Install and Configure Suricata on Ubuntu/CentOS/Linux

In this chapter, you will learn

  1. How to Install Suricata on Linux
  2. Suricata Configuration
  3. Important Suricata Commands

Suricata is a Network Intrusion Detection System, like Snort, that inspects the packets crossing a network, logs and alerts on anything suspicious and, when run inline as an IPS, blocks it immediately.

It detects threats in real time and can block them as soon as malicious activity is seen.

If you are running a VPS with any Linux distribution, such as Ubuntu, CentOS or another distro, you should install and configure Suricata IDS (Intrusion Detection System) to protect your server's network.

More about Suricata

Suricata is a popular, widely used open-source intrusion detection and prevention system that helps improve the security of Linux servers. It generates log events, triggers alerts and, in IPS mode, drops traffic when it detects suspicious packets travelling inside the network.

Properly configured, Suricata can run as an Intrusion Prevention System that automatically blocks suspicious packets, drops traffic and writes log files. Configure it once and it handles the rest, protecting your network without further attention.

How to Install and Configure Suricata on Ubuntu, CentOS, and other Linux Distributions?

Installation

Ubuntu:
Step 1: Update the repositories
sudo apt update && sudo apt upgrade
Step 2: Install Suricata
sudo apt install -y suricata

CentOS:
Option 1: Install from the OISF-provided RPMs (COPR repository)
yum install epel-release yum-plugin-copr
yum copr enable @oisf/suricata-7.0
yum install suricata
Option 2: Install from EPEL
sudo yum -y install epel-release
sudo yum -y install suricata

Check the installed Suricata version:
suricata -V

Configure Suricata

To configure Suricata, open /etc/suricata/suricata.yaml in your preferred text editor and configure it as follows:
Step 1: Find the network interface Suricata should listen on. Execute the following command in a terminal; it prints the default route and the interface ("dev") it uses.
ip -p -j route show default
Output:
[ {
        "dst": "default",
        "gateway": "172.17.224.1",
        "dev": "eth0",
        "protocol": "kernel",
        "flags": [ ]
    } ]
In this example the interface is eth0; substitute your own interface name below.
Step 2: Open the Suricata configuration file.
sudo nano /etc/suricata/suricata.yaml
Step 3: Find the af-packet section and set the interface to the one found in Step 1, as in the following example.
af-packet:
  - interface: eth0
    cluster-id: 99
    cluster-type: cluster_flow
    defrag: yes
    use-mmap: yes
    tpacket-v3: yes
Step 4: Update the Rules
sudo suricata-update
Step 5: Restart Suricata
sudo systemctl restart suricata

Check Log Files

To make sure Suricata is running and working, check its log files.

Step 1: Check the suricata.log file
sudo tail /var/log/suricata/suricata.log
4/4/2024 -- 10:14:58 - - eve-log output device (regular) initialized: eve.json
4/4/2024 -- 10:14:58 - - stats output device (regular) initialized: stats.log
4/4/2024 -- 10:14:58 - - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /etc/suricata/rules/suricata.rules
4/4/2024 -- 10:14:58 - - [ERRCODE: SC_ERR_NO_RULES_LOADED(43)] - 1 rule files specified, but no rules were loaded!
4/4/2024 -- 10:14:58 - - Threshold config parsed: 0 rule(s) found
4/4/2024 -- 10:14:58 - - 0 signatures processed. 0 are IP-only rules, 0 are inspecting packet payload, 0 inspect application layer, 0 are decoder event only
4/4/2024 -- 10:14:58 - - Going to use 8 thread(s)
4/4/2024 -- 10:14:58 - - Using unix socket file '/var/run/suricata-command.socket'
4/4/2024 -- 10:14:58 - - all 8 packet processing threads, 4 management threads initialized, engine started.
4/4/2024 -- 10:14:59 - - All AFP capture threads are running.
Note the two ERRCODE lines in this sample: the engine started and is capturing, but with 0 signatures loaded it will never alert on anything. If you see this, run sudo suricata-update, restart Suricata and check the log again.
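As an added example (not part of the original tutorial), the following Python script reads startup lines in the suricata.log format shown above and reports whether the engine started, how many signatures were loaded and which ERRCODE entries appeared; the sample log text is constructed from the excerpt and the function names are my own.

```python
import re

# Constructed sample modelled on the suricata.log excerpt above; not output from a real host.
SAMPLE_SURICATA_LOG = """\
4/4/2024 -- 10:14:58 - - eve-log output device (regular) initialized: eve.json
4/4/2024 -- 10:14:58 - - stats output device (regular) initialized: stats.log
4/4/2024 -- 10:14:58 - - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /etc/suricata/rules/suricata.rules
4/4/2024 -- 10:14:58 - - [ERRCODE: SC_ERR_NO_RULES_LOADED(43)] - 1 rule files specified, but no rules were loaded!
4/4/2024 -- 10:14:58 - - 0 signatures processed. 0 are IP-only rules, 0 are inspecting packet payload, 0 inspect application layer, 0 are decoder event only
4/4/2024 -- 10:14:58 - - all 8 packet processing threads, 4 management threads initialized, engine started.
4/4/2024 -- 10:14:59 - - All AFP capture threads are running.
"""

# "[ERRCODE: NAME(number)] - message" and "N signatures processed." as they appear in suricata.log
ERRCODE_RE = re.compile(r"\[ERRCODE: (?P<code>\w+)\((?P<num>\d+)\)\] - (?P<msg>.*)")
SIGS_RE = re.compile(r"(?P<count>\d+) signatures processed\.")

def check_startup(log_text):
    """Summarise a suricata.log startup sequence.

    Returns the ERRCODE entries seen, the number of signatures loaded, whether the
    engine and the AF_PACKET capture threads came up, and a 'healthy' verdict that
    requires all of: engine started, capturing, no errors, at least one signature.
    A running engine with 0 signatures is not healthy: it inspects but never alerts.
    """
    result = {"errors": [], "signatures": None, "engine_started": False, "capturing": False}
    for line in log_text.splitlines():
        m = ERRCODE_RE.search(line)
        if m:
            result["errors"].append((m.group("code"), int(m.group("num")), m.group("msg").strip()))
            continue
        m = SIGS_RE.search(line)
        if m:
            result["signatures"] = int(m.group("count"))
        elif "engine started" in line:
            result["engine_started"] = True
        elif "capture threads are running" in line:
            result["capturing"] = True
    result["healthy"] = (result["engine_started"] and result["capturing"]
                         and not result["errors"] and bool(result["signatures"]))
    return result

if __name__ == "__main__":
    r = check_startup(SAMPLE_SURICATA_LOG)
    print("healthy:", r["healthy"], "| signatures loaded:", r["signatures"])
    for code, num, msg in r["errors"]:
        print(f"  {code} ({num}): {msg}")
```

Run it against the real file with the text of /var/log/suricata/suricata.log instead of the constructed sample; a healthy restart after suricata-update shows no ERRCODE lines and a non-zero signature count.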

Step 2: Check the stats.log file to see engine statistics. Execute the following command:
sudo tail -f /var/log/suricata/stats.log
flow.mgr.full_hash_pass          | Total | 4
flow.spare                       | Total | 9213
flow.mgr.rows_maxlen             | Total | 1
flow.mgr.flows_checked           | Total | 19
flow.mgr.flows_notimeout         | Total | 6
flow.mgr.flows_timeout           | Total | 13
flow.mgr.flows_evicted           | Total | 13
tcp.memuse                       | Total | 4849664
tcp.reassembly_memuse            | Total | 786432
flow.memuse                      | Total | 7474304

Test Suricata

After configuring Suricata, it is important to test it to make sure it is actually detecting traffic.

Step 1: Execute the following command in the terminal. It sends an HTTP request whose response body looks like the output of the id command run as root; that response matches the GPL ATTACK_RESPONSE rule (signature ID 2100498) and triggers an alert.
curl http://testmynids.org/uid/index.html
uid=0(root) gid=0(root) groups=0(root)
Step 2: Check the fast.log file for the alert.
grep 2100498 /var/log/suricata/fast.log
For IPv6:
10/21/2021-18:35:54.950106 [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 2600:9000:2000:4400:0018:30b3:e400:93a1:80 -> 2001:DB8::1:34628
For IPv4:
10/21/2021-18:35:57.247239 [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 204.246.178.81:80 -> 203.0.113.1:36364
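As an added example (not part of the original tutorial), this Python parser turns fast.log lines like the two above into structured records, splitting the unbracketed IPv6 and IPv4 endpoints on the last colon so that ports are recovered correctly; the sample lines are constructed from the output above and the function names are my own.

```python
import re
import ipaddress
# Constructed sample in the fast.log format shown above (the IPv6 and IPv4 alerts for sid 2100498).
SAMPLE_FAST_LOG = """\
10/21/2021-18:35:54.950106  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 2600:9000:2000:4400:0018:30b3:e400:93a1:80 -> 2001:DB8::1:34628
10/21/2021-18:35:57.247239  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 204.246.178.81:80 -> 203.0.113.1:36364
"""

# timestamp [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: n] {PROTO} src:port -> dst:port
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"\[Classification: (?P<classification>[^\]]*)\]\s+\[Priority: (?P<priority>\d+)\]\s+"
    r"\{(?P<proto>[^}]+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)$"
)

def split_endpoint(endpoint):
    """Split a fast.log 'addr:port' endpoint. IPv6 addresses are written without
    brackets, so the port is whatever follows the *last* colon; a naive split(':')
    would break them. Returns (normalised address, port, IP version)."""
    addr, _, port = endpoint.rpartition(":")
    ip = ipaddress.ip_address(addr)  # raises ValueError if the address is malformed
    return str(ip), int(port), ip.version

def parse_fast_log(text):
    """Parse fast.log text into a list of alert dicts; non-matching lines are skipped."""
    alerts = []
    for line in text.splitlines():
        m = FAST_RE.match(line.strip())
        if not m:
            continue
        src_ip, src_port, version = split_endpoint(m.group("src"))
        dst_ip, dst_port, _ = split_endpoint(m.group("dst"))
        alerts.append({
            "timestamp": m.group("ts"), "ip_version": version, "proto": m.group("proto"),
            "gid": int(m.group("gid")), "sid": int(m.group("sid")), "rev": int(m.group("rev")),
            "msg": m.group("msg"), "classification": m.group("classification"),
            "priority": int(m.group("priority")),
            "src_ip": src_ip, "src_port": src_port, "dst_ip": dst_ip, "dst_port": dst_port,
        })
    return alerts

def alerts_for_sid(text, sid):
    """Like 'grep 2100498 fast.log', but matching only the signature ID field."""
    return [a for a in parse_fast_log(text) if a["sid"] == sid]

if __name__ == "__main__":
    for a in alerts_for_sid(SAMPLE_FAST_LOG, 2100498):
        print(f"IPv{a['ip_version']} {a['src_ip']}:{a['src_port']} -> {a['dst_ip']}:{a['dst_port']} "
              f"sid={a['sid']} priority={a['priority']} {a['msg']!r}")
```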

Some important Suricata commands

#  Title               Command
1  Check status        sudo systemctl status suricata.service
2  Enable service      sudo systemctl enable suricata.service
3  Start service       sudo systemctl start suricata.service
4  Stop service        sudo systemctl stop suricata.service
5  Update rules        sudo suricata-update
6  Validate config     sudo suricata -T -c /etc/suricata/suricata.yaml -v
7  Configuration file  sudo nano /etc/suricata/suricata.yaml
8  Log files           /var/log/suricata/suricata.log
                       /var/log/suricata/fast.log
                       /var/log/suricata/stats.log

Summary

In this tutorial, I've explained how to install and configure Suricata on your Ubuntu or CentOS server. Suricata is a powerful intrusion detection tool that protects server networks from a wide range of threats. It inspects network packets in real time and, when run as an IPS, blocks suspicious packets and suspends traffic from their source as soon as they are detected.