Suricata is a high performance, open source network analysis and threat detection software used by most private and public organizations, and embedded by major vendors to protect their assets.
Topology
I'll be using a Debian 11 container running on Proxmox for this.
Installation
Download the latest version of Suricata from this link.
Don't worry if you run into this error; you will fix it in the Signatures section.
Setting Up
Config
Now that we have Suricata installed, let's give it an interface to listen on. Run ifconfig or ip a to find your IP address and subnet, then edit your suricata.yaml file to include them.
eth0@if44: inet 192.168.100.173/24 brd 192.168.100.255 scope global dynamic eth0

sudo vim /etc/suricata/suricata.yaml

# Suricata configuration file. In addition to the comments describing all
# options in this file, full documentation can be found at:
# https://suricata.readthedocs.io/en/latest/configuration/suricata-yaml.html

##
## Step 1: Inform Suricata about your network
##

vars:
  # more specific is better for alert accuracy and performance
  address-groups:
    HOME_NET: "[192.168.100.0/24]"    # My subnet and mask
    #HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
    #HOME_NET: "[192.168.0.0/16]"
    #HOME_NET: "[10.0.0.0/8]"
    #HOME_NET: "[172.16.0.0/12]"
    #HOME_NET: "any"

# Scroll down to Port Groups
<..>
  port-groups:
    HTTP_PORTS: "80,8000"    # Add 8000 for Splunk
    SHELLCODE_PORTS: "!80"
    ORACLE_PORTS: 1521
    SSH_PORTS: 22
    DNP3_PORTS: 20000
    MODBUS_PORTS: 502
    FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]"
    FTP_PORTS: 21
    GENEVE_PORTS: 6081
    VXLAN_PORTS: 4789
    TEREDO_PORTS: 3544
<..>

# Find af-packet
##
## Step 3: Configure common capture settings
##
## See "Advanced Capture Options" below for more options, including Netmap
## and PF_RING.
##

# Linux high speed capture support
af-packet:
  - interface: eth0    # Change this to your interface
    cluster-type: cluster_flow
    defrag: yes
    use-mmap: yes
    tpacket-v3: yes

# Leave everything else as default
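The two values edited by hand above (HOME_NET and the af-packet interface) are the ones most often got wrong, and a mismatch silently degrades detection: traffic from the sensor's own subnet is then treated as external, or the engine listens on the wrong NIC. The script below is an added check written for this page, not part of the guide or of Suricata. It takes the ip a line and the edited suricata.yaml fragment, confirms that HOME_NET contains the interface's subnet, and confirms that the af-packet interface name matches. It uses only the Python standard library and pulls the address group out with a regular expression rather than a YAML parser; the sample ip a line and YAML fragment are constructed to match the values shown above.

```python
"""Check the two hand-edited values in suricata.yaml against the sensor's own
interface: does HOME_NET contain the interface's subnet, and does the
af-packet interface name match the one `ip a` reported?

Added example for this guide, not code from Suricata. Standard library only;
the address group is extracted with a regular expression rather than a YAML
parser, so only the first uncommented HOME_NET line is considered.
"""
import ipaddress
import re

# Constructed sample: the condensed `ip a` line shown in the guide.
SAMPLE_IP_A_LINE = (
    "eth0@if44: inet 192.168.100.173/24 brd 192.168.100.255 scope global dynamic eth0"
)

# Constructed sample: the fragments of suricata.yaml edited in the guide.
SAMPLE_SURICATA_YAML = """
vars:
  address-groups:
    HOME_NET: "[192.168.100.0/24]"    # My subnet and mask
    #HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
    EXTERNAL_NET: "!$HOME_NET"
af-packet:
  - interface: eth0    # Change this to your interface
    cluster-type: cluster_flow
"""


def interface_network(ip_a_line):
    """Return (interface name, IPv4Network) from an `ip a` inet line.

    The '@ifNN' suffix names the veth peer, not the interface Suricata binds
    to, so it is dropped from the name.
    """
    m = re.search(r"^(\S+?)(?:@\S+?)?:\s+inet\s+(\d+(?:\.\d+){3}/\d+)", ip_a_line)
    if not m:
        raise ValueError("no inet address found in: %r" % ip_a_line)
    return m.group(1), ipaddress.ip_interface(m.group(2)).network


def home_net_entries(yaml_text):
    """Return HOME_NET's entries, e.g. ['192.168.100.0/24'], or ['any'].

    Commented-out HOME_NET lines (leading '#') are skipped; a trailing
    '# comment' on the active line is ignored.
    """
    m = re.search(r'^\s*HOME_NET:\s*"?([^"#\n]+?)"?\s*(?:#.*)?$', yaml_text, re.MULTILINE)
    if not m:
        raise ValueError("no active HOME_NET line found")
    raw = m.group(1).strip()
    if raw.lower() == "any":
        return ["any"]
    return [e.strip() for e in raw.strip("[]").split(",") if e.strip()]


def home_net_covers(entries, network):
    """True when every address in `network` is part of HOME_NET.

    Entries are CIDRs or single addresses; a leading '!' excludes a range and
    'any' matches everything.
    """
    network = ipaddress.ip_network(str(network), strict=False)
    if entries == ["any"]:
        return True
    includes = [ipaddress.ip_network(e, strict=False) for e in entries if not e.startswith("!")]
    excludes = [ipaddress.ip_network(e[1:], strict=False) for e in entries if e.startswith("!")]
    included = any(network.subnet_of(n) for n in includes if n.version == network.version)
    excluded = any(network.overlaps(n) for n in excludes if n.version == network.version)
    return included and not excluded


def af_packet_interface(yaml_text):
    """Return the first af-packet interface name, or None if there is none."""
    m = re.search(r"^af-packet:\s*\n\s*-\s*interface:\s*(\S+)", yaml_text, re.MULTILINE)
    return m.group(1) if m else None


def check_sensor_config(ip_a_line, yaml_text):
    """Compare the interface reported by `ip a` with the edited suricata.yaml."""
    iface, net = interface_network(ip_a_line)
    entries = home_net_entries(yaml_text)
    return {
        "interface": iface,
        "network": str(net),
        "home_net": entries,
        "home_net_covers_interface": home_net_covers(entries, net),
        "af_packet_interface_matches": af_packet_interface(yaml_text) == iface,
    }


if __name__ == "__main__":
    # On a real sensor, read /etc/suricata/suricata.yaml instead of the sample.
    for key, value in check_sensor_config(SAMPLE_IP_A_LINE, SAMPLE_SURICATA_YAML).items():
        print(f"{key}: {value}")
```

Both checks should come back True for the configuration in this guide. If you later switch HOME_NET to one of the commented RFC 1918 alternatives, rerun the script against the saved file rather than trusting the edit by eye.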
Signatures
Suricata uses signatures to trigger alerts, so it's necessary to install them and keep them updated. Signatures are also called rules, hence the name rule-files. With the tool suricata-update, rules can be fetched, updated and managed for Suricata.
In this guide we just run the default mode, which fetches the ET Open ruleset:
suricata-update
Afterwards the rules are installed in /var/lib/suricata/rules, which is also the default path in the config, as a single suricata.rules file.
Running Suricata
# With the rules installed, Suricata can run properly and thus we restart it:
sudo systemctl restart suricata

# To make sure Suricata is running, check the Suricata log:
sudo tail /var/log/suricata/suricata.log

# The last line will be similar to this:
<Notice> - all 4 packet processing threads, 4 management threads initialized, engine started.
# The actual thread count will depend on the system and the configuration.

# Linux high speed capture support
#af-packet:
#  - interface: eth0
#    # Number of receive threads. "auto" uses the number of cores
#    threads: auto        <-- change this in suricata.yaml

# To see statistics, check the stats.log file:
sudo tail -f /var/log/suricata/stats.log
# By default, it is updated every 8 seconds to show updated values with the current state, like how many packets have been processed and what type of traffic was decoded.
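Reading stats.log by eye every 8 seconds does not scale, and the counter that matters most for a sensor's health, capture.kernel_drops, is easy to miss among the decoder rows. The script below is an added example for this page (not code from the guide or from Suricata) that parses the stats.log block format, reports the latest snapshot, computes the drop ratio and the number of packets seen since the previous snapshot, and flags drops above a threshold. The stats.log text it parses is a constructed sample shaped like real output; the 1% threshold is a choice made for this example, not a Suricata default.

```python
"""Parse Suricata's stats.log and flag capture drops.

Added example for this guide, not code from Suricata. stats.log is rewritten
every interval as a block of `counter | TM Name | value` rows; counters are
cumulative since engine start. The text below is a constructed sample shaped
like real output, and the 1% drop threshold is a choice for this example.
"""
import re

# Constructed sample: two snapshots, 8 seconds apart, the second one showing drops.
SAMPLE_STATS_LOG = """\
------------------------------------------------------------------------------------
Date: 1/5/2023 -- 10:00:08 (uptime: 0d, 00h 00m 08s)
------------------------------------------------------------------------------------
Counter                                    | TM Name                   | Value
------------------------------------------------------------------------------------
capture.kernel_packets                     | Total                     | 100000
capture.kernel_drops                       | Total                     | 0
decoder.pkts                               | Total                     | 100000
decoder.tcp                                | Total                     | 70000
decoder.udp                                | Total                     | 28000
------------------------------------------------------------------------------------
Date: 1/5/2023 -- 10:00:16 (uptime: 0d, 00h 00m 16s)
------------------------------------------------------------------------------------
Counter                                    | TM Name                   | Value
------------------------------------------------------------------------------------
capture.kernel_packets                     | Total                     | 250000
capture.kernel_drops                       | Total                     | 12500
decoder.pkts                               | Total                     | 237500
decoder.tcp                                | Total                     | 160000
decoder.udp                                | Total                     | 70000
detect.alert                               | Total                     | 3
"""

DATE_RE = re.compile(r"^Date:\s*(.+?)\s*\(uptime")
ROW_RE = re.compile(r"^(\S+)\s*\|\s*(\S+)\s*\|\s*(\d+)\s*$")


def parse_stats_log(text):
    """Split stats.log into snapshots: [{'date': ..., 'counters': {...}}, ...].

    A 'Total' row wins; otherwise per-thread rows (TM Name like W#01-eth0)
    for the same counter are summed. Header and separator lines never match
    ROW_RE, so they are skipped.
    """
    snapshots = []
    for line in text.splitlines():
        d = DATE_RE.match(line)
        if d:
            snapshots.append({"date": d.group(1), "_totals": {}, "_threads": {}})
            continue
        r = ROW_RE.match(line)
        if r and snapshots:
            name, tm_name, value = r.groups()
            bucket = snapshots[-1]["_totals" if tm_name == "Total" else "_threads"]
            bucket[name] = bucket.get(name, 0) + int(value)
    for snap in snapshots:
        snap["counters"] = {**snap.pop("_threads"), **snap.pop("_totals")}
    return snapshots


def drop_ratio(counters):
    """Fraction of packets the kernel dropped before Suricata could inspect them."""
    packets = counters.get("capture.kernel_packets", 0)
    return counters.get("capture.kernel_drops", 0) / packets if packets else 0.0


def interval_delta(snapshots, counter):
    """Growth of a cumulative counter between the last two snapshots (None if fewer than 2)."""
    if len(snapshots) < 2:
        return None
    return snapshots[-1]["counters"].get(counter, 0) - snapshots[-2]["counters"].get(counter, 0)


def assess_latest(text, max_drop_ratio=0.01):
    """Summarise the newest snapshot; None if the log holds no snapshots.

    Drops matter for detection: packets dropped at capture never reach the
    rules, so a high ratio means the sensor is partly blind even when alert
    volume looks normal.
    """
    snapshots = parse_stats_log(text)
    if not snapshots:
        return None
    latest = snapshots[-1]["counters"]
    ratio = drop_ratio(latest)
    return {
        "date": snapshots[-1]["date"],
        "packets": latest.get("capture.kernel_packets", 0),
        "drops": latest.get("capture.kernel_drops", 0),
        "drop_ratio": round(ratio, 4),
        "drops_exceed_threshold": ratio > max_drop_ratio,
        "packets_since_previous": interval_delta(snapshots, "capture.kernel_packets"),
        "alerts": latest.get("detect.alert", 0),
    }


if __name__ == "__main__":
    # On a live sensor, replace the sample with open("/var/log/suricata/stats.log").read().
    for key, value in assess_latest(SAMPLE_STATS_LOG).items():
        print(f"{key}: {value}")
```

With the sample, the second snapshot reports 5% drops and trips the threshold. On a real sensor a persistent non-zero drop ratio is the cue to revisit the af-packet threads setting mentioned above (and ring-buffer sizing) before tuning rules, since dropped traffic can never produce an alert.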
Optional - Web Interface
Click on the free option, then sign up.
Activate your account, then follow this guide to install it.
Rules & Rule Management
Rules Upkeep with PulledPork
The good thing with Suricata is that it can utilise Snort rules. This lets us use the Snort tool PulledPork to get access to a larger ruleset, and it also makes the transition from Snort to Suricata easier.
The script downloaded PulledPork into your /opt/pulledpork3 directory. We will use the default ruleset from the ET Open ruleset.
# Edit your pulledpork config file
vim /opt/pulledpork3/etc/pulledpork.conf

# and add this line
rule_url=https://rules.emergingthreats.net/|emerging.rules.tar.gz|open

# It should look like this

# Which Snort/Talos rulesets do you want to download (recommended: choose only one)
community_ruleset = false
registered_ruleset = false
LightSPD_ruleset = false

# Your Snort oinkcode is required for snort/talos Subscription, Light_SPD, and Registered rulesets
oinkcode = xxxxx

# which blocklists to download
snort_blocklist = false
et_blocklist = false

# additional blocklists to download from a URL, comma-separated
#blocklist_urls = http://a.b.com/list.list

# Where to write the blocklist file (single file containing all blocklists downloaded)
blocklist_path = /usr/local/etc/lists/default.blocklist

# Custom Rules
rule_url=https://rules.emergingthreats.net/|emerging.rules.tar.gz|open
<..>

# Now, run this to pull the ruleset and have it autoupdate
# Note: the config edited above lives under /opt/pulledpork3; make sure -c points at the file
# you actually edited and that the script path matches where PulledPork was installed.
/opt/pulledpork/pulledpork.pl -S suricata-6.0.1 -c /opt/pulledpork/etc/pulledpork.conf