Suricata has been added to Debian Backports
Thanks to the hard work of Arturo Borrero Gonzalez, Suricata has just been added to the Debian ‘backports’ repository. This allows users of Debian stable to run up to date versions of Suricata.
The ‘Backports’ repository makes the Suricata and libhtp packages from Debian Testing available to ‘stable’ users. As ‘testing’ is currently in a freeze, it may take a bit of time before 2.0.5 and libhtp 0.5.16 appear.
Anyway, here is how to use it.
Install
First add backports repo to your sources:
# echo "deb http://http.debian.net/debian wheezy-backports main" > /etc/apt/sources.list.d/backports.list
# apt-get update
As explained at http://backports.debian.org/Instructions/, this will not affect your normal packages: apt only takes packages from backports when you explicitly ask for them.
To prove this, check:
# apt-get install suricata -s
Conf libhtp1 (0.2.6-2 Debian:7.7/stable [amd64])
Conf suricata (1.2.1-2 Debian:7.7/stable [amd64])
Not what we want, as that is still the old version.
To install Suricata from backports, we need to specify the repo:
# apt-get install -t wheezy-backports suricata -s
Conf libhtp1 (0.5.15-1~bpo70+1 Debian Backports:/wheezy-backports [amd64])
Conf suricata (2.0.4-1~bpo70+1 Debian Backports:/wheezy-backports [amd64])
Let’s do it!
# apt-get install -t wheezy-backports suricata
...
Setting up suricata (2.0.4-1~bpo70+1) ...
[FAIL] suricata disabled, please adjust the configuration to your needs ... failed!
[FAIL] and then set RUN to 'yes' in /etc/default/suricata to enable it. ... failed!
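The install steps above as a script, added here as an example and not part of the original post. Before doing the real install it runs the same `apt-get install -s` dry run and parses the `Conf <package> (<version> <origin> [arch])` lines it prints, refusing to continue unless suricata would come from wheezy-backports. The `sim_source` and `require_backports` helper names and the `--install` flag are this example's own; the sample dry-run output is copied from the two checks shown above.

```shell
#!/bin/sh
# Added example, not from the original post: scripted backports install that
# checks apt's dry run first. Helper names are this example's own.

# Print "<version> <suite>" for PKG from "apt-get install -s" output on stdin.
# "Debian:7.7/stable" yields "stable"; "Debian Backports:/wheezy-backports"
# yields "wheezy-backports".
sim_source() {
    pkg="$1"
    sed -n "s/^Conf $pkg (\([^ ]*\) \(.*\) \[[^]]*])\$/\1 \2/p" |
    while read -r version origin; do
        printf '%s %s\n' "$version" "${origin##*/}"
    done
}

# Succeed only if PKG would be installed from wheezy-backports.
require_backports() {
    suite=$(sim_source "$1" | awk '{ print $2 }')
    [ "$suite" = "wheezy-backports" ]
}

# The real procedure (needs root); only run when asked for with --install.
install_suricata_backports() {
    echo "deb http://http.debian.net/debian wheezy-backports main" \
        > /etc/apt/sources.list.d/backports.list
    apt-get update
    if ! apt-get install -t wheezy-backports suricata -s | require_backports suricata; then
        echo "refusing to install: suricata would not come from wheezy-backports" >&2
        return 1
    fi
    apt-get install -t wheezy-backports suricata
}

# Sample dry-run output, copied from the two checks in the post (constructed
# test data for this example).
SIM_STABLE='Conf libhtp1 (0.2.6-2 Debian:7.7/stable [amd64])
Conf suricata (1.2.1-2 Debian:7.7/stable [amd64])'
SIM_BACKPORTS='Conf libhtp1 (0.5.15-1~bpo70+1 Debian Backports:/wheezy-backports [amd64])
Conf suricata (2.0.4-1~bpo70+1 Debian Backports:/wheezy-backports [amd64])'

if [ "${1:-}" = "--install" ]; then
    install_suricata_backports
fi
```

Run it as `sh install-suricata.sh --install` on the stable box; without the flag it only defines the helpers, which is what lets the parsing be checked against the sample output offline.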
Suricata 2.0.4 is now installed, but it’s not yet running. To see what features have been compiled in, run:
# suricata --build-info
This is Suricata version 2.0.4 RELEASE
Suricata Configuration:
AF_PACKET support: yes
PF_RING support: no
NFQueue support: yes
NFLOG support: no
IPFW support: no
DAG enabled: no
Napatech enabled: no
Unix socket enabled: yes
Detection enabled: yes
libnss support: yes
libnspr support: yes
libjansson support: yes
Prelude support: yes
PCRE jit: yes
LUA support: yes
libluajit: yes
libgeoip: no
Non-bundled htp: yes
Old barnyard2 support: no
CUDA enabled: no
Suricatasc install: yes
It has Luajit enabled, libjansson for the JSON output, NFQ and AF_PACKET IPS modes, NSS for MD5 checksums and unix sockets. Quite a good feature set.
Run
To get it running, we need a few more steps:
Edit /etc/default/suricata:
1. Change RUN=no to RUN=yes
2. Change LISTENMODE to “af-packet”
Now let’s start it.
# service suricata start
Starting suricata in IDS (af-packet) mode... done.
And confirm that it’s running.
# ps aux|grep suricata
root 20295 1.8 4.1 200212 42544 ? Ssl 00:50 0:00 /usr/bin/suricata -c /etc/suricata/suricata-debian.yaml --pidfile /var/run/suricata.pid --af-packet -D
Check if we’re seeing traffic:
# tail /var/log/suricata/stats.log -f|grep capture
capture.kernel_packets | RxAFPeth01 | 406
capture.kernel_drops | RxAFPeth01 | 0
capture.kernel_packets | RxAFPeth11 | 0
capture.kernel_drops | RxAFPeth11 | 0
capture.kernel_packets | RxAFPeth01 | 411
capture.kernel_drops | RxAFPeth01 | 0
capture.kernel_packets | RxAFPeth11 | 0
capture.kernel_drops | RxAFPeth11 | 0
capture.kernel_packets | RxAFPeth01 | 417
capture.kernel_drops | RxAFPeth01 | 0
capture.kernel_packets | RxAFPeth11 | 0
capture.kernel_drops | RxAFPeth11 | 0
capture.kernel_packets | RxAFPeth01 | 587
capture.kernel_drops | RxAFPeth01 | 0
capture.kernel_packets | RxAFPeth11 | 0
capture.kernel_drops | RxAFPeth11 | 0
capture.kernel_packets | RxAFPeth01 | 593
capture.kernel_drops | RxAFPeth01 | 0
capture.kernel_packets | RxAFPeth11 | 0
capture.kernel_drops | RxAFPeth11 | 0
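Watching `tail -f` is fine for a first look, but the number that matters over time is the ratio of kernel_drops to kernel_packets per capture thread. The script below is an added example, not part of the original post: it reads stats.log, keeps the last value of each counter per thread (the counters are cumulative, so only the most recent sample counts) and fails when any thread drops more than a given percentage. Helper names and the `--check` flag are this example's own; the sample data starts with the lines shown above and then adds a constructed later sample with drops.

```shell
#!/bin/sh
# Added example, not from the original post: per-thread capture drop check
# over stats.log. Counters are cumulative, so the last sample per thread wins.

# Read stats.log on stdin; print "<thread> <packets> <drops> <drop_pct>".
capture_summary() {
    awk -F'|' '
        { for (i = 1; i <= NF; i++) gsub(/^[ \t]+|[ \t]+$/, "", $i) }   # trim cells
        $1 == "capture.kernel_packets" { pk[$2] = $3; seen[$2] = 1 }
        $1 == "capture.kernel_drops"   { dr[$2] = $3; seen[$2] = 1 }
        END {
            for (t in seen) {
                p = pk[t] + 0; d = dr[t] + 0
                pct = (p > 0) ? 100 * d / p : 0
                printf "%s %d %d %.2f\n", t, p, d, pct
            }
        }' | sort
}

# Exit 1 (and warn on stderr) if any thread drops more than MAXPCT percent.
check_drops() {
    capture_summary | awk -v max="$1" '
        $4 + 0 > max + 0 { bad = 1; print "WARN: " $1 " dropped " $4 "% of " $2 " packets" > "/dev/stderr" }
        END { if (bad) exit 1 }'
}

# Constructed sample: the first block is the output shown in the post, the
# second block is a made-up later sample where RxAFPeth01 starts dropping.
SAMPLE_STATS='capture.kernel_packets | RxAFPeth01 | 406
capture.kernel_drops | RxAFPeth01 | 0
capture.kernel_packets | RxAFPeth11 | 0
capture.kernel_drops | RxAFPeth11 | 0
capture.kernel_packets | RxAFPeth01 | 10000
capture.kernel_drops | RxAFPeth01 | 350
capture.kernel_packets | RxAFPeth11 | 0
capture.kernel_drops | RxAFPeth11 | 0'

if [ "${1:-}" = "--check" ]; then
    check_drops "${2:-1}" < /var/log/suricata/stats.log
fi
```

`sh capture-drops.sh --check 1` is cheap enough to run from cron; a non-zero exit means a thread is losing more than 1% of its packets, which on a sensor means missed flows and therefore missed alerts.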
Logging
As the init script starts Suricata in daemon mode, we need to enable logging to file:
Edit /etc/suricata/suricata-debian.yaml, go to the “logging:” section and change the “file” entry so that it looks like:
  - file:
      enabled: yes
      filename: /var/log/suricata/suricata.log
Note: in the YAML indentation matters, so make sure it’s exactly right.
Rules
Oinkmaster is automatically installed, so let’s use that:
First create the rules directory:
# mkdir /etc/suricata/rules/
Open /etc/oinkmaster.conf in your editor and add:
url = https://rules.emergingthreats.net/open/suricata-2.0/emerging.rules.tar.gz
Then run:
# oinkmaster -C /etc/oinkmaster.conf -o /etc/suricata/rules
Loading /etc/oinkmaster.conf
Downloading file from https://rules.emergingthreats.net/open/suricata-2.0/emerging.rules.tar.gz... done.
...
Edit /etc/suricata/suricata-debian.yaml and change “default-rule-path” to:
default-rule-path: /etc/suricata/rules
Finally, restart to load the new rules:
# service suricata restart
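The same rule-update steps as a re-runnable script, added here as an example and not part of the original post or the Debian package. The two config edits are done with small idempotent helpers so running it again does not add a second url line or a second default-rule-path, and the configuration is tested with `suricata -T -c` before the restart so that a broken rule download does not take the sensor down. Helper names, the `--update` flag and the use of `-T` on this build are this example's assumptions; paths and the rules URL are the ones used above.

```shell
#!/bin/sh
# Added example, not from the original post: idempotent rule update with a
# config test before restart. Helper names are this example's own.

OINK_CONF=/etc/oinkmaster.conf
SURI_YAML=/etc/suricata/suricata-debian.yaml
RULES_DIR=/etc/suricata/rules
ET_URL=https://rules.emergingthreats.net/open/suricata-2.0/emerging.rules.tar.gz

# Append LINE to FILE unless an identical line is already there.
ensure_line() {
    file="$1"; line="$2"
    grep -qxF -- "$line" "$file" 2>/dev/null || printf '%s\n' "$line" >> "$file"
}

# Set top-level YAML KEY in FILE to VALUE: replace the existing line or append one.
set_yaml_key() {
    file="$1"; key="$2"; value="$3"
    if grep -q "^$key:" "$file"; then
        sed -i "s|^$key:.*|$key: $value|" "$file"
    else
        printf '%s: %s\n' "$key" "$value" >> "$file"
    fi
}

update_rules() {
    mkdir -p "$RULES_DIR"
    ensure_line "$OINK_CONF" "url = $ET_URL"
    oinkmaster -C "$OINK_CONF" -o "$RULES_DIR"
    set_yaml_key "$SURI_YAML" default-rule-path "$RULES_DIR"
    # Test the config (and rule parsing) before touching the running service.
    suricata -T -c "$SURI_YAML" || { echo "config test failed, not restarting" >&2; return 1; }
    service suricata restart
}

if [ "${1:-}" = "--update" ]; then
    update_rules
fi
```

Run `sh update-rules.sh --update` as root; the helpers can be exercised on a scratch file without touching /etc.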
Validate
Now that Suricata is running with rules, let’s see if it works:
# wget http://www.testmyids.com
--2015-01-08 01:21:30-- http://www.testmyids.com/
Resolving www.testmyids.com (www.testmyids.com)... 82.165.177.154
This should trigger a specific rule:
# tail /var/log/suricata/fast.log
01/08/2015-01:21:30.870346 [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 82.165.177.154:80 -> 192.168.122.181:59190
Success! :)
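Eyeballing fast.log works for one alert; for a repeatable check it helps to parse the lines into fields and ask for the signature you expect. The script below is an added example, not part of the original post: it splits each fast.log line into timestamp, sid, message, classification, priority, protocol, source and destination, confirms that sid 2100498 (the rule hit above) is present, and counts alerts per sid for rule tuning. Helper names are this example's own; the sample is the fast.log line from above plus a constructed second hit from a repeated fetch.

```shell
#!/bin/sh
# Added example, not from the original post: fast.log parsing and a check
# that the expected signature fired. Helper names are this example's own.

# Read fast.log on stdin; print
# "timestamp|sid|msg|classification|priority|proto|src|dst" per alert line.
parse_fast_log() {
    sed -n 's/^\([^ ]*\)  *\[\*\*] \[[0-9]*:\([0-9]*\):[0-9]*] \(.*\) \[\*\*] \[Classification: \([^]]*\)] \[Priority: \([0-9]*\)] {\([^}]*\)} \([^ ]*\) -> \([^ ]*\)$/\1|\2|\3|\4|\5|\6|\7|\8/p'
}

# Succeed if an alert with signature id SID is present on stdin.
alert_seen() {
    parse_fast_log | awk -F'|' -v sid="$1" '$2 == sid { found = 1 } END { if (!found) exit 1 }'
}

# Print "count|sid|msg", most frequent first (handy for spotting noisy rules).
alerts_by_sid() {
    parse_fast_log | awk -F'|' '{ n[$2 "|" $3]++ } END { for (k in n) print n[k] "|" k }' \
        | sort -t'|' -k1,1nr
}

# Sample: the first line is the alert from the post, the second is a
# constructed repeat of the same fetch a little later.
SAMPLE_FAST='01/08/2015-01:21:30.870346  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 82.165.177.154:80 -> 192.168.122.181:59190
01/08/2015-01:22:05.118201  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 82.165.177.154:80 -> 192.168.122.181:59191'

if [ "${1:-}" = "--expect" ]; then
    # e.g. sh check-alert.sh --expect 2100498 < /var/log/suricata/fast.log
    alert_seen "$2" && echo "sid $2 seen" || { echo "sid $2 not seen" >&2; exit 1; }
fi
```

The check is the same idea as the manual `tail` above, just scriptable: run the testmyids fetch, then `sh check-alert.sh --expect 2100498 < /var/log/suricata/fast.log` and let the exit code tell you whether the rule pipeline is working end to end.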
Thanks
Thanks to Arturo Borrero Gonzalez for taking on this work for us. Also many thanks to Pierre Chifflier for maintaining the Suricata and libhtp packages in Debian.