Home PC Games Linux Windows Database Network Programming Server Mobile  
  Home \ Server \ How to Install Suricata IDS on a Linux system     - C ++ casts New Standard Comments (Programming)

- To install HDRMerge 0.4.3 under ubuntu (Linux)

- Approach the next Linux shared interrupts (Linux)

- 12 novice Linux command must learn (Linux)

- Installation Android IDE development tools, Android Studio 1.5 under Ubuntu (Linux)

- Linux monitoring tools introduced series --smem (Server)

- IDS Intrusion Detection System built (Linux) (Linux)

- iOS9 new feature - stacked view UIStackView (Programming)

- Use Ganglia to monitor your cluster (Server)

- Ubuntu 12.04 installation NVIDIA GTX750 graphics driver (Linux)

- Using Lua implement various operations list (Programming)

- Linux group account deletion, and other related operations (Linux)

- Close and limit unused ports computer server security protection (Linux)

- Linux operating process information (Linux)

- RedHat6.4 installation tutorial --- Minimal Edition (Linux)

- Kafka cluster deployment (Server)

- Implicit conversion from Java type conversion compare MySQL and Oracle (Database)

- CentOS 7 update source - the use of domestic sources 163 yum (Linux)

- To install PXE + Kickstart under CentOS 6.x operating system (Linux)

- C ++ Supplements - locates the new expression (Programming)

  How to Install Suricata IDS on a Linux system
  Add Date : 2018-11-21      
  With the continued security threats, intrusion detection system (IDS) is particularly necessary in today's data center environments. However, as more and more servers to upgrade their card to 10GB / 40GB Ethernet hardware on the line so the calculation-intensive intrusion detection more difficult. Wherein a way to enhance the performance of intrusion detection system intrusion detection system is a multi-threaded, deep packet inspection work will CPU-intensive parallel assigned to multiple concurrent tasks to complete. Such parallel detection can take full advantage of multi-core hardware advantages to easily enhance the throughput of intrusion detection system. There are two well-known open source projects in this regard, namely Suricata and Bro.

For this tutorial, I will show you how to install and configure Suricata IDS on a Linux server.


Suricata IDS installation on Linux

Let us from the source files to build Suricata, but before that, you need to install several as follows dependencies.


Install dependencies on Debian, Ubuntu or Linux Mint operating system

$ Sudoapt-get install wget build-essential libpcre3-dev libpcre3-dbg automake autoconf libtool libpcap-dev libnet1-dev libyaml-dev zlib1g-dev libcap-ng-dev libjansson-dev

Install dependencies on CentOS, Fedora or RHEL operating system

$ Sudoyum install wget libpcap-devel libnet-devel pcre-devel gcc-c ++ automake autoconf libtool make libyaml-devel zlib-devel file-devel jansson-devel nss-devel
Once all the dependencies installed, we can proceed with the installation of Suricata.

First, download the source code from Suricata http://suricata-ids.org/download/, then build it. The time of this writing, the latest version number is 2.0.8.

$ Wget http://www.openinfosecfoundation.org/download/suricata-2.0.8.tar.gz
$ Tar-xvf suricata-2.0.8.tar.gz
$ Cd suricata-2.0.8
$ ./configure --sysconfdir = / Etc --localstatedir = / var
The following is a sample configuration information.

AF_PACKET support: yes
PF_RING support: no
NFQueue support: no
NFLOG support: no
IPFW support: no
DAG enabled: no
Napatech enabled: no
Unix socket enabled: yes
Detection enabled: yes
libnss support: yes
libnspr support: yes
libjansson support: yes
Prelude support: no
PCRE jit: yes
LUA support: no
libluajit: no
libgeoip: no
Non-bundled htp: no
Old barnyard2 support: no
CUDA enabled: no
You can now compile installed.

$ Make
$ Sudomake install
Suricata source code with the default configuration file. These default installation configuration files as follows.

$ Sudomake install-conf
As you would expect, if not the words of IDS rule sets, Suricata what did not. Fortunately Makefile provides us with the option to install IDS rule sets. Installation is as follows.

$ Sudomake install-rules
Rules above installation command downloads available from EmergingThreats.net Community Rules set snapshot, and stored in the / etc / suricata / rules directory.


First Time Suricata IDS

Now the configuration Suricata time. Location profile is /etc/suricata/suricata.yaml. Reference to the following command to open the file with a text editor.

$ Sudovi / etc / suricata / suricata.yaml
There are a number of files needed to run the basic configuration.

Suricata specify the location where the log files for the default-log-dir keywords.

default-log-dir: / var / log / suricata /
Vars section below, you will find a number of very important variables for Suricata. HOME_NET variables need to specify Suricata check network. Is assigned to the variable EXTERNAL_NET! $ HOME_NET representatives of other networks in addition to the local network. XXX_PORTS variable is used to distinguish the different services used by the port number. Note that regardless of what port, Suricata can automatically detect HTTP traffic. It is not correctly specified port becomes less important.

HOME_NET: "[]"
host-os-policy section for defense use operating system network stack of its own behavior to avoid some of the well-known means of attack detection (for example: TCP reassembly). As a countermeasure, by the target operating system and fine-tune the algorithm for the detection engine, IDC provides a modern means of detection, "based on objectives". So, if you know what running a host operating system, it will provide this information to Suricata can significantly improve the success rate of detection. This is the host-os-policy exists. In this example, the default policy is to IDC Linux systems. If you do not specify the operating system for information about an IP address, Suricata default application-based detection strategies Linux system. As follows, when captured on and communications, Suricata policy will be applied based on the detection of the Windows system.

