HOWTO : Suricata on SSD and Ubuntu 12.04 LTS Desktop
Hardware
Laptop : Lenovo ThinkPad X201s Type 5397-G9B
Processor : Intel Core i7 CPU L640 @ 2.13GHz (2-core with 4 HT)
Memory : 8GB DDR3 RAM
Storage : AData SX900 512GB SSD
Software
Operating System : Ubuntu Desktop 12.04 LTS x86_64
Intrusion Prevention System : Suricata 1.4 (inline mode)
Introduction
Suricata is an Open Source Next Generation Intrusion Detection and Prevention Engine. This engine is not intended to just replace or emulate the existing tools in the industry, but will bring new ideas and technologies to the field.
There is an Ubuntu PPA of Suricata for Ubuntu 10.04 to 13.04 and the Ubuntu 13.04 is included Suricata in her repositories too. Meanwhile, those packages have IPS mode through NFQUEUE enabled. In addition, Suricata supports nVidia CUDA which requires to recompile the source code with suitable parameter.
Suricata not only can installed on servers but also on desktops and laptops. It performs quiet well on an Intel Atom ITX machine.
For the features, please read here for details.
Installation
Step 0 :
This step is for SSD only and make sure you have enough memory.
Add the following to the "
To make it look like :
Then, add the following :
After that, edit the following :
Add the following right before the "
Step 1 :
Step 2 :
To get the Emerging Threats rules :
*** You can use reference.config and classification.config at /etc/suricata/rules.
Step 3 :
Locate the following lines :
Replace with the following lines :
To test if it work or not :
Several minutes later, check the
Step 4 :
To test if it work or not :
Step 5 :
Append the following line :
Step 6 :
When everything is working fine, you can put them in the
Then create a file /etc/suricata/ips :
Then create the
Step 7 :
Whenever you want to update the rules, you can :
That's all! See you.
Laptop : Lenovo ThinkPad X201s Type 5397-G9B
Processor : Intel Core i7 CPU L640 @ 2.13GHz (2-core with 4 HT)
Memory : 8GB DDR3 RAM
Storage : AData SX900 512GB SSD
Software
Operating System : Ubuntu Desktop 12.04 LTS x86_64
Intrusion Prevention System : Suricata 1.4 (inline mode)
Introduction
Suricata is an Open Source Next Generation Intrusion Detection and Prevention Engine. This engine is not intended to just replace or emulate the existing tools in the industry, but will bring new ideas and technologies to the field.
There is an Ubuntu PPA of Suricata for Ubuntu 10.04 to 13.04 and the Ubuntu 13.04 is included Suricata in her repositories too. Meanwhile, those packages have IPS mode through NFQUEUE enabled. In addition, Suricata supports nVidia CUDA which requires to recompile the source code with suitable parameter.
Suricata not only can installed on servers but also on desktops and laptops. It performs quiet well on an Intel Atom ITX machine.
For the features, please read here for details.
Installation
Step 0 :
This step is for SSD only and make sure you have enough memory.
sudo nano /etc/fstab
Add the following to the "
/
" (or "/home
" and "/
" or alike) :discard,noatime,nodiratime
To make it look like :
UUID=99f0925f-badc-4939 .... -7df6eca0c720 / ext4 discard,noatime,nodiratime,errors=remount-ro 0 1
Then, add the following :
tmpfs /tmp tmpfs defaults,noatime,mode=1777 0 0
tmpfs /var/spool tmpfs defaults,noatime,mode=1777 0 0
tmpfs /var/log tmpfs defaults,noatime,mode=0755 0 0
tmpfs /var/log/suricata tmpfs defaults,noatime,mode=0755 0 0
After that, edit the following :
sudo nano /etc/rc.local
Add the following right before the "
exit 0
" :echo deadline > /sys/block/sda/queue/scheduler
echo 1 > /sys/block/sda/queue/iosched/fifo_batch
Step 1 :
sudo add-apt-repository ppa:oisf/suricata-stable
sudo apt-get update
sudo apt-get install suricata htp
Step 2 :
To get the Emerging Threats rules :
cd /etc/suricata/
sudo wget https://rules.emergingthreatspro.com/open/suricata/emerging.rules.tar.gz
sudo tar -xvzf emerging.rules.tar.gz
sudo ln -s /etc/suricata/rules/reference.config /etc/suricata/reference.config
sudo ln -s /etc/suricata/UbuntuPPA-configs/classification.config /etc/suricata/classification.config
sudo cp /etc/suricata/UbuntuPPA-configs/suricata-ppa-1.4-6ubuntu6.yaml /etc/suricata/suricata.yaml
*** You can use reference.config and classification.config at /etc/suricata/rules.
sudo touch /etc/suricata/threshold.config
Step 3 :
sudo nano /etc/suricata/suricata.yaml
Locate the following lines :
default-log-dir: /usr/local/var/log/suricata/
default-rule-path: /usr/local/etc/suricata/rules
classification-file: /usr/local/etc/suricata/classification.config
reference-config-file: /usr/local/etc/suricata/reference.config
#pid-file: /var/run/suricata.pid
#- rule-reload: true
#threshold-file: /usr/local/etc/suricata/threshold.config
- drop
enable: no
Replace with the following lines :
default-log-dir: /var/log/suricata/
default-rule-path: /etc/suricata/rules
classification-file: /etc/suricata/classification.config
reference-config-file: /etc/suricata/reference.config
pid-file: /var/run/suricata.pid
- rule-reload: true
threshold-file: /usr/local/etc/suricata/threshold.config
- drop
enable: yes
To test if it work or not :
sudo suricata -c /etc/suricata/suricata.yaml -i eth0
Several minutes later, check the
/var/log/suricata/stats.log
and /var/log/suricata/http.log
to see if there are some entries or not.Step 4 :
sudo iptables -A INPUT -j NFQUEUE
sudo iptables -A OUTPUT -j NFQUEUE
sudo iptables -A FORWARD -j NFQUEUE
To test if it work or not :
sudo suricata -c /etc/suricata/suricata.yaml -q 0
Step 5 :
sudo apt-get install oinkmaster
sudo nano /etc/oinkmaster.conf
Append the following line :
url = https://rules.emergingthreatspro.com/open/suricata/emerging.rules.tar.gz
sudo oinkmaster -C /etc/oinkmaster.conf -o /etc/suricata/rules
Step 6 :
When everything is working fine, you can put them in the
/etc/rc.local
just right above "exit 0
" :iptables -A INPUT -j NFQUEUE --queue-balance 0:3
iptables -A OUTPUT -j NFQUEUE --queue-balance 0:3
iptables -A FORWARD -j NFQUEUE --queue-balance 0:3
/etc/suricata/ips
Then create a file /etc/suricata/ips :
sudo nano /etc/suricata/ips
suricata -D -c /etc/suricata/suricata.yaml -q 0 -q 1 -q 2 -q 3
chmod +x /etc/suricata/ips
Then create the
update-rule
sudo nano /etc/suricata/update-rules
oinkmaster -C /etc/oinkmaster.conf -o /etc/suricata/rules
kill -USR2 `pidof suricata`
sudo chmod +x /etc/suricata/update-rules
Step 7 :
Whenever you want to update the rules, you can :
sudo /etc/suricata/update-rules
That's all! See you.