Suricata is a powerful Network Monitoring tool that allows you to examine and process every packet of internet traffic that flows through your server. With its ability to generate log events, trigger alerts, and drop traffic upon detecting any suspicious activity, Suricata is an essential component of any robust security infrastructure.
In this tutorial, we will guide you through the installation and configuration process of Suricata IDS (Intrusion Detection System) along with Elastic Stack on a Rocky Linux 8 server. Elastic Stack includes Elasticsearch, Kibana, and Filebeat, which work synergistically with Suricata to create a comprehensive Security Information and Event Management (SIEM) tool.
The installation and configuration of Suricata and Elastic Stack will be performed on separate servers, but they can also be installed on the same server if desired. Before we begin, let’s ensure that we have met the necessary prerequisites.
Prerequisites
Before proceeding with the installation, ensure that you have the following prerequisites in place:
- Servers: You will need two servers, each with a minimum of 4GB RAM and 2 CPU cores. These servers should be able to communicate with each other using private IP addresses.
- Operating System: Both servers should be running Rocky Linux 8 with a non-root sudo user.
- Domain Setup: If you want to access Kibana dashboards from anywhere, set up a domain (e.g., kibana.example.com) pointing to the server where Suricata will be installed.
- Essential Packages: Install essential packages on both servers using the following command:
$ sudo dnf install yum-utils nano curl
Now that we have the prerequisites in place, let’s proceed with the installation and configuration of Suricata.
Part 1: Installing and Configuring Suricata
Step 1 – Install Suricata
To install Suricata, we need to add the Open Information Security Foundation’s (OISF) package repository to our server. Run the following commands to add the repository:
$ sudo dnf install 'dnf-command(copr)'
$ sudo dnf copr enable @oisf/suricata-6.0
$ sudo dnf install epel-release
$ sudo dnf install suricata
After installing Suricata, enable the Suricata service using the following command:
$ sudo systemctl enable suricata
Step 2 – Configure Suricata
Suricata stores its configuration in the /etc/suricata/suricata.yaml file. Open the file for editing using the following command:
$ sudo nano /etc/suricata/suricata.yaml
By default, Suricata operates in the IDS (Intrusion Detection System) mode, where it only logs traffic without taking any action. We recommend keeping the default mode unchanged if you are new to Suricata. However, you can switch to the IPS (Intrusion Prevention System) mode once you are familiar with the tool.
Enable Community ID:
The Community ID feature in Suricata makes it easier to correlate data between records generated by different monitoring tools. To enable Community ID, locate the following line in the suricata.yaml file:
# Community Flow ID
# Adds a 'community_id' field to EVE records. These are meant to give
# records a predictable flow ID that can be used to match records to
# output of other tools such as Zeek (Bro).
#
# Takes a 'seed' that needs to be same across sensors and tools
# to make the id less predictable.
# enable/disable the community id feature.
community-id: true
Uncomment the line and set the value of community-id to true as shown above. This will enable the Community ID feature in Suricata.
Select Network Interface:
The default Suricata configuration file inspects traffic on the eth0 network interface. If your server uses a different network interface, you will need to update it in the configuration. To find the device name of your network interface, use the following command:
$ ip -p -j route show default
Locate the dev variable in the output, which refers to the networking device. Open the Suricata configuration file again:
$ sudo nano /etc/suricata/suricata.yaml
Find the following line in the configuration file:
af-packet:
  - interface: eth0
Replace eth0 with the device name of your network interface.
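A quick pre-flight check for this step, added here as an example and not part of the original tutorial: it reads the dev value out of the JSON that ip -j route show default prints and compares it with the interface named under af-packet in suricata.yaml. The route output and the yaml excerpt embedded below are constructed stand-ins for real command output and the real configuration file.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: verify that the interface
# Suricata's af-packet section names is the one carrying the default route.
# SAMPLE_ROUTE and the yaml excerpt are constructed stand-ins.

# Extract the "dev" value of the first default route from `ip -j route show default`.
# Splitting on ',' and '{' isolates each key so the first route wins; no jq needed.
default_iface() {
    printf '%s\n' "$1" | tr ',{' '\n\n' | sed -n 's/^ *"dev": *"\([^"]*\)".*/\1/p' | head -n 1
}

# Extract the first interface listed under af-packet: in a suricata.yaml file.
# The block ends at the next top-level key (a line not starting with space, '#' or '-').
afpacket_iface() {
    awk '/^af-packet:/ { in_af = 1; next }
         in_af && /^[^ #-]/ { in_af = 0 }
         in_af && /^ *- *interface:/ { sub(/.*interface: */, ""); print; exit }' "$1"
}

# Succeeds only when a default route exists and its device matches the yaml.
iface_matches() {
    [ -n "$(default_iface "$1")" ] && [ "$(afpacket_iface "$2")" = "$(default_iface "$1")" ]
}

# Constructed sample: a server whose default route uses ens3, and the
# unedited default af-packet section still pointing at eth0.
SAMPLE_ROUTE='[{"dst":"default","gateway":"10.0.0.1","dev":"ens3","protocol":"dhcp","metric":100,"flags":[]}]'
SAMPLE_YAML=$(mktemp)
trap 'rm -f "$SAMPLE_YAML"' EXIT
cat > "$SAMPLE_YAML" <<'EOF'
# suricata.yaml excerpt (constructed)
community-id: true

af-packet:
  - interface: eth0
    cluster-id: 99
    cluster-type: cluster_flow
EOF

if iface_matches "$SAMPLE_ROUTE" "$SAMPLE_YAML"; then
    echo "af-packet interface matches the default route"
else
    echo "mismatch: suricata.yaml names $(afpacket_iface "$SAMPLE_YAML"), default route uses $(default_iface "$SAMPLE_ROUTE")"
fi
# On a real server: iface_matches "$(ip -j route show default)" /etc/suricata/suricata.yaml
```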
Live Rule Reload:
By enabling Live Rule Reload, Suricata can process any rule changes without restarting. To enable live reloading, add the following lines at the bottom of the configuration file:
detect-engine:
  - rule-reload: true
With live reloading enabled, you can use the following command to reload rules without restarting Suricata:
$ sudo kill -usr2 $(pidof suricata)
Configure Directory Permissions:
Suricata automatically creates a system user and group named suricata during the installation process. To ensure proper directory permissions, run the following commands:
$ sudo chgrp -R suricata /etc/suricata
$ sudo chgrp -R suricata /var/lib/suricata/rules
$ sudo chgrp -R suricata /var/lib/suricata/update
$ sudo chgrp -R suricata /var/log/suricata
$ sudo chmod -R g+r /etc/suricata/
$ sudo chmod -R g+rw /var/lib/suricata/rules
$ sudo chmod -R g+rw /var/lib/suricata/update
$ sudo chmod -R g+rw /var/log/suricata
$ sudo usermod -a -G suricata shapehost
Note: Replace shapehost with your username.
Step 3 – Configure Suricata Rules
Suricata comes with a limited set of default rules to detect network traffic. You can enhance its capabilities by adding more rulesets from external providers. To do this, we will use a tool called suricata-update. Run the following command to include additional rules:
$ suricata-update
This command will fetch the latest rules from the default provider. You can also add more providers to expand Suricata’s rules. To list the available providers, use the following command:
$ suricata-update list-sources
To enable a specific provider, use the following command:
$ suricata-update enable-source provider_name
Replace provider_name with the name of the provider you wish to enable.
Step 4 – Validate Suricata Configuration
It is crucial to validate the Suricata configuration before running it. Suricata ships with a validation tool that checks the configuration file and rules for errors. Run the following command to validate the configuration:
$ sudo suricata -T -c /etc/suricata/suricata.yaml
If the configuration is valid, you will see a success message. Otherwise, review the error message and make the necessary changes to the configuration file.
Step 5 – Running Suricata
Now that Suricata is configured, start the Suricata service using the following command:
$ sudo systemctl start suricata
To check the status of the Suricata process, use the following command:
$ sudo systemctl status suricata
If Suricata is running correctly, you should see a status message indicating that it is active.
Step 6 – Testing Suricata Rules
To test whether Suricata is detecting any suspicious traffic, we will use a sample command. Run the following command:
$ curl http://testmynids.org/uid/index.html
The page returned by this command mimics the output of the id command as it would appear on a compromised system, so Suricata's rules should flag the response. To check whether Suricata detected the traffic, use the following command:
$ sudo tail -f /var/log/suricata/suricata.log
If Suricata detected the traffic, you will see a log entry indicating the detection.
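Alerts are recorded in Suricata's EVE JSON output, which the default configuration writes to /var/log/suricata/eve.json; the script below, an added example that is not part of the original tutorial, scans that file for alert records and reports whether a given signature id fired. The sample log lines are constructed, modelled on the ET Open rule (sid 2100498) that the testmynids.org page is designed to trigger.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: list the alerts Suricata
# wrote to its EVE JSON log and check whether a given signature id fired.
# Assumes the default eve.json output; the log lines below are constructed.

# Print "signature_id signature" for each alert record in an EVE JSON file.
# EVE writes one JSON object per line, and inside "alert" the signature_id
# key precedes the signature key, which the sed expression relies on.
eve_alerts() {
    grep '"event_type":"alert"' "$1" |
        sed -n 's/.*"signature_id":\([0-9]*\),.*"signature":"\([^"]*\)".*/\1 \2/p'
}

# Number of alert records in the file (0 when there are none).
alert_count() {
    eve_alerts "$1" | wc -l | tr -d ' '
}

# Succeeds when at least one alert with the given signature id is present.
alert_fired() {
    eve_alerts "$1" | grep -q "^$2 "
}

# Constructed sample eve.json: a flow record, the HTTP request from Step 6,
# and the alert raised by the ET Open rule that matches the fake id output.
SAMPLE_EVE=$(mktemp)
trap 'rm -f "$SAMPLE_EVE"' EXIT
cat > "$SAMPLE_EVE" <<'EOF'
{"timestamp":"2024-01-01T12:00:00.000000+0000","flow_id":1,"in_iface":"ens3","event_type":"flow","src_ip":"10.0.0.5","dest_ip":"10.0.0.1","proto":"UDP"}
{"timestamp":"2024-01-01T12:00:01.000000+0000","flow_id":2,"in_iface":"ens3","event_type":"http","src_ip":"10.0.0.5","dest_ip":"203.0.113.10","proto":"TCP","http":{"hostname":"testmynids.org","url":"/uid/index.html","http_method":"GET"}}
{"timestamp":"2024-01-01T12:00:01.100000+0000","flow_id":2,"in_iface":"ens3","event_type":"alert","src_ip":"203.0.113.10","dest_ip":"10.0.0.5","proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2100498,"rev":7,"signature":"GPL ATTACK_RESPONSE id check returned root","category":"Potentially Bad Traffic","severity":2}}
EOF

echo "alerts in sample: $(alert_count "$SAMPLE_EVE")"
eve_alerts "$SAMPLE_EVE"
if alert_fired "$SAMPLE_EVE" 2100498; then
    echo "the Step 6 test request was detected"
fi
# On a real sensor: alert_fired /var/log/suricata/eve.json 2100498
```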
Congratulations! You have successfully installed and configured Suricata IDS on Rocky Linux 8. In the next part of this tutorial, we will install and configure the Elastic Stack components, including Elasticsearch, Kibana, and Filebeat, to visualize Suricata and its logs.
Stay tuned for Part 2 of this tutorial, where we will guide you through the installation and configuration of Elastic Stack on a separate server.