How to Install Suricata IDS on a Linux system
Add Date : 2018-11-21
As security threats persist, an intrusion detection system (IDS) has become a necessity in today's data center environments. However, as more and more servers upgrade their network cards to 10GB/40GB Ethernet, compute-intensive intrusion detection on such links becomes harder. One way to raise IDS performance is a multi-threaded IDS, which splits the CPU-intensive deep packet inspection work into multiple concurrent tasks. Such parallel detection takes full advantage of multi-core hardware and easily increases IDS throughput. Two well-known open source projects in this area are Suricata and Bro.

In this tutorial, I will show you how to install and configure Suricata IDS on a Linux server.


Installing Suricata IDS on Linux

Let us build Suricata from source, but before that you need to install the following dependencies.


Install dependencies on Debian, Ubuntu or Linux Mint

$ sudo apt-get install wget build-essential libpcre3-dev libpcre3-dbg automake autoconf libtool libpcap-dev libnet1-dev libyaml-dev zlib1g-dev libcap-ng-dev libjansson-dev

Install dependencies on CentOS, Fedora or RHEL

$ sudo yum install wget libpcap-devel libnet-devel pcre-devel gcc-c++ automake autoconf libtool make libyaml-devel zlib-devel file-devel jansson-devel nss-devel

Once all the dependencies are installed, we can proceed with the installation of Suricata.

First, download the Suricata source code from http://suricata-ids.org/download/, then build it. At the time of this writing, the latest version is 2.0.8.

$ wget http://www.openinfosecfoundation.org/download/suricata-2.0.8.tar.gz
$ tar -xvf suricata-2.0.8.tar.gz
$ cd suricata-2.0.8
$ ./configure --sysconfdir=/etc --localstatedir=/var

The following is sample output of the configure step.

AF_PACKET support: yes
PF_RING support: no
NFQueue support: no
NFLOG support: no
IPFW support: no
DAG enabled: no
Napatech enabled: no
Unix socket enabled: yes
Detection enabled: yes
libnss support: yes
libnspr support: yes
libjansson support: yes
Prelude support: no
PCRE jit: yes
LUA support: no
libluajit: no
libgeoip: no
Non-bundled htp: no
Old barnyard2 support: no
CUDA enabled: no
You can now compile and install it.

$ make
$ sudo make install

The Suricata source ships with default configuration files. Install these default configuration files as follows.

$ sudo make install-conf

As you would expect, Suricata does nothing without an IDS rule set. Fortunately, the Makefile provides an option to install IDS rule sets. Install them as follows.

$ sudo make install-rules

The rule installation command above downloads the current snapshot of the community rule set available from EmergingThreats.net and stores it in the /etc/suricata/rules directory.


Configuring Suricata IDS for the first time

Now it is time to configure Suricata. The configuration file is located at /etc/suricata/suricata.yaml. Open the file with a text editor using the following command.

$ sudo vi /etc/suricata/suricata.yaml

Below are the basic settings needed to run Suricata.

The default-log-dir keyword specifies where Suricata writes its log files.

default-log-dir: /var/log/suricata/

In the vars section, you will find a number of very important variables for Suricata. The HOME_NET variable specifies the network Suricata should inspect. The EXTERNAL_NET variable is assigned !$HOME_NET, which represents all networks other than the local network. The XXX_PORTS variables identify the port numbers used by the different services. Note that Suricata detects HTTP traffic automatically regardless of port, so specifying the ports correctly is less important.

HOME_NET: "[]"
The host-os-policy section exists because some well-known attack techniques exploit behaviours of the target operating system's network stack to evade detection (for example, through TCP reassembly). As a countermeasure, a modern IDS offers "target-based" detection, tuning the algorithms of its detection engine to the target operating system. So, if you know which operating system a host runs, providing that information to Suricata can significantly improve its detection success rate. In this example, the default IDS policy is for Linux systems: if no operating system is specified for an IP address, Suricata applies the Linux detection policy by default. In the configuration below, when traffic to or from the listed Windows hosts is captured, Suricata applies the Windows detection policy instead.

# These are Windows machines.
windows: [,]
bsd: []
bsd-right: []
old-linux: []
# Make the default policy Linux.
linux: []
old-solaris: []
solaris: ["::1"]
hpux10: []
hpux11: []
irix: []
macos: []
vista: []
windows2k3: []
In the threading section, you can specify CPU affinity for the different Suricata threads. By default, CPU affinity is disabled (set-cpu-affinity: no), which means Suricata's threads are spread across all available CPU cores. By default, Suricata creates one detection thread per CPU core. You can adjust this with detect-thread-ratio: N, which creates N * M detection threads, where M is the total number of CPU cores.

set-cpu-affinity: no
detect-thread-ratio: 1.5
With the threading settings above, Suricata creates 1.5 * M detection threads, where M is the total number of CPU cores in the system.

If you want to know more about Suricata's configuration, read the default configuration file itself; it carries extensive comments that make the options clear.
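Because EXTERNAL_NET is defined as !$HOME_NET, leaving HOME_NET empty or set to a catch-all such as "any" gives EXTERNAL_NET nothing to match, and rules written for $EXTERNAL_NET -> $HOME_NET traffic go quiet. The following shell check, added here as an example and not part of the original tutorial, pulls HOME_NET out of a suricata.yaml and rejects such settings before the sensor is started. The two configuration fragments it runs against are constructed (documentation prefixes), and the helper names yaml_var and check_home_net are my own.

```shell
#!/bin/sh
# Added example (not from the tutorial): sanity-check the vars section of
# suricata.yaml before starting the sensor. EXTERNAL_NET is !$HOME_NET, so a
# HOME_NET of "" / "[]" / "any" leaves EXTERNAL_NET with nothing to match.

# Print the value of a vars entry such as HOME_NET (first match wins, quotes stripped).
# $1: variable name, $2: path to suricata.yaml
yaml_var() {
    sed -n "s/^[[:space:]]*$1:[[:space:]]*//p" "$2" | head -n 1 | tr -d '"'
}

# Return 0 when HOME_NET is a concrete address list, 1 when it is unset or a catch-all.
check_home_net() {
    val=$(yaml_var HOME_NET "$1")
    case "$val" in
        ""|"[]"|"any"|"[any]")
            echo "WEAK: HOME_NET is '$val'; set it to the prefixes you monitor" >&2
            return 1 ;;
        *)
            echo "ok: HOME_NET=$val"
            return 0 ;;
    esac
}

# Constructed configuration fragments standing in for /etc/suricata/suricata.yaml
WEAK_CFG=$(mktemp); GOOD_CFG=$(mktemp)
trap 'rm -f "$WEAK_CFG" "$GOOD_CFG"' EXIT
cat > "$WEAK_CFG" <<'EOF'
vars:
  address-groups:
    HOME_NET: "any"
    EXTERNAL_NET: "!$HOME_NET"
EOF
cat > "$GOOD_CFG" <<'EOF'
vars:
  address-groups:
    HOME_NET: "[192.0.2.0/24,2001:db8::/32]"
    EXTERNAL_NET: "!$HOME_NET"
EOF

# On a real sensor: check_home_net /etc/suricata/suricata.yaml || exit 1
check_home_net "$WEAK_CFG" || echo "(weak config rejected, as expected)"
check_home_net "$GOOD_CFG"
```

The sed pattern tolerates the indentation used under address-groups, so the same function works for the other vars entries (EXTERNAL_NET, the XXX_PORTS variables) by changing the first argument.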


Using Suricata for intrusion monitoring

Now it is time to run Suricata, but before that there is one more step.

When you use the pcap capture mode, it is strongly recommended to turn off any packet offload features (such as LRO/GRO) on the network card Suricata monitors. These features can interfere with live packet capture.

Disable LRO/GRO on the eth0 interface as follows.

$ sudo ethtool -K eth0 gro off lro off

Note that with certain network cards you will see the following warning message. You can ignore it; it only tells you that your card does not support LRO.

Cannot change large-receive-offload

Suricata supports a number of run modes. The run mode determines how the IDS uses its threads. The following command lists all available run modes.
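Since the warning above is harmless only when the feature is already off, it is worth confirming the interface state from `ethtool -k` output rather than trusting the exit status of `ethtool -K`. The function below, an added example that is not part of the original tutorial, reads that output and prints any capture-relevant offload that is still enabled; the sample output it runs against is constructed, and the names offloads_still_on and CAPTURE_OFFLOADS are my own.

```shell
#!/bin/sh
# Added example (not from the tutorial): confirm that GRO/LRO are really off
# on the capture interface before starting Suricata in pcap mode.

# Offload features that must be off for reliable live capture, as the tutorial says.
CAPTURE_OFFLOADS="generic-receive-offload large-receive-offload"

# $1: text of `ethtool -k <iface>` output (passed as a string so it can run offline).
# Prints one line per listed feature that is still "on"; prints nothing when all are off.
offloads_still_on() {
    printf '%s\n' "$1" | awk -v want="$CAPTURE_OFFLOADS" '
        BEGIN { n = split(want, list, " "); for (i = 1; i <= n; i++) wanted[list[i]] = 1 }
        # lines look like "generic-receive-offload: on" or "large-receive-offload: off [fixed]"
        $1 ~ /:$/ {
            name = substr($1, 1, length($1) - 1)
            if ((name in wanted) && $2 == "on") print name
        }'
}

# Constructed sample resembling `ethtool -k eth0` on a NIC whose LRO is fixed off
SAMPLE_ETHTOOL_OUTPUT='Features for eth0:
rx-checksumming: on
tx-checksumming: on
scatter-gather: on
tcp-segmentation-offload: on
generic-segmentation-offload: on
generic-receive-offload: on
large-receive-offload: off [fixed]
rx-vlan-offload: on'

# Live usage (root needed):
#   still_on=$(offloads_still_on "$(ethtool -k eth0)")
#   [ -z "$still_on" ] || { echo "disable before starting Suricata: $still_on"; exit 1; }
echo "still enabled in sample output:"
offloads_still_on "$SAMPLE_ETHTOOL_OUTPUT"
```

A feature reported as `off [fixed]` cannot be changed by the driver, which is exactly the case the tutorial's warning refers to; the check treats it as safe because it is already off.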

$ sudo /usr/local/bin/suricata --list-runmodes

Suricata's default run mode is autofp (short for auto flow pinned load balancing). In this mode, packets belonging to a particular flow are assigned to a single detection thread. Flows are assigned to the thread with the lowest number of unprocessed packets.

Finally, let us start Suricata and see what happens.

$ sudo /usr/local/bin/suricata -c /etc/suricata/suricata.yaml -i eth0 --init-errors-fatal

In this example, we monitor the eth0 network interface on an 8-core system. As shown above, Suricata creates 13 packet processing threads and 3 management threads. The packet processing threads consist of one PCAP packet capture thread and 12 detection threads (from 8 * 1.5). This means one packet capture thread load-balances across 12 detection threads. The management threads consist of one flow manager and 2 counter/statistics threads.

The following is a screenshot of Suricata's processing threads (as shown by htop).

Suricata's detection logs are stored in the /var/log/suricata directory.

$ tail -f /var/log/suricata/fast.log
04/01/2015-15:47:12.559075  [**] [1:2200074:1] SURICATA TCPv4 invalid checksum [**] [Classification: (null)] [Priority: 3] {TCP} ->
04/01/2015-15:49:06.565901  [**] [1:2200074:1] SURICATA TCPv4 invalid checksum [**] [Classification: (null)] [Priority: 3] {TCP} ->
04/01/2015-15:49:06.566759  [**] [1:2200074:1] SURICATA TCPv4 invalid checksum [**] [Classification: (null)] [Priority: 3] {TCP} ->

Logs are also written in JSON format for easy import into other tools:

$ tail -f /var/log/suricata/eve.json
{"timestamp": "2015-04-01T15:49:06.565901", "event_type": "alert", "src_ip": "", "src_port": 22, "dest_ip": "", "dest_port": 46317, "proto": "TCP", "alert": {"action": "allowed", "gid": 1, "signature_id": 2200074, "rev": 1, "signature": "SURICATA TCPv4 invalid checksum", "category": "", "severity": 3}}
{"timestamp": "2015-04-01T15:49:06.566759", "event_type": "alert", "src_ip": "", "src_port": 22, "dest_ip": "", "dest_port": 46317, "proto": "TCP", "alert": {"action": "allowed", "gid": 1, "signature_id": 2200074, "rev": 1, "signature": "SURICATA TCPv4 invalid checksum", "category": "", "severity": 3}}
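A fresh sensor produces a steady stream of low-priority alerts like the checksum ones above, so the first triage question is usually "which rules fire most, and at what priority". The following awk-based summarizer, added here as an example and not part of the original tutorial, answers that for fast.log using only the line layout shown above. The sample lines are constructed (documentation IP addresses; the second rule id is a made-up local rule in the 9000000+ range), and summarize_fast_log, fast_log_summary and top_alert are my own names.

```shell
#!/bin/sh
# Added example (not from the tutorial): count fast.log alerts per signature
# and priority so the noisiest rules stand out during triage.
#
# fast.log line layout, as in the tutorial output:
#   MM/DD/YYYY-HH:MM:SS.us  [**] [gid:sid:rev] SIGNATURE [**] [Classification: X] [Priority: N] {PROTO} SRC:PORT -> DST:PORT

# Reads fast.log lines on stdin; prints "count<TAB>priority<TAB>gid:sid:rev<TAB>signature",
# most frequent first.
summarize_fast_log() {
    awk '
        /\[\*\*\]/ {
            # rule id is the first [digits:digits:digits] group on the line
            if (!match($0, /\[[0-9]+:[0-9]+:[0-9]+\]/)) next
            sid  = substr($0, RSTART + 1, RLENGTH - 2)
            rest = substr($0, RSTART + RLENGTH)
            # signature text runs up to the next [**] marker
            p = index(rest, "[**]")
            if (p == 0) next
            sig = substr(rest, 1, p - 1)
            gsub(/^[ \t]+|[ \t]+$/, "", sig)
            prio = "?"
            if (match($0, /\[Priority: [0-9]+\]/))
                prio = substr($0, RSTART + 11, RLENGTH - 12)
            count[prio "\t" sid "\t" sig]++
        }
        END { for (k in count) print count[k] "\t" k }
    ' | sort -rn
}

# Constructed sample modelled on the tutorial output
SAMPLE_FAST_LOG='04/01/2015-15:47:12.559075  [**] [1:2200074:1] SURICATA TCPv4 invalid checksum [**] [Classification: (null)] [Priority: 3] {TCP} 192.0.2.10:22 -> 192.0.2.20:46317
04/01/2015-15:49:06.565901  [**] [1:2200074:1] SURICATA TCPv4 invalid checksum [**] [Classification: (null)] [Priority: 3] {TCP} 192.0.2.10:22 -> 192.0.2.20:46317
04/01/2015-15:49:06.566759  [**] [1:2200074:1] SURICATA TCPv4 invalid checksum [**] [Classification: (null)] [Priority: 3] {TCP} 192.0.2.10:22 -> 192.0.2.20:46317
04/01/2015-15:50:01.000001  [**] [1:9000001:1] LOCAL constructed test rule [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 198.51.100.7:4444 -> 192.0.2.20:80'

# Wrappers so the result can be checked without building a pipeline by hand
fast_log_summary() { printf '%s\n' "$SAMPLE_FAST_LOG" | summarize_fast_log; }
top_alert() { fast_log_summary | head -n 1; }

# Live usage: summarize_fast_log < /var/log/suricata/fast.log | head
fast_log_summary
```

Sorting by count rather than by priority is deliberate: a priority 3 rule that fires thousands of times (the checksum alerts on a host with checksum offload enabled are the usual case) is what you want to tune or suppress first, and the priority column is still there to pick out the rare high-priority hits.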

Summary

In this tutorial, I showed you how to install the Suricata intrusion detection system on a multi-core Linux server. Unlike the single-threaded Snort IDS, Suricata can easily benefit from multi-core hardware through multiple threads. Customizing Suricata to maximize its effectiveness and detection coverage is a good idea. The Suricata community maintains an online wiki; if you intend to deploy Suricata in your environment, I strongly recommend reading it.
  CopyRight 2002-2022 newfreesoft.com, All Rights Reserved.