Suricata: The Snort Replacer (Part 1: Intro & Install)

E

Eric Hansen

Guest
If you haven’t heard yet, Source Fire is being bought by Cisco for ~$2.7b. While I love Source Fire and their product line, Cisco leaves a sour taste in my mouth. With that said, I decided to write a series of articles talking about Suricata. That wonderful program that will no doubt gain a lot of traction in the IDS/IPS community since the eventual end of Source Fire is coming along.

This entry will cover a little bit of overview of Suricata as well as how to install it on Ubuntu, and further down the series we’ll discuss other aspects about it as well.

From the Suricata website: “The Suricata Engine is an Open Source Next Generation Intrusion Detection and Prevention Engine. This engine is not intended to just replace or emulate the existing tools in the industry, but will bring new ideas and technologies to the field. “ So, what we’re looking at here is where Snort left off before it went commercial. It aims to essentially revolutionize the IDS & IPS fields in IT security, and make do with what it can as well.

Perhaps, however, the biggest advantage Suricata has over the competition (i.e.: Snort) is that it is multithreaded. This can be viewed similar to web servers. You can build a simple web server that serves 1 page a request, or you can build a slightly more advanced one that serves 1+ page a request, and doesn’t interrupt other requests in doing so. Suricata is able to process multiple events at once without interrupting another and also load balance itself across how many cores your CPU has. This often leads to better performance across the board.

To start, the building process is going to be on Ubuntu 12.04.2 LTS (Precise) with 700 MB of available RAM and a AMD Sempron 3100+ processor (single-core @ 1.8GHz). So if this runs on the server provided, this can run on virtually anything (Raspberry Pi perhaps?). Also, note that I will be doing this through a LXC container (something else I’ll write up about too), so I will do my best to negate container-specific information.
Prepping the System


First thing we need to do is install some packages since we’ll be installing from source (like real system admins!):

Code:
sudo apt-get -y install libpcre3 libpcre3-dbg libpcre3-dev build-essential autoconf automake libtool libpcap-dev libnet1-dev libyaml-0-2 libyaml-dev zlib1g zlib1g-dev libcap-ng-dev libcap-ng0 make libmagic-dev libnetfilter-queue-dev libnetfilter-queue1 libnfnetlink-dev libnfnetlink0

The last 4 packages (libnetfilter-queue-dev libnetfilter-queue1 libnfnetlink-dev libnfnetlink0) are actually used to make Suricata useful as both an IDS and IPS (otherwise it’ll just be an IDS, and what fun would that be?). Since I’m writing this in the mindset of replacing Snort, this is the way I feel Suricata should be taken.
Download and Install


With those packages installed, we’ll get to installing Suricata+HTP (HTP is a HTTP parser and normalizer library Suricata requires, which comes bundled with Linux sources). At the time, 1.4.4 is the newest version:

Code:
cd /tmp && wget http://www.openinfosecfoundation.org/download/suricata-1.4.4.tar.gz -O suricata.tar.gz && tar -xf suricata.tar.gz && cd suricata-1.4.4

Easy enough so far, right? Good! Now, I personally prefer to see all possible options available when compiling programs from source:

Code:
./configure --help
There’s too many options to go through them all, but here’s what I’m using to get Suricata usable as an IPS:

Code:
./configure --enable-nfqueue --prefix=/usr --sysconfdir=/etc --localstatedir=/var

The only difference between IPS and IDS-only config settings is the “--enable-nfqueue” switch, which is described as: “Enable NFQUEUE support for inline IDP”. NFQUEUE is essentially a replacement for iptables which claims to have better performance than iptables itself, while “IDP” from what I can gather is short for “intrusion detection & prevention”.

The rest is basically saying “drop the config files into /etc, state and data files to /var and the rest in /usr”, mostly to follow with normal structures of other programs. Once configure completes you’ll see a message like this:

To build and install run 'make' and 'make install'.

You can run 'make install-conf' if you want to install initial configuration
files to /etc/suricata/. Running 'make install-full' will install configuration
and rules and provide you a ready-to-run suricata.

To install Suricata into /usr/bin/suricata, have the config in
/etc/suricata and use /var/log/suricata as log dir, use:
Code:
./configure --prefix=/usr/ --sysconfdir=/etc/ --localstatedir=/var/

We’ll be doing the install-full option because we need them there anyways, so run this:

Code:
make && make install-full

What his does is set up the config files for you so you can start editing them as well as pull down the latest standard rules from emergingthreats.net.

If you’ve configured Snort in the past then configuring Suricata should be second nature to you by now, but I’m going through this like a new person is trying to follow the guide. However, changing the configuration will be in the next part, so I can explain and explore of this without ending up breaking it into two separate parts in itself.
 

Attachments

  • slide.jpg
    slide.jpg
    28.2 KB · Views: 142,461


Thank you for this tutorial. I am still using Snort. I am willing to try something new.
 
Thank you for this tutorial. I am still using Snort. I am willing to try something new.
If you have any questions feel free to ask. From what I've seen moving from Snort to Suricata is pretty seemless minus the configuration. But the rules were intended from the beginning to work with one another, just I think Suricata adds some newer features, not sure (haven't used Snort in a while).
 
I have a question now...Is it possible to make Suricata an IPS? Or maybe give it some offensive capabilities?
 
Yeah, I went over this in another part or something but it has to be set at compile time.
 
Yeah, I went over this in another part or something but it has to be set at compile time.
Hi
I know its been few months since Eric's last comment on this thread, but thought I should share this latest news from CounterSnipe.

We have just released a Suricata based all singing and dancing IDS/IPS solution with asset detection, alert management, automated risk data updates and easy to install/use interface.

Please visit countersnipe website and follow the free evaluation link to POC.

Clare
 
Last edited:
Eric,

Love your work! Thank you very much for all your tutorials. Awesome!

Nick.
 
Thank you for this tutorial. it's helpful for me.
 

Members online


Latest posts

Top