Suricata Quick Start for Fedora 21 and 22

Fedora Linux 21 and 22 have Suricata 2.0.8 in their default repositories making it very easy to get started.  The following was done on Fedora 22, but should be applicable to Fedora 21 as well.

Install Suricata

yum install suricata

(Fedora 22 made dnf the default package manager and ships yum as a compatibility wrapper, so dnf install suricata does the same thing there.)

Configure Interface

By default, Suricata will be configured to run on eth0, if you need to change this, edit /etc/sysconfig/suricata and change eth0 to your desired interface.

Start Suricata

To start Suricata one time:

systemctl start suricata

To have it restarted on each boot:

systemctl enable suricata

But you'll probably want it started only once the network is actually up. That means adding network-online.target to the unit: systemd's documentation asks for it on both After= and Wants=, because After= alone only orders the service relative to the target without pulling the target in. Rather than editing /usr/lib/systemd/system/suricata.service in place (a package update will overwrite it), copy it to /etc/systemd/system/suricata.service or put the two [Unit] lines in a drop-in, then run systemctl daemon-reload:

[Unit]
Description=Suricata Intrusion Detection Service
After=syslog.target network-online.target
Wants=network-online.target

[Service]
ExecStart=/sbin/suricata -c /etc/suricata/suricata.yaml $OPTIONS
EnvironmentFile=-/etc/sysconfig/suricata

[Install]
WantedBy=multi-user.target

Verify That Suricata is Running

Even though no rules have been downloaded yet, Suricata will still log HTTP requests, DNS requests, TLS certificates and SSH connections by default, as JSON records in its EVE log. These can be observed by following /var/log/suricata/eve.log (the filename is set in the eve-log output section of suricata.yaml; upstream's default is eve.json, so check there if the file is not present):

tail -f /var/log/suricata/eve.log
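A quick way to confirm the sensor is producing usable records, as an added example (not part of this page or of the Suricata project): the script below reads newline-delimited EVE JSON from a file named on the command line, or from three constructed sample records when run without arguments, and counts records per event_type while skipping anything that is not valid JSON. The sample records and the file path are assumptions for illustration.

```python
"""Summarize Suricata EVE JSON output by event_type.

Added example for this page, not code from the Suricata project.
The records in SAMPLE_EVE are constructed in the EVE shape (real
records carry many more fields); the last line is deliberately not
JSON to show that a corrupt line is counted and skipped, not fatal.
"""
import json
import sys
from collections import Counter

SAMPLE_EVE = """\
{"timestamp":"2015-06-01T12:00:00.000000+0000","event_type":"http","src_ip":"10.0.0.5","dest_ip":"93.184.216.34","http":{"hostname":"example.com","url":"/","http_method":"GET"}}
{"timestamp":"2015-06-01T12:00:01.000000+0000","event_type":"dns","src_ip":"10.0.0.5","dest_ip":"10.0.0.1","dns":{"type":"query","rrname":"example.com","rrtype":"A"}}
{"timestamp":"2015-06-01T12:00:02.000000+0000","event_type":"tls","src_ip":"10.0.0.5","dest_ip":"93.184.216.34","tls":{"subject":"CN=example.com","issuerdn":"CN=Example CA"}}
not json at all
"""


def summarize(lines):
    """Return (Counter keyed by event_type, number of unparseable lines)."""
    counts = Counter()
    bad = 0
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except ValueError:
            bad += 1  # truncated or garbled line; keep going
            continue
        counts[record.get("event_type", "unknown")] += 1
    return counts, bad


def main(path=None):
    """Summarize the EVE file at path, or the constructed samples."""
    if path:
        with open(path) as fh:
            counts, bad = summarize(fh)
    else:
        counts, bad = summarize(SAMPLE_EVE.splitlines())
    for event_type, n in counts.most_common():
        print(f"{event_type:10s} {n}")
    if bad:
        print(f"skipped {bad} non-JSON line(s)", file=sys.stderr)
    return counts


if __name__ == "__main__":
    main(sys.argv[1] if len(sys.argv) > 1 else None)
```

Run it as python3 evesummary.py /var/log/suricata/eve.log (name assumed) on a live sensor; if http, dns and tls never show up while traffic is flowing, the interface in /etc/sysconfig/suricata is the first thing to recheck.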

Download Some Rules

To get the most out of Suricata you will want to download some rules. The Emerging Threats Open rules are freely available; the tarball below unpacks into a rules/ subdirectory, which lands in /etc/suricata/rules, the default-rule-path of the packaged suricata.yaml. Piping the download straight into tar as root is convenient but gives you no chance to look at the archive first; if you prefer, save the tarball to a file and extract it in a second step.

cd /etc/suricata
curl http://rules.emergingthreats.net/open/suricata-2.0/emerging.rules.tar.gz | tar zxvf -
systemctl restart suricata

Another IDS rule downloader – rulecat

I didn’t mean to do it, but I created yet another tool to download IDS rules, with a specific focus on Suricata.  Like some other people, I’ve always used my own scripts for downloading rules instead of using existing tools, and I finally pulled some of that together and dropped it into my idstools project.

Installation

With pip (as it's written in Python):

pip install idstools

From source, https://github.com/jasonish/py-idstools/releases/download/0.5.0/idstools-0.5.0.tar.gz, where idstools-rulecat can be run from the exploded tarball without installing (also works with a git clone).

Usage

Probably the simplest usage, assuming you already have Suricata installed, is something like:

idstools-rulecat --rules-dir /etc/suricata/rules

This will download the ET Open rules for your version of Suricata and drop them in /etc/suricata/rules.

Other useful output options include:

  • --merged to merge all the rules into a single file, making it easier to include in your suricata.yaml.
  • --yaml-fragment to dump a fragment of YAML for inclusion in your suricata.yaml that lists each rule file downloaded.

Of course you can also disable, enable and modify rules.  To get sample configuration files for doing so, run:

idstools-rulecat --dump-sample-configs

which will drop the following files into your current directory:

  • disable.conf – allows disabling of rules by ID or regular expression.
  • enable.conf – allows enabling of rules by ID or regular expression.
  • modify.conf – rule modifications
  • threshold.in – an input threshold.conf that idstools-rulecat will expand (experimental)
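To make the disable/enable step concrete, here is an added example written for this page (not rulecat's own code): a small filter that comments out rules whose SID or text matches a disable list and uncomments those matching an enable list, applying disable first so an explicit enable wins when both lists hit the same rule. The matcher convention it uses (a bare number is a SID, re: introduces a regular expression matched against the rule text) and the three sample rules are constructed for the example and are not a description of rulecat's actual conf file format.

```python
"""Enable/disable Suricata rules by SID or regular expression.

Added example for this page, not code from rulecat or Suricata. The
matcher convention (bare number = SID, "re:" = regex on the rule text)
and SAMPLE_RULES are constructed here for illustration.
"""
import re
import sys

# Constructed sample rules in Suricata rule syntax; the second one
# starts out disabled (commented out).
SAMPLE_RULES = """\
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Sample User-Agent"; flow:established,to_server; content:"User-Agent|3a| sample"; http_header; classtype:policy-violation; sid:9000001; rev:1;)
#alert dns $HOME_NET any -> any 53 (msg:"ET INFO Sample DNS Lookup"; dns_query; content:"example.com"; classtype:misc-activity; sid:9000002; rev:1;)
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Sample TLS Certificate"; tls_subject:"CN=bad.example"; classtype:trojan-activity; sid:9000003; rev:1;)
"""

SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")


def parse_matchers(spec_lines):
    """Split matcher lines into a set of SIDs and a list of compiled regexes."""
    sids, regexes = set(), []
    for line in spec_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.isdigit():
            sids.add(int(line))
        elif line.startswith("re:"):
            regexes.append(re.compile(line[3:], re.IGNORECASE))
        else:
            raise ValueError(f"unrecognized matcher: {line!r}")
    return sids, regexes


def matches(rule, sids, regexes):
    """True if the rule's SID is listed or any regex hits the rule text."""
    m = SID_RE.search(rule)
    if m and int(m.group(1)) in sids:
        return True
    return any(r.search(rule) for r in regexes)


def apply_filters(rules, disable_spec=(), enable_spec=()):
    """Return the rules with disable matches commented out and enable
    matches uncommented. Disable runs first, so enable wins on overlap."""
    disable = parse_matchers(disable_spec)
    enable = parse_matchers(enable_spec)
    out = []
    for raw in rules:
        line = raw.rstrip("\n")
        if not SID_RE.search(line):
            out.append(line)  # blank line or plain comment: pass through
            continue
        commented = line.startswith("#")
        body = line[1:].lstrip() if commented else line
        enabled = not commented
        if matches(body, *disable):
            enabled = False
        if matches(body, *enable):
            enabled = True
        out.append(body if enabled else "#" + body)
    return out


def main(argv):
    """Usage: rulefilter.py RULES [DISABLE_SPEC] [ENABLE_SPEC]; with no
    arguments the constructed samples are filtered with a fixed spec."""
    if argv:
        rules = open(argv[0]).read().splitlines()
        disable = open(argv[1]).read().splitlines() if len(argv) > 1 else []
        enable = open(argv[2]).read().splitlines() if len(argv) > 2 else []
    else:
        rules = SAMPLE_RULES.splitlines()
        disable, enable = ["9000001", "re:ET TROJAN"], ["re:ET INFO"]
    for line in apply_filters(rules, disable, enable):
        print(line)


if __name__ == "__main__":
    main(sys.argv[1:])
```

Run without arguments it disables the POLICY and TROJAN samples and re-enables the commented-out INFO rule; note that a regex is matched against the whole rule line, so something as broad as re:ET would hit every ET rule, which is why ID-based entries are the safer default for anything you intend to keep permanently.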

As with many Python programs using the argparse module, a configuration file can be created by dropping command line arguments in a file and calling idstools-rulecat like:

idstools-rulecat @/path/to/rulecat.conf

For example, I use a rulecat.conf like:

--suricata=/usr/bin/suricata
--merged=rules/merged.rules
--disable=disable.conf
--enable=enable.conf
--modify=modify.conf
--threshold-in=threshold.in
--threshold-out=etc/threshold.config
--post-hook=sudo kill -USR2 $(cat /var/run/suricata.pid)
--etpro=ETPRO_CODE

Note --etpro, which downloads the ET Pro ruleset (it needs a subscription code) instead of ET Open. Because rulecat.conf then holds that code, keep it readable only by the user running rulecat (chmod 600). The --post-hook above sends SIGUSR2 to the running Suricata, which makes it reload its rules in place without a restart.

For full usage, head over to http://idstools.readthedocs.org/en/latest/tools/rulecat.html.

This is a work in progress, and is primarily being developed to satisfy my needs, perhaps it will be useful to others as well.


Suricata with EveBox on a Honeypot

I recently installed some honeypot software and am logging the traffic with Suricata into Elasticsearch with Logstash. I know it's a bit of a risk to expose Elasticsearch like this, but I thought it could make a good demo for EveBox.

To check it out head over to http://evebox.codemonkey.net/ with the username "evebox" and the same for the password.

This probably won’t be up for too long, it will depend on how useful the honeypot is to me at this time.


Suricata RPM for EL and CentOS 7

I’ve taken the Suricata package as found in Fedora and rebuilt it for CentOS 7. This should be similar to how the package would exist in EPEL (and hopefully it makes its way there).

To get the package with yum, first install the yum repository package (note: you must already have EPEL installed). As with any third-party repository, look at the .repo file it drops into /etc/yum.repos.d and confirm gpgcheck=1 with a gpgkey before running yum against it; the release rpm itself is fetched over plain HTTP:

rpm -Uvh http://codemonkey.net/files/rpm/suricata/el7/suricata-release-el-7-1.el7.noarch.rpm

then install Suricata:

yum install suricata

To just get the package, head over to http://codemonkey.net/files/rpm/suricata/el7/.


Suricata + ELK in Docker

While getting familiar with the very popular Docker Linux container tool, I went against best practice and put Suricata, Logstash, Elasticsearch and Kibana into a single container that is looking promising for demonstration purposes. If you already run this stack on one machine, it might be suitable for real use as well.

What you get is a very simple to run application container that abstracts all the tools above into a single application.

Assuming you have Docker already installed, you can get a feel for Suricata + ELK with a couple commands:

git clone https://github.com/jasonish/docker-suricata-elk.git
cd docker-suricata-elk
./launcher start -i eth0

The first time ./launcher start is run, Docker will pull down the container file system layers so it may take a while. Subsequent starts will be much quicker.

Once it looks like it is up and running, point your browser at http://localhost:7777.

A few notes:

  • Docker containers are more or less stateless. Changes to the filesystem inside the container are not persisted over a restart. Instead any data that needs to be persisted will end up in the ./data directory where you started the launcher.
  • This container uses host networking instead of the usual isolated network you find with Docker containers. This is to give the container access to your physical interfaces. This alone has me questioning Docker for network monitoring deployments.
  • As host networking is used, the container will probably fail if you have existing applications bound to port 7777 or 9200. Making these ports configurable is on the todo.
  • The containers log directory is available from the host system. Take a look in ./data/log.
  • Suricata is built from git master.
  • ./launcher enter will give you a shell inside the running container. This is useful to take a look around the runtime environment. Just remember that any changes you make will not be persistent.
  • ./launcher bash will start a new container with the bash shell and nothing running. This is mostly useful for development.
  • If running a VM, allocate 2GB of memory and/or create a swap file. These are not lightweight applications.
