HOWTO : Suricata on SSD and Ubuntu 12.04 LTS Desktop

Hardware



Laptop : Lenovo ThinkPad X201s Type 5397-G9B

Processor : Intel Core i7 CPU L640 @ 2.13GHz (2-core with 4 HT)

Memory : 8GB DDR3 RAM

Storage : AData SX900 512GB SSD



Software



Operating System : Ubuntu Desktop 12.04 LTS x86_64

Intrusion Prevention System : Suricata 1.4 (inline mode)



Introduction



Suricata is an Open Source Next Generation Intrusion Detection and Prevention Engine. This engine is not intended to just replace or emulate the existing tools in the industry, but will bring new ideas and technologies to the field.



There is an Ubuntu PPA of Suricata for Ubuntu 10.04 to 13.04, and Ubuntu 13.04 also includes Suricata in its own repositories. Those packages have IPS mode through NFQUEUE enabled. In addition, Suricata supports nVidia CUDA, which requires recompiling the source code with the suitable parameter.



Suricata can be installed not only on servers but also on desktops and laptops. It performs quite well even on an Intel Atom ITX machine.



For the full list of features, please refer to the Suricata project's feature page.



Installation



Step 0 :



This step is for SSD only; make sure you have enough memory, because the tmpfs mounts below live in RAM. Anything written to them, including the Suricata logs in /var/log/suricata, is lost on reboot.



sudo nano /etc/fstab



Add the following mount options to the "/" entry (or to "/home" and "/", or similar) :



discard,noatime,nodiratime



To make it look like :



UUID=99f0925f-badc-4939 .... -7df6eca0c720 / ext4 discard,noatime,nodiratime,errors=remount-ro 0 1



Then, add the following :



tmpfs /tmp tmpfs defaults,noatime,mode=1777 0 0

tmpfs /var/spool tmpfs defaults,noatime,mode=1777 0 0

tmpfs /var/log tmpfs defaults,noatime,mode=0755 0 0

tmpfs /var/log/suricata tmpfs defaults,noatime,mode=0755 0 0




After that, edit the following :



sudo nano /etc/rc.local



Add the following right before the "exit 0" :



echo deadline > /sys/block/sda/queue/scheduler

echo 1 > /sys/block/sda/queue/iosched/fifo_batch




Step 1 :



sudo add-apt-repository ppa:oisf/suricata-stable

sudo apt-get update

sudo apt-get install suricata htp




Step 2 :



To get the Emerging Threats rules :



cd /etc/suricata/



sudo wget https://rules.emergingthreatspro.com/open/suricata/emerging.rules.tar.gz



sudo tar -xvzf emerging.rules.tar.gz



sudo ln -s /etc/suricata/rules/reference.config /etc/suricata/reference.config



sudo ln -s /etc/suricata/UbuntuPPA-configs/classification.config /etc/suricata/classification.config



sudo cp /etc/suricata/UbuntuPPA-configs/suricata-ppa-1.4-6ubuntu6.yaml /etc/suricata/suricata.yaml




*** Alternatively, you can use the reference.config and classification.config that are shipped in /etc/suricata/rules.



sudo touch /etc/suricata/threshold.config



Step 3 :



sudo nano /etc/suricata/suricata.yaml



Locate the following lines :



default-log-dir: /usr/local/var/log/suricata/

default-rule-path: /usr/local/etc/suricata/rules

classification-file: /usr/local/etc/suricata/classification.config

reference-config-file: /usr/local/etc/suricata/reference.config

#pid-file: /var/run/suricata.pid

#- rule-reload: true

#threshold-file: /usr/local/etc/suricata/threshold.config



  - drop:
      enable: no




Replace with the following lines :



default-log-dir: /var/log/suricata/

default-rule-path: /etc/suricata/rules

classification-file: /etc/suricata/classification.config

reference-config-file: /etc/suricata/reference.config

pid-file: /var/run/suricata.pid

- rule-reload: true

threshold-file: /etc/suricata/threshold.config



  - drop:
      enable: yes




To test whether it works in IDS mode :



sudo suricata -c /etc/suricata/suricata.yaml -i eth0



After a few minutes, check /var/log/suricata/stats.log and /var/log/suricata/http.log to see whether entries are being written.



Step 4 :



sudo iptables -A INPUT -j NFQUEUE

sudo iptables -A OUTPUT -j NFQUEUE

sudo iptables -A FORWARD -j NFQUEUE




To test whether it works in inline (NFQUEUE) mode :



sudo suricata -c /etc/suricata/suricata.yaml -q 0



Step 5 :



sudo apt-get install oinkmaster



sudo nano /etc/oinkmaster.conf



Append the following line :



url = https://rules.emergingthreatspro.com/open/suricata/emerging.rules.tar.gz



sudo oinkmaster -C /etc/oinkmaster.conf -o /etc/suricata/rules



Step 6 :



When everything is working fine, you can put the following in /etc/rc.local, right above "exit 0" :



iptables -A INPUT -j NFQUEUE --queue-balance 0:3

iptables -A OUTPUT -j NFQUEUE --queue-balance 0:3

iptables -A FORWARD -j NFQUEUE --queue-balance 0:3


/etc/suricata/ips



Then create a file /etc/suricata/ips :



sudo nano /etc/suricata/ips

#!/bin/sh
# Start Suricata as a daemon, reading from NFQUEUE queues 0-3 (matches --queue-balance 0:3)
suricata -D -c /etc/suricata/suricata.yaml -q 0 -q 1 -q 2 -q 3



sudo chmod +x /etc/suricata/ips



Then create the update-rules script :



sudo nano /etc/suricata/update-rules



#!/bin/sh
oinkmaster -C /etc/oinkmaster.conf -o /etc/suricata/rules

# USR2 tells the running Suricata to reload its rules (requires "- rule-reload: true")
kill -USR2 $(pidof suricata)



sudo chmod +x /etc/suricata/update-rules





Step 7 :



Whenever you want to update the rules, run :



sudo /etc/suricata/update-rules
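The update-rules script from Step 6 signals the live IPS as soon as oinkmaster returns, so a broken rule download is pushed straight into the running engine, and "kill -USR2 `pidof suricata`" aborts with a usage error when Suricata is not running. The following is an added example of a hardened version (not the HOWTO's own script): it keeps the HOWTO's paths, assumes your Suricata build has the "-T" config-test switch and that oinkmaster's "-b" backup option is available, and uses /var/backups/suricata-rules as an assumed backup location; the tool names are variables so the logic can be exercised with stubs.

```shell
#!/bin/sh
# Hardened replacement for /etc/suricata/update-rules (added example, not the
# HOWTO's original script). Assumptions: paths from the HOWTO, a Suricata that
# supports "-T" (test config and exit), oinkmaster with "-b", and an assumed
# backup directory. Tool names are variables so they can be stubbed.
OINKMASTER=${OINKMASTER:-oinkmaster}
SURICATA=${SURICATA:-suricata}
PIDOF=${PIDOF:-pidof}
KILL=${KILL:-kill}
OINK_CONF=${OINK_CONF:-/etc/oinkmaster.conf}
SURI_CONF=${SURI_CONF:-/etc/suricata/suricata.yaml}
RULE_DIR=${RULE_DIR:-/etc/suricata/rules}
BACKUP_DIR=${BACKUP_DIR:-/var/backups/suricata-rules}

# Exit codes: 0 reload signalled, 1 download/merge failed, 2 new rules fail
# the config test (live engine left untouched), 3 suricata not running.
update_rules() {
    mkdir -p "$BACKUP_DIR" || return 1
    # -b keeps the previous rule set so a bad download can be rolled back.
    if ! "$OINKMASTER" -C "$OINK_CONF" -o "$RULE_DIR" -b "$BACKUP_DIR"; then
        echo "update-rules: oinkmaster failed, rules unchanged" >&2
        return 1
    fi
    # Parse the whole config plus the fresh rules before touching the running
    # IPS; reloading broken rules into a live engine is what we want to avoid.
    if ! "$SURICATA" -T -c "$SURI_CONF" >/dev/null 2>&1; then
        echo "update-rules: new rules fail 'suricata -T'; not reloading" >&2
        echo "update-rules: previous rules are in $BACKUP_DIR" >&2
        return 2
    fi
    # The original "kill -USR2 \`pidof suricata\`" errors out when suricata is
    # down; report that case explicitly instead.
    pid=$("$PIDOF" suricata) || pid=
    if [ -z "$pid" ]; then
        echo "update-rules: suricata not running; rules load at next start" >&2
        return 3
    fi
    # USR2 triggers the live rule swap (needs "- rule-reload: true" in the yaml).
    "$KILL" -USR2 $pid
}

# Run when executed as the update-rules script, not when sourced.
case "$0" in
    *update-rules) update_rules ;;
esac
```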



That's all! See you.