Suricata is high-performance, open-source network analysis and threat detection software used by most private and public organizations, and embedded by major vendors to protect their assets.
Topology
I'll be using a Debian 11 container running on Proxmox for this.
Now that we have Suricata installed, let's give it an interface to listen on. Run ifconfig or ip a to find your IP and subnet, then edit your suricata.yaml file to include it.
eth0@if44: inet 192.168.100.173/24 brd 192.168.100.255 scope global dynamic eth0
sudo vim /etc/suricata/suricata.yaml
# Suricata configuration file. In addition to the comments describing all
# options in this file, full documentation can be found at:
# https://suricata.readthedocs.io/en/latest/configuration/suricata-yaml.html

##
## Step 1: Inform Suricata about your network
##

vars:
  # more specific is better for alert accuracy and performance
  address-groups:
    HOME_NET: "[192.168.100.0/24]" # My subnet and mask
    #HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
    #HOME_NET: "[192.168.0.0/16]"
    #HOME_NET: "[10.0.0.0/8]"
    #HOME_NET: "[172.16.0.0/12]"
    #HOME_NET: "any"
# Scroll down to Port Groups
<..>
  port-groups:
    HTTP_PORTS: "80,8000" # Add 8000 for Splunk
    SHELLCODE_PORTS: "!80"
    ORACLE_PORTS: 1521
    SSH_PORTS: 22
    DNP3_PORTS: 20000
    MODBUS_PORTS: 502
    FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]"
    FTP_PORTS: 21
    GENEVE_PORTS: 6081
    VXLAN_PORTS: 4789
    TEREDO_PORTS: 3544
<..>
# Find af-packet
##
## Step 3: Configure common capture settings
##
## See "Advanced Capture Options" below for more options, including Netmap
## and PF_RING.
##

# Linux high speed capture support
af-packet:
  - interface: eth0 # Change this to your interface
    cluster-type: cluster_flow
    defrag: yes
    use-mmap: yes
    tpacket-v3: yes
# Leave everything else as default
Signatures
Suricata uses signatures to trigger alerts, so it is necessary to install them and keep them updated. Signatures are also called rules, hence the name rule-files. With the tool suricata-update, rules can be fetched, updated and managed for Suricata.
In this guide we just run the default mode which fetches the ET Open ruleset:
suricata-update
Afterwards the rules are installed under /var/lib/suricata/rules, which is also the default rule path in the config, merged into a single suricata.rules file.
Running Suricata
# With the rules installed, Suricata can run properly and thus we restart it:
sudo systemctl restart suricata
# To make sure Suricata is running check the Suricata log:
sudo tail /var/log/suricata/suricata.log
# The last line will be similar to this:
<Notice> - all 4 packet processing threads, 4 management threads initialized, engine started.
# The actual thread count will depend on the system and the configuration.
# The number of packet processing threads is set per capture interface in the
# af-packet section of suricata.yaml. "auto" uses the number of cores:
#   af-packet:
#     - interface: eth0
#       # Number of receive threads. "auto" uses the number of cores
#       threads: auto   # <-- change this in suricata.yaml
# To see statistics, check the stats.log file:
sudo tail -f /var/log/suricata/stats.log
# By default it is updated every 8 seconds with the current state, such as how many packets have been processed and what types of traffic were decoded.
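As an added example (not part of the original post), the script below parses the most recent block of stats.log, using a constructed sample that mirrors the Counter | TM Name | Value layout, and reports whether packets are arriving on the af-packet interface and what share of them the kernel dropped. The 1% drop threshold is an assumption to tune for your link.

```python
"""Sanity-check the latest stats.log block: are packets arriving, are any dropped?"""
import re
import sys
from typing import Dict

# Constructed sample resembling /var/log/suricata/stats.log (not real output).
SAMPLE_STATS = """\
------------------------------------------------------------------------------------
Date: 1/1/2024 -- 12:00:00 (uptime: 0d, 00h 00m 08s)
------------------------------------------------------------------------------------
Counter                                    | TM Name                   | Value
------------------------------------------------------------------------------------
capture.kernel_packets                     | Total                     | 100
capture.kernel_drops                       | Total                     | 0
decoder.pkts                               | Total                     | 100
detect.alert                               | Total                     | 1
------------------------------------------------------------------------------------
Date: 1/1/2024 -- 12:00:08 (uptime: 0d, 00h 00m 16s)
------------------------------------------------------------------------------------
Counter                                    | TM Name                   | Value
------------------------------------------------------------------------------------
capture.kernel_packets                     | Total                     | 2500
capture.kernel_drops                       | Total                     | 50
decoder.pkts                               | Total                     | 2450
detect.alert                               | Total                     | 3
"""

# counter name | thread/module name | integer value
COUNTER_RE = re.compile(r"^(\S+)\s+\|\s+(\S+)\s+\|\s+(\d+)\s*$")

def parse_latest(text: str) -> Dict[str, int]:
    """Return {counter: value} for the last 'Date:' block, Total column only."""
    counters: Dict[str, int] = {}
    for line in text.splitlines():
        if line.startswith("Date: "):
            counters = {}  # a new block starts; discard the previous one
            continue
        m = COUNTER_RE.match(line)
        if m and m.group(2) == "Total":
            counters[m.group(1)] = int(m.group(3))
    return counters

def capture_health(counters: Dict[str, int]) -> Dict[str, object]:
    """Summarise capture counters; drop threshold of 1% is an assumption."""
    packets = counters.get("capture.kernel_packets", 0)
    drops = counters.get("capture.kernel_drops", 0)
    drop_pct = round(100.0 * drops / packets, 2) if packets else 0.0
    return {"packets": packets, "drops": drops, "drop_pct": drop_pct,
            "seeing_traffic": packets > 0, "drops_ok": drop_pct < 1.0}

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_STATS
    print(capture_health(parse_latest(text)))
```

Run it with /var/log/suricata/stats.log as the argument; a counter of zero packets usually means the wrong interface name in the af-packet section, while a rising drop percentage points at too few threads.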
Optional - Web Interface
Click on the free option, then sign up.
Activate your account, then follow this guide to install it.
Rules & Rule Management
Rules Upkeep with PulledPork
The good thing about Suricata is that it can use Snort rules. This lets us use the Snort tool PulledPork to get access to a larger ruleset, and it also makes transitioning from Snort to Suricata easy.
The script downloaded PulledPork into your /opt/pulledpork3 directory. We will use the default ruleset from the ET Open rule-set.
# Edit your pulledpork config file
vim /opt/pulledpork3/etc/pulledpork.conf
# and add this line
rule_url=https://rules.emergingthreats.net/|emerging.rules.tar.gz|open
# It should look like this
# Which Snort/Talos rulesets do you want to download (recommended: choose only one)
community_ruleset = false
registered_ruleset = false
LightSPD_ruleset = false
# Your Snort oinkcode is required for snort/talos Subscription, Light_SPD, and Registered rulesets
oinkcode = xxxxx
# which blocklists to download
snort_blocklist = false
et_blocklist = false
# additional blocklists to download from a URL, comma-separated
#blocklist_urls = http://a.b.com/list.list
# Where to write the blocklist file (single file containing all blocklists downloaded)
blocklist_path = /usr/local/etc/lists/default.blocklist
# Custom Rules
rule_url=https://rules.emergingthreats.net/|emerging.rules.tar.gz|open
<..>
# Now, run this to pull the ruleset and have it autoupdate
/opt/pulledpork/pulledpork.pl -S suricata-6.0.1 -c /opt/pulledpork/etc/pulledpork.conf
Managing Rules with suricata-update
Download the latest version of Suricata from .
Don't worry if you run into this error, you will fix it in