Suricata in Ubuntu

Suricata is a free, open-source, mature, fast and robust network threat detection engine. In this post, we will show one of the many things you can do with it.

We will need a virtual machine running any operating system, from which we will send a ping. We will also need an Ubuntu Linux virtual machine, on which we will install and configure Suricata.

We update the package lists of our Linux virtual machine with the following command.

$ sudo apt-get update

With the following command we install Suricata.

$ sudo apt-get install suricata -y

We will create an empty rules file with the following command.

$ sudo touch /etc/suricata/rules/local.rules

Now we will edit the file suricata.yaml with the following command. You can use vim or nano; in our case we will use gedit.

$ sudo gedit /etc/suricata/suricata.yaml

We will comment out all the rule files listed there, so that our own rules file takes priority. A line is commented out by adding the # sign at the beginning of it.

local.rules is the file we created earlier.

Now we will add our local network, the one configured in our virtual machine; in this case it is 192.168.100.0/24.

The next step is to edit our local.rules file.

$ sudo gedit /etc/suricata/rules/local.rules

This is what we have to write in our local.rules file (it is a rule line, not a shell command).

alert icmp any any -> 192.168.100.3 any (msg:"ICMP detected"; sid:100000001; rev:1;)

If you do not have ethtool installed yet, you can install it with the following commands.

$ sudo -s

# apt-get install ethtool

Now run the following command to disable GRO (generic receive offload) on the capture interface with ethtool, so that Suricata sees packets as they arrived on the wire rather than segments coalesced by the NIC.

$ sudo ethtool -K enp0s3 gro off

Then start Suricata in NIDS mode on that interface with the command below.

$ sudo suricata -c /etc/suricata/suricata.yaml -i enp0s3

Now we ping from another virtual machine that is in the same network.

$ ping 192.168.100.3

As a result, we get a record of the ping sent by the virtual machine infosecaddicts@hacker to the machine that has Suricata installed, infosecaddicts@infosecaddicts. To see that information in detail, we will review the file fast.log with the following command.

$ sudo tail -f /var/log/suricata/fast.log
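To go a step beyond tailing the file, here is an added example (not part of the original post) that parses fast.log lines into records and counts which source hosts triggered the ICMP rule above. The sample lines are constructed for this example; the field layout assumed is the usual fast.log shape: timestamp, [gid:sid:rev], message, classification, priority, {protocol}, source -> destination (for ICMP the "ports" carry the ICMP type and code).

```python
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

# Constructed sample of /var/log/suricata/fast.log lines, in the shape the
# page's rule (sid 100000001) produces. Addresses and times are made up.
SAMPLE_FAST_LOG = """\
04/20/2020-10:15:42.123456  [**] [1:100000001:1] ICMP detected [**] [Classification: (null)] [Priority: 3] {ICMP} 192.168.100.5:8 -> 192.168.100.3:0
04/20/2020-10:15:43.125001  [**] [1:100000001:1] ICMP detected [**] [Classification: (null)] [Priority: 3] {ICMP} 192.168.100.5:8 -> 192.168.100.3:0
04/20/2020-10:15:44.126789  [**] [1:100000001:1] ICMP detected [**] [Classification: (null)] [Priority: 3] {ICMP} 192.168.100.7:8 -> 192.168.100.3:0
this line is not an alert and must be skipped
"""

# One fast.log alert per line; anything that does not match is ignored.
FAST_LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"\[Classification:\s*(?P<cls>[^\]]*)\]\s+\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[^}]+)\}\s+(?P<src>[^:\s]+):(?P<sp>\d+)\s+->\s+(?P<dst>[^:\s]+):(?P<dp>\d+)\s*$"
)

@dataclass
class Alert:
    timestamp: datetime
    sid: int
    msg: str
    proto: str
    src: str
    dst: str

def parse_fast_log(text):
    """Return the alerts found in fast.log text, skipping non-matching lines."""
    alerts = []
    for line in text.splitlines():
        m = FAST_LOG_RE.match(line)
        if not m:
            continue
        alerts.append(Alert(
            timestamp=datetime.strptime(m["ts"], "%m/%d/%Y-%H:%M:%S.%f"),
            sid=int(m["sid"]), msg=m["msg"], proto=m["proto"],
            src=m["src"], dst=m["dst"]))
    return alerts

def sources_per_sid(alerts, sid):
    """Count alerts for one rule (sid) by source address."""
    return Counter(a.src for a in alerts if a.sid == sid)

if __name__ == "__main__":
    for src, n in sources_per_sid(parse_fast_log(SAMPLE_FAST_LOG), 100000001).items():
        print(f"{src}: {n} ICMP alert(s)")
```

To run it against the real log, replace SAMPLE_FAST_LOG with the contents of /var/log/suricata/fast.log.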

Suricata has many more features; we invite you to install it and run many more tests with this tool.

This post was written by Ruben Dario Caravajal Herrera