jedi.sh#> Adding Suricata, An Intrusion Detection System

  • Install the Suricata dependencies.
  • sudo apt-get install libjansson-dev rustc cargo libmagic-dev libnspr4-dev  \
    libcap-ng-dev python3-yaml liblz4-dev libnss3-dev libpcre3-dev libyaml-dev \
    libevent-core-2.1-6 libevent-pthreads-2.1-6 libhtp2 libltdl7 libnet1 \
    libnetfilter-log1 libnetfilter-queue1 libnspr4 libnss3 libprelude23 libpython-stdlib \
    libpython2-stdlib libpython2.7-minimal libpython2.7-stdlib libyaml-0-2 python python-minimal \
    python-simplejson python2 python2-minimal python2.7 python2.7-minimal
  • Download and extract the latest Suricata.
  • wget https://www.openinfosecfoundation.org/download/suricata-6.0.2.tar.gz && tar -zxf suricata-6.0.2.tar.gz
  • Configure and compile Suricata.
  • cd suricata-6.0.2 && ./configure && sudo make -j6 install-full
  • Create a symbolic link so Suricata can find the rules.
  • ln -s /usr/local/var/lib/suricata/rules /usr/local/etc/suricata/rules
  • Run LD_LIBRARY_PATH=/usr/local/lib sudo suricata-update to download the latest free rulesets. Note we need to set LD_LIBRARY_PATH so Suricata runs its tests successfully.
  • nanopi-r4s:~/suricata-6.0.2# LD_LIBRARY_PATH=/usr/local/lib sudo suricata-update
    21/6/2021 -- 21:24:53 -  -- Using data-directory /usr/local/var/lib/suricata.
    21/6/2021 -- 21:24:53 -  -- Using Suricata configuration /usr/local/etc/suricata/suricata.yaml
    21/6/2021 -- 21:24:53 -  -- Using /usr/local/share/suricata/rules for Suricata provided rules.
    21/6/2021 -- 21:24:53 -  -- Found Suricata version 6.0.2 at /usr/local/bin/suricata.
    21/6/2021 -- 21:24:53 -  -- Loading /usr/local/etc/suricata/suricata.yaml
    21/6/2021 -- 21:24:53 -  -- Disabling rules for protocol http2
    21/6/2021 -- 21:24:53 -  -- Disabling rules for protocol modbus
    21/6/2021 -- 21:24:53 -  -- Disabling rules for protocol dnp3
    21/6/2021 -- 21:24:53 -  -- Disabling rules for protocol enip
    21/6/2021 -- 21:24:53 -  -- No sources configured, will use Emerging Threats Open
    21/6/2021 -- 21:24:53 -  -- Last download less than 15 minutes ago. Not downloading https://rules.emergingthreats.net/open/suricata-6.0.2/emerging.rules.tar.gz.
    21/6/2021 -- 21:24:54 -  -- Loading distribution rule file /usr/local/share/suricata/rules/app-layer-events.rules
    21/6/2021 -- 21:24:54 -  -- Loading distribution rule file /usr/local/share/suricata/rules/decoder-events.rules
    21/6/2021 -- 21:24:54 -  -- Loading distribution rule file /usr/local/share/suricata/rules/dhcp-events.rules
    21/6/2021 -- 21:24:54 -  -- Loading distribution rule file /usr/local/share/suricata/rules/dnp3-events.rules
    21/6/2021 -- 21:24:54 -  -- Loading distribution rule file /usr/local/share/suricata/rules/dns-events.rules
    21/6/2021 -- 21:24:54 -  -- Loading distribution rule file /usr/local/share/suricata/rules/files.rules
    21/6/2021 -- 21:24:54 -  -- Loading distribution rule file /usr/local/share/suricata/rules/http-events.rules
    21/6/2021 -- 21:24:54 -  -- Loading distribution rule file /usr/local/share/suricata/rules/ipsec-events.rules
    21/6/2021 -- 21:24:54 -  -- Loading distribution rule file /usr/local/share/suricata/rules/kerberos-events.rules
    21/6/2021 -- 21:24:54 -  -- Loading distribution rule file /usr/local/share/suricata/rules/modbus-events.rules
    21/6/2021 -- 21:24:54 -  -- Loading distribution rule file /usr/local/share/suricata/rules/nfs-events.rules
    21/6/2021 -- 21:24:54 -  -- Loading distribution rule file /usr/local/share/suricata/rules/ntp-events.rules
    21/6/2021 -- 21:24:54 -  -- Loading distribution rule file /usr/local/share/suricata/rules/smb-events.rules
    21/6/2021 -- 21:24:54 -  -- Loading distribution rule file /usr/local/share/suricata/rules/smtp-events.rules
    21/6/2021 -- 21:24:54 -  -- Loading distribution rule file /usr/local/share/suricata/rules/stream-events.rules
    21/6/2021 -- 21:24:54 -  -- Loading distribution rule file /usr/local/share/suricata/rules/tls-events.rules
    21/6/2021 -- 21:24:54 -  -- Ignoring file rules/emerging-deleted.rules
    21/6/2021 -- 21:25:00 -  -- Loaded 30134 rules.
    21/6/2021 -- 21:25:01 -  -- Disabled 14 rules.
    21/6/2021 -- 21:25:01 -  -- Enabled 0 rules.
    21/6/2021 -- 21:25:01 -  -- Modified 0 rules.
    21/6/2021 -- 21:25:01 -  -- Dropped 0 rules.
    21/6/2021 -- 21:25:02 -  -- Enabled 147 rules for flowbit dependencies.
    21/6/2021 -- 21:25:02 -  -- Backing up current rules.
    21/6/2021 -- 21:25:10 -  -- Writing rules to /usr/local/var/lib/suricata/rules/suricata.rules: total: 30134; enabled: 22688; added: 6; removed 45; modified: 1206
    21/6/2021 -- 21:25:10 -  -- Writing /usr/local/var/lib/suricata/rules/classification.config
    21/6/2021 -- 21:25:10 -  -- Testing with suricata -T.
    21/6/2021 -- 21:25:47 -  -- Done.
  • Create a systemd unit file for Suricata. Note we only want to monitor one of the interfaces, not the bridge. sudo nano /etc/systemd/system/suricata.service
  • [Unit]
    Description=Suricata IDS/IDP daemon
    After=network.target
    Requires=network.target
    Documentation=man:suricata(8) man:suricatasc(8)
    Documentation=https://redmine.openinfosecfoundation.org/projects/suricata/wiki
    
    [Service]
    Type=simple
    User=root
    Group=root
    Environment=LD_LIBRARY_PATH=/usr/local/lib
    Environment=CFG=/usr/local/etc/suricata/suricata.yaml
    ExecStart=/usr/local/bin/suricata -c $CFG -i eth0
    ExecReload=/bin/kill -HUP $MAINPID
    ExecStop=/bin/kill $MAINPID
    PrivateTmp=yes
    TimeoutStartSec=300
    
    [Install]
    WantedBy=multi-user.target

  • Enable and start Suricata. systemctl enable suricata && systemctl start suricata
  • Check the startup status of suricata with journalctl -fu suricata
  • root@nanopi-r4s:~# journalctl -fu suricata
    Jun 21 21:53:33 nanopi-r4s systemd[1]: Started Suricata IDS/IDP daemon.
    Jun 21 21:53:33 nanopi-r4s suricata[13445]: 21/6/2021 -- 21:53:33 -  - This is Suricata version 6.0.2 RELEASE running in SYSTEM mode
    Jun 21 21:54:01 nanopi-r4s suricata[13445]: 21/6/2021 -- 21:54:01 -  - all 6 packet processing threads, 4 management threads initialized, engine started.

  • We can now inspect the log directory to see what is being output by Suricata. These files can get large quite quickly.
  • root@nanopi-r4s:/usr/local/var/log/suricata# ls
    certs  eve.json  fast.log  files  stats.log  suricata.log
  • To set up log rotation, create the following file. Add more files and tune to your needs. sudo nano /etc/logrotate.d/suricata_log
  • /usr/local/var/log/suricata/eve.json
    {
        daily
        rotate 3
        missingok
        nocompress
        create
        dateext
        dateformat .%Y-%m-%d
        sharedscripts
        postrotate
                /bin/kill -HUP `ps aux | grep /usr/local/bin/suricata | grep eth0 | grep -v grep | awk '{print $2}'` 2>/dev/null || true
        endscript
    }
    /usr/local/var/log/suricata/stats.log
    {
        daily
        rotate 3
        missingok
        nocompress
        create
        dateext
        dateformat .%Y-%m-%d
        sharedscripts
        postrotate
                /bin/kill -HUP `ps aux | grep /usr/local/bin/suricata | grep eth0 | grep -v grep | awk '{print $2}'` 2>/dev/null || true
        endscript
    }

    Note: You can test your logrotate script with the following: logrotate -d /etc/logrotate.d/suricata_log
  • Inspecting our alerts file sudo tail -f /usr/local/var/log/suricata/fast.log we begin to see various anomalies if there's live traffic.
  • 06/19/2021-22:30:37.747150  [**] [1:2210007:2] SURICATA STREAM 3way handshake SYNACK with wrong ack [**] [Classification: Generic Protocol Command Decode] [Priority: 3]
    06/19/2021-22:30:37.903141  [**] [1:2230002:1] SURICATA TLS invalid record type [**] [Classification: Generic Protocol Command Decode] [Priority: 3]
    06/19/2021-22:30:37.903141  [**] [1:2230010:1] SURICATA TLS invalid record/traffic [**] [Classification: Generic Protocol Command Decode] [Priority: 3]
    06/19/2021-22:30:37.903141  [**] [1:2260002:1] SURICATA Applayer Detect protocol only one direction [**] [Classification: Generic Protocol Command Decode] [Priority: 3]
    06/19/2021-22:30:37.917964  [**] [1:2230002:1] SURICATA TLS invalid record type [**] [Classification: Generic Protocol Command Decode] [Priority: 3]
    06/19/2021-22:30:37.917964  [**] [1:2230010:1] SURICATA TLS invalid record/traffic [**] [Classification: Generic Protocol Command Decode] [Priority: 3]
    06/19/2021-22:42:04.001392  [**] [1:2260002:1] SURICATA Applayer Detect protocol only one direction [**] [Classification: Generic Protocol Command Decode] [Priority: 3]
    06/19/2021-22:59:04.001581  [**] [1:2260002:1] SURICATA Applayer Detect protocol only one direction [**] [Classification: Generic Protocol Command Decode] [Priority: 3]
    06/19/2021-23:08:03.002276  [**] [1:2260002:1] SURICATA Applayer Detect protocol only one direction [**] [Classification: Generic Protocol Command Decode] [Priority: 3]
    06/20/2021-04:09:49.358670  [**] [1:2224003:1] SURICATA IKEv2 weak cryptographic parameters (PRF) [**] [Classification: Generic Protocol Command Decode] [Priority: 3]
    06/20/2021-04:09:49.358670  [**] [1:2224004:2] SURICATA IKEv2 weak cryptographic parameters (Auth) [**] [Classification: Generic Protocol Command Decode] [Priority: 3]

  • Now if you wish to set up audible alerting, connect your USB sound card and speaker, and run the following.
  • sudo apt-get install alsa-utils sox libsox-fmt-all
    sudo sed -i 's/defaults.ctl.card 0/defaults.ctl.card 1/' /usr/share/alsa/alsa.conf
    sudo sed -i 's/defaults.pcm.card 0/defaults.pcm.card 1/' /usr/share/alsa/alsa.conf
    

  • Create an executable script to watch the file and the related service. aplay will kick off our alarm when it finds a match. You will have to customize this to find alerts you are interested in. The alert sound I used can be found here: sudo curl -o /root/eminyildirim_futuristic-alarm.wav https://jedi.sh/eminyildirim_futuristic-alarm.wav

  • sudo nano /usr/local/bin/watcher.sh
    #!/bin/bash

    # Follow only new lines of fast.log. egrep -m 1 exits on the first matching
    # line, the loop body plays the alarm in the background, and the loop starts
    # following the file again.
    while tail -f /usr/local/var/log/suricata/fast.log -n0 | egrep -m 1 'protocol only one direction|weak cryptographic'
    do
        aplay /root/eminyildirim_futuristic-alarm.wav &
    done

    sudo nano /etc/systemd/system/suricata-alert.service
    [Unit]
    Description=Suricata Log Watcher
    After=network.target

    [Service]
    Type=simple
    User=root
    Group=root
    ExecStart=/usr/local/bin/watcher.sh
    Restart=on-failure

    [Install]
    WantedBy=multi-user.target

    sudo chmod +x /usr/local/bin/watcher.sh
    sudo systemctl enable suricata-alert
    sudo systemctl start suricata-alert
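    The egrep watcher above matches on message text alone and spawns aplay once per matching line, so a burst like the three alerts at 22:30:37 above plays the alarm three times. As an added example (not code from the post), here is a Python filter that parses fast.log lines of the format shown into fields, alarms on a SID list or top priority, and suppresses repeat alarms within a cooldown window. The sample lines are constructed from the fast.log output above; the SID watch list is taken from the egrep pattern, while the 30 second cooldown, the priority threshold and the optional "{proto} src -> dst" trailer handling are my assumptions.

```python
import re
from datetime import datetime

# Constructed sample lines, copied from the fast.log output shown above.
SAMPLE_LINES = [
    "06/19/2021-22:30:37.747150  [**] [1:2210007:2] SURICATA STREAM 3way handshake SYNACK with wrong ack [**] [Classification: Generic Protocol Command Decode] [Priority: 3]",
    "06/19/2021-22:30:37.903141  [**] [1:2260002:1] SURICATA Applayer Detect protocol only one direction [**] [Classification: Generic Protocol Command Decode] [Priority: 3]",
    "06/20/2021-04:09:49.358670  [**] [1:2224004:2] SURICATA IKEv2 weak cryptographic parameters (Auth) [**] [Classification: Generic Protocol Command Decode] [Priority: 3]",
]

# ts [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: N], plus an optional
# "{proto} src -> dst" trailer (assumed; the lines above end at Priority).
FAST_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4}-\d{2}:\d{2}:\d{2}\.\d{6})\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s+(?P<cls>[^\]]*)\])?\s+\[Priority:\s+(?P<prio>\d+)\]"
    r"(?:\s+\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+))?\s*$"
)

WATCH_SIDS = {2260002, 2224003, 2224004}  # the SIDs the post's egrep pattern catches
MAX_PRIORITY = 1       # assumption: priority 1 alerts alarm regardless of SID
COOLDOWN_SECONDS = 30  # assumption: at most one alarm per 30 s burst

def parse_fast_line(line):
    """Return a dict of fields for one fast.log line, or None if it does not parse."""
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    a = m.groupdict()
    a["ts"] = datetime.strptime(a["ts"], "%m/%d/%Y-%H:%M:%S.%f")
    a["gid"], a["sid"], a["rev"], a["prio"] = (int(a[k]) for k in ("gid", "sid", "rev", "prio"))
    return a

def should_alarm(alert, last_alarm_ts):
    """Alarm on a watched SID or top priority, but not twice within the cooldown."""
    if alert["sid"] not in WATCH_SIDS and alert["prio"] > MAX_PRIORITY:
        return False
    if last_alarm_ts is not None and (alert["ts"] - last_alarm_ts).total_seconds() < COOLDOWN_SECONDS:
        return False
    return True

def run(lines):
    """Return the alerts that would trigger the alarm (where the watcher would call aplay)."""
    fired, last = [], None
    for line in lines:
        alert = parse_fast_line(line)
        if alert and should_alarm(alert, last):
            fired.append(alert)
            last = alert["ts"]
    return fired
```

In the service, `tail -F -n0 fast.log` can be piped into a small wrapper that feeds `sys.stdin` to `run()` and calls aplay per returned alert; `-F` keeps following the file by name after logrotate replaces it.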
    

    Thoughts:

    *************

    Now we can summarize data on the network, and act on that information. This is just the start of what you can do while inline (or out of band on a mirrored port) on the network. Outside of the home setting we could scale this up on actual hardware and ingest our logs into an ELK stack to provide a less opaque pane of glass for security and network monitoring.