Installing Suricata 4.1.2 from source on CentOS 7

This post is part of a learning series on leveraging Suricata IDS for Network Security Monitoring. I will cover Suricata configuration, architecture, rules management, log analysis and advanced topics including rule writing and intrusion investigation throughout the series.

A Suricata IDS binary package is available in the EPEL repository for CentOS 7, but it is not always the latest stable release. At the time of writing, v4.1.2 is the latest stable release while EPEL offers v4.0.6.

We’ll proceed with installing from the source tar.gz.

Installing prerequisites

Prepare the system by installing all the dependencies required for a fully working Suricata v4.2 installation.

$ sudo yum -y install epel-release
$ sudo yum -y install jq cargo openssl-devel PyYAML lz4-devel gcc libpcap-devel pcre-devel libyaml-devel file-devel zlib-devel jansson-devel nss-devel libcap-ng-devel libnet-devel tar make libnetfilter_queue-devel lua-devel

Download & Unpack Suricata v4.2

$ wget https://www.openinfosecfoundation.org/download/suricata-4.1.2.tar.gz
$ tar xzvf suricata-4.1.2.tar.gz
$ cd suricata-4.1.2

Compile & Install Suricata v4.2

$ ./configure --libdir=/usr/lib64 --prefix=/usr --sysconfdir=/etc --localstatedir=/var --enable-nfqueue --enable-lua
$ make
$ sudo make install-full

Verify Suricata Installation

$ suricata -V
This is Suricata version 4.1.2 RELEASE
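A small post-install check, added here as an example and not part of the original post: it parses the output of `suricata -V` and `suricata --build-info` so a build script can fail fast when the wrong binary is on PATH or one of the configure flags used above (--enable-nfqueue, --enable-lua) silently dropped out. The helper names are hypothetical; the feature labels are assumed to match the "NFQueue support:" / "LUA support:" lines that --build-info prints.

```shell
#!/bin/sh
# Added example (not from the original post): verify the source-built Suricata.
# Hypothetical helper functions; they only parse text, so they can be unit-tested
# without a Suricata binary present.

# Extract "4.1.2" from "This is Suricata version 4.1.2 RELEASE".
parse_version() {
    printf '%s\n' "$1" | sed -n 's/^This is Suricata version \([0-9][0-9.]*\).*/\1/p'
}

# Return 0 when the version line reports the expected release.
check_version() {
    [ "$(parse_version "$1")" = "$2" ]
}

# Return 0 when the build-info text reports the named feature as "yes".
# Feature names assumed from --build-info output: "NFQueue support", "LUA support".
check_feature() {
    printf '%s\n' "$1" | grep -Eq "^[[:space:]]*$2:[[:space:]]+yes"
}

# Run every check against the binary on PATH; prints a reason on failure.
verify_install() {
    expected="$1"
    command -v suricata >/dev/null 2>&1 || { echo "suricata not found in PATH" >&2; return 1; }
    ver_line=$(suricata -V 2>&1 | head -n 1)
    check_version "$ver_line" "$expected" || { echo "unexpected version: $ver_line" >&2; return 1; }
    info=$(suricata --build-info 2>&1)
    for feat in "NFQueue support" "LUA support"; do
        check_feature "$info" "$feat" || { echo "$feat missing: re-run ./configure" >&2; return 1; }
    done
    echo "suricata $expected OK with NFQueue and Lua support"
}

# Usage: sh verify_suricata.sh 4.1.2   (does nothing when called without an argument)
if [ -n "${1:-}" ]; then
    verify_install "$1"
fi
```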

ASCIInema Walk-through

Following is the asciinema walk-through of the above steps.


Suricata 4.1 + Ubuntu 18.04 – Binary Installation

This post is part of a learning series on leveraging Suricata IDS for Network Security Monitoring. I will cover Suricata configuration, architecture, rules management, log analysis and advanced topics including rule writing and intrusion investigation throughout the series.

Suricata IDS is available in the default repository, and the package is maintained by members of the Ubuntu MOTU Developers community. Unfortunately, it is not always the latest stable release. As of writing, it offered v3.2 while the official stable release was v4.1; that is a huge delay in packaging.

ubuntu@ubuntu:~$ sudo apt list -a suricata
Listing… Done
suricata/bionic,now 3.2-2ubuntu3 amd64


“Check out the Ubuntu Packaging Guide if you are interested in contributing to the community by maintaining packages.”

However, the Open InfoSec Foundation (OISF), the developers of Suricata, maintain an official repository for Ubuntu, and that is the preferred way to source the latest stable release. Installing the repository is simple.


Stop playing Whack’a Mole with Security Incidents

Last month I delivered a talk at CyberSecurePakistan’15 conference and made an attempt to shed light on a blackspot in our corporate network security monitoring (NSM) practices.

Companies are playing Whack-a-Mole with security incidents.

In the face of ever more sophisticated and targeted attacks, Network Security Monitoring (NSM) practices are becoming less concerned with intrusion analysis and more with playing Whack-a-Mole.

The Problem

The following statistics, derived from real-life security incident response operations, depict the problem clearly.


Verizon DBIR 2015

The above graph from the Verizon Data Breach Investigations Report (DBIR) maps compromise and discovery activities that took days or less. Around 80% of intrusions took days or less to compromise a network, but only 20% were discovered within days or less.

In 60% of cases, attackers are able to compromise an organization within MINUTES – Verizon DBIR 2015

What is the norm for the remaining 80% of discoveries, which did not take place within days?

Mandiant M-Trends 2015

According to Mandiant's incident response experience with Fortune 100 companies, it takes roughly 7 months just to discover a breach. The longest intrusion discovery time is 8 years (2,982 days).

Question to ask!

Where the heck are we disposing of the forensic artifacts for these intrusions?

The only reason we aren’t able to detect an intrusion for months is that either we aren’t acquiring enough artifacts or we are not processing them the right way.


SANS FOR408 here I come…

I will be taking the FOR408 course at SANS' first Digital Forensics and Incident Response (DFIR) themed training conference, dē-‘fәr-‘kän / DFIRCON 2014. I will be participating via Simulcast as I don't have the luxury to attend the conference live in Monterey, CA.

However, the best news I’ve heard is that SANS Institute has recently announced the new version of their Digital Forensics course FOR408 Computer Forensic Investigations – Windows in-depth.

The training is now renamed to "Windows Forensic Analysis"; however, the new title isn't the only change. Here is what SANS says about it:

This course utilizes a brand-new Windows 8.1 based case exercise that took over 6 months to create the data. Realistic example case data takes months to create in real time correctly. The example case is a Windows 8.1 based image that has the subject utilize Windows Phone, Office 365, Sharepoint, MS Portal Online, Skydrive/Onedrive, Dropbox, and USB external devices. Our development team spent months creating an incredibly realistic scenario. The case demonstrates the latest technologies an investigator would encounter analyzing a Windows operating system. The brand-new case workbook will detail, step by step, what each investigator could follow to examine the latest technologies including Windows 8.1.

So, I believe I’m right on time :) Course material arrived yesterday and I’m feeling excited to get onto the training.

FOR408 Student Kit