How to Install Suricata IDS on Rocky Linux

Suricata is a free and open-source intrusion detection (IDS), intrusion prevention (IPS), and network security monitoring (NSM) tool for Linux. It uses a set of signatures and rules to examine and process network traffic, and when it matches suspicious packets destined for any service on the server it can alert on them or, in IPS mode, block them immediately. By default, Suricata works as a passive intrusion detection system that scans traffic on a server for suspicious packets. However, you can also use it as an active intrusion prevention system (IPS) to log, report, and completely block network traffic that matches certain rules.

This tutorial will show how I installed Suricata IDS on my Rocky Linux server.

Requirements

  • A server running Rocky Linux 8 or 9
  • A root password is configured on the server.

Install Suricata on Rocky Linux

Suricata is not included in the Rocky Linux default repository. Therefore, you need to install it from the EPEL repository.

First, install the EPEL repository using the following command:

dnf install epel-release -y

Once EPEL is installed, check the Suricata package information with the following command:

dnf info suricata

You will get the following output:

Available Packages
Name         : suricata
Version      : 5.0.8
Release      : 1.el8
Architecture : x86_64
Size         : 2.3 M
Source       : suricata-5.0.8-1.el8.src.rpm
Repository   : epel
Summary      : Intrusion Detection System
URL          : https://suricata-ids.org/
License      : GPLv2
Description  : The Suricata Engine is an Open Source Next Generation Intrusion
             : Detection and Prevention Engine. This engine is not intended to
             : just replace or emulate the existing tools in the industry, but
             : will bring new ideas and technologies to the field. This new Engine
             : supports Multi-threading, Automatic Protocol Detection (IP, TCP,
             : UDP, ICMP, HTTP, TLS, FTP and SMB! ), Gzip Decompression, Fast IP
             : Matching, and GeoIP identification.

Next, install Suricata with the following command:

dnf install suricata -y

After the successful installation, you can proceed to the next step.

Configure Suricata

Suricata detects threats with rules, also called signatures. The rules shipped with the package are located in the directory /etc/suricata/rules/.

Run the following command to list all the rules:

ls /etc/suricata/rules/

You will get the following output:

app-layer-events.rules  dnp3-events.rules  http-events.rules      modbus-events.rules  smb-events.rules     tls-events.rules
decoder-events.rules    dns-events.rules   ipsec-events.rules     nfs-events.rules     smtp-events.rules
dhcp-events.rules       files.rules        kerberos-events.rules  ntp-events.rules     stream-events.rules

Next, run the following command to download the latest ruleset and merge it with the bundled rules (the result is written to /var/lib/suricata/rules/suricata.rules):

suricata-update

You will get the following output:

19/9/2023 -- 05:28:15 -  -- Loading distribution rule file /usr/share/suricata/rules/app-layer-events.rules
19/9/2023 -- 05:28:15 -  -- Loading distribution rule file /usr/share/suricata/rules/decoder-events.rules
19/9/2023 -- 05:28:15 -  -- Loading distribution rule file /usr/share/suricata/rules/dhcp-events.rules
19/9/2023 -- 05:28:15 -  -- Loading distribution rule file /usr/share/suricata/rules/dnp3-events.rules
19/9/2023 -- 05:28:15 -  -- Loading distribution rule file /usr/share/suricata/rules/dns-events.rules
19/9/2023 -- 05:28:15 -  -- Loading distribution rule file /usr/share/suricata/rules/files.rules
19/9/2023 -- 05:28:15 -  -- Loading distribution rule file /usr/share/suricata/rules/http-events.rules
19/9/2023 -- 05:28:15 -  -- Loading distribution rule file /usr/share/suricata/rules/ipsec-events.rules
19/9/2023 -- 05:28:15 -  -- Loading distribution rule file /usr/share/suricata/rules/kerberos-events.rules
19/9/2023 -- 05:28:15 -  -- Loading distribution rule file /usr/share/suricata/rules/modbus-events.rules
19/9/2023 -- 05:28:15 -  -- Loading distribution rule file /usr/share/suricata/rules/nfs-events.rules
19/9/2023 -- 05:28:15 -  -- Loading distribution rule file /usr/share/suricata/rules/ntp-events.rules
19/9/2023 -- 05:28:15 -  -- Loading distribution rule file /usr/share/suricata/rules/smb-events.rules
19/9/2023 -- 05:28:15 -  -- Loading distribution rule file /usr/share/suricata/rules/smtp-events.rules
19/9/2023 -- 05:28:15 -  -- Loading distribution rule file /usr/share/suricata/rules/stream-events.rules
19/9/2023 -- 05:28:15 -  -- Loading distribution rule file /usr/share/suricata/rules/tls-events.rules
19/9/2023 -- 05:28:15 -  -- Ignoring file rules/emerging-deleted.rules
19/9/2023 -- 05:28:20 -  -- Loaded 32403 rules.
19/9/2023 -- 05:28:20 -  -- Disabled 14 rules.
19/9/2023 -- 05:28:20 -  -- Enabled 0 rules.
19/9/2023 -- 05:28:20 -  -- Modified 0 rules.
19/9/2023 -- 05:28:20 -  -- Dropped 0 rules.
19/9/2023 -- 05:28:21 -  -- Enabled 131 rules for flowbit dependencies.
19/9/2023 -- 05:28:21 -  -- Backing up current rules.
19/9/2023 -- 05:28:26 -  -- Writing rules to /var/lib/suricata/rules/suricata.rules: total: 32403; enabled: 25008; added: 0; removed 0; modified: 0
19/9/2023 -- 05:28:27 -  -- Writing /var/lib/suricata/rules/classification.config
19/9/2023 -- 05:28:27 -  -- No changes detected, exiting.

Next, edit the Suricata configuration file and define your server IP (HOME_NET), the rule path, and the network interface to monitor:

nano /etc/suricata/suricata.yaml

Change the following lines, using your own server IP in HOME_NET and the name of the interface you want to monitor in place of eth0:

    #HOME_NET: "[192.198.0.0/19,10.0.0.0/8,172.19.0.0/12]"
    HOME_NET: "[192.198.1.48]"
    #HOME_NET: "[192.198.0.0/19]"
    #HOME_NET: "[10.0.0.0/8]"
    #HOME_NET: "[172.19.0.0/12]"
    #HOME_NET: "any"

    EXTERNAL_NET: "!$HOME_NET"
    #EXTERNAL_NET: "any"

af-packet:
  - interface: eth0

default-rule-path: /var/lib/suricata/rules

rule-files:
  - suricata.rules

Save and close the file when you are done, and disable GRO and LRO offloading on the monitored interface so that Suricata sees packets as they arrive on the wire rather than as large merged segments:

ethtool -K eth0 gro off lro off

Manage Suricata Service

Next, start the Suricata service and enable it with the following command so that it starts when the system is rebooted:

systemctl start suricata
systemctl enable suricata

You can check the status of Suricata with the following command:

systemctl status suricata

You will get the following output:

● suricata.service - Suricata Intrusion Detection Service
   Loaded: loaded (/usr/lib/systemd/system/suricata.service; enabled; vendor preset: disabled)
   Active: active (running) since Wed 2022-03-19 10:06:20 UTC; 5s ago
     Docs: man:suricata(1)
  Process: 24047 ExecStartPre=/bin/rm -f /var/run/suricata.pid (code=exited, status=0/SUCCESS)
 Main PID: 24049 (Suricata-Main)
    Tasks: 1 (limit: 23696)
   Memory: 232.9M
   CGroup: /system.slice/suricata.service
           └─24049 /sbin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid -i eth0 --user suricata

Sep 19 10:06:20 rockylinux systemd[1]: Starting Suricata Intrusion Detection Service...
Sep 19 10:06:20 rockylinux systemd[1]: Started Suricata Intrusion Detection Service.
Sep 19 10:06:20 rockylinux suricata[24049]: 19/9/2023 -- 10:06:20 -  - This is Suricata version 5.0.8 RELEASE running in SYSTEM mode

To check the Suricata process log, run the following command:

tail /var/log/suricata/suricata.log

You should see the following output:

19/9/2023 -- 10:06:23 -  - Running in live mode, activating unix socket
19/9/2023 -- 10:06:23 -  - SSSE3 support not detected, disabling Hyperscan for SPM
19/9/2023 -- 10:06:23 -  - 1 rule files processed. 24930 rules successfully loaded, 0 rules failed
19/9/2023 -- 10:06:23 -  - Threshold config parsed: 0 rule(s) found
19/9/2023 -- 10:06:23 -  - 24933 signatures processed. 1283 are IP-only rules, 4109 are inspecting packet payload, 19340 inspect application layer, 105 are decoder event only
19/9/2023 -- 10:06:23 -  - Going to use 2 thread(s)
19/9/2023 -- 10:06:23 -  - Running in live mode, activating unix socket
19/9/2023 -- 10:06:23 -  - Using unix socket file '/var/run/suricata/suricata-command.socket'
19/9/2023 -- 10:06:23 -  - all 2 packet processing threads, 4 management threads initialized, engine started.
19/9/2023 -- 10:06:23 -  - All AFP capture threads are running.

You can check the Suricata alert log with the following command:

tail -f /var/log/suricata/fast.log

You should see the following output:

19/19/2022-10:06:23.059177  [**] [1:2402000:6215] ET DROP Dshield Block Listed Source group 1 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 45.155.205.43:54612 -> 209.23.8.4:14381
09/19/2023-10:06:23.059177  [**] [1:2403342:73004] ET CINS Active Threat Intelligence Poor Reputation IP group 43 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 45.155.205.43:54612 -> 209.23.8.4:14381

To check the Suricata statistics log, use the following command:

tail -f /var/log/suricata/stats.log

You should see the following output:

------------------------------------------------------------------------------------
Counter                                       | TM Name                   | Value
------------------------------------------------------------------------------------
capture.kernel_packets                        | Total                     | 651
decoder.pkts                                  | Total                     | 651
decoder.bytes                                 | Total                     | 51754
decoder.ipv4                                  | Total                     | 398
decoder.ipv6                                  | Total                     | 251
decoder.ethernet                              | Total                     | 651

Test Suricata IDS

After installing Suricata IDS, you also need to test whether Suricata is actually generating alerts. To do this, log into another system and install the hping3 utility, which will be used to generate a flood of traffic against the Suricata server:

dnf install hping3

After installing hping3, run the following command to send a SYN flood with randomized source addresses at port 22 of the Suricata server (replace suricata-ip with the server's IP address):

hping3 -S -p 22 --flood --rand-source suricata-ip

Now go to the Suricata system and check the alert log using the following command:

tail -f /var/log/suricata/fast.log

You should see the following output:

09/19/2023-10:08:18.049526  [**] [1:2403393:73004] ET CINS Active Threat Intelligence Poor Reputation IP group 94 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 89.248.193.194:44217 -> 209.23.8.4:37394
09/19/2023-10:08:52.933947  [**] [1:2402000:6215] ET DROP Dshield Block Listed Source group 1 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 197.248.133.173:24721 -> 209.23.8.4:9307
09/19/2023-10:09:52.284374  [**] [1:2402000:6215] ET DROP Dshield Block Listed Source group 1 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 89.248.195.202:57104 -> 209.23.8.4:6061
09/19/2023-10:10:52.284374  [**] [1:2403393:73004] ET CINS Active Threat Intelligence Poor Reputation IP group 94 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 89.248.195.202:57104 -> 209.23.8.4:6061
09/19/2023-10:10:19.951353  [**] [1:2403341:73004] ET CINS Active Threat Intelligence Poor Reputation IP group 42 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 45.137.21.208:42694 -> 209.23.8.4:57335
09/19/2023-10:11:21.477358  [**] [1:2403369:73004] ET CINS Active Threat Intelligence Poor Reputation IP group 70 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 61.190.237.40:48539 -> 209.23.8.4:2375
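The fast.log excerpts above and in the earlier alert-log section share one line format. The following parser and summary, added here as an example and not part of the original tutorial, turns such lines into records and reports the most frequent signatures and source addresses; the sample input is copied from the alert lines shown on this page plus one deliberately malformed line to show that junk is skipped rather than crashing the script.

```python
import re
from collections import Counter

# One Suricata fast.log line:
# <date-time>  [**] [gid:sid:rev] <msg> [**] [Classification: ...] [Priority: N] {PROTO} src:port -> dst:port
FAST_LOG_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"\[Classification:\s*(?P<cls>[^\]]+)\]\s+\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[^\s:]+):(?P<sport>\d+)\s+->\s+(?P<dst>[^\s:]+):(?P<dport>\d+)$"
)

# Constructed sample: alert lines taken from the fast.log output on this page,
# followed by one bogus line that the parser must ignore.
SAMPLE_FAST_LOG = """\
09/19/2023-10:06:23.059177  [**] [1:2403342:73004] ET CINS Active Threat Intelligence Poor Reputation IP group 43 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 45.155.205.43:54612 -> 209.23.8.4:14381
09/19/2023-10:08:52.933947  [**] [1:2402000:6215] ET DROP Dshield Block Listed Source group 1 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 197.248.133.173:24721 -> 209.23.8.4:9307
09/19/2023-10:09:52.284374  [**] [1:2402000:6215] ET DROP Dshield Block Listed Source group 1 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 89.248.195.202:57104 -> 209.23.8.4:6061
09/19/2023-10:10:52.284374  [**] [1:2403393:73004] ET CINS Active Threat Intelligence Poor Reputation IP group 94 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 89.248.195.202:57104 -> 209.23.8.4:6061
this line is not a Suricata alert and must be skipped
"""


def parse_fast_log(text):
    """Parse fast.log text into a list of dicts; lines that do not match are skipped."""
    alerts = []
    for line in text.splitlines():
        m = FAST_LOG_RE.match(line.strip())
        if not m:
            continue  # rotated/garbled lines must not abort the whole run
        rec = m.groupdict()
        for key in ("gid", "sid", "rev", "prio", "sport", "dport"):
            rec[key] = int(rec[key])
        alerts.append(rec)
    return alerts


def summarize(alerts, top=5):
    """Return the most common (sid, msg) pairs and the most common source IPs."""
    by_sig = Counter((a["sid"], a["msg"]) for a in alerts)
    by_src = Counter(a["src"] for a in alerts)
    return by_sig.most_common(top), by_src.most_common(top)


if __name__ == "__main__":
    parsed = parse_fast_log(SAMPLE_FAST_LOG)
    for (sid, msg), n in summarize(parsed)[0]:
        print(f"{n:4d}  sid={sid}  {msg}")
```

To run it against a live server, replace SAMPLE_FAST_LOG with the contents of /var/log/suricata/fast.log.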

Conclusion

Congratulations! You have successfully installed and configured Suricata IDS on Rocky Linux. You now know how to install Suricata, keep its rules updated, and read its alert and statistics logs; the same engine can also be run as an IPS to block traffic that matches its rules.