top of page

How to Setup a Suricata IPS: Part 1

4,100. That is the number of disclosed data breaches that occurred in 2022 worldwide. The average data breach cost organizations around $4.35 million, a 2.6% rise compared to 2021. Preventing threat actors from gaining access to valuable and confidential data has become highly sought in most organizations. Enterprises are spending thousands of dollars on security tools, software, and hardware to support the confidentiality, availability, and integrity of their data.


A security measure that is widely implemented in enterprises is Intrusion Detection & Prevention Systems. Intrusion Detection & Prevention Systems (IDS/IPS) use defined rules that detect and prevent malicious network activity. An IDS detects network anomalies and sends out alerts. Whereas an IPS actively defends the network by dropping malicious network packets. Detecting and preventing malicious network activity will generate thousands of logs hourly; therefore, there needs to be some type of tool to index logs for event correlation, network analytics, and data visualization. That tool is called a Security Information and Event Management (SIEM) solution.

In this two-part series, we will be using two open-source tools. One being an IDS/IPS system and the other being a SIEM solution. Suricata will be utilized as our IDS and IPS, while the Elastic Stack will be utilized for visualizing and monitoring the Suricata logs. At the end of part-2 of this blog, you will have your own cybersecurity lab that will help you gain essential skills that can be applied in the network security & cybersecurity landscape.


Lab Scope

This lab is for security professionals and individuals who want to enhance their cybersecurity skill set. Now is the perfect time to start learning cybersecurity skills. The cybersecurity industry is rapidly growing each year, with more organizations in demand for security and network professionals.


Note: For this lab, it is recommended that you have a basic foundation of the following technologies:

  • Networking

  • Hypervisors & Virtualization technologies (VMware, XCP-ng/Xen Center, VirtualBox, etc.)

  • Linux

  • Security concepts

Don’t hesitate to follow along if you don't have much knowledge in one of those areas. This blog will guide you step-by-step and provide links to helpful documentation. It will be up to you to take from what you learned and expand upon what you have gained. I will not be going in depth with each component in this lab.


Lab Prerequisites

The only prerequisite involved with this lab is knowing how to create a virtual machine with an ISO image. I won't be covering this since every virtualization software has different user interfaces and options to create virtual machines. There are plenty of tutorials and guides that provide step-by-step’s on how to create a VM with ISO.

In this lab, you'll create two Ubuntu 22.04 virtual machines and one Kali Linux virtual machine on your selected virtualization software. I chose to use XCP-ng to manage my virtual machines. Below is the lab topology and the virtual machine specs to help guide you.


Lab Design

Suricata Host IDS/IPS

  • Ubuntu 22.04.1 LTS Jammy JellyFish – ISO https://ubuntu.com/download/desktop

  • We will be deploying Suricata as a host intrusion detection & prevention system. Suricata by default is installed as a passive IDS to simply scan for suspicious traffic and generate alerts on the host. We will be configuring Suricata to work as an IPS too, so it will have functionality to drop packets and completely block malicious network traffic that matches defined rules.

  • Auditbeat and Filebeat will be configured on the Suricata virtual machine. - Auditbeat: Collects your Linux audit framework data and monitor the integrity of your files. - Filebeat: A lightweight shipper for forwarding and centralizing log data.

Elastic Stack

  • Ubuntu 22.04.1 LTS Jammy JellyFish – ISO https://ubuntu.com/download/desktop

  • The Elastic Stack is a free and opensource SIEM solution. The Elastic Stack consists of four components: Elasticsearch, Kibana, Beats & Logstash. We will be configuring Kibana & Elasticsearch on this Ubuntu virtual machine. Elastic has great documentation and user support forums. - Kibana: Provides search and data visualization capabilities for data indexed in Elasticsearch. - Elasticsearch: Is a search and analytics engine for all types of data.

