Atlantic.Net Blog

How to Install And Setup Suricata IDS on Ubuntu 20.04

September 28, 2020 by ( 553 ) under VPS Hosting

0 Comments

Suricata is a free, open-source, robust network threat detection engine developed by the Open Security Foundation. It is capable of real-time intrusion detection, intrusion prevention, and network security monitoring. Suricata comes with a powerful rule set that inspects the network traffic and detects complex threats. It supports all major operating systems including Linux, Windows, FreeBSD, and macOS, and also supports IPv4, IPv6, SCTP, ICMPv4, ICMPv6, and GRE.

In this tutorial, we will show you how to install and configure Suricata IDS on Ubuntu 20.04.

Prerequisites

  • A fresh Ubuntu 20.04 VPS on the Atlantic.net Cloud Platform
  • A root password is configured on your server

Step 1 – Create Atlantic.Net Cloud Server

First, log in to your Atlantic.Net Cloud Server.  Create a new server, choosing Ubuntu 20.04 as the operating system, with at least 2GB RAM. Connect to your Cloud Server via SSH and log in using the credentials highlighted at the top of the page.

Once you are logged in to your Ubuntu 20.04 server, run the following command to update your base system with the latest available packages.

apt-get update -y

Step 2 – Install Required Dependencies

First, you will need to install some dependencies required to compile Suricata from the source. You can install all of them with the following command:

apt-get install rustc cargo make libpcre3 libpcre3-dbg libpcre3-dev build-essential autoconf automake libtool libpcap-dev libnet1-dev libyaml-0-2 libyaml-dev zlib1g zlib1g-dev libcap-ng-dev libcap-ng0 make libmagic-dev libjansson-dev libjansson4 pkg-config -y

By default, Suricata functions as an intrusion detection system (IDS). If you want to include intrusion prevention system (IPS) functionality, then you will need to install some more packages in your system. You can install them with the following command:

apt-get install libnetfilter-queue-dev libnetfilter-queue1 libnfnetlink-dev libnfnetlink0 -y

Once all the packages are installed, you will need to install the suricata-update tool to update the Suricata rules. You can install it with the following commands:

apt-get install python3-pip
pip3 install --upgrade suricata-update
ln -s /usr/local/bin/suricata-update /usr/bin/suricata-update

Once you are finished, you can proceed to the next step.

Step 3 – Install Suricata

First, download the latest version of Suricata from their official website with the following command:

wget https://www.openinfosecfoundation.org/download/suricata-5.0.3.tar.gz

Once the download is completed, extract the downloaded file with the following command:

tar -xvzf suricata-5.0.3.tar.gz

Next, change the directory to the extracted directory and configure it with the following command:

cd suricata-5.0.3
./configure --enable-nfqueue --prefix=/usr --sysconfdir=/etc --localstatedir=/var

Next, install the Suricata with the following command:

make
make install-full

Note: This process will take over 10 minutes

Next, install all rules with the following command:

make install-rules

By default, all rules are located at /var/lib/suricata/rules/suricata.rules:

You can see it with the following command:

cat /var/lib/suricata/rules/suricata.rules

Step 4 – Configure Suricata

The default Suricata configuration file is located at /etc/suricata/suricata.yaml. You will need to configure it to protect your internal network. You can do it by editing the file:

nano /etc/suricata/suricata.yaml

Change the following lines:

    HOME_NET: "[192.168.1.0/24]"
    EXTERNAL_NET: "!$HOME_NET"

Save and close the file when you are finished.

Note: In the command above, replace 192.168.1.0/24 with your internal network.

Step 5 – Test Suricata Against DDoS

Before starting, you will need to disable packet offload features on the network interface on which Suricata is listening.

First, install ethtool package with the following command:

apt-get install ethtool -y

Next, disable packet offload with the following command:

ethtool -K eth0 gro off lro off

Next, run the Suricata in NFQ mode with the following command:

suricata -c /etc/suricata/suricata.yaml -q 0 &

Next, go to the remote system and perform a simple DDoS attack test against the Suricata server using the hping3 tool as shown below:

hping3 -S -p 80 --flood --rand-source your-server-ip

On the Suricata server, check the Suricata logs with the following command:

tail -f /var/log/suricata/fast.log

You should see the following output:

09/17/2020-07:29:52.934009  [**] [1:2402000:5670] ET DROP Dshield Block Listed Source group 1 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 167.248.133.70:18656 -> your-server-ip:9407

Conclusion

Congratulations! You have successfully installed and configured Suricata IDS and IPS on Ubuntu 20.04 server. You can now explore the Suricata and create your own rules to protect your server from DDoS attack. Get started with Suricata on VPS Hosting from Atlantic.Net, and for more information, visit the Suricata documentation page.

Free Tier Includes:
G3.2GB Cloud VPS a Free to Use for One Year
50 GB of Block Storage Free to Use for One Year
50 GB of Snapshots Free to Use for One Year

Get A Free To Use Cloud VPS

Looking for a Hosting Solution?

We Provide Cloud, Dedicated, & Colocation.

  • Seven Global Data Center Locations.
  • Flexible Private, Public, & Hybrid Hosting.
  • 24x7x365 Security, Support, & Monitoring.
Contact Us Now!

Get started with 12 months of free cloud VPS hosting

Free Tier includes:
G3.2GB Cloud VPS Server Free to Use for One Year
50 GB of Block Storage Free to Use for One Year
50 GB of Snapshots Free to Use for One Year

Get a Free-to-Use Cloud VPS