How to install Suricata IDS on Rocky Linux

Suricata is a free and open source intrusion detection (IDS), intrusion prevention (IPS) and network security monitoring (NSM) engine. It inspects network traffic against a set of rules (signatures) and writes an alert for every packet or flow that matches. In IDS mode, the mode set up in this tutorial, matching traffic is only logged; traffic is dropped only when Suricata runs inline as an IPS.

By default, Suricata operates as a passive intrusion detection system: it reads a copy of the traffic reaching the server, inspects it for suspicious packets and logs alerts. It can also run inline as an intrusion prevention system (IPS) that logs, reports and drops traffic matching its rules, but that requires a different capture setup (NFQUEUE or AF_PACKET IPS mode) and is not covered here.

This tutorial will show you how to install Suricata IDS on your Rocky Linux server.

Requirements

  1. A server running Rocky Linux 8 or 9.
  2. Root access (or sudo) on the server.

Install Suricata on Rocky Linux

Suricata is not included in the default Rocky Linux repositories, so it has to be installed from the EPEL repository.

First, install the EPEL repository with the following command:

dnf install epel-release -y

Once EPEL is installed, check the Suricata package information with the following command:

dnf info suricata

You will get the following output:

Available Packages
Name         : suricata
Version      : 5.0.8
Release      : 1.el8
Architecture : x86_64
Size         : 2.3 M
Source       : suricata-5.0.8-1.el8.src.rpm
Repository   : epel
Summary      : Intrusion Detection System
URL          : https://suricata-ids.org/
License      : GPLv2
Description  : The Suricata Engine is an Open Source Next Generation Intrusion
             : Detection and Prevention Engine. This engine is not intended to
             : just replace or emulate the existing tools in the industry, but
             : will bring new ideas and technologies to the field. This new Engine
             : supports Multi-threading, Automatic Protocol Detection (IP, TCP,
             : UDP, ICMP, HTTP, TLS, FTP and SMB! ), Gzip Decompression, Fast IP
             : Matching, and GeoIP identification.

Next, install Suricata with the following command:

dnf install suricata -y

After successful installation, you can proceed to the next step.

Suricata configuration

Suricata detects threats with rules, also called signatures. The package ships a small set of protocol-event rules in the /etc/suricata/rules/ directory; the much larger threat ruleset is fetched by suricata-update and written to /var/lib/suricata/rules/suricata.rules, which is the file the engine actually loads.

Run the following command to list all rules:

ls /etc/suricata/rules/

You will get the following output:

app-layer-events.rules  dhcp-events.rules  files.rules         kerberos-events.rules  ntp-events.rules   stream-events.rules
decoder-events.rules    dnp3-events.rules  http-events.rules   modbus-events.rules    smb-events.rules   tls-events.rules
dns-events.rules        ipsec-events.rules nfs-events.rules    smtp-events.rules

Next, run suricata-update to download the Emerging Threats Open ruleset (its default source), merge it with the distribution rules and write the result to /var/lib/suricata/rules/suricata.rules:

suricata-update

You will get the following output:

19/9/2023 -- 05:28:15 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/app-layer-events.rules
19/9/2023 -- 05:28:15 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/decoder-events.rules
19/9/2023 -- 05:28:15 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/dhcp-events.rules
19/9/2023 -- 05:28:15 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/dnp3-events.rules
19/9/2023 -- 05:28:15 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/dns-events.rules
19/9/2023 -- 05:28:15 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/files.rules
19/9/2023 -- 05:28:15 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/http-events.rules
19/9/2023 -- 05:28:15 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/ipsec-events.rules
19/9/2023 -- 05:28:15 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/kerberos-events.rules
19/9/2023 -- 05:28:15 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/modbus-events.rules
19/9/2023 -- 05:28:15 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/nfs-events.rules
19/9/2023 -- 05:28:15 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/ntp-events.rules
19/9/2023 -- 05:28:15 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/smb-events.rules
19/9/2023 -- 05:28:15 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/smtp-events.rules
19/9/2023 -- 05:28:15 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/stream-events.rules
19/9/2023 -- 05:28:15 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/tls-events.rules
19/9/2023 -- 05:28:15 - <Info> -- Ignoring file rules/emerging-deleted.rules
19/9/2023 -- 05:28:20 - <Info> -- Loaded 32403 rules.
19/9/2023 -- 05:28:20 - <Info> -- Disabled 14 rules.
19/9/2023 -- 05:28:20 - <Info> -- Enabled 0 rules.
19/9/2023 -- 05:28:20 - <Info> -- Modified 0 rules.
19/9/2023 -- 05:28:20 - <Info> -- Dropped 0 rules.
19/9/2023 -- 05:28:21 - <Info> -- Enabled 131 rules for flowbit dependencies.
19/9/2023 -- 05:28:21 - <Info> -- Backing up current rules.
19/9/2023 -- 05:28:26 - <Info> -- Writing rules to /var/lib/suricata/rules/suricata.rules: total: 32403; enabled: 25008; added: 0; removed 0; modified: 0
19/9/2023 -- 05:28:27 - <Info> -- Writing /var/lib/suricata/rules/classification.config
19/9/2023 -- 05:28:27 - <Info> -- No changes detected, exiting.

Next, edit the Suricata configuration file. Set HOME_NET to your server's own address (or the networks you want to protect), point default-rule-path at the directory suricata-update writes to, and set the af-packet capture interface to your network interface (eth0 here; check yours with `ip link`):

nano /etc/suricata/suricata.yaml

Change the following lines:

vars:
  address-groups:
    #HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
    HOME_NET: "[192.198.1.48]"
    #HOME_NET: "[192.168.0.0/16]"
    #HOME_NET: "[10.0.0.0/8]"
    #HOME_NET: "[172.16.0.0/12]"
    #HOME_NET: "any"

    EXTERNAL_NET: "!$HOME_NET"
    #EXTERNAL_NET: "any"

af-packet:
  - interface: eth0

default-rule-path: /var/lib/suricata/rules

rule-files:
  - suricata.rules

Keep HOME_NET narrow: with HOME_NET: "any", EXTERNAL_NET becomes empty and every rule written as $EXTERNAL_NET -> $HOME_NET stops matching. The value 192.198.1.48 is the address of the example server; replace it with yours.

Save and close the file. Then disable generic and large receive offload on the capture interface, so that Suricata sees packets as they arrived on the wire rather than as kernel-merged super-frames, which confuse the stream engine and can hide events:

ethtool -K eth0 gro off lro off
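The configuration steps above, as an added example script (mine, not from the original article or the Suricata project): it rewrites the active HOME_NET line and the af-packet interface in suricata.yaml, keeps a backup, and checks the result with `suricata -T` before the service is restarted. It assumes the stock EPEL suricata.yaml layout (one uncommented HOME_NET line under vars/address-groups, one `- interface:` entry under af-packet). The demo at the bottom runs on a constructed copy of those stanzas so it works offline and unprivileged; the interface name ens192 is a placeholder.

```shell
#!/usr/bin/env bash
# Added example, not part of the original article. Repeatable edits to
# suricata.yaml plus a syntax check, as an alternative to editing by hand.
set -eu

# Replace the active (uncommented) HOME_NET line with the given address list.
# Commented-out HOME_NET examples and EXTERNAL_NET are left untouched.
set_home_net() {
  local yaml="$1" nets="$2"
  cp -p "$yaml" "$yaml.bak"
  sed -i -E "s|^([[:space:]]*)HOME_NET:[[:space:]]*\".*\"|\1HOME_NET: \"[$nets]\"|" "$yaml"
}

# Point the first af-packet "- interface:" entry at the given interface.
set_capture_interface() {
  local yaml="$1" iface="$2" tmp
  tmp=$(mktemp)
  awk -v iface="$iface" '
    !done && /^[[:space:]]*- interface:/ { sub(/- interface:.*/, "- interface: " iface); done = 1 }
    { print }' "$yaml" > "$tmp"
  cat "$tmp" > "$yaml"      # keeps the original file's owner and mode
  rm -f "$tmp"
}

# Read back the active HOME_NET value, e.g. [192.168.1.48]
get_home_net() {
  sed -n -E 's/^[[:space:]]*HOME_NET:[[:space:]]*"(.*)"/\1/p' "$1" | head -n 1
}

# Read back the first af-packet capture interface.
get_capture_interface() {
  sed -n -E 's/^[[:space:]]*- interface:[[:space:]]*//p' "$1" | head -n 1
}

# Parse the config and load all rules without starting capture; non-zero exit
# means Suricata would refuse the file. Skipped where suricata is not installed.
validate_config() {
  if ! command -v suricata >/dev/null 2>&1; then
    echo "suricata not installed here; skipping -T check" >&2
    return 0
  fi
  suricata -T -c "$1" -v
}

# Offline demo on a constructed copy of the relevant stanzas (sample data, not a real file).
demo_yaml=$(mktemp)
cat > "$demo_yaml" <<'EOF'
vars:
  address-groups:
    HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
    #HOME_NET: "any"
    EXTERNAL_NET: "!$HOME_NET"
af-packet:
  - interface: eth0
default-rule-path: /var/lib/suricata/rules
rule-files:
  - suricata.rules
EOF
set_home_net "$demo_yaml" "192.168.1.48"      # placeholder address
set_capture_interface "$demo_yaml" "ens192"   # placeholder interface name
echo "HOME_NET is now $(get_home_net "$demo_yaml") on $(get_capture_interface "$demo_yaml")"

# On the IDS host, as root:
#   set_home_net /etc/suricata/suricata.yaml "$(hostname -I | awk '{print $1}')"
#   set_capture_interface /etc/suricata/suricata.yaml eth0
#   validate_config /etc/suricata/suricata.yaml && systemctl restart suricata
```

The read-back helpers exist so a deployment script can assert on what ended up in the file instead of trusting that a sed expression matched; `suricata -T` then catches rule or YAML errors before they take the service down on restart.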

Manage Suricata service

Next, start the Suricata service and enable it so that it comes up again after a reboot. Note that on the EPEL package the interface passed to the daemon (-i eth0 in the status output below) comes from OPTIONS in /etc/sysconfig/suricata, not from the af-packet section of suricata.yaml; if your interface is not eth0, change it there as well.

systemctl start suricata
systemctl enable suricata

You can check the status of Suricata with the following command:

systemctl status suricata

You will get the following output:

● suricata.service - Suricata Intrusion Detection Service
   Loaded: loaded (/usr/lib/systemd/system/suricata.service; enabled; vendor preset: disabled)
   Active: active (running) since Tue 2023-09-19 10:06:20 UTC; 5s ago
     Docs: man:suricata(1)
  Process: 24047 ExecStartPre=/bin/rm -f /var/run/suricata.pid (code=exited, status=0/SUCCESS)
 Main PID: 24049 (Suricata-Main)
    Tasks: 1 (limit: 23696)
   Memory: 232.9M
   CGroup: /system.slice/suricata.service
           └─24049 /sbin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid -i eth0 --user suricata

Sep 19 10:06:20 rockylinux systemd[1]: Starting Suricata Intrusion Detection Service...
Sep 19 10:06:20 rockylinux systemd[1]: Started Suricata Intrusion Detection Service.
Sep 19 10:06:20 rockylinux suricata[24049]: 19/9/2023 -- 10:06:20 - <Notice> - This is Suricata version 5.0.8 RELEASE running in SYSTEM mode

To check the Suricata process log, run the following command:

tail /var/log/suricata/suricata.log

You will see the following output:

19/9/2023 -- 10:06:23 - <Info> - Running in live mode, activating unix socket
19/9/2023 -- 10:06:23 - <Info> - SSSE3 support not detected, disabling Hyperscan for SPM
19/9/2023 -- 10:06:23 - <Info> - 1 rule files processed. 24930 rules successfully loaded, 0 rules failed
19/9/2023 -- 10:06:23 - <Info> - Threshold config parsed: 0 rule(s) found
19/9/2023 -- 10:06:23 - <Info> - 24933 signatures processed. 1283 are IP-only rules, 4109 are inspecting packet payload, 19340 inspect application layer, 105 are decoder event only
19/9/2023 -- 10:06:23 - <Info> - Going to use 2 thread(s)
19/9/2023 -- 10:06:23 - <Info> - Running in live mode, activating unix socket
19/9/2023 -- 10:06:23 - <Info> - Using unix socket file '/var/run/suricata/suricata-command.socket'
19/9/2023 -- 10:06:23 - <Notice> - all 2 packet processing threads, 4 management threads initialized, engine started.
19/9/2023 -- 10:06:23 - <Info> - All AFP capture threads are running.

The line "24930 rules successfully loaded, 0 rules failed" is the one to check after every rule update: a non-zero failure count means some signatures were silently skipped.

Alerts are written one per line to fast.log. Follow it with the following command (on a server with a public address you will usually see reputation-list hits from Internet scanners within minutes, as below, before you generate any test traffic):

tail -f /var/log/suricata/fast.log

You will see the following output:

09/19/2023-10:06:23.059177  [**] [1:2402000:6215] ET DROP Dshield Block Listed Source group 1 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 45.155.205.43:54612 -> 209.23.8.4:14381
09/19/2023-10:06:23.059177  [**] [1:2403342:73004] ET CINS Active Threat Intelligence Poor Reputation IP group 43 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 45.155.205.43:54612 -> 209.23.8.4:14381
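A first triage of fast.log, as an added example (mine, not from the article or the Suricata project): shell functions that count alerts per signature ID and per source address and filter by priority, run over a few constructed sample lines in the fast.log format shown above. On the IDS host you would point them at /var/log/suricata/fast.log instead. The functions assume IPv4 addresses in the src:port -> dst:port field and rely only on POSIX awk, grep and sort.

```shell
#!/usr/bin/env bash
# Added example, not part of the original article. Quick fast.log triage.
set -eu

# Constructed sample alerts (same layout as Suricata's fast.log).
sample_log=$(mktemp)
cat > "$sample_log" <<'EOF'
09/19/2023-10:06:23.059177  [**] [1:2402000:6215] ET DROP Dshield Block Listed Source group 1 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 45.155.205.43:54612 -> 209.23.8.4:14381
09/19/2023-10:06:23.059177  [**] [1:2403342:73004] ET CINS Active Threat Intelligence Poor Reputation IP group 43 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 45.155.205.43:54612 -> 209.23.8.4:14381
09/19/2023-10:08:52.933947  [**] [1:2402000:6215] ET DROP Dshield Block Listed Source group 1 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 197.248.133.173:24721 -> 209.23.8.4:9307
09/19/2023-10:09:52.284374  [**] [1:2402000:6215] ET DROP Dshield Block Listed Source group 1 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 89.248.195.202:57104 -> 209.23.8.4:6061
EOF

# Alerts per signature: prints "count<TAB>sid<TAB>message", most frequent first.
# The [gid:sid:rev] triple is the first bracketed numeric group on the line.
alerts_by_sid() {
  awk '
    match($0, /\[[0-9]+:[0-9]+:[0-9]+\]/) {
      ids = substr($0, RSTART + 1, RLENGTH - 2)        # "1:2402000:6215"
      split(ids, f, ":"); sid = f[2]
      rest = substr($0, RSTART + RLENGTH + 1)          # message [**] [Classification...
      msg = substr(rest, 1, index(rest, " [**]") - 1)
      n[sid]++; m[sid] = msg
    }
    END { for (s in n) print n[s] "\t" s "\t" m[s] }' "$1" | sort -rn
}

# Alerts per source address: prints "count<TAB>ip", most frequent first.
# Source is the token before "->", with the :port suffix stripped (IPv4 only).
alerts_by_src() {
  awk '
    {
      src = ""
      for (i = 1; i <= NF; i++) if ($i == "->") { src = $(i - 1); break }
      if (src == "") next
      sub(/:[0-9]+$/, "", src)
      n[src]++
    }
    END { for (s in n) print n[s] "\t" s }' "$1" | sort -rn
}

# Number of alerts with a given priority (1 is the most severe).
alerts_with_priority() {
  grep -c "\[Priority: $2\]" "$1" || true     # grep -c exits 1 when the count is 0
}

echo "== alerts by signature =="; alerts_by_sid "$sample_log"
echo "== alerts by source ==";    alerts_by_src "$sample_log"
echo "priority-1 alerts: $(alerts_with_priority "$sample_log" 1)"
# On the IDS host: alerts_by_sid /var/log/suricata/fast.log | head
```

For anything beyond a quick look, prefer the JSON records in /var/log/suricata/eve.json (one object per event, with the same sid, src_ip and priority fields), which avoids parsing the fast.log text layout at all.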

To check the Suricata statistics log, use the following command:

tail -f /var/log/suricata/stats.log

You will see the following output:

------------------------------------------------------------------------------------
Counter                                    | TM Name                   | Value
------------------------------------------------------------------------------------
capture.kernel_packets                     | Total                     | 651
decoder.pkts                               | Total                     | 651
decoder.bytes                              | Total                     | 51754
decoder.ipv4                               | Total                     | 398
decoder.ipv6                               | Total                     | 251
decoder.ethernet                           | Total                     | 651

Test Suricata IDS

After installing Suricata, confirm that it is actually inspecting traffic by generating some from another machine. The hping3 utility (in EPEL on Rocky Linux) can send a TCP SYN flood with randomized source addresses. Only run this against your own server and from a host you are authorized to test from; a flood with spoofed sources aimed at anything else is an attack, not a test.

dnf install hping3

After installing hping3, run the following command to send a SYN flood to port 22 of the Suricata host (replace suricata-ip with its address):

hping3 -S -p 22 --flood --rand-source suricata-ip

Now go to the Suricata host and follow the alert log with the following command. Note that the stock ruleset has no signature for a plain SYN flood: the alerts below are reputation-list hits against unrelated Internet scanners, and the flood itself mainly shows up as rising packet counters in stats.log. To get an alert for the flood you need to add a rule with a threshold of your own.

tail -f /var/log/suricata/fast.log

You will see the following output:

09/19/2023-10:08:18.049526  [**] [1:2403393:73004] ET CINS Active Threat Intelligence Poor Reputation IP group 94 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 89.248.193.194:44217 -> 209.23.8.4:37394
09/19/2023-10:08:52.933947  [**] [1:2402000:6215] ET DROP Dshield Block Listed Source group 1 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 197.248.133.173:24721 -> 209.23.8.4:9307
09/19/2023-10:09:52.284374  [**] [1:2402000:6215] ET DROP Dshield Block Listed Source group 1 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 89.248.195.202:57104 -> 209.23.8.4:6061
09/19/2023-10:10:52.284374  [**] [1:2403393:73004] ET CINS Active Threat Intelligence Poor Reputation IP group 94 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 89.248.195.202:57104 -> 209.23.8.4:6061
09/19/2023-10:10:19.951353  [**] [1:2403341:73004] ET CINS Active Threat Intelligence Poor Reputation IP group 42 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 45.137.21.208:42694 -> 209.23.8.4:57335
09/19/2023-10:11:21.477358  [**] [1:2403369:73004] ET CINS Active Threat Intelligence Poor Reputation IP group 70 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 61.190.237.40:48539 -> 209.23.8.4:2375
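A local rule that makes the hping3 test visible in fast.log, as an added example (mine, not from the article or the Suricata project): it writes a threshold rule that fires when one destination receives a burst of SYN packets on port 22, registers the rule file in suricata.yaml, and checks syntax with `suricata -T` before a reload. Assumptions of mine: the rule file path /var/lib/suricata/rules/local.rules (suricata-update leaves it alone), sid 1000001 (local sids start at 1000000), and 200 SYNs in 10 seconds as the trigger; the demo at the bottom runs on a constructed yaml copy so it works offline.

```shell
#!/usr/bin/env bash
# Added example, not part of the original article. Local SYN-flood detection rule.
set -eu

RULE_DIR="${RULE_DIR:-/var/lib/suricata/rules}"   # assumed location, see lead-in
YAML="${YAML:-/etc/suricata/suricata.yaml}"

# Emit the rule text. flags:S,12 matches SYN-only packets (reserved bits ignored);
# threshold "type both, track by_dst" alerts at most once per window per target
# once the count is reached, so a flood produces one alert every N seconds
# instead of one alert per packet. Defaults: port 22, 200 SYNs in 10 s.
syn_flood_rule() {
  local port="${1:-22}" count="${2:-200}" seconds="${3:-10}"
  printf 'alert tcp $EXTERNAL_NET any -> $HOME_NET %s (msg:"LOCAL SYN flood against port %s"; flags:S,12; threshold:type both, track by_dst, count %s, seconds %s; classtype:attempted-dos; sid:1000001; rev:1;)\n' \
    "$port" "$port" "$count" "$seconds"
}

# Write local.rules and add it to rule-files after suricata.rules (idempotent).
install_local_rule() {
  local dir="$1" yaml="$2"
  mkdir -p "$dir"
  syn_flood_rule 22 > "$dir/local.rules"
  grep -q '^[[:space:]]*- local.rules' "$yaml" || \
    sed -i -E 's/^([[:space:]]*)- suricata\.rules[[:space:]]*$/&\n\1- local.rules/' "$yaml"
}

# Load config and all rule files without capturing; a bad rule gives a non-zero exit.
check_rules() {
  if ! command -v suricata >/dev/null 2>&1; then
    echo "suricata not installed here; skipping -T check" >&2
    return 0
  fi
  suricata -T -c "$1" -v
}

# Real deployment, to be run as root on the IDS host:
#   deploy_to_host && systemctl restart suricata
deploy_to_host() {
  install_local_rule "$RULE_DIR" "$YAML" && check_rules "$YAML"
}

# Offline demo on constructed copies (sample data, not real files).
demo_dir=$(mktemp -d)
demo_yaml="$demo_dir/suricata.yaml"
printf 'default-rule-path: %s\nrule-files:\n  - suricata.rules\n' "$demo_dir" > "$demo_yaml"
install_local_rule "$demo_dir" "$demo_yaml"
install_local_rule "$demo_dir" "$demo_yaml"   # second run must not duplicate the entry
cat "$demo_dir/local.rules"
cat "$demo_yaml"
```

With the rule loaded, rerun `hping3 -S -p 22 --flood --rand-source suricata-ip` from the test machine: because the sources are spoofed and random, tracking by_src would never reach the count, which is why the rule tracks by destination. Expect one "LOCAL SYN flood against port 22" line in fast.log per 10-second window for as long as the flood lasts.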