Kali Linux

Hardware Requirements

Don’t worry, for this lab your personal computer should be sufficient to power this lab. Utilizing virtualization software such as VMWare, VirtualBox, etc. on your local machine will work fine if you have around 8 GB of RAM and at least 500 GB of local storage on your host. Suricata will be storing thousands of logs that are generated daily, so it is important to have enough storage, so you don’t run into any issues. In summary, it is recommended that the host you are running this lab on has the following requirements:

  • Minimum of 8 GB of RAM

  • At least 500 GB of storage

  • Virtualization Software

  • CPU has at least 4 cores

In my lab, I will be utilizing an Intel NUC as a Type 1 bare-metal hypervisor utilizing XenServer that has the following specs:

  • 64 GB RAM

  • 1TB of storage

  • CPU: Intel(R) Core(TM) i7-10710U CPU @ 1.10GHz with 6 cores

  • Virtualization Software: XCP-ng

Installing Suricata

Installing Suricata is simple and only takes 3 commands. I will be following exactly from Suricata’s installation guide for Ubuntu.


To get started, we will add the Open Information Security Foundation’s (OSIF) repository to our Ubuntu machine.

$ sudo add-apt-repository ppa:oisf/suricata-stable

Next, we will update the repository we just added.

$ sudo apt-get update

Now, we can install Suricata by using the following command below.

$ sudo apt-get install suricata

Just like that you now have Suricata installed on your Ubuntu machine. Now, this is where the fun stuff comes into play. The next steps will show how to configure Suricata.

First, we will enable the suricata.service to boot when your system starts up. This will allow Suricata to run whenever the machine restarts.

$ sudo systemctl enable suricata.service

Run the following command to verify the Suricata service is running.

$ sudo systemctl status suricata.service

As you can see Suricata is in IDS (af-packet) mode right now.


Configuring Suricata

Suricata installed out-of-the-box will be enabled in IDS mode only. This means that Suricata will not drop or block malicious network traffic. It will only provide alerts and logs since it’s originally configured in passive mode. We will be configuring Suricata to be an IPS as well to drop malicious network packets. Also, we will be configuring Suricata to include Community ID in JSON output. This will help when we install the Elastic Stack since the Community ID will make it easier to find event logs. Lastly, we will take a look at Suricata’s rules.

The first thing we want to do is find the network interface we will be configuring Suricata on. The ifconfig command will show all the available interfaces. I will be working with eth0 and the IP address is 192.168.1.70. We will use this information to configure suricata.yaml file. Note that Suricata by default will inspect traffic on eth0. If your system uses a different default interface, then you will need to change this value.

$ ifconfig 

Another alternative command is to show your default network interface is the following:

$ ip -p -j route show default 

As you can see the default interface is eth0.

Navigate to the Suricata’s configuration file.

$ sudo nano /etc/suricata/suricata.yaml

In the nano text editor, enter ^W and type “community-id:” This will take you to the line that reads community-id:false. We will change that line to community-id:true.

While in the nano text editor enter ^W again type “af-packet” and verify that the interface matches your default interface. If it doesn’t make sure to change it to the correct interface.

Now we will configure live rule reloading, which means you can add, remove, and edit rules without having to restart the Suricata service. You should still be in the nano text editor for suricata.yaml, so now you need to scroll to the last line in the editor (ctrl+v) and type the following:

detect-engine:
           - rule-reload: true 

After adding detect-engine you can save the suricata.yaml file by entering ^X.


Notify the Suricata process to reload its rulesets without restarting the process and restart the Suricata service with the following commands:

$ sudo kill -usr2 $(pidof suricata)
$ sudo service suricata restart 

Suricata-update is a tool that will fetch rulesets from external providers and update your rules. You can see the full capabilities of suricata-update here. Note that the version of Suricata 6.0.10.

$ sudo suricata-update 

You should see at the end of the output the number of rules that have been loaded.

Next, we will run the command to update all Suricata’s ruleset providers. The no-check-certificate ignores validating for a certificate authority.

$ sudo suricata-update --no-check-certificate update sources 

Now we will run the command to list all Suricata’s ruleset providers.

$ sudo suricata-update list-sources 

The rules that have a commercial license will require money to use them. You can specifically use any of these rules by fetching them with the following command below. You can find more information on the Emerging Threats Open Ruleset here. We will fetch the et/open rule.

$ sudo suricata-update enable-source et/open 

Run the suricata-update command again to load et/open ruleset and then run the kill command to update the rules without restarting.

$ sudo suricata-update 
$ sudo kill -usr2 $(pidof suricata)

Test Suricata has zero errors once more.

