analyses network traffic for signatures matching known attacks, while an IPS analyses packets and also has the ability to stop a packet from being delivered depending on the attack detected. Suricata works by identifying, stopping and assessing the most sophisticated attacks.

Suricata has the following key features:

  • Offers multi-threaded signature detection.
  • Supports file hashing and file extraction.
  • Offers broad support for application layer protocols.
  • Supports the Lua scripting language, which can be used to modify the outputs and create complex and detailed signature logic.
  • Supports TCP/IP engines.
  • Has IP reputation support, used to load large amounts of data, live load support, etc.
  • With its ability to write logs in JSON (EVE) format and its YAML-based configuration, it can be easily integrated with other tools such as Elasticsearch/Logstash, Kibana, Splunk, etc. for log processing.

In this guide, we will walk through the installation of Suricata IDS / IPS Tool on Rocky Linux 8|AlmaLinux 8.

There are multiple ways to install Suricata IDS / IPS tool.

Method 1: Install Suricata from Source

Suricata can be installed from source code through the following steps:

1. Update your system

sudo dnf update

2. Install build dependencies (libyaml-devel and libpcap-devel are required by configure, lua-devel by --enable-lua, and pcre2-devel by Suricata 7 and later):

sudo dnf config-manager --set-enabled powertools
sudo dnf install diffutils gcc jansson-devel make nss-devel pcre-devel pcre2-devel python3 python3-pyyaml rust-toolset zlib-devel curl wget tar lua lua-devel libyaml-devel libpcap-devel lz4-devel

3. Download the latest stable Suricata source code. Also check for the latest release version from the official release page.

VER=$(curl -s https://api.github.com/repos/OISF/suricata/releases/latest|grep tag_name|cut -d '"' -f 4|sed 's/suricata-//')
wget https://www.openinfosecfoundation.org/download/suricata-${VER}.tar.gz -P /tmp

4. Extract the source code

cd /tmp
tar xzf suricata-${VER}.tar.gz

5. Build and install Suricata (--enable-geoip needs libmaxminddb-devel, available from EPEL; drop the flag if you do not need GeoIP matching):

cd suricata-${VER}
./configure --sysconfdir=/etc --localstatedir=/var --prefix=/usr/ --enable-lua --enable-geoip
make
sudo make install-full

Method 2: Install Suricata from EPEL repo

Alternatively, you can install Suricata from the EPEL repos. First install the EPEL release package:

sudo dnf install epel-release

Dependency tree:

..
Transaction Summary
================================================================================
Install  1 Package

Total download size: 22 k
Installed size: 32 k
Is this ok [y/N]: y

Check the latest available version of Suricata from EPEL repos as below:

sudo dnf info suricata

Proceed and install the latest stable version of Suricata from the EPEL repos:

sudo dnf install suricata

Dependency tree:

....
Transaction Summary
==========================================================================
Install  7 Packages

Total download size: 5.9 M
Installed size: 21 M
Is this ok [y/N]: y

Working with Suricata Rules

Suricata is built to use rules, also called signatures, which raise alerts on matching threats. When Suricata is installed from the repos, the bundled rules are located in /etc/suricata/rules/:

sudo ls /etc/suricata/rules/

The available rules:

app-layer-events.rules	http-events.rules      smb-events.rules
decoder-events.rules	ipsec-events.rules     smtp-events.rules
dhcp-events.rules	kerberos-events.rules  stream-events.rules
dnp3-events.rules	modbus-events.rules    tls-events.rules
dns-events.rules	nfs-events.rules
files.rules		ntp-events.rules

The Emerging Threats (ET Open) rules are stored as /var/lib/suricata/rules/suricata.rules and are installed or updated using suricata-update:

$ sudo suricata-update
21/11/2024 -- 10:17:05 - <Info> -- Using data-directory /var/lib/suricata.
21/11/2024 -- 10:17:05 - <Info> -- Using Suricata configuration /etc/suricata/suricata.yaml
21/11/2024 -- 10:17:05 - <Info> -- Using /usr/share/suricata/rules for Suricata provided rules.........
............
21/11/2024 -- 10:17:28 - <Info> -- Testing with suricata -T.
21/11/2024 -- 10:18:38 - <Info> -- Done.

In Suricata, a rule consists of the following elements, written in this order:

  • The action, which determines what happens when the signature matches (for example alert, drop, pass or reject).
  • The header, which defines the protocol, IP addresses, ports and direction of the rule.
  • The rule options, which define the specifics of the signature (such as msg, content and sid).
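To make the three elements concrete, here is an added Python example (not code from the guide or from the Suricata project) that parses a rule into its action, header fields and options; the sample rule and its sid 1000001 are constructed for this demo.

```python
import re

# Constructed sample rule (an assumption for this demo, not one of the ET rules
# the guide loads): alert when many TCP SYNs hit SSH on HOME_NET from outside.
SAMPLE_RULE = (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 22 '
    '(msg:"LOCAL SSH SYN burst"; flags:S; '
    'threshold:type both, track by_dst, count 20, seconds 10; '
    'classtype:attempted-dos; sid:1000001; rev:1;)'
)

# Header layout: action proto src sport direction dst dport, then (options).
HEADER_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<direction>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$'
)

def split_options(body):
    """Split 'k:v; k2; ...' on semicolons outside double quotes -> [(key, value|None)]."""
    items, cur, in_q, prev = [], [], False, ''
    for ch in body:
        if ch == '"' and prev != '\\':
            in_q = not in_q
        if ch == ';' and not in_q:
            items.append(''.join(cur))
            cur = []
        else:
            cur.append(ch)
        prev = ch
    if ''.join(cur).strip():
        items.append(''.join(cur))
    out = []
    for item in items:
        key, _, val = item.strip().partition(':')
        out.append((key.strip(), val.strip().strip('"') if val else None))
    return out

def parse_rule(text):
    """Return the rule as a dict of header fields plus an 'options' list."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("not a Suricata rule: %r" % text)
    rule = m.groupdict()
    rule["options"] = split_options(rule.pop("opts"))
    return rule

def option(rule, key):
    """Value of the first option named key (e.g. 'sid', 'msg'), or None."""
    return next((v for k, v in rule["options"] if k == key), None)
```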

Set Up Suricata IDS / IPS Tool

The default configuration file for Suricata is the YAML file /etc/suricata/suricata.yaml. It contains many settings, but for this basic setup we will focus on the network interface on which Suricata listens and the IP address assigned to that interface. Find the IP address attached to the interface:

$ ip --brief add
lo               UNKNOWN        127.0.0.1/8 ::1/128 
enp0s3           UP             192.168.1.48/24 fe80::9a7a:c5e0:70de:4954/64

You can see that the interface enp0s3 is attached to 192.168.1.48.

Now open the YAML file:

sudo vi /etc/suricata/suricata.yaml

In the file, we need to make a few changes. First define the internal (protected) and external networks under the vars section by setting the values of HOME_NET and EXTERNAL_NET.

HOME_NET includes the IP address of the network interface on which Suricata is running (or the whole protected subnet, as in the commented examples). EXTERNAL_NET is defined as any network not listed in HOME_NET:

 vars:
  # more specific is better for alert accuracy and performance
  address-groups:
    #HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
    HOME_NET: "[192.168.1.48]"
    #HOME_NET: "[192.168.0.0/16]"
    #HOME_NET: "[10.0.0.0/8]"
    #HOME_NET: "[172.16.0.0/12]"
    #HOME_NET: "any"

    EXTERNAL_NET: "!$HOME_NET"
    #EXTERNAL_NET: "any"
...

Then set the interface name under the af-packet section:

# Linux high speed capture support
af-packet:
  - interface: enp0s3
...........

Define rule path

In this demo we will use the default path; another path can be set under default-rule-path:

...
default-rule-path: /var/lib/suricata/rules

rule-files:
  - suricata.rules
...

Save and exit.

Packet Offloading

Disable packet offloading on the capture interface by turning off Large Receive Offload (LRO) and Generic Receive Offload (GRO); with offloading on, the NIC merges segments before Suricata sees them, so the engine inspects packets that never existed on the wire. Below, replace <interface> with the interface on which Suricata is listening:

sudo ethtool -K <interface> gro off lro off

Confirm whether either feature is still enabled:

ethtool -k <interface> | grep -iE "generic|large"

Sample output:

tx-checksum-ip-generic: on
generic-segmentation-offload: on
generic-receive-offload: off
large-receive-offload: off [fixed]

If either line still shows on, disable it again with the command below. Note that ethtool -K settings do not persist across reboots, so add the command to a boot-time script or a NetworkManager dispatcher script if Suricata runs permanently:

ethtool -K <interface> gro off lro off

Use Suricata IDS / IPS

Suricata is managed by a systemd service. Before starting it, specify the interface on which Suricata listens in the service's environment file:

sudo vi /etc/sysconfig/suricata

In the file, make the following change:

# Add options to be passed to the daemon
#OPTIONS="-i eth0 --user suricata "
OPTIONS="-i enp0s3 --user suricata "

Start and enable Suricata to run on boot:

sudo systemctl enable --now suricata

Check the status of the service:

systemctl status suricata

Alternatively, instead of the systemd service, you can start Suricata directly as a daemon and specify the interface on the command line:

sudo suricata -D -c /etc/suricata/suricata.yaml -i enp0s3

Check if the process is running:

sudo tail /var/log/suricata/suricata.log

Sample output:

21/11/2024 -- 10:37:11 - <Notice> - This is Suricata version 5.0.7 RELEASE running in SYSTEM mode
21/11/2024 -- 10:37:11 - <Info> - CPUs/cores online: 1
21/11/2024 -- 10:37:11 - <Info> - Found an MTU of 1500 for 'enp0s3'
21/11/2024 -- 10:37:11 - <Info> - Found an MTU of 1500 for 'enp0s3'
21/11/2024 -- 10:37:11 - <Error> - [ERRCODE: SC_ERR_INITIALIZATION(45)] - pid file '/var/run/suricata.pid' exists and Suricata appears to be running. Aborting!
21/11/2024 -- 10:37:12 - <Info> - Going to use 1 thread(s)
21/11/2024 -- 10:37:12 - <Info> - Running in live mode, activating unix socket
21/11/2024 -- 10:37:12 - <Info> - Using unix socket file '/var/run/suricata/suricata-command.socket'
21/11/2024 -- 10:37:12 - <Notice> - all 1 packet processing threads, 4 management threads initialized, engine started.
21/11/2024 -- 10:37:12 - <Info> - All AFP capture threads are running.

Note the <Error> line in this output: the manual start with -D found the pid file of the instance already started by systemd and aborted, so run Suricata either as the service or from the command line, not both. Check the alert logs for Suricata:

sudo tail -f /var/log/suricata/fast.log

Check the stats log:

sudo tail -f /var/log/suricata/stats.log

View the EVE JSON log, which carries the same alerts plus protocol records in a form other tools can ingest:

sudo tail -f /var/log/suricata/eve.json

Test Suricata IDS / IPS Tool

Here we will test Suricata using the default Emerging Threats rules. If you have created custom rules, confirm the syntax first using:

sudo suricata -c /etc/suricata/suricata.yaml -T -v

Sample output:

21/11/2024 -- 10:39:19 - <Info> - Running suricata under test mode
21/11/2024 -- 10:39:19 - <Notice> - This is Suricata version 5.0.7 RELEASE running in SYSTEM mode
21/11/2024 -- 10:39:19 - <Info> - CPUs/cores online: 1
21/11/2024 -- 10:39:19 - <Info> - fast output device (regular) initialized: fast.log
21/11/2024 -- 10:39:19 - <Info> - eve-log output device (regular) initialized: eve.json
21/11/2024 -- 10:39:19 - <Info> - stats output device (regular) initialized: stats.log
21/11/2024 -- 10:39:40 - <Info> - 1 rule files processed. 22865 rules successfully loaded, 0 rules failed
21/11/2024 -- 10:39:40 - <Info> - Threshold config parsed: 0 rule(s) found
21/11/2024 -- 10:39:40 - <Info> - 22868 signatures processed. 1235 are IP-only rules, 3924 are inspecting packet payload, 17510 inspect application layer, 104 are decoder event only
21/11/2024 -- 10:40:35 - <Notice> - Configuration provided was successfully loaded. Exiting.
21/11/2024 -- 10:40:35 - <Info> - cleaning up signature grouping structure... complete

With the configuration validated, restart Suricata IDS / IPS Tool:

sudo systemctl restart suricata

Test Attack: SSH DDoS

Using another system on the lab network, let us simulate a DDoS attack against the SSH port. First install hping3 as below.

## For CentOS 8/RHEL 8/Rocky Linux 8
sudo dnf install hping3

### For Debian/Ubuntu
sudo apt install hping3

Then perform the attack:

$ sudo hping3 -S -p 22 --flood --rand-source 192.168.1.48
HPING 192.168.1.48 (wlo1 192.168.1.48): S set, 40 headers + 0 data bytes
hping in flood mode, no replies will be shown.......

With this running, let us look at the alerts on the Suricata system.

sudo tail -f /var/log/suricata/fast.log

Sample output:

......................
07/21/2024-10:49:53.596568  [**] [1:2400017:2956] ET DROP Spamhaus DROP Listed Traffic Inbound group 18 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 160.255.133.174:36745 -> 192.168.1.48:23
07/21/2024-10:49:53.713779  [**] [1:2400000:2956] ET DROP Spamhaus DROP Listed Traffic Inbound group 1 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 41.72.57.247:36954 -> 192.168.1.48:23
07/21/2024-10:49:53.714094  [**] [1:2400011:2956] ET DROP Spamhaus DROP Listed Traffic Inbound group 12 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 125.169.174.51:36981 -> 192.168.1.48:23
07/21/2024-10:49:53.717055  [**] [1:2400017:2956] ET DROP Spamhaus DROP Listed Traffic Inbound group 18 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 160.255.208.147:37251 -> 192.168.1.48:23
07/21/2024-10:49:53.769295  [**] [1:2400001:2956] ET DROP Spamhaus DROP Listed Traffic Inbound group 2 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 42.143.75.90:47491 -> 192.168.1.48:23
07/21/2024-10:49:53.771109  [**] [1:2400017:2956] ET DROP Spamhaus DROP Listed Traffic Inbound group 18 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 163.50.213.209:47649 -> 192.168.1.48:23
07/21/2024-10:49:53.821934  [**] [1:2400001:2956] ET DROP Spamhaus DROP Listed Traffic Inbound group 2 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 42.223.35.162:54085 -> 192.168.1.48:23
07/21/2024-10:49:53.827060  [**] [1:2400033:2956] ET DROP Spamhaus DROP Listed Traffic Inbound group 34 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 202.20.62.126:54536 -> 192.168.1.48:23
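As an added example (not part of the original guide), the following Python parses fast.log lines of the shape shown above and tallies alerts by signature, source address and protocol/destination port, which is how a defender would triage a burst like this; the sample lines are constructed with RFC 5737 documentation addresses and a placeholder local sid.

```python
import re
from collections import Counter

# Constructed fast.log lines in the shape of the guide's output. Addresses are
# RFC 5737 documentation ranges and the ICMP sid is a local placeholder.
SAMPLE_FAST_LOG = """\
07/21/2024-10:49:53.596568  [**] [1:2400017:2956] ET DROP Spamhaus DROP Listed Traffic Inbound group 18 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 198.51.100.7:36745 -> 192.0.2.48:23
07/21/2024-10:49:53.713779  [**] [1:2400000:2956] ET DROP Spamhaus DROP Listed Traffic Inbound group 1 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 203.0.113.9:36954 -> 192.0.2.48:23
07/21/2024-10:49:53.714094  [**] [1:2400017:2956] ET DROP Spamhaus DROP Listed Traffic Inbound group 18 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 198.51.100.7:36981 -> 192.0.2.48:22
07/21/2024-10:49:54.001000  [**] [1:1000002:1] LOCAL ICMP echo request (constructed) [**] [Classification: Misc activity] [Priority: 3] {ICMP} 203.0.113.9 -> 192.0.2.48
this line is not an alert and must be counted as skipped
"""

# One alert per line; Classification is optional and ICMP alerts carry no ports.
FAST_RE = re.compile(
    r'^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+'
    r'(?P<msg>.*?)\s+\[\*\*\]\s+(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?'
    r'\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+'
    r'(?P<src>[^\s:]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[^\s:]+)(?::(?P<dport>\d+))?\s*$'
)

def parse_fast_line(line):
    """Return the alert fields as a dict, or None if the line is not an alert."""
    m = FAST_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None

def summarize(text):
    """Tally alerts by signature, by source address and by protocol/destination port."""
    by_sid, by_src, by_dport = Counter(), Counter(), Counter()
    skipped = 0
    for line in text.splitlines():
        if not line.strip():
            continue
        alert = parse_fast_line(line)
        if alert is None:
            skipped += 1
            continue
        by_sid[(int(alert["sid"]), alert["msg"])] += 1
        by_src[alert["src"]] += 1
        by_dport[(alert["proto"], alert["dport"])] += 1
    return {"by_sid": by_sid, "by_src": by_src, "by_dport": by_dport, "skipped": skipped}

if __name__ == "__main__":
    s = summarize(SAMPLE_FAST_LOG)
    for (sid, msg), n in s["by_sid"].most_common():
        print(f"{n:4d}  sid {sid}  {msg}")
    print("top sources:", s["by_src"].most_common(3), "skipped:", s["skipped"])
```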

The alerts above come from the ET DROP signatures: hping3's --rand-source spoofs random source addresses, and some of them fall inside Spamhaus DROP-listed ranges, which is what these rules match. They confirm that Suricata is capturing on the interface and that the Emerging Threats rules are loaded, but they do not detect the SYN flood as such; alerting on the flood itself needs a rate-based rule, for example a threshold on SYNs to port 22 tracked by destination. With this, we are safe to assume that Suricata is running well using the default Emerging Threats rules.

Conclusion

We have come to the end of this guide. We have installed Suricata IDS / IPS Tool on Rocky Linux 8|AlmaLinux 8. We have also made a few configurations and tested Suricata IDS / IPS Tool. I hope this guide was helpful.
