Suricata 4.1 + Ubuntu 18.04 – Binary Installation

This post is part of a learning series on leveraging Suricata IDS for Network Security Monitoring. I will cover Suricata configuration, architecture, rules management, log analysis and advanced topics including rule writing and intrusion investigation throughout the series.

Suricata is available in Ubuntu's default repositories (the universe component), where the package is maintained by members of the Ubuntu MOTU Developers community. Unfortunately, it is not always the latest stable release. As of writing, the repository offered v3.2 while the current upstream stable release was v4.1, a substantial lag in packaging.

ubuntu@ubuntu:~$ sudo apt list -a suricata
Listing… Done
suricata/bionic,now 3.2-2ubuntu3 amd64


“Check out the Ubuntu Packaging Guide if you are interested in contributing to the community by maintaining packages.”

However, the Open Information Security Foundation (OISF), which develops Suricata, maintains an official PPA for Ubuntu, and that is the preferred way to get the latest stable release. Adding the repository is simple: add-apt-repository writes a sources entry under /etc/apt/sources.list.d/ and imports the PPA's signing key into apt's trusted keyring, so from then on packages from it are accepted like those from the Ubuntu archive. Trust therefore rests on the OISF team's Launchpad account, which builds and signs the packages; treat the "Press [ENTER]" prompt below as the moment you are extending that trust.

ubuntu@ubuntu:~$ sudo add-apt-repository ppa:oisf/suricata-stable
[sudo] password for ubuntu:
Suricata IDS/IPS/NSM stable packages
http://www.openinfosecfoundation.org/
http://planet.suricata-ids.org/
http://suricata-ids.org/
Suricata IDS/IPS/NSM - Suricata is a high performance Intrusion Detection and Prevention System and Network Security Monitoring engine.
Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.
This Engine supports:
Multi-Threading - provides for extremely fast and flexible operation on multicore systems.
Multi Tenancy - Per vlan/Per interface
TLS/SSL certificate matching/logging
JA3 TLS client fingerprinting
IEEE 802.1ad (QinQ) and IEEE 802.1Q (VLAN) support
All JSON output/logging capability
IDS runmode
IPS runmode
IDPS runmode
NSM runmode
Automatic Protocol Detection and logging - IPv4/6, TCP, UDP, ICMP, HTTP, SMTP, TLS, SSH, FTP, SMB, DNS, NFS, TFTP, KRB5, DHCP, IKEv2
SCADA automatic protocol detection - ENIP/DNP3/MODBUS
File Extraction HTTP/SMTP/FTP/NFS/SMB - over 4000 file types recognized and extracted from live traffic.
File MD5/SHA1/SHA256 matching
Gzip Decompression
Fast IP Matching
Rustlang enabled protocol detection
Lua scripting
and many more great features -
http://suricata-ids.org/features/all-features/
More info: https://launchpad.net/~oisf/+archive/ubuntu/suricata-stable
Press [ENTER] to continue or Ctrl-c to cancel adding it.
Get:1 http://security.ubuntu.com/ubuntu bionic-security InRelease [83.2 kB]
Hit:2 http://archive.ubuntu.com/ubuntu bionic InRelease
Get:3 http://ppa.launchpad.net/oisf/suricata-stable/ubuntu bionic InRelease [15.4 kB]
Get:4 http://archive.ubuntu.com/ubuntu bionic-updates InRelease [88.7 kB]
Get:5 http://ppa.launchpad.net/oisf/suricata-stable/ubuntu bionic/main amd64 Packages [1,564 B]
Get:6 http://archive.ubuntu.com/ubuntu bionic-backports InRelease [74.6 kB]
Get:7 http://ppa.launchpad.net/oisf/suricata-stable/ubuntu bionic/main Translation-en [1,272 B]
Fetched 265 kB in 2s (111 kB/s)
Reading package lists… Done

ubuntu@ubuntu:~$ sudo apt update
Get:1 http://security.ubuntu.com/ubuntu bionic-security InRelease [83.2 kB]
Hit:2 http://archive.ubuntu.com/ubuntu bionic InRelease
Hit:3 http://ppa.launchpad.net/oisf/suricata-stable/ubuntu bionic InRelease
Get:4 http://archive.ubuntu.com/ubuntu bionic-updates InRelease [88.7 kB]
Get:5 http://archive.ubuntu.com/ubuntu bionic-backports InRelease [74.6 kB]
Fetched 247 kB in 2s (103 kB/s)
Reading package lists… Done
Building dependency tree
Reading state information… Done
120 packages can be upgraded. Run 'apt list --upgradable' to see them.

With the OISF repository enabled, apt now offers the latest stable release, v4.1.0 as of today, alongside the 3.2 build from the Ubuntu archive.

ubuntu@ubuntu:~$ sudo apt list -a suricata
Listing… Done
suricata/bionic 4.1.0-0ubuntu1 amd64
suricata/bionic,now 3.2-2ubuntu3 amd64
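Before installing, it is worth confirming that the candidate apt will actually pick comes from the OISF PPA rather than the archive or some other source that happens to be enabled. The helper below is an added example and not code from the original post: a POSIX shell function that parses `apt-cache policy` output and reports which repository supplies the candidate version, plus a wrapper that refuses to proceed if the origin is not the one you expect. The sample policy output is constructed from the versions shown above, not captured from the author's machine.

```shell
#!/bin/sh
# Added example (not from the original post): confirm which repository
# supplies the apt candidate for a package before running `apt install`.

# candidate_source: read `apt-cache policy <pkg>` output on stdin and print
# "<candidate-version> <repository-url>" for the candidate's first origin.
# Exits 1 if no candidate or no origin row could be found.
candidate_source() {
    awk '
        /^[ \t]*Candidate:/     { cand = $2; next }
        /^[ \t]*Version table:/ { in_table = 1; next }
        in_table && NF >= 2 {
            # Version rows look like: [***] <version> <pin-priority>;
            # "***" marks the installed version, so shift fields when present.
            if ($1 == "***") { v = $2; pri = $3 } else { v = $1; pri = $2 }
            if (pri ~ /^-?[0-9]+$/) { want = (v == cand); next }
            # Origin rows look like: <priority> <url-or-path> ...; take the
            # first one that belongs to the candidate version.
            if (want && $1 ~ /^[0-9]+$/) { print cand, $2; found = 1; exit }
        }
        END { if (!found) exit 1 }
    '
}

# verify_candidate <pkg> <expected-url-prefix>: live check against apt's view.
# Returns non-zero (and prints a refusal) if the candidate comes from elsewhere.
verify_candidate() {
    pkg=$1; expect=$2
    src=$(apt-cache policy "$pkg" | candidate_source) || {
        echo "no candidate found for $pkg" >&2; return 1; }
    case "$src" in
        *" $expect"*) echo "ok: $pkg candidate is $src" ;;
        *) echo "REFUSING: $pkg candidate is $src, expected $expect" >&2; return 1 ;;
    esac
}

# Constructed sample mirroring the two versions shown in the post; this is
# not real output captured from the author's system.
SAMPLE_POLICY='suricata:
  Installed: 3.2-2ubuntu3
  Candidate: 4.1.0-0ubuntu1
  Version table:
     4.1.0-0ubuntu1 500
        500 http://ppa.launchpad.net/oisf/suricata-stable/ubuntu bionic/main amd64 Packages
 *** 3.2-2ubuntu3 500
        500 http://archive.ubuntu.com/ubuntu bionic/universe amd64 Packages
        100 /var/lib/dpkg/status'

# Offline usage: printf '%s\n' "$SAMPLE_POLICY" | candidate_source
#   -> 4.1.0-0ubuntu1 http://ppa.launchpad.net/oisf/suricata-stable/ubuntu
# Live usage:    verify_candidate suricata http://ppa.launchpad.net/oisf/suricata-stable/ubuntu
```

Run `verify_candidate suricata http://ppa.launchpad.net/oisf/suricata-stable/ubuntu` right before `apt install`; a non-zero exit means apt would pull the package from somewhere other than the PPA you just added, which is the case worth stopping on.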

Details of the package, including its dependencies and the repository it comes from, can be viewed with apt show.

ubuntu@ubuntu:~$ sudo apt show suricata
Package: suricata
Version: 4.1.0-0ubuntu1
Priority: optional
Section: net
Maintainer: Peter Manev petermanev@gmail.com
Installed-Size: 5,469 kB
Depends: python (<< 2.8), python (>= 2.7), python:any (>= 2.6.6-7~), libc6 (>= 2.27), libcap-ng0, libevent-2.1-6 (>= 2.1.8-stable), libevent-pthreads-2.1-6 (>= 2.1.8-stable), libgcc1 (>= 1:4.2), libgeoip1, libhiredis0.13 (>= 0.13.1), libhtp2 (>= 0.5.24+1git0439eed), libhyperscan4, libjansson4 (>= 2.2), libluajit-5.1-2 (>= 2.0.4+dfsg), liblz4-1 (>= 0.0~r127), liblzma5 (>= 5.1.1alpha+20120614), libmagic1 (>= 5.12), libnet1 (>= 1.1.5), libnetfilter-queue1, libnfnetlink0, libnspr4 (>= 2:4.9-2~), libnss3 (>= 2:3.13.4-2~), libpcap0.8 (>= 1.0.0), libpcre3, libyaml-0-2, zlib1g (>= 1:1.1.4), lsb-base (>= 3.0-6), wget, python-yaml, libluajit-5.1-common, liblzma-dev
Conflicts: libhtp1 (<< 0.5.16)
Replaces: libhtp1 (<< 0.5.16)
Download-Size: 1,675 kB
APT-Sources: http://ppa.launchpad.net/oisf/suricata-stable/ubuntu bionic/main amd64 Packages
Description: Suricata open source multi-thread IDS/IPS/NSM system.
Suricata IDS/IPS/NSM
http://www.openinfosecfoundation.org/
http://planet.suricata-ids.org/
http://suricata-ids.org/
Suricata IDS/IPS/NSM - Suricata is a high performance Intrusion Detection and Prevention System and Network Security Monitoring engine.
Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.
This Engine supports:
Multi-Threading - provides for extremely fast and flexible operation on multicore systems.
File Extraction, MD5 matching - over 4000 file types recognized and extracted from live traffic.
TLS/SSL certificate matching/logging
IEEE 802.1ad (QinQ) and IEEE 802.1Q (VLAN) support
All JSON output/logging capability
NSM runmode
Automatic Protocol Detection (IPv4/6, TCP, UDP, ICMP, HTTP, TLS, FTP, SMB, DNS )
Gzip Decompression
Fast IP Matching
Hardware acceleration on CUDA GPU cards
and many more great features -
http://suricata-ids.org/features/all-features/
N: There is 1 additional record. Please use the '-a' switch to see it

Installing the package with apt is then straightforward.

ubuntu@ubuntu:~$ sudo apt -y install suricata
Reading package lists… Done
Building dependency tree
Reading state information… Done
The following packages were automatically installed and are no longer required:
fonts-lato javascript-common libauthen-sasl-perl libdata-dump-perl libencode-locale-perl
libfile-listing-perl libfont-afm-perl libhtml-form-perl libhtml-format-perl
libhtml-parser-perl libhtml-tagset-perl libhtml-tree-perl libhtp-0.5.23-1
libhttp-cookies-perl libhttp-daemon-perl libhttp-date-perl libhttp-message-perl
libhttp-negotiate-perl libio-html-perl libio-socket-ssl-perl libjs-jquery libltdl7
liblwp-mediatypes-perl liblwp-protocol-https-perl libmailtools-perl libnet-http-perl
libnet-smtp-ssl-perl libnet-ssleay-perl libnetfilter-log1 libprelude23 libruby2.5
libtimedate-perl libtry-tiny-perl liburi-perl libwww-perl libwww-robotrules-perl oinkmaster
perl-openssl-defaults prelude-utils rake ruby ruby-did-you-mean ruby-minitest
ruby-net-telnet ruby-power-assert ruby-test-unit ruby2.5 rubygems-integration
snort-rules-default unzip zip
Use 'sudo apt autoremove' to remove them.
The following additional packages will be installed:
libevent-core-2.1-6 libevent-pthreads-2.1-6 libhtp2 libhyperscan4 liblzma-dev python-yaml
Suggested packages:
liblzma-doc
The following NEW packages will be installed:
libevent-core-2.1-6 libevent-pthreads-2.1-6 libhtp2 libhyperscan4 liblzma-dev python-yaml
suricata
0 upgraded, 7 newly installed, 0 to remove and 119 not upgraded.
Need to get 4,287 kB of archives.
After this operation, 22.4 MB of additional disk space will be used.
Get:1 http://archive.ubuntu.com/ubuntu bionic/universe amd64 libhyperscan4 amd64 4.7.0-1 [2,208 kB]
Get:2 http://ppa.launchpad.net/oisf/suricata-stable/ubuntu bionic/main amd64 libhtp2 amd64 1:0.5.28-0ubuntu2 [52.5 kB]
Get:3 http://ppa.launchpad.net/oisf/suricata-stable/ubuntu bionic/main amd64 suricata amd64 4.1.0-0ubuntu1 [1,675 kB]
Get:4 http://archive.ubuntu.com/ubuntu bionic/main amd64 libevent-core-2.1-6 amd64 2.1.8-stable-4build1 [85.9 kB]
Get:5 http://archive.ubuntu.com/ubuntu bionic/main amd64 libevent-pthreads-2.1-6 amd64 2.1.8-stable-4build1 [5,228 B]
Get:6 http://archive.ubuntu.com/ubuntu bionic/main amd64 python-yaml amd64 3.12-1build2 [115 kB]
Get:7 http://archive.ubuntu.com/ubuntu bionic/main amd64 liblzma-dev amd64 5.2.2-1.3 [145 kB]
Fetched 4,287 kB in 8s (514 kB/s)
Preconfiguring packages …
Selecting previously unselected package libhyperscan4.
(Reading database … 105189 files and directories currently installed.)
Preparing to unpack …/0-libhyperscan4_4.7.0-1_amd64.deb …
Unpacking libhyperscan4 (4.7.0-1) …
Selecting previously unselected package libevent-core-2.1-6:amd64.
Preparing to unpack …/1-libevent-core-2.1-6_2.1.8-stable-4build1_amd64.deb …
Unpacking libevent-core-2.1-6:amd64 (2.1.8-stable-4build1) …
Selecting previously unselected package libevent-pthreads-2.1-6:amd64.
Preparing to unpack …/2-libevent-pthreads-2.1-6_2.1.8-stable-4build1_amd64.deb …
Unpacking libevent-pthreads-2.1-6:amd64 (2.1.8-stable-4build1) …
Selecting previously unselected package libhtp2.
Preparing to unpack …/3-libhtp2_1%3a0.5.28-0ubuntu2_amd64.deb …
Unpacking libhtp2 (1:0.5.28-0ubuntu2) …
Selecting previously unselected package python-yaml.
Preparing to unpack …/4-python-yaml_3.12-1build2_amd64.deb …
Unpacking python-yaml (3.12-1build2) …
Selecting previously unselected package liblzma-dev:amd64.
Preparing to unpack …/5-liblzma-dev_5.2.2-1.3_amd64.deb …
Unpacking liblzma-dev:amd64 (5.2.2-1.3) …
Selecting previously unselected package suricata.
Preparing to unpack …/6-suricata_4.1.0-0ubuntu1_amd64.deb …
Unpacking suricata (4.1.0-0ubuntu1) …
Setting up python-yaml (3.12-1build2) …
Setting up libevent-core-2.1-6:amd64 (2.1.8-stable-4build1) …
Processing triggers for ureadahead (0.100.0-20) …
Setting up libevent-pthreads-2.1-6:amd64 (2.1.8-stable-4build1) …
Processing triggers for libc-bin (2.27-3ubuntu1) …
Processing triggers for systemd (237-3ubuntu10.9) …
Processing triggers for man-db (2.8.3-2) …
Setting up liblzma-dev:amd64 (5.2.2-1.3) …
Setting up libhyperscan4 (4.7.0-1) …
Setting up libhtp2 (1:0.5.28-0ubuntu2) …
Setting up suricata (4.1.0-0ubuntu1) …
Download and install the latest Emerging Threats Open ruleset
Downloading…
Latest ET Open rule set deployed in /etc/suricata/rules !

Processing triggers for libc-bin (2.27-3ubuntu1) …
Processing triggers for systemd (237-3ubuntu10.9) …
Processing triggers for ureadahead (0.100.0-20) …

Notice that the package's post-install step also downloads the free Emerging Threats Open ruleset (ET Open) into /etc/suricata/rules, which is why the package depends on wget and why the install reaches out to the network. Emerging Threats (now part of Proofpoint) also sells a commercial ruleset, ET Pro. Rules fetched once at install time go stale quickly, so plan for regular updates; Suricata 4.1 bundles the suricata-update tool for exactly this.

At this point the package has already started Suricata through its init script, with the ET Open ruleset loaded.

ubuntu@ubuntu:~$ sudo service suricata status
● suricata.service - LSB: Next Generation IDS/IPS
Loaded: loaded (/etc/init.d/suricata; generated)
Active: active (running) since Thu 2018-11-22 10:29:30 UTC; 7min ago
Docs: man:systemd-sysv-generator(8)
Tasks: 0 (limit: 2321)
CGroup: /system.slice/suricata.service
Nov 22 10:29:30 ubuntu systemd[1]: Starting LSB: Next Generation IDS/IPS…
Nov 22 10:29:30 ubuntu suricata[3044]: Starting suricata in IDS (af-packet) mode… done.
Nov 22 10:29:30 ubuntu systemd[1]: Started LSB: Next Generation IDS/IPS.

ubuntu@ubuntu:~$ suricata -V
This is Suricata version 4.1.0 RELEASE

Before trusting that status output, look at it more closely: `Tasks: 0` and an empty CGroup mean systemd is not tracking any Suricata process. The package still ships an LSB init script (/etc/init.d/suricata, wrapped by systemd-sysv-generator), so the "done" line only confirms that the script launched the daemon, not that the engine stayed up. Confirm with `pgrep -a suricata` and read /var/log/suricata/suricata.log, which names the interface it tried to open and, on success, reports that all packet processing threads were initialized. The Debian/Ubuntu package takes the capture mode and interface from /etc/default/suricata (LISTENMODE and IFACE), and its default of eth0 will not exist on an 18.04 host that uses predictable interface names such as ens33 or enp0s3.

Notice also that it is running in af-packet mode. I'll compose more detailed notes on af-packet and IDS rules in future, but the quick comment is that AF_PACKET is the Linux kernel's native packet-socket interface. Suricata uses its memory-mapped ring buffers (TPACKET_V3) and its fanout/cluster load balancing to spread one interface's traffic across several capture threads, which gives multi-gigabit IDS capture on a stock kernel and ordinary NICs without third-party drivers. Higher rates, tens of Gbps and up, generally call for specialised capture stacks such as PF_RING or Netmap.
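A quick post-install sanity check for the point above, as an added example that is not part of the original post: shell helpers that read the capture mode and interface from a Debian-style /etc/default/suricata and check that the interface actually exists on the host before you believe `service suricata status`. The defaults-file content embedded below is constructed to mirror the package's layout (RUN, LISTENMODE, IFACE), with eth0 chosen deliberately to show the failure case; it is not copied from the author's machine.

```shell
#!/bin/sh
# Added example (not from the original post): verify that the interface the
# Debian/Ubuntu package hands to Suricata exists before trusting the
# "Started LSB: Next Generation IDS/IPS" line from systemd.

# default_value <file> <KEY>: print the last KEY=value assignment in a
# shell-style defaults file, ignoring comment lines and stripping quotes.
default_value() {
    sed -n "s/^[[:space:]]*$2=\(.*\)\$/\1/p" "$1" | tail -n 1 | tr -d "\"'"
}

configured_iface() { default_value "${1:-/etc/default/suricata}" IFACE; }
configured_mode()  { default_value "${1:-/etc/default/suricata}" LISTENMODE; }

# iface_present <name> <newline-separated list>: exact, fixed-string match.
iface_present() {
    [ -n "$1" ] && printf '%s\n' "$2" | grep -qxF -- "$1"
}

# check_capture_iface [defaults-file] [iface-list]: combine the above. The
# interface list defaults to the kernel's view in /sys/class/net.
check_capture_iface() {
    defaults=${1:-/etc/default/suricata}
    ifaces=${2:-$(ls /sys/class/net)}
    mode=$(configured_mode "$defaults")
    iface=$(configured_iface "$defaults")
    case "$mode" in
        nfqueue) echo "ok: $mode mode does not bind a capture interface"; return 0 ;;
    esac
    if iface_present "$iface" "$ifaces"; then
        echo "ok: $mode on $iface"
    else
        echo "WARN: $mode configured on '$iface' but host interfaces are: $(printf '%s' "$ifaces" | tr '\n' ' ')" >&2
        return 1
    fi
}

# Constructed sample in the layout of the package's /etc/default/suricata
# (eth0 chosen to show the failure case; not the author's real file).
SAMPLE_DEFAULTS='# Configuration file for the Suricata IDS/IPS/NSM daemon
RUN=yes
SURCONF=/etc/suricata/suricata.yaml
LISTENMODE=af-packet
IFACE=eth0
NFQUEUE=0
PIDFILE=/var/run/suricata.pid'

# write_sample_defaults: put the sample in a temp file so the helpers can be
# exercised offline; prints the path.
write_sample_defaults() {
    f=$(mktemp) && printf '%s\n' "$SAMPLE_DEFAULTS" > "$f" && printf '%s\n' "$f"
}

# Live usage:    check_capture_iface && pgrep -a suricata
# Offline usage: f=$(write_sample_defaults); check_capture_iface "$f" "$(printf 'lo\nens33')"
```

On a real host, run `check_capture_iface` with no arguments; if it warns, edit IFACE in /etc/default/suricata to the name `ip link` actually shows, restart the service, and re-check both the status output and /var/log/suricata/suricata.log.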

What’s Next?

We’ll delve into the configuration and basic architecture of Suricata in follow-up posts.

Stay tuned!
