Saturday, January 26, 2013

HOWTO : Suricata on SSD and Ubuntu 12.04 LTS Desktop

Hardware

Laptop : Lenovo ThinkPad X201s Type 5397-G9B
Processor : Intel Core i7 CPU L640 @ 2.13GHz (2-core with 4 HT)
Memory : 8GB DDR3 RAM
Storage : AData SX900 512GB SSD

Software

Operating System : Ubuntu Desktop 12.04 LTS x86_64
Intrusion Prevention System : Suricata 1.4 (inline mode)

Introduction

Suricata is an Open Source Next Generation Intrusion Detection and Prevention Engine. This engine is not intended to just replace or emulate the existing tools in the industry, but will bring new ideas and technologies to the field.

There is an Ubuntu PPA of Suricata for Ubuntu 10.04 to 13.04, and Ubuntu 13.04 also ships Suricata in its own repositories. Both packages are built with IPS mode through NFQUEUE enabled. Suricata additionally supports nVidia CUDA, but that requires recompiling the source code with the matching configure option.

Suricata can be installed not only on servers but also on desktops and laptops. It performs quite well even on an Intel Atom ITX machine.

For the features, please read here for details.

Installation

Step 0 :

This step is for SSD only; make sure you have enough memory, because the tmpfs entries below keep /tmp, /var/spool and /var/log (including the Suricata logs) in RAM, and their contents do not survive a reboot.

sudo nano /etc/fstab

Add the following mount options to the "/" entry (and to "/home" or similar entries, if you have them) :

discard,noatime,nodiratime

To make it look like :

UUID=99f0925f-badc-4939 .... -7df6eca0c720 / ext4 discard,noatime,nodiratime,errors=remount-ro 0 1

Then, add the following :

tmpfs /tmp tmpfs defaults,noatime,mode=1777 0 0
tmpfs /var/spool tmpfs defaults,noatime,mode=1777 0 0
tmpfs /var/log tmpfs defaults,noatime,mode=0755 0 0
tmpfs /var/log/suricata tmpfs defaults,noatime,mode=0755 0 0


After that, edit the following :

sudo nano /etc/rc.local

Add the following right before the "exit 0" :

echo deadline > /sys/block/sda/queue/scheduler
echo 1 > /sys/block/sda/queue/iosched/fifo_batch


Step 1 :

sudo add-apt-repository ppa:oisf/suricata-stable
sudo apt-get update
sudo apt-get install suricata htp


Step 2 :

To get the Emerging Threats rules :

cd /etc/suricata/

sudo wget https://rules.emergingthreatspro.com/open/suricata/emerging.rules.tar.gz

sudo tar -xvzf emerging.rules.tar.gz

sudo ln -s /etc/suricata/rules/reference.config /etc/suricata/reference.config

sudo ln -s /etc/suricata/UbuntuPPA-configs/classification.config /etc/suricata/classification.config

sudo cp /etc/suricata/UbuntuPPA-configs/suricata-ppa-1.4-6ubuntu6.yaml /etc/suricata/suricata.yaml


*** Alternatively, you can use the reference.config and classification.config found in /etc/suricata/rules.

sudo touch /etc/suricata/threshold.config

Step 3 :

sudo nano /etc/suricata/suricata.yaml

Locate the following lines :

default-log-dir: /usr/local/var/log/suricata/
default-rule-path: /usr/local/etc/suricata/rules
classification-file: /usr/local/etc/suricata/classification.config
reference-config-file: /usr/local/etc/suricata/reference.config
#pid-file: /var/run/suricata.pid
#- rule-reload: true
#threshold-file: /usr/local/etc/suricata/threshold.config

  - drop:
      enable: no


Replace with the following lines :

default-log-dir: /var/log/suricata/
default-rule-path: /etc/suricata/rules
classification-file: /etc/suricata/classification.config
reference-config-file: /etc/suricata/reference.config
pid-file: /var/run/suricata.pid
- rule-reload: true
threshold-file: /etc/suricata/threshold.config

  - drop:
      enable: yes


To test whether it works (IDS mode on the eth0 interface) :

sudo suricata -c /etc/suricata/suricata.yaml -i eth0

Several minutes later, check /var/log/suricata/stats.log and /var/log/suricata/http.log to see whether entries are being written.

Step 4 :

sudo iptables -A INPUT -j NFQUEUE
sudo iptables -A OUTPUT -j NFQUEUE
sudo iptables -A FORWARD -j NFQUEUE


Note that packets handed to an NFQUEUE that no process is reading are dropped, so the machine has no network until Suricata is attached to the queue. To test whether it works (inline mode on queue 0) :

sudo suricata -c /etc/suricata/suricata.yaml -q 0

Step 5 :

sudo apt-get install oinkmaster

sudo nano /etc/oinkmaster.conf

Append the following line :

url = https://rules.emergingthreatspro.com/open/suricata/emerging.rules.tar.gz

sudo oinkmaster -C /etc/oinkmaster.conf -o /etc/suricata/rules

Step 6 :

When everything is working fine, you can put the following in /etc/rc.local, right above "exit 0" :

iptables -A INPUT -j NFQUEUE --queue-balance 0:3
iptables -A OUTPUT -j NFQUEUE --queue-balance 0:3
iptables -A FORWARD -j NFQUEUE --queue-balance 0:3

/etc/suricata/ips

Then create the file /etc/suricata/ips :

sudo nano /etc/suricata/ips

with the following content (one -q per queue from the --queue-balance range above) :

#!/bin/sh
suricata -D -c /etc/suricata/suricata.yaml -q 0 -q 1 -q 2 -q 3

sudo chmod +x /etc/suricata/ips

Then create the update-rules script :

sudo nano /etc/suricata/update-rules

with the following content :

#!/bin/sh
oinkmaster -C /etc/oinkmaster.conf -o /etc/suricata/rules
# SIGUSR2 makes the running Suricata reload its rules (needs rule-reload: true from Step 3)
kill -USR2 $(pidof suricata)

sudo chmod +x /etc/suricata/update-rules


Step 7 :

Whenever you want to update the rules, you can :

sudo /etc/suricata/update-rules
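As an added check that is not part of the original post, the following script verifies the finished setup from Steps 3, 4 and 6: it confirms that the three NFQUEUE rules are in place, that Suricata is running, and that the decoder.pkts counter in stats.log keeps growing (with NFQUEUE rules in place, a flat counter means traffic is being dropped, not inspected). The counter name decoder.pkts and the stats.log column layout are assumptions about this Suricata version, and all SAMPLE_* data is constructed.

```shell
#!/bin/sh
# Post-install check for the inline NFQUEUE setup above. Each check reads
# command output from stdin so it can be tried on plain text without root;
# run_checks gathers the live output. All SAMPLE_* data below is constructed.

# Succeed only if INPUT, OUTPUT and FORWARD each carry an NFQUEUE rule
# in `iptables -S` output read from stdin.
nfqueue_rules_present() {
    rules=$(cat)
    for chain in INPUT OUTPUT FORWARD; do
        printf '%s\n' "$rules" | grep -q "^-A $chain .*-j NFQUEUE" || return 1
    done
}

# Print the latest value of counter $1 from stats.log text on stdin
# (rows look like "decoder.pkts | RxNFQ | 1200"); prints 0 if never reported.
stats_counter() {
    awk -F'|' -v name="$1" '
        { gsub(/[ \t]/, "", $1) }
        $1 == name { gsub(/[ \t]/, "", $3); v = $3 }
        END { print (v == "" ? 0 : v) }'
}

# Live check: rules in place, Suricata running, packet counter growing. A flat
# counter means packets sit in a queue nobody reads, i.e. traffic is dropped.
run_checks() {
    iptables -S | nfqueue_rules_present || { echo "NFQUEUE rules missing"; return 1; }
    pidof suricata >/dev/null || { echo "suricata is not running"; return 1; }
    grep -q ' /var/log/suricata tmpfs ' /proc/mounts ||
        echo "note: /var/log/suricata is not on tmpfs (Step 0 not applied)"
    before=$(stats_counter decoder.pkts < /var/log/suricata/stats.log)
    sleep 60   # stats.log is refreshed periodically; wait for a newer snapshot
    after=$(stats_counter decoder.pkts < /var/log/suricata/stats.log)
    [ "$after" -gt "$before" ] || { echo "decoder.pkts flat at $after"; return 1; }
    echo "ok: $((after - before)) packets decoded in 60s"
}

SAMPLE_RULES='-A INPUT -j NFQUEUE --queue-balance 0:3
-A FORWARD -j NFQUEUE --queue-balance 0:3
-A OUTPUT -j NFQUEUE --queue-balance 0:3'
SAMPLE_STATS='Counter        | TM Name | Value
decoder.pkts   | RxNFQ   | 1200
decoder.bytes  | RxNFQ   | 96000
decoder.pkts   | RxNFQ   | 1850'
case "${1:-}" in
    --live) run_checks ;;
    *) printf '%s\n' "$SAMPLE_RULES" | nfqueue_rules_present && echo "sample rules: ok"
       echo "sample decoder.pkts: $(printf '%s\n' "$SAMPLE_STATS" | stats_counter decoder.pkts)" ;;
esac
```

Run it without arguments to exercise the parsers on the constructed samples, or as root with --live on the ThinkPad to check the real iptables rules, process and stats.log.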

That's all! See you.