HOWTO : Suricata on SSD and Ubuntu 12.04 LTS Desktop
Hardware
Laptop : Lenovo ThinkPad X201s Type 5397-G9B
Processor : Intel Core i7 CPU L640 @ 2.13GHz (2-core with 4 HT)
Memory : 8GB DDR3 RAM
Storage : AData SX900 512GB SSD
Software
Operating System : Ubuntu Desktop 12.04 LTS x86_64
Intrusion Prevention System : Suricata 1.4 (inline mode)
Introduction
Suricata is an Open Source Next Generation Intrusion Detection and Prevention Engine. This engine is not intended to just replace or emulate the existing tools in the industry, but will bring new ideas and technologies to the field.
There is an Ubuntu PPA of Suricata for Ubuntu 10.04 to 13.04 and the Ubuntu 13.04 is included Suricata in her repositories too. Meanwhile, those packages have IPS mode through NFQUEUE enabled. In addition, Suricata supports nVidia CUDA which requires to recompile the source code with suitable parameter.
Suricata not only can installed on servers but also on desktops and laptops. It performs quiet well on an Intel Atom ITX machine.
For the features, please read here for details.
Installation
Step 0 :
This step is for SSD only and make sure you have enough memory.
Add the following to the "
To make it look like :
Then, add the following :
After that, edit the following :
Add the following right before the "
Step 1 :
Step 2 :
To get the Emerging Threats rules :
*** You can use reference.config and classification.config at /etc/suricata/rules.
Step 3 :
Locate the following lines :
Replace with the following lines :
To test if it work or not :
Several minutes later, check the
Step 4 :
To test if it work or not :
Step 5 :
Append the following line :
Step 6 :
When everything is working fine, you can put them in the
Then create a file /etc/suricata/ips :
Then create the
Step 7 :
Whenever you want to update the rules, you can :
That's all! See you.
Laptop : Lenovo ThinkPad X201s Type 5397-G9B
Processor : Intel Core i7 CPU L640 @ 2.13GHz (2-core with 4 HT)
Memory : 8GB DDR3 RAM
Storage : AData SX900 512GB SSD
Software
Operating System : Ubuntu Desktop 12.04 LTS x86_64
Intrusion Prevention System : Suricata 1.4 (inline mode)
Introduction
Suricata is an Open Source Next Generation Intrusion Detection and Prevention Engine. This engine is not intended to just replace or emulate the existing tools in the industry, but will bring new ideas and technologies to the field.
There is an Ubuntu PPA of Suricata for Ubuntu 10.04 to 13.04 and the Ubuntu 13.04 is included Suricata in her repositories too. Meanwhile, those packages have IPS mode through NFQUEUE enabled. In addition, Suricata supports nVidia CUDA which requires to recompile the source code with suitable parameter.
Suricata not only can installed on servers but also on desktops and laptops. It performs quiet well on an Intel Atom ITX machine.
For the features, please read here for details.
Installation
Step 0 :
This step is for SSD only and make sure you have enough memory.
sudo nano /etc/fstabAdd the following to the "
/" (or "/home" and "/" or alike) :discard,noatime,nodiratimeTo make it look like :
UUID=99f0925f-badc-4939 .... -7df6eca0c720 / ext4 discard,noatime,nodiratime,errors=remount-ro 0 1Then, add the following :
tmpfs /tmp tmpfs defaults,noatime,mode=1777 0 0
tmpfs /var/spool tmpfs defaults,noatime,mode=1777 0 0
tmpfs /var/log tmpfs defaults,noatime,mode=0755 0 0
tmpfs /var/log/suricata tmpfs defaults,noatime,mode=0755 0 0After that, edit the following :
sudo nano /etc/rc.localAdd the following right before the "
exit 0" :echo deadline > /sys/block/sda/queue/scheduler
echo 1 > /sys/block/sda/queue/iosched/fifo_batchStep 1 :
sudo add-apt-repository ppa:oisf/suricata-stable
sudo apt-get update
sudo apt-get install suricata htpStep 2 :
To get the Emerging Threats rules :
cd /etc/suricata/
sudo wget https://rules.emergingthreatspro.com/open/suricata/emerging.rules.tar.gz
sudo tar -xvzf emerging.rules.tar.gz
sudo ln -s /etc/suricata/rules/reference.config /etc/suricata/reference.config
sudo ln -s /etc/suricata/UbuntuPPA-configs/classification.config /etc/suricata/classification.config
sudo cp /etc/suricata/UbuntuPPA-configs/suricata-ppa-1.4-6ubuntu6.yaml /etc/suricata/suricata.yaml*** You can use reference.config and classification.config at /etc/suricata/rules.
sudo touch /etc/suricata/threshold.configStep 3 :
sudo nano /etc/suricata/suricata.yamlLocate the following lines :
default-log-dir: /usr/local/var/log/suricata/
default-rule-path: /usr/local/etc/suricata/rules
classification-file: /usr/local/etc/suricata/classification.config
reference-config-file: /usr/local/etc/suricata/reference.config
#pid-file: /var/run/suricata.pid
#- rule-reload: true
#threshold-file: /usr/local/etc/suricata/threshold.config
- drop
enable: noReplace with the following lines :
default-log-dir: /var/log/suricata/
default-rule-path: /etc/suricata/rules
classification-file: /etc/suricata/classification.config
reference-config-file: /etc/suricata/reference.config
pid-file: /var/run/suricata.pid
- rule-reload: true
threshold-file: /usr/local/etc/suricata/threshold.config
- drop
enable: yesTo test if it work or not :
sudo suricata -c /etc/suricata/suricata.yaml -i eth0Several minutes later, check the
/var/log/suricata/stats.log and /var/log/suricata/http.log to see if there are some entries or not.Step 4 :
sudo iptables -A INPUT -j NFQUEUE
sudo iptables -A OUTPUT -j NFQUEUE
sudo iptables -A FORWARD -j NFQUEUETo test if it work or not :
sudo suricata -c /etc/suricata/suricata.yaml -q 0Step 5 :
sudo apt-get install oinkmastersudo nano /etc/oinkmaster.confAppend the following line :
url = https://rules.emergingthreatspro.com/open/suricata/emerging.rules.tar.gzsudo oinkmaster -C /etc/oinkmaster.conf -o /etc/suricata/rulesStep 6 :
When everything is working fine, you can put them in the
/etc/rc.local just right above "exit 0" :iptables -A INPUT -j NFQUEUE --queue-balance 0:3
iptables -A OUTPUT -j NFQUEUE --queue-balance 0:3
iptables -A FORWARD -j NFQUEUE --queue-balance 0:3/etc/suricata/ipsThen create a file /etc/suricata/ips :
sudo nano /etc/suricata/ipssuricata -D -c /etc/suricata/suricata.yaml -q 0 -q 1 -q 2 -q 3chmod +x /etc/suricata/ipsThen create the
update-rulesudo nano /etc/suricata/update-rulesoinkmaster -C /etc/oinkmaster.conf -o /etc/suricata/ruleskill -USR2 `pidof suricata`sudo chmod +x /etc/suricata/update-rulesStep 7 :
Whenever you want to update the rules, you can :
sudo /etc/suricata/update-rulesThat's all! See you.