Protecting your network with the Suricata intrusion detection system
Guard on Duty
Snort isn't the only free intrusion detection tool in the barnyard. We'll show you a powerful and promising alternative known as Suricata.
When most Linux users think of an open source IDS/IPS (intrusion detection|prevention system), they think of Snort. But Linux users have another option for intrusion detection and prevention: Suricata [1]. Suricata is developed by the Open Information Security Foundation (OISF), which is tasked "to build a next generation IDS/IPS engine." The funding for the OISF comes from several US government agencies and private firms, but since Suricata is licensed under the common "GPLv2 and later" license, it is true open source and also freely available.
Why Suricata?
Why choose Suricata instead of Snort? Suricata uses Snort-compatible rulesets, which is good for compatibility, but if you're already using Snort rulesets, why not just use Snort? For one thing, Suricata is multithreaded, meaning it can easily take advantage of multiple cores, so you can more easily examine large volumes of traffic without having to make sacrifices like reducing the number of rules. Suricata can also do protocol inspection, so you don't have to rely on port numbers to identify traffic – you can easily examine HTTP traffic no matter what port it is on. Suricata also allows you to look inside of the protocol streams and extract the files, so they can then be examined. You can also block files based on their MD5 signature (more on this later). Suricata also allows you to examine TSL/SSL certificates and match them based on their fingerprints (a SHA1 hash of the certificate typically), so even if you can't intercept the TLS/SSL connection, you can still exert some control over it. However the main advantage of Suricata over Snort is that it isn't Snort. Don't get me wrong, Snort is awesome and I really like it, but Snort is also showing its age and some of the design decisions are less than optimal in the modern world (e.g., 10Gb Ethernet is cheap now) – things that Suricata addresses. Note: The latest version of Snort addresses some of these problems – see the article on Snort elsewhere in this issue.
Suricata Install
The three primary options for installing Suricata [2] are from a package, from a source tarball, and from Git. I would only recommend using the Git version if you are a developer or need access to some bleeding-edge feature that hasn't yet made it into a release tarball. The package installation is less than optimal; at the time of this writing, Debian has a really old version of Suricata (1.2, current is 2.0.2), so unless you can get at least version 2.0.x, I would recommend installing from the release tarball. But first you're going to need some build dependencies: libpcap-devel
, libnet-devel
, pcre-devel
, libyaml-devel
, zlib-devel
, libcap-ng-devel
, and file-devel
. If you want to use the IPS mode to block attacks, you're also going to need libnfnetlink-devel
and libnetfilter_queue-devel
(on RHEL and CentOS you can find these in EPEL). Then, grab the tarball and execute the usual configure, make, and make install:
wget http://www.openinfosecfoundation.org/download/suricata-2.0.2.tar.gz tar -xvzf suricata-2.0.2.tar.gz cd suricata-2.0.2 ./configure --enable-nfqueue --prefix=/usr --sysconfdir=/etc --localstatedir=/var make sudo make install sudo ldconfig
You also have some options when installing; by using make install-conf
, you can install the configuration files into /etc/
, the make install-rules
command will get the latest emerging threat rules from Suricata and install them, and make install-full
will do both. You'll then need to create the Suricata log directory:
sudo mkdir /var/log/suricata
At this point, you might also need to get the Snort rules – more on this later.
Suricata Configuration
Configuring Suricata is a lot like configuring Snort, except with even more options. The primary configuration file is /etc/suricata/suricata.yaml
, with several sections you'll certainly want to configure, including outputs
(logging and output of data), vars
(variables), and host-os-policy
(allows you to specify the IP/network of operating systems, which helps Suricata determine how best to defragment and reassemble the TCP stream). Your choice of output log will largely depend on how you want to process the data (if at all). The vars
section allows you to specify various network and service configurations (such as your DNS, SMTP, and SQL servers), which are used by various signatures. The cuda
section even allows you to configure a GPU to accelerate Suricata.
The final section is the app-layer
configuration. Suricata understands a wide variety of protocols, and you have the option of detecting the traffic only, detecting and parsing the traffic, and not detecting or parsing it (e.g., you might want to ignore DNS traffic since you can easily log and firewall it).
Buy this article as PDF
(incl. VAT)
Buy Linux Magazine
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters
Support Our Work
Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.
News
-
Juno Computers Launches Another Linux Laptop
If you're looking for a powerhouse laptop that runs Ubuntu, the Juno Computers Neptune 17 v6 should be on your radar.
-
ZorinOS 17.1 Released, Includes Improved Windows App Support
If you need or desire to run Windows applications on Linux, there's one distribution intent on making that easier for you and its new release further improves that feature.
-
Linux Market Share Surpasses 4% for the First Time
Look out Windows and macOS, Linux is on the rise and has even topped ChromeOS to become the fourth most widely used OS around the globe.
-
KDE’s Plasma 6 Officially Available
KDE’s Plasma 6.0 "Megarelease" has happened, and it's brimming with new features, polish, and performance.
-
Latest Version of Tails Unleashed
Tails 6.0 is based on Debian 12 and includes GNOME 43.
-
KDE Announces New Slimbook V with Plenty of Power and KDE’s Plasma 6
If you're a fan of KDE Plasma, you'll be thrilled to hear they've announced a new Slimbook with an AMD CPU and the latest version of KDE Plasma desktop.
-
Monthly Sponsorship Includes Early Access to elementary OS 8
If you want to get a glimpse of what's in the pipeline for elementary OS 8, just set up a monthly sponsorship to help fund its continued existence.
-
DebConf24 to be Held in South Korea
Busan will be the location of the latest DebConf running July 28 through August 4
-
Fedora Unleashes Atomic Desktops
Fedora has combined its solid distribution with rpm-ostree system to make it possible to deliver a new family of Fedora spins, called Fedora Atomic Desktops.
-
Bootloader Vulnerability Affects Nearly All Linux Distributions
The developers of shim have released a version to fix numerous security flaws, including one that could enable remote control execution of malicious code under certain circumstances.