How To Install Suricata On Ubuntu 16.04

Suricata is an open source Network IDS, IPS and Network Security Monitoring engine, developed by the Open Information Security Foundation (OISF). This tutorial covers the installation procedure of Suricata on Ubuntu 16.04.

Installing Suricata

First, add the OISF stable PPA to your system so that apt can find the Suricata package. Enter the following command:

root@linuxhelp1:~# add-apt-repository ppa:oisf/suricata-stable
Suricata IDS/IPS/NSM stable packages
http://www.openinfosecfoundation.org/
http://planet.suricata-ids.org/
http://suricata-ids.org/
Suricata IDS/IPS/NSM - Suricata is a high performance Intrusion Detection and Prevention System and Network Security Monitoring engine.
Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.

This Engine supports:
- Multi-Threading - provides for extremely fast and flexible operation on multicore systems.
- Multi Tenancy
- File Extraction, MD5 matching - over 4000 file types recognized and extracted from live traffic.
.
.
.
gpg: keyring `/tmp/tmpft11pvb6/secring.gpg'  created
gpg: keyring `/tmp/tmpft11pvb6/pubring.gpg'  created
gpg: requesting key 66EB736F from hkp server keyserver.ubuntu.com
gpg: /tmp/tmpft11pvb6/trustdb.gpg: trustdb created
gpg: key 66EB736F: public key "Launchpad PPA for Peter Manev" imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)
OK

After adding the repository, refresh the package index so that the newly added repository is included.

root@linuxhelp1:~# apt-get update
Get:1 http://ppa.launchpad.net/oisf/suricata-stable/ubuntu xenial InRelease [17.5 kB]
Hit:2 http://in.archive.ubuntu.com/ubuntu xenial InRelease
Hit:3 http://security.ubuntu.com/ubuntu xenial-security InRelease
Hit:4 http://in.archive.ubuntu.com/ubuntu xenial-updates InRelease
Hit:5 http://in.archive.ubuntu.com/ubuntu xenial-backports InRelease
Get:6 http://ppa.launchpad.net/oisf/suricata-stable/ubuntu xenial/main amd64 Packages [1,248 B]
Get:7 http://ppa.launchpad.net/oisf/suricata-stable/ubuntu xenial/main i386 Packages [1,248 B]
Get:8 http://ppa.launchpad.net/oisf/suricata-stable/ubuntu xenial/main Translation-en [1,080 B]
Fetched 21.1 kB in 1s (12.4 kB/s)
Reading package lists... Done

The repository is now configured. Install the Suricata package by running the following command.

root@linuxhelp1:~# apt-get install suricata -y
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following additional packages will be installed:
libhiredis0.13 libhtp1 libjansson4 libluajit-5.1-2 libluajit-5.1-common libluajit-5.1-dev libnet1 libnetfilter-queue1
The following NEW packages will be installed:
libhiredis0.13 libhtp1 libjansson4 libluajit-5.1-2 libluajit-5.1-common libluajit-5.1-dev libnet1 libnetfilter-queue1 suricata
0 upgraded, 9 newly installed, 0 to remove and 455 not upgraded.
Need to get 1,581 kB of archives.
After this operation, 4,753 kB of additional disk space will be used.
Get:1 http://ppa.launchpad.net/oisf/suricata-stable/ubuntu xenial/main amd64 libhtp1 amd64 0.5.x.201611021617~ubuntu16.04.1 [47.9 kB]
Get:2 http://in.archive.ubuntu.com/ubuntu xenial/main amd64 libnet1 amd64 1.1.6+dfsg-3 [42.1 kB]
Get:3 http://in.archive.ubuntu.com/ubuntu xenial/universe amd64 libhiredis0.13 amd64 0.13.3-2 [25.0 kB]
Get:4 http://in.archive.ubuntu.com/ubuntu xenial/main amd64 libjansson4 amd64 2.7-3 [26.9 kB]
Get:5 http://ppa.launchpad.net/oisf/suricata-stable/ubuntu xenial/main amd64 suricata amd64 3.2-0ubuntu6 [968 kB]
Get:6 http://in.archive.ubuntu.com/ubuntu xenial/universe amd64 libluajit-5.1-common all 2.0.4+dfsg-1 [35.3 kB]
.
.
.
Setting up libhiredis0.13:amd64 (0.13.3-2) ...
Setting up libjansson4:amd64 (2.7-3) ...
Setting up libluajit-5.1-common (2.0.4+dfsg-1) ...
Setting up libluajit-5.1-2:amd64 (2.0.4+dfsg-1) ...
Setting up libluajit-5.1-dev:amd64 (2.0.4+dfsg-1) ...
Setting up libnetfilter-queue1 (1.0.2-2) ...
Setting up libhtp1 (0.5.x.201611021617~ubuntu16.04.1) ...
Setting up suricata (3.2-0ubuntu6) ...
Download and install the latest Emerging Threats Open ruleset
Downloading...
Latest ET Open rule set deployed in /etc/suricata/rules !
Processing triggers for libc-bin (2.23-0ubuntu3) ...
Processing triggers for ureadahead (0.100.0-19) ...
Processing triggers for systemd (229-4ubuntu4) ...

Suricata is now installed. To see its available options, type suricata on the terminal with no arguments; it prints the usage summary below.

root@linuxhelp1:~# suricata
Suricata 3.2
USAGE: suricata [OPTIONS] [BPF FILTER]
-c <path> : path to configuration file
-T : test configuration file (use with -c)
-i <dev or ip> : run in pcap live mode
-F <bpf filter file> : bpf filter file
-r <path> : run in pcap file/offline mode
-q <qid> : run in inline nfqueue mode
-s <path> : path to signature file loaded in addition to suricata.yaml settings (optional)
-S <path> : path to signature file loaded exclusively (optional)
-l <dir> : default log directory
-D : run as daemon
-k [all|none] : force checksum check (all) or disable it (none)
-V : display Suricata version
-v[v] : increase default Suricata verbosity
--list-app-layer-protos : list supported app layer protocols
--list-keywords[=all|csv|<kword>] : list keywords implemented by the engine
--list-runmodes : list supported runmodes
--runmode <runmode_id> : specific runmode modification the engine should run. The argument supplied should be the id for the runmode obtained by running --list-runmodes
--engine-analysis : print reports on analysis of different sections in the engine and exit. Please have a look at the conf parameter engine-analysis on what reports can be printed
--pidfile <file> : write pid to this file
--init-errors-fatal : enable fatal failure on signature init error
--disable-detection : disable detection engine
--dump-config : show the running configuration
--build-info : display build information
--pcap[=<dev>] : run in pcap mode, no value select interfaces from suricata.yaml
--pcap-buffer-size : size of the pcap buffer value from 0 - 2147483647
--af-packet[=<dev>] : run in af-packet mode, no value select interfaces from suricata.yaml
--simulate-ips : force engine into IPS mode. Useful for QA
--user <user> : run suricata as this user after init
--group <group> : run suricata as this group after init
--erf-in <path> : process an ERF file
--unix-socket[=<file>] : use unix socket to control suricata work
--set name=value : set a configuration value

To run the engine with the default configuration on interface eth0, loading the additional signature file "signatures.rules", run:
suricata -c suricata.yaml -s signatures.rules -i eth0
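The following script is an added example, not part of the original tutorial, that wraps the steps above (add the PPA, update, install, run on an interface) into functions and adds the checks an operator wants before and after starting the sensor: that the interface name is real, that the configuration and rules pass `suricata -T`, and that the daemon started with -D actually wrote a live PID to its pidfile. It assumes the default paths the Ubuntu package uses (/etc/suricata/suricata.yaml, /var/log/suricata) and a pidfile location of /var/run/suricata.pid; all three can be overridden through environment variables.

```bash
#!/bin/sh
# Added example (not from the original tutorial): install Suricata from the
# OISF stable PPA, validate the config, start it as a daemon and verify it.
# Assumed defaults (override via environment): config, log dir, pidfile.
set -eu

SURICATA_CONF="${SURICATA_CONF:-/etc/suricata/suricata.yaml}"
SURICATA_LOGDIR="${SURICATA_LOGDIR:-/var/log/suricata}"
SURICATA_PIDFILE="${SURICATA_PIDFILE:-/var/run/suricata.pid}"

# The three tutorial steps: add the PPA, refresh the index, install.
install_suricata() {
    add-apt-repository -y ppa:oisf/suricata-stable
    apt-get update
    apt-get install -y suricata
}

# Succeed only if the interface exists on this host; a typo in the
# interface name otherwise surfaces only as an engine error at start.
iface_exists() {
    [ -e "/sys/class/net/$1" ] || ip link show dev "$1" >/dev/null 2>&1
}

# Build (but do not run) the command line from the tutorial: default config,
# live capture on $1, daemonised with a pidfile, plus an optional extra
# signature file via -s. Printing it lets an operator review it first.
suricata_cmdline() {
    iface="$1"
    rules="${2:-}"
    cmd="suricata -c $SURICATA_CONF -i $iface -l $SURICATA_LOGDIR -D --pidfile $SURICATA_PIDFILE"
    if [ -n "$rules" ]; then
        cmd="$cmd -s $rules"
    fi
    printf '%s\n' "$cmd"
}

# Validate configuration and rule files before starting (suricata -T).
# A rule that fails to parse is reported here rather than silently skipped.
test_config() {
    suricata -T -c "$SURICATA_CONF" -v
}

# Check the daemon really came up: the pidfile must exist, contain a number,
# and that PID must be alive. kill -0 fails with EPERM when the checker is not
# root, so /proc is consulted as a fallback on Linux.
daemon_running() {
    pidfile="$1"
    [ -r "$pidfile" ] || return 1
    pid=$(head -n 1 "$pidfile" | tr -cd '0-9')
    [ -n "$pid" ] || return 1
    kill -0 "$pid" 2>/dev/null || [ -d "/proc/$pid" ]
}

main() {
    iface="${1:-eth0}"
    rules="${2:-}"
    iface_exists "$iface" || { echo "no such interface: $iface" >&2; exit 1; }
    install_suricata
    test_config
    sh -c "$(suricata_cmdline "$iface" "$rules")"
    sleep 2
    if daemon_running "$SURICATA_PIDFILE"; then
        echo "suricata running as PID $(cat "$SURICATA_PIDFILE")"
    else
        echo "suricata did not start; check $SURICATA_LOGDIR/suricata.log" >&2
        exit 1
    fi
}

# The full procedure only runs when RUN_INSTALL=1 is set, so the file can
# also be sourced to reuse the individual check functions.
if [ "${RUN_INSTALL:-0}" = "1" ]; then
    main "$@"
fi
```

Run the whole procedure as root with `RUN_INSTALL=1 sh install-suricata.sh eth0 /etc/suricata/rules/local.rules`; without RUN_INSTALL the file only defines the functions, which is convenient for calling `daemon_running /var/run/suricata.pid` from a monitoring script.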

To remove Suricata from Ubuntu 16.04, run the following command.

root@linuxhelp1:~# apt-get remove suricata -y
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages were automatically installed and are no longer required:
libhiredis0.13 libhtp1 libjansson4 libluajit-5.1-2 libluajit-5.1-common libluajit-5.1-dev libnet1 libnetfilter-queue1
Use 'sudo apt autoremove' to remove them.
The following packages will be REMOVED:
suricata
0 upgraded, 0 newly installed, 1 to remove and 455 not upgraded.
After this operation, 2,940 kB disk space will be freed.
(Reading database ... 173960 files and directories currently installed.)
Removing suricata (3.2-0ubuntu6) ...
Processing triggers for man-db (2.7.5-1)
FAQ

Q: How does dsize work with reassembly in Suricata?
A: It doesn't. Signatures using dsize inspect individual packets only, not the reassembled stream.

Q: What option is used for the UNIX socket?
A: To control Suricata over a Unix socket, use:
Syntax: --unix-socket[=<file>]

Q: How do I write the PID to a particular file in Suricata?
A: Use the --pidfile <file> option, which writes the PID to that file.

Q: Does Suricata have something like PAF to do intelligent application-layer reassembly and flushing?
A: Suricata has a similar approach for HTTP, but not yet for the other application-layer protocols.