How to Install And Setup Suricata IDS on Ubuntu

Suricata is a free, open-source, robust network threat detection engine developed by the Open Security Foundation. It is capable of real-time intrusion detection, intrusion prevention, and network security monitoring. Suricata comes with a powerful rule set that inspects the network traffic and detects complex threats. It supports all major operating systems including Linux, Windows, FreeBSD, and macOS, and also supports IPv4, IPv6, SCTP, ICMPv4, ICMPv6, and GRE.

In this tutorial, we will show you how to install and configure Suricata IDS on Ubuntu. This procedure is compatible with Ubuntu 20.04 and Ubuntu 22.04.

Step 1 – Install Required Dependencies

First, you will need to install some dependencies required to compile Suricata from the source. You can install all of them with the following command:

apt-get update -y

apt-get install rustc cargo make libpcre3 libpcre3-dbg libpcre3-dev build-essential autoconf automake libtool libpcap-dev libpcre2-dev libnet1-dev libyaml-0-2 libyaml-dev zlib1g zlib1g-dev libcap-ng-dev libcap-ng0 make libmagic-dev libjansson-dev libjansson4 pkg-config -y

By default, Suricata functions as an intrusion detection system (IDS). If you want to include intrusion prevention system (IPS) functionality, then you will need to install some more packages in your system. You can install them with the following command:

apt-get install libnetfilter-queue-dev libnetfilter-queue1 libnfnetlink-dev libnfnetlink0 -y

Once all the packages are installed, you will need to install the suricata-update tool to update the Suricata rules. You can install it with the following commands:

apt-get install python3-pip pip3 install --upgrade suricata-update ln -s /usr/local/bin/suricata-update /usr/bin/suricata-update

Step 2 – Install Suricata

First, download the latest version of Suricata from their official website with the following command:

wget https://www.openinfosecfoundation.org/download/suricata-5.0.3.tar.gz

Once the download is completed, extract the downloaded file with the following command:

tar -xvzf suricata-5.0.3.tar.gz

Next, change the directory to the extracted directory and configure it with the following command:

cd suricata-5.0.3
./configure --enable-nfqueue --prefix=/usr --sysconfdir=/etc --localstatedir=/var

Next, install the Suricata with the following command:

make
make install-full

Note: This process will take over 10 minutes

Next, install all rules with the following command:

make install-rules

By default, all rules are located at /var/lib/suricata/rules/suricata.rules:

You can see it with the following command:

cat /var/lib/suricata/rules/suricata.rules

Step 3 – Configure Suricata

The default Suricata configuration file is located at /etc/suricata/suricata.yaml. You will need to configure it to protect your internal network. You can do it by editing the file:

nano /etc/suricata/suricata.yaml

Change the following lines:

    HOME_NET: "[192.168.1.0/24]"
    EXTERNAL_NET: "!$HOME_NET"

Save and close the file when you are finished.

Note: In the command above, replace 192.168.1.0/24 with your internal network.

Step 4 – Test Suricata Against DDoS

Before starting, you will need to disable packet offload features on the network interface on which Suricata is listening.

First, install ethtool package with the following command:

apt-get install ethtool -y

Next, disable packet offload with the following command:

ethtool -K eth0 gro off lro off

Next, run the Suricata in NFQ mode with the following command:

suricata -c /etc/suricata/suricata.yaml -q 0 &

Next, go to the remote system and perform a simple DDoS attack test against the Suricata server using the hping3 tool as shown below:

hping3 -S -p 80 --flood --rand-source your-server-ip

On the Suricata server, check the Suricata logs with the following command:

tail -f /var/log/suricata/fast.log

You should see the following output:

09/17/2020-07:29:52.934009  [**] [1:2402000:5670] ET DROP Dshield Block Listed Source group 1 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 167.248.133.70:18656 -> your-server-ip:9407

Conclusion

Congratulations! You have successfully installed and configured Suricata IDS and IPS on Ubuntu 20.04 server. You can now explore the Suricata and create your own rules to protect your server from DDoS attack. Get started with Suricata on VPS Hosting from Atlantic.Net, and for more information, visit the Suricata documentation page.