Atlantic.Net Blog

How to Install Suricata IDS on Rocky Linux 8

Suricata is a free, open-source, independent threat detection engine developed by the Open Information Security Foundation. It is a flexible, high-performance intrusion detection system (IDS), intrusion prevention system (IPS), and network security monitoring (NSM) tool that can detect and block attacks against your network. The IDS analyses network traffic and detects known attacks by matching signatures, while the IPS has the ability to stop a packet from being delivered depending on the attack detected.

In this post, we will show you how to install Suricata IDS on Rocky Linux 8.

Step 1 – Install Suricata on Rocky Linux 8

Suricata is not included in the default Rocky Linux repositories, so you will need to install it from the EPEL repository.

You can install the EPEL repo using the following command:

dnf install epel-release -y

After the installation, verify the Suricata package information using the following command:

dnf info suricata

You will get the following output:

Available Packages
Name         : suricata
Version      : 5.0.8
Release      : 1.el8
Architecture : x86_64
Size         : 2.3 M
Source       : suricata-5.0.8-1.el8.src.rpm
Repository   : epel
Summary      : Intrusion Detection System
URL          : https://suricata-ids.org/
License      : GPLv2
Description  : The Suricata Engine is an Open Source Next Generation Intrusion
             : Detection and Prevention Engine. This engine is not intended to
             : just replace or emulate the existing tools in the industry, but
             : will bring new ideas and technologies to the field. This new Engine
             : supports Multi-threading, Automatic Protocol Detection (IP, TCP,
             : UDP, ICMP, HTTP, TLS, FTP and SMB! ), Gzip Decompression, Fast IP
             : Matching, and GeoIP identification.

Next, install Suricata with the following command:

dnf install suricata -y

Once Suricata is installed, you can proceed to the next step.

Step 2 – Configure Suricata

Suricata uses rules to raise alerts on matching threats. All rules are located inside the /etc/suricata/rules/ directory. You can list them with the following command:

ls /etc/suricata/rules/

You will get the following output:

app-layer-events.rules  dnp3-events.rules  http-events.rules      modbus-events.rules  smb-events.rules     tls-events.rules
decoder-events.rules    dns-events.rules   ipsec-events.rules     nfs-events.rules     smtp-events.rules
dhcp-events.rules       files.rules        kerberos-events.rules  ntp-events.rules     stream-events.rules

You can update all rules using the following command:

suricata-update

You will get the following output:

16/3/2022 -- 05:22:20 -  -- Loading distribution rule file /usr/share/suricata/rules/smb-events.rules
16/3/2022 -- 05:22:20 -  -- Loading distribution rule file /usr/share/suricata/rules/smtp-events.rules
16/3/2022 -- 05:22:20 -  -- Loading distribution rule file /usr/share/suricata/rules/stream-events.rules
16/3/2022 -- 05:22:20 -  -- Loading distribution rule file /usr/share/suricata/rules/tls-events.rules
16/3/2022 -- 05:22:20 -  -- Ignoring file rules/emerging-deleted.rules
16/3/2022 -- 05:22:23 -  -- Loaded 32324 rules.
16/3/2022 -- 05:22:23 -  -- Disabled 14 rules.
16/3/2022 -- 05:22:23 -  -- Enabled 0 rules.
16/3/2022 -- 05:22:23 -  -- Modified 0 rules.
16/3/2022 -- 05:22:23 -  -- Dropped 0 rules.
16/3/2022 -- 05:22:23 -  -- Enabled 131 rules for flowbit dependencies.
16/3/2022 -- 05:22:23 -  -- Creating directory /var/lib/suricata/rules.
16/3/2022 -- 05:22:23 -  -- Backing up current rules.
16/3/2022 -- 05:22:23 -  -- Writing rules to /var/lib/suricata/rules/suricata.rules: total: 32324; enabled: 24930; added: 32324; removed 0; modified: 0
16/3/2022 -- 05:22:23 -  -- Testing with suricata -T.
16/3/2022 -- 05:22:36 -  -- Done.

Next, you will need to configure Suricata with the network interface to monitor and the IP address of that interface.

First, find the network interface and IP address of your server with the following command:

ip --brief add

In the output below, you can see that the interface is eth0 and the IP address is 209.23.8.4.

lo               UNKNOWN        127.0.0.1/8 ::1/128 
eth0             UP             209.23.8.4/22 fe80::200:d1ff:fe17:804/64 
eth1             UP             fe80::200:aff:fe17:804/64 

Now, edit the Suricata configuration file:

nano /etc/suricata/suricata.yaml

Define your IP address and network interface as shown below:

# In the vars: address-groups: section
HOME_NET: "[209.23.8.4]"
EXTERNAL_NET: "!$HOME_NET"

# Capture interface
af-packet:
  - interface: eth0

# Rule file written by suricata-update
default-rule-path: /var/lib/suricata/rules
rule-files:
  - suricata.rules

Save and close the file, then disable packet offloading (GRO and LRO) on the eth0 interface for Suricata using the following command:

ethtool -K eth0 gro off lro off

Next, you will need to edit the /etc/sysconfig/suricata file and define the network interface on which Suricata is listening.

nano /etc/sysconfig/suricata

Change the following line:

OPTIONS="-i eth0 --user suricata "

Save and close the file when you are finished. Then, start and enable the Suricata service with the following command:

systemctl enable --now suricata

Next, check the status of Suricata using the following command:

systemctl status suricata

You will get the following output:

● suricata.service - Suricata Intrusion Detection Service
   Loaded: loaded (/usr/lib/systemd/system/suricata.service; enabled; vendor preset: disabled)
   Active: active (running) since Wed 2022-03-16 05:25:20 UTC; 5s ago
     Docs: man:suricata(1)
  Process: 24047 ExecStartPre=/bin/rm -f /var/run/suricata.pid (code=exited, status=0/SUCCESS)
 Main PID: 24049 (Suricata-Main)
    Tasks: 1 (limit: 23696)
   Memory: 232.9M
   CGroup: /system.slice/suricata.service
           └─24049 /sbin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid -i eth0 --user suricata

Mar 16 05:25:20 rockylinux systemd[1]: Starting Suricata Intrusion Detection Service...
Mar 16 05:25:20 rockylinux systemd[1]: Started Suricata Intrusion Detection Service.
Mar 16 05:25:20 rockylinux suricata[24049]: 16/3/2022 -- 05:25:20 -  - This is Suricata version 5.0.8 RELEASE running in SYSTEM mode
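
The Step 2 settings can be verified rather than assumed. The script below is an added example, not part of the original guide: it checks ethtool -k output for GRO and LRO, confirms that the active HOME_NET line lists the sensor address, and runs Suricata's configuration test (suricata -T). The function names, the --live argument and the embedded sample input are assumptions of this example.

```shell
#!/bin/sh
# Added example: checks for the Step 2 settings. Function names and the
# --live argument are this example's own, not part of Suricata or the guide.
IFACE="eth0"                         # interface used in this guide
CONF="/etc/suricata/suricata.yaml"   # file edited in this guide

# Read `ethtool -k` output on stdin; succeed only if every feature named
# in the arguments is reported as "off".
offloads_off() {
    features=$(cat)
    for f in "$@"; do
        printf '%s\n' "$features" | grep -Eq "^[[:space:]]*$f: off( |\$)" || return 1
    done
}

# Read suricata.yaml on stdin; succeed if the active (uncommented) HOME_NET
# line lists address $1 literally. CIDR containment is not evaluated.
home_net_has() {
    addr=$(printf '%s' "$1" | sed 's/\./\\./g')
    grep -E '^[[:space:]]*HOME_NET:' | grep -Eq "(^|[^0-9.])$addr([^0-9.]|\$)"
}

# Constructed sample input, so the two parsers can be exercised offline.
sample_ethtool() {
    printf '%s\n' 'Features for eth0:' 'rx-checksumming: on' \
        'generic-receive-offload: off' 'large-receive-offload: off [fixed]'
}
sample_yaml() {
    printf '%s\n' 'vars:' '  address-groups:' \
        '    #HOME_NET: "[192.168.0.0/16]"' '    HOME_NET: "[209.23.8.4]"'
}

# Live checks: need root plus the ethtool and suricata binaries.
check_live() {
    ethtool -k "$IFACE" | offloads_off generic-receive-offload large-receive-offload \
        || { echo "GRO/LRO not disabled on $IFACE" >&2; return 1; }
    home_net_has "$1" < "$CONF" \
        || { echo "HOME_NET in $CONF does not list $1" >&2; return 1; }
    suricata -T -c "$CONF"    # load config and rules in test mode, then exit
}

# Usage: sh check-suricata.sh --live 209.23.8.4
if [ "${1:-}" = "--live" ]; then
    check_live "${2:-}"
fi
```

Offload settings changed with ethtool -K do not survive a reboot, so run the check again after the host restarts.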

Step 3 – Check Suricata Logs

Suricata provides various log files to check the Suricata process, alerts, and stats.

To check the Suricata process log, run the following command:

tail /var/log/suricata/suricata.log

You should see the following output:

16/3/2022 -- 05:25:20 -  - Running in live mode, activating unix socket
16/3/2022 -- 05:25:20 -  - SSSE3 support not detected, disabling Hyperscan for SPM
16/3/2022 -- 05:25:21 -  - 1 rule files processed. 24930 rules successfully loaded, 0 rules failed
16/3/2022 -- 05:25:21 -  - Threshold config parsed: 0 rule(s) found
16/3/2022 -- 05:25:21 -  - 24933 signatures processed. 1283 are IP-only rules, 4109 are inspecting packet payload, 19340 inspect application layer, 105 are decoder event only
16/3/2022 -- 05:25:30 -  - Going to use 2 thread(s)
16/3/2022 -- 05:25:30 -  - Running in live mode, activating unix socket
16/3/2022 -- 05:25:30 -  - Using unix socket file '/var/run/suricata/suricata-command.socket'
16/3/2022 -- 05:25:30 -  - all 2 packet processing threads, 4 management threads initialized, engine started.
16/3/2022 -- 05:25:30 -  - All AFP capture threads are running.

To check the Suricata alert log, run the following command:

tail -f /var/log/suricata/fast.log

You should see the following output:

03/16/2022-05:25:53.059177  [**] [1:2402000:6215] ET DROP Dshield Block Listed Source group 1 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 45.155.205.43:54612 -> 209.23.8.4:14381
03/16/2022-05:25:53.059177  [**] [1:2403342:73004] ET CINS Active Threat Intelligence Poor Reputation IP group 43 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 45.155.205.43:54612 -> 209.23.8.4:14381

To check the Suricata stats log, run the following command:

tail -f /var/log/suricata/stats.log

You should see the following output:

------------------------------------------------------------------------------------
Counter                                       | TM Name                   | Value
------------------------------------------------------------------------------------
capture.kernel_packets                        | Total                     | 651
decoder.pkts                                  | Total                     | 651
decoder.bytes                                 | Total                     | 51754
decoder.ipv4                                  | Total                     | 398
decoder.ipv6                                  | Total                     | 251
decoder.ethernet                              | Total                     | 651

Step 4 – Test Suricata IDS

At this point, Suricata IDS is installed and configured. Now, it’s time to test whether the Suricata IDS is working or not. To test it, log in to another system and install the hping3 utility to perform a DDoS attack.

dnf install hping3

After installing hping3, perform a DDoS attack with the following command:

hping3 -S -p 22 --flood --rand-source 209.23.8.4

Now, go to the Suricata system and check the alert log using the following command:

tail -f /var/log/suricata/fast.log

You should see the following output:

03/16/2022-05:29:11.007980  [**] [1:2402000:6215] ET DROP Dshield Block Listed Source group 1 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 45.155.205.56:43288 -> 209.23.8.4:1336
03/16/2022-05:29:18.049526  [**] [1:2402000:6215] ET DROP Dshield Block Listed Source group 1 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 89.248.163.164:44217 -> 209.23.8.4:37394
03/16/2022-05:29:18.049526  [**] [1:2403393:73004] ET CINS Active Threat Intelligence Poor Reputation IP group 94 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 89.248.163.164:44217 -> 209.23.8.4:37394
03/16/2022-05:30:52.933947  [**] [1:2402000:6215] ET DROP Dshield Block Listed Source group 1 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 167.248.133.173:24721 -> 209.23.8.4:9307
03/16/2022-05:31:52.284374  [**] [1:2402000:6215] ET DROP Dshield Block Listed Source group 1 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 89.248.165.202:57104 -> 209.23.8.4:6061
03/16/2022-05:31:52.284374  [**] [1:2403393:73004] ET CINS Active Threat Intelligence Poor Reputation IP group 94 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 89.248.165.202:57104 -> 209.23.8.4:6061
03/16/2022-05:32:19.951353  [**] [1:2403341:73004] ET CINS Active Threat Intelligence Poor Reputation IP group 42 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 45.137.21.208:42694 -> 209.23.8.4:57335
03/16/2022-05:32:21.477358  [**] [1:2403369:73004] ET CINS Active Threat Intelligence Poor Reputation IP group 70 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 61.160.237.40:48539 -> 209.23.8.4:2375
03/16/2022-05:33:07.307152  [**] [1:2403399:73004] ET CINS Active Threat Intelligence Poor Reputation IP group 100 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 97.74.81.123:55652 -> 209.23.8.4:3389
03/16/2022-05:33:13.355428  [**] [1:2402000:6215] ET DROP Dshield Block Listed Source group 1 [**] [Classification: Misc Attack] [Priority: 2] {UDP} 146.88.240.4:41296 -> 209.23.8.4:69

The above output confirms that Suricata is working well.
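
To see what is behind the alerts in fast.log, the following added example (not part of the original guide) groups alerts by signature and counts those addressed to a given destination port, which helps separate alerts raised by your own test traffic from unrelated background alerts. The function names are assumptions of this example, and the sample lines are copied from the fast.log output shown above.

```shell
#!/bin/sh
# Added example: summarise fast.log alerts. Function names are this
# example's own; the sample lines are copied from the output shown above.
sample_fast_log() {
    cat <<'EOF'
03/16/2022-05:29:11.007980  [**] [1:2402000:6215] ET DROP Dshield Block Listed Source group 1 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 45.155.205.56:43288 -> 209.23.8.4:1336
03/16/2022-05:29:18.049526  [**] [1:2402000:6215] ET DROP Dshield Block Listed Source group 1 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 89.248.163.164:44217 -> 209.23.8.4:37394
03/16/2022-05:29:18.049526  [**] [1:2403393:73004] ET CINS Active Threat Intelligence Poor Reputation IP group 94 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 89.248.163.164:44217 -> 209.23.8.4:37394
03/16/2022-05:33:07.307152  [**] [1:2403399:73004] ET CINS Active Threat Intelligence Poor Reputation IP group 100 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 97.74.81.123:55652 -> 209.23.8.4:3389
03/16/2022-05:33:13.355428  [**] [1:2402000:6215] ET DROP Dshield Block Listed Source group 1 [**] [Classification: Misc Attack] [Priority: 2] {UDP} 146.88.240.4:41296 -> 209.23.8.4:69
EOF
}

# stdin: fast.log lines. stdout: "count<TAB>gid:sid:rev<TAB>message",
# one line per signature, most frequent first.
alerts_by_signature() {
    awk '
    match($0, /\[[0-9]+:[0-9]+:[0-9]+\]/) {
        sig = substr($0, RSTART + 1, RLENGTH - 2)
        msg[sig] = substr($0, RSTART + RLENGTH + 1)
        sub(/ \[\*\*\].*/, "", msg[sig])      # keep only the rule message
        count[sig]++
    }
    END { for (s in count) printf "%d\t%s\t%s\n", count[s], s, msg[s] }
    ' | sort -t "$(printf '\t')" -k1,1nr -k2,2
}

# stdin: fast.log lines. stdout: number of alerts whose destination port is $1.
alerts_to_port() {
    awk -v port="$1" '
    $(NF - 1) == "->" { n = split($NF, part, ":"); if (part[n] == port) hits++ }
    END { print hits + 0 }'
}

# Usage on a live sensor: alerts_by_signature < /var/log/suricata/fast.log
sample_fast_log | alerts_by_signature
echo "alerts to port 22: $(sample_fast_log | alerts_to_port 22)"
```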

Conclusion

In this guide, we explained how to install Suricata IDS on Rocky Linux 8. We also configured Suricata IDS and tested it with a DDoS attack. You can now implement Suricata IDS on a production server to secure it from DDoS attacks. Try it on dedicated servers from Atlantic.Net!