$ sudo suricata -T -c /etc/suricata/suricata.yaml -v

At this point, we can test to see if Suricata is running in IDS mode. We can do that by using TestMyNIDS website with the following command:

$ curl http://testmynids.org/uid/index.html

The output data is designed to trigger an alert pretending to be root user. Now you can check Suricata’s logs for the corresponding alert with the following command:

$ tail /var/log/suricata/fast.log 

As you can see, Suricata is working as it should by logging the GPL ATTACK_RESPONSE alert.

Suricata also logs events in JSON format at /var/log/suricata/eve.log. The JSON format provides the logs in a better readable format. To view logs in this format, we will need to install the jq utility.

$ sudo apt install jq

Once, you have the jq utility installed, we can search for the specific log above with the following command:

$ jq 'select(.alert .signature=="GPL ATTACK_RESPONSE id check returned root")' /var/log/suricata/eve.json

As you can see, this format is easier to read, and provides more information on what fields are being logged. As I mentioned before, JSON format works better when logs are shipped to the Elastic Stack.


Configuring Suricata to IPS

It’s time to configure Suricata to start dropping malicious network traffic. We will need to navigate to the following file:

$ sudo nano /etc/default/suricata

Find the LISTENMODE=af-packet and comment it out with a #. Then add the following line:


LISTENMODE=nfqueue


Save and close the file. Then, restart Suricata by using the following command:

$ sudo service suricata restart 

Now check the status of the Suricata service. We will see that Suricata is running in IPS mode now.

$ sudo service suricata status 

The next step is to direct incoming network traffic to Suricata’s NFQUEUE. Open IPv4 rules with the following command:

$ sudo nano /etc/ufw/before.rules

Add the following lines:


-I INPUT -j NFQUEUE -I OUTPUT -j NFQUEUE

Save and close the file.

Enable the firewall to load the new rules we just configured.

$ sudo ufw enable 

Now we will create a custom rule to see if the traffic will get dropped. To do this, we will need to create our own Rules file. You can create your rules file anywhere, but for organization's sake I will create mine in the following directory:

$ sudo nano /var/lib/suricata/rules/local.rules 

Create the following rule – the rule we made will drop any ICMP request to our host.


drop ICMP any any -> $HOME_NET any (msg: “ICMP Request Blocked”; sid:2; rev:1;)

Save the file.


If you want to dig deeper on the Suricata’s rules format visit this link here. The documentation explains the signatures, how to read, adjust, and create rules.


Make sure to add your newly created rules to Suricata’s config file.

$ sudo nano /etc/suricata/suricata.yaml 

Enter ^W and type “rule-files” and insert the directory path of the rules file we created called local.rules

- /var/lib/suricata/rules/local.rules

Save the suricata.yaml file and then reload Suricata’s rules without restarting with the following command:

$ sudo kill -usr2 $(pidof suricata)

Test your configuration again to verify there were no issues when making your rule.

$ sudo suricata -T -c /etc/suricata/suricata.yaml -v

At this time of our lab, since we have our host configured in IDS & IPS mode we can hop on over to our Kali Linux Machine. The kali Linux machine represents a threat actor attacking our Suricata machine. You can play around with the Kali Linux machine and use all different types hacking tools packaged in Kali.

On our Kali machine, we will run a simple ping request to our Suricata host. The following command will send 10 packets to our Suricata host ip address. We should expect every packet to be dropped.

$ ping -c 10 192.168.1.70

Success! Suricata is acting as an IPS and dropped all the ping requests. Now let’s take a look at our Suricata logs to see which rules were activated.


Hop back over to your Suricata machine and type the following command to see your logs:

$ tail /var/log/suricata/fast.log

As you can see, the custom rule we created was the rule that blocked our Kali Linux machine for being able to ping our Suricata host. Now, you can use Kali Linux’s hacking tools to put Suricata to the test.


Summary

At this point of the blog, Suricata is configured as a host IPS & IDS. We also have verified that network logs are being generated by Suricata. Before moving to part 2 of the blog, practice with Kali Linux and try to trigger alerts in Suricata. You can create your own specific Suricata rules that fit your specific lab environment and needs.


Part 2 of this blog will show how to configure the Elastic Stack to store, index, correlate, and visualize the Suricata logs to complete the security lab setup.


Still have questions or want to discuss your Suricata environment Reach out to us at CDA. We’d love to discuss how we can help you with your cybersecurity needs!




Comments


bottom of page