How to install Suricata on Ubuntu 17.04


Suricata is an open source Network IDS, IPS and Network Security Monitoring engine, developed by the Open Information Security Foundation (OISF). It includes features such as Multi-threading, Gzip decompression, independent HTP library, Flow Variables, Fast IP matching, HTTP log module and IP reputation. This tutorial explains the installation procedure of Suricata on Ubuntu 17.04. 


Installation procedure 

To proceed with the installation, add the required repository (the OISF stable PPA) to the target system by executing the following command.

root@linuxhelp:~# add-apt-repository ppa:oisf/suricata-stable
 Suricata IDS/IPS/NSM stable packages
http://www.openinfosecfoundation.org/
http://planet.suricata-ids.org/
http://suricata-ids.org/

Suricata IDS/IPS/NSM - Suricata is a high performance Intrusion Detection and Prevention System and Network Security Monitoring engine.

Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.

This Engine supports:

- Multi-Threading - provides for extremely fast and flexible operation on multicore systems.
- Multi Tenancy
- File Extraction, MD5 matching - over 4000 file types recognized and extracted from live traffic.
- TLS/SSL certificate matching/logging
- IEEE 802.1ad (QinQ) and IEEE 802.1Q (VLAN) support
- All JSON output/logging capability
- NSM runmode
- Automatic Protocol Detection (IPv4/6, TCP, UDP, ICMP, HTTP, TLS, FTP, SMB, DNS )
- Gzip Decompression
- Fast IP Matching
- Hardware acceleration on CUDA GPU cards
- Lua scripting

and many more great features -
http://suricata-ids.org/features/all-features/
 More info: https://launchpad.net/~oisf/+archive/ubuntu/suricata-stable
Press [ENTER] to continue or ctrl-c to cancel adding it

gpg: keybox '/tmp/tmplf_spub_/pubring.gpg' created
gpg: /tmp/tmplf_spub_/trustdb.gpg: trustdb created
gpg: key D7F87B2966EB736F: public key "Launchpad PPA for Peter Manev" imported
gpg: Total number processed: 1
gpg:               imported: 1
OK

After adding the repository, refresh the package index by executing the following apt-get update command.

root@linuxhelp:~# apt-get update
Hit:1 http://security.ubuntu.com/ubuntu zesty-security InRelease
Get:2 http://ppa.launchpad.net/oisf/suricata-stable/ubuntu zesty InRelease [15.4 kB]
Hit:3 http://in.archive.ubuntu.com/ubuntu zesty InRelease
Hit:4 http://in.archive.ubuntu.com/ubuntu zesty-updates InRelease
Hit:5 http://in.archive.ubuntu.com/ubuntu zesty-backports InRelease            
Get:6 http://ppa.launchpad.net/oisf/suricata-stable/ubuntu zesty/main i386 Packages [1,472 B]
Get:7 http://ppa.launchpad.net/oisf/suricata-stable/ubuntu zesty/main amd64 Packages [1,472 B]
Get:8 http://ppa.launchpad.net/oisf/suricata-stable/ubuntu zesty/main Translation-en [1,276 B]
Fetched 19.6 kB in 6s (3,059 B/s)                                              
Reading package lists... Done

The package index now includes the Suricata repository. Next, install the Suricata application by running the following command and press y to continue with the installation process.

root@linuxhelp:~# apt-get install suricata -y
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following additional packages will be installed:
  libhiredis0.13 libhtp-0.5.25-1 libhyperscan4 libluajit-5.1-2
  libluajit-5.1-common libnet1 libnetfilter-queue1
The following NEW packages will be installed:
  libhiredis0.13 libhtp-0.5.25-1 libhyperscan4 libluajit-5.1-2
  libluajit-5.1-common libnet1 libnetfilter-queue1 suricata
0 upgraded, 8 newly installed, 0 to remove and 286 not upgraded.
Need to get 3,355 kB of archives.
After this operation, 17.4 MB of additional disk space will be used.
Get:1 http://ppa.launchpad.net/oisf/suricata-stable/ubuntu zesty/main amd64 libhtp-0.5.25-1 amd64 4.0.1-0ubuntu3 [45.8 kB]
Get:2 http://ppa.launchpad.net/oisf/suricata-stable/ubuntu zesty/main amd64 suricata amd64 4.0.1-0ubuntu3 [975 kB]
Get:3 http://in.archive.ubuntu.com/ubuntu zesty/universe amd64 libhyperscan4 amd64 4.4.1-1 [2,015 kB]
Get:4 http://in.archive.ubuntu.com/ubuntu zesty/main amd64 libnet1 amd64 1.1.6+dfsg-3 [42.1 kB]
Get:5 http://in.archive.ubuntu.com/ubuntu zesty/universe amd64 libhiredis0.13 amd64 0.13.3-2 [25.0 kB]
Get:6 http://in.archive.ubuntu.com/ubuntu zesty/universe amd64 libluajit-5.1-common all 2.0.4+dfsg-1 [35.3 kB]
Get:7 http://in.archive.ubuntu.com/ubuntu zesty/universe amd64 libluajit-5.1-2 amd64 2.0.4+dfsg-1 [205 kB]
.
.
.
.
.
Downloading...
Please check your connection - could not download ruleset from: 
https://rules.emergingthreats.net/open/suricata/emerging.rules.tar.gz
Skipping download
Processing triggers for libc-bin (2.24-9ubuntu2) ...
Processing triggers for ureadahead (0.100.0-19) ...
Processing triggers for systemd (232-21ubuntu2) ...

Suricata has been installed successfully. To see its command-line options, run the suricata command without arguments on the terminal; the usage summary is shown below.

root@linuxhelp:~# suricata
Suricata 4.0.1
USAGE: suricata [OPTIONS] [BPF FILTER]

    -c <path>                            : path to configuration file
    -T                                   : test configuration file (use with -c)
    -i <dev or ip>                       : run in pcap live mode
    -F <bpf filter file>                 : bpf filter file
    -r <path>                            : run in pcap file/offline mode
    -q <qid>                             : run in inline nfqueue mode
    -s <path>                            : path to signature file loaded in addition to suricata.yaml settings (optional)
    -S <path>                            : path to signature file loaded exclusively (optional)
    -l <dir>                             : default log directory
    -D                                   : run as daemon
    -k [all|none]                        : force checksum check (all) or disabled it (none)
    -V                                   : display Suricata version
    -v[v]                                : increase default Suricata verbosity
    --list-app-layer-protos              : list supported app layer protocols
    --list-keywords[=all|csv|<kword>]    : list keywords implemented by the engine
    --list-runmodes                      : list supported runmodes
.
.
.
    --user <user>                        : run suricata as this user after init
    --group <group>                      : run suricata as this group after init
    --erf-in <path>                      : process an ERF file
    --unix-socket[=<file>]               : use unix socket to control suricata work
    --set name=value                     : set a configuration value

To run the engine with the default configuration on interface eth0 with the signature file "signatures.rules", run the command as:
suricata -c suricata.yaml -s signatures.rules -i eth0

Thus we conclude the installation procedure of Suricata on Ubuntu 17.04. 

FAQ
Q
What are the features of Suricata?
A
Suricata features are as follows: Multi-threading, Gzip decompression, independent HTP library, Flow Variables, Fast IP matching, HTTP log module, and IP reputation.
Q
What is Suricata?
A
Suricata is an open source Network IDS, IPS and Network Security Monitoring engine, developed by the Open Information Security Foundation (OISF). It includes features such as Multi-threading, Gzip decompression, independent HTP library, Flow Variables, Fast IP matching, HTTP log module, and IP reputation.
Q
Suricata is not alerting on attacks against TCP sessions. How to check it?
A
This might be caused by packets with broken TCP checksums. Check the counter in the stats log with:
tail -f /var/log/suricata/stats.log | grep "tcp.invalid_checksum"
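Two quick checks for the "installed but not alerting" case, as an added example that is not part of the original tutorial: the first covers the ruleset download that the install output above reports as skipped (with no rules loaded there is nothing to alert on), the second reads the tcp.invalid_checksum counter this FAQ entry points at from stats.log and compares it with the number of decoded packets. The rules directory, the stats.log content and the 10% threshold are constructed for the example; the stats.log layout follows the Suricata 4.x table format.

```shell
#!/bin/sh
# Added example (not from the tutorial or the Suricata project): diagnose why
# a fresh Suricata install produces no alerts. Sample data is constructed.

WORK="$(mktemp -d)"

# Constructed rules directory: one comment, one blank line, three rules
# (sids in the 1000000+ range reserved for local rules).
mkdir -p "$WORK/rules"
cat > "$WORK/rules/local.rules" <<'EOF'
# CONSTRUCTED sample rules for the example
alert tcp any any -> any any (msg:"EXAMPLE tcp rule"; sid:1000001; rev:1;)

alert http any any -> any any (msg:"EXAMPLE http rule"; sid:1000002; rev:1;)
drop tcp any any -> any any (msg:"EXAMPLE drop rule"; sid:1000003; rev:1;)
EOF

# Constructed stats.log with two intervals, modelled on the Suricata 4.x
# layout; a new table is appended each interval, so only the last one counts.
cat > "$WORK/stats.log" <<'EOF'
------------------------------------------------------------------------------------
Date: 9/20/2017 -- 12:00:00 (uptime: 0d, 00h 00m 10s)
------------------------------------------------------------------------------------
Counter                                    | TM Name                   | Value
------------------------------------------------------------------------------------
capture.kernel_packets                     | Total                     | 1200
decoder.pkts                               | Total                     | 1200
tcp.invalid_checksum                       | Total                     | 0
------------------------------------------------------------------------------------
Date: 9/20/2017 -- 12:00:20 (uptime: 0d, 00h 00m 30s)
------------------------------------------------------------------------------------
Counter                                    | TM Name                   | Value
------------------------------------------------------------------------------------
capture.kernel_packets                     | Total                     | 5400
decoder.pkts                               | Total                     | 5400
tcp.invalid_checksum                       | Total                     | 4300
EOF

# count_rules DIR -> number of active rule lines (alert/drop/pass/reject)
# across DIR/*.rules, ignoring comments and blank lines; 0 if DIR is missing.
count_rules() {
    cat "$1"/*.rules 2>/dev/null | grep -c -E '^(alert|drop|pass|reject)[[:space:]]' || true
}

# latest_counter FILE COUNTER -> most recent value of COUNTER in stats.log
# (the last matching row wins); prints 0 when the counter is absent.
latest_counter() {
    awk -v name="$2" -F'|' '
        { key = $1; gsub(/[ \t]/, "", key)
          if (key == name) { v = $3; gsub(/[ \t]/, "", v) } }
        END { print v + 0 }' "$1"
}

# invalid_checksum_pct FILE -> integer percentage of decoded packets whose
# TCP checksum failed validation in the latest interval.
invalid_checksum_pct() {
    pkts=$(latest_counter "$1" decoder.pkts)
    bad=$(latest_counter "$1" tcp.invalid_checksum)
    if [ "$pkts" -gt 0 ]; then echo $(( bad * 100 / pkts )); else echo 0; fi
}

# diagnose RULES_DIR STATS_LOG -> one finding per line; returns 0 when neither
# check fires, 1 otherwise.
diagnose() {
    status=0
    rules=$(count_rules "$1")
    if [ "$rules" -eq 0 ]; then
        echo "no active rules in $1: fetch a ruleset first (the install skipped the emerging.rules download)"
        status=1
    else
        echo "$rules active rules found in $1"
    fi
    pct=$(invalid_checksum_pct "$2")
    if [ "$pct" -ge 10 ]; then
        echo "tcp.invalid_checksum is ${pct}% of decoded packets: the stream engine ignores these packets; check checksum offloading on the capture NIC or run with -k none"
        status=1
    else
        echo "tcp.invalid_checksum is ${pct}% of decoded packets: checksum validation is not suppressing alerts"
    fi
    return $status
}

if diagnose "$WORK/rules" "$WORK/stats.log"; then
    echo "nothing obvious found"
else
    echo "one or more findings above need attention"
fi
```

On a real host, point diagnose at the rules directory from suricata.yaml and at /var/log/suricata/stats.log; in the constructed sample the rules check passes (3 rules) while 79% of decoded packets in the latest interval carry a bad TCP checksum, which is the situation the FAQ answer describes.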
Q
I found a problem in an older version of Suricata, what should I do?
A
Update to the latest version and, if the problem persists, report it at https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Reporting_Bugs
Q
What is the stable repository to be used for Suricata?
A
The stable PPA to be used for Suricata is added with:
# add-apt-repository ppa:oisf/suricata-stable