Carrie

Open Source IDS/IPS Suricata for Beginners

About the Author

I'm Carrie, a cybersecurity engineer and writer, working for SafeLine Team. SafeLine is a free and open source web application firewall, self-hosted, very easy to use.

I'm writing this to introduce another robust open source cybersecurity tool to beginners, and I welcome any enthusiast to integrate SafeLine WAF with Suricata where possible to achieve better security for their environment.


Suricata is a high-performance network threat detection engine that works as an intrusion detection and intrusion prevention system (IDS/IPS), developed by the Open Information Security Foundation (OISF). This guide introduces the basics of Suricata: installation, basic configuration, and everyday usage.

What is Suricata?

Suricata is an open-source network security engine that can perform the following functions:

  • Intrusion Detection System (IDS)
  • Intrusion Prevention System (IPS)
  • Network Security Monitoring (NSM)
  • Offline pcap file analysis

Suricata is multi-threaded, so it can take advantage of multi-core processors. It also uses a signature-based rule language, and large public rule sets are available that identify and respond to many kinds of network threats.

Installing Suricata

The method for installing Suricata varies depending on the operating system. Below are the installation steps for Ubuntu and CentOS.

Installing Suricata on Ubuntu

  1. Update system packages:

    sudo apt update
    
  2. Install necessary dependencies:

    sudo apt install software-properties-common
    
  3. Add the Suricata PPA repository:

    sudo add-apt-repository ppa:oisf/suricata-stable
    sudo apt update
    
  4. Install Suricata:

    sudo apt install suricata
    
  5. Verify the installation:

    suricata --build-info
    

Installing Suricata on CentOS

  1. Update system packages:

    sudo yum update
    
  2. Install the EPEL repository:

    sudo yum install epel-release
    
  3. Install Suricata:

    sudo yum install suricata
    
  4. Verify the installation:

    suricata --build-info
    

Configuring Suricata

After installation, you need to configure Suricata to ensure it operates correctly.

Configuration File Path

The main configuration file for Suricata is typically located at /etc/suricata/suricata.yaml. It is recommended to back up the original configuration file before editing it:

sudo cp /etc/suricata/suricata.yaml /etc/suricata/suricata.yaml.bak

Editing the Configuration File

Open the configuration file for editing:

sudo nano /etc/suricata/suricata.yaml

In the configuration file, you can set parameters such as the network interface, log output location, and rule paths. Here are some key configuration items:

  • interface: Specify the network interface that Suricata will monitor, under the capture method you use (af-packet on Linux). For example:

    af-packet:
      - interface: eth0
    
  • default-rule-path: Specify the directory that holds the rule files. For example:

    default-rule-path: /etc/suricata/rules
    
  • default-log-dir: Specify the directory where logs are written. For example:

    default-log-dir: /var/log/suricata/
    

Testing the Configuration File

After editing, you can test if the configuration file is correct:

sudo suricata -T -c /etc/suricata/suricata.yaml -v

Running Suricata

After configuration, you can start Suricata using the following command:

sudo systemctl start suricata

To enable Suricata to start at boot:

sudo systemctl enable suricata

Using Rules to Detect Threats

Suricata uses rules to detect network threats. You can obtain the latest free rule set (ET Open) from Emerging Threats. Newer Suricata packages also ship the suricata-update tool, which downloads and merges the ET Open rule set for you; the manual steps below show what that tool automates.

Downloading Rule Sets

Use the following commands to download the rule set. Adjust the version in the URL to match your installed Suricata (suricata --build-info shows it):

wget https://rules.emergingthreats.net/open/suricata-5.0/emerging.rules.tar.gz
tar -xzvf emerging.rules.tar.gz -C /etc/suricata/rules/

After extracting, check which .rules files were actually created under /etc/suricata/rules/ so that the paths in the next step match them.

Updating Rule Paths

Ensure the correct rule files are listed in /etc/suricata/suricata.yaml. Entries under rule-files are resolved relative to default-rule-path unless they are absolute. For example:

rule-files:
  - /etc/suricata/rules/emerging-threats.rules

Restarting Suricata

After updating the rules, restart Suricata to apply the changes:

sudo systemctl restart suricata

Viewing Logs and Alerts

Suricata writes alerts to the configured log directory (by default /var/log/suricata/). fast.log holds one line per alert; eve.json holds the same alerts, plus protocol metadata, as JSON for SIEM ingestion. You can view the plain-text alerts using the following command:

cat /var/log/suricata/fast.log
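Reading fast.log with cat quickly becomes unworkable once a sensor produces thousands of alerts. The following script is an added example (not part of the original post or of the Suricata project) that parses fast.log lines into fields and summarizes alerts by signature and source IP, skipping low-priority noise. The sample log lines are constructed for illustration; the sid 1000001 entry and its message are made up in the style of a local rule.

```python
import re
from collections import Counter
# One fast.log alert line looks like:
# 01/28/2024-10:15:42.123456  [**] [1:2100498:7] MSG [**] [Classification: C] [Priority: 2] {TCP} 192.0.2.10:80 -> 198.51.100.5:51234
FAST_LOG_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[^}]+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)

def split_endpoint(endpoint, proto):
    """'ip:port' -> (ip, port) for TCP/UDP; port-less protocols such as ICMP give (ip, None)."""
    host, sep, port = endpoint.rpartition(":")
    if proto in ("TCP", "UDP") and sep and port.isdigit():
        return host, int(port)
    return endpoint, None

def parse_fast_log_line(line):
    """Parse one fast.log line into a dict; return None for anything that is not an alert line."""
    m = FAST_LOG_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    src_ip, src_port = split_endpoint(d["src"], d["proto"])
    dst_ip, dst_port = split_endpoint(d["dst"], d["proto"])
    return {"timestamp": d["ts"], "sid": int(d["sid"]), "rev": int(d["rev"]), "msg": d["msg"],
            "classification": d["cls"], "priority": int(d["prio"]), "proto": d["proto"],
            "src_ip": src_ip, "src_port": src_port, "dst_ip": dst_ip, "dst_port": dst_port}

def summarize_fast_log(text, max_priority=2):
    """Count alerts per signature and per source IP, keeping priority <= max_priority (1 is most severe)."""
    by_sig, by_src, unparsed = Counter(), Counter(), 0
    for line in filter(str.strip, text.splitlines()):
        alert = parse_fast_log_line(line)
        if alert is None:
            unparsed += 1          # truncated or foreign lines are counted, not silently dropped
        elif alert["priority"] <= max_priority:
            by_sig[(alert["sid"], alert["msg"])] += 1
            by_src[alert["src_ip"]] += 1
    return {"by_signature": by_sig, "by_source": by_src, "unparsed": unparsed}

# Constructed sample lines in fast.log format (not a real capture; sid 1000001 is an invented local rule).
SAMPLE_FAST_LOG = """\
01/28/2024-10:15:42.123456  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.0.2.10:80 -> 198.51.100.5:51234
01/28/2024-10:15:43.000001  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.0.2.10:80 -> 198.51.100.6:51300
01/28/2024-10:16:01.445566  [**] [1:1000001:1] LOCAL SCAN inbound probe to MySQL port [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.7:44102 -> 198.51.100.20:3306
01/28/2024-10:16:05.000000  [**] [1:2100384:6] GPL ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 203.0.113.7 -> 198.51.100.20
this line is not a fast.log alert
"""
```

Call summarize_fast_log(open("/var/log/suricata/fast.log").read()) on a real sensor and print by_signature.most_common() to see which rules fire most; a large unparsed count usually means the file was rotated mid-write or is not fast.log at all.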

Conclusion

This guide introduces the basics of Suricata, including installation steps, configuration methods, and basic usage. By correctly configuring and using Suricata, you can effectively detect and prevent network threats, enhancing network security. We hope this guide helps you understand and use Suricata better. For any questions or further assistance, please refer to the Suricata official documentation.


By following this guide, you should have a good starting point for working with Suricata. Happy monitoring!