#These Are Windows machines.
windows: [,]
bsd: []
bsd-right: []
old-linux: []
#Make The default policy Linux.
linux: []
old-solaris: []
solaris: [ ":: 1"]
hpux10: []
hpux11: []
irix: []
macos: []
vista: []
windows2k3: []
In threading section, you can specify the CPU affinity for different Suricata threads. By default, CPU association is prohibited (set-cpu-affinity: no), which means that its thread Suricata assigned to all of the available CPU core. Suricata default for each CPU core to create a detection thread. You can specify the detect-thread-ratio: N to adjust this behavior. Here it will create N * M detectors threads, M representative of the total number of CPU cores.

set-cpu-affinity: no
detect-thread-ratio: 1.5
Through the above set of threads, Suricata creates 1.5 * M detectors threads, M is the total number of CPU core system.

If you want to know more about Suricata configuration, you can go read the default configuration file. Inside with a large number of comments for your clear understanding.


Use Suricata intrusion monitoring

Now is the time Suricata run up, but before that there is a step needs to be done.

When you use the pcap capture mode, it is strongly advised to turn off any uninstalled packages (such as LRO / GRO) Suricata monitor function on the card. These features can interfere with the behavior of real-time capture packets.

According to the following method to close the eth0 interface LRO / GRO function.

$ Sudo ethtool -K eth0 gro off lro off
Here we must note that in the case of certain network cards, you will see the following warning message. Ignore them on the line, this information just to tell you that your card does not support the LRO function only.

Can not change large-receive-offload
Suricata supports a number of operating modes. Operating mode determines which IDC uses threads. Following command to see all the available operating modes.

$ Sudo / usr / local / bin / suricata --list-runmodes

The default operating mode Suricata using autofp (auto flow pinned load balancing (automatic flow bound load balancing) Abbreviation). In this mode, packets from a particular stream will be assigned to a separate detection thread. These streams will be allocated according to the corresponding thread minimum number of packets unprocessed.

Finally, let Suricata up and running, to see how it appears.

$ Sudo / usr / local / bin / suricata -c /etc/suricata/suricata.yaml -i eth0 --init-errors-fatal

In this example, we monitor the eth0 network interface in an 8-core system. As shown above, Suricata creates 13 threads and three packet processing thread management. Packet processing threads includes a PCAP packet capture thread 12 to detect thread (derived from 8 * 1.5). This indicates that a packet capture thread IDS load balancing within 12 to detect thread. Thread management includes a workflow management and 2 count / statistics related thread.

The following is a screenshot on Suricata processing threads (drawn by htop).

Suricata detection logs are stored in / var / log under / suricata directory.

$ Tail-f /var/log/suricata/fast.log
04/01 / 2015-15: 47: 12.559075 [**] [1: 2200074: 1] SURICATA TCPv4 invalid checksum [**] [Classification: (null)] [Priority: 3] {TCP} ->
04/01 / 2015-15: 49: 06.565901 [**] [1: 2200074: 1] SURICATA TCPv4 invalid checksum [**] [Classification: (null)] [Priority: 3] {TCP} ->
04/01 / 2015-15: 49: 06.566759 [**] [1: 2200074: 1] SURICATA TCPv4 invalid checksum [**] [Classification: (null)] [Priority: 3] {TCP} ->
Logs can also provide Json format for import:

$ Tail-f /var/log/suricata/eve.json
{ "Timestamp": "2015-04-01T15: 49: 06.565901", "event_type": "alert", "src_ip": "", "src_port": 22, "dest_ip": "" , "dest_port": 46317, "proto": "TCP", "alert": { "action": "allowed", "gid": 1, "signature_id": 2200074, "rev": 1, "signature": "SURICATA TCPv4 invalid checksum", "category": "", "severity": 3}}
{ "Timestamp": "2015-04-01T15: 49: 06.566759", "event_type": "alert", "src_ip": "", "src_port": 22, "dest_ip": "" , "dest_port": 46317, "proto": "TCP", "alert": { "action": "allowed", "gid": 1, "signature_id": 2200074, "rev": 1, "signature": "SURICATA TCPv4 invalid checksum", "category": "", "severity": 3}}

Sum up

For this tutorial, I show you how to install Linux on a multi-core server Suricata intrusion detection system. Unlike the benefits of single-threaded Snort IDS, Suricata can easily from the multi-process multi-core hardware brings benefit. Custom Suricata to maximize its effectiveness and detection range is a good idea. Suricata fans maintains an online Wiki, if you intend to deploy Suricata to your environment, I strongly suggest you go to learn to take there.
- Linux input and output redirection (Linux)
- Install Java on RHEL6 (Linux)
- Easy to install Ubuntu 15.04 and Ubuntu 15.04 GNOME on Wayland trial (Linux)
- CentOS install Redis (Database)
- Which file system is most suitable for your Linux system (Linux)
- Workspace Go language and environment variables GOPATH (Linux)
- Based on a complete solution RMI service to transfer large files (Programming)
- 20 open source / commercial Linux server management control panel (Server)
- Executable file format Explanation under Linux (Linux)
- Vim simple configuration (Linux)
- Red Flag Linux Desktop 6.0 hard disk installation guide (Programming)
- RVM installation instructions (Linux)
- Copy files between two Linux hosts (Linux)
- Adjustment expand VMDK format VirtualBox disk space (Linux)
- Linux server alarms using Java (Server)
- Linux operating system must know the security command (Linux)
- hadoop 2.7.1 High Availability Setup Deployment (Server)
- Use Markdown editor for document work under Linux (Linux)
- Java integrated development environment common set of operations (Linux)
- Ubuntu comes with gedit editor to add Markdown preview widget (Linux)
  CopyRight 2002-2022 newfreesoft.com, All Rights Reserved.