In this tutorial, we will look at how to install Suricata IDS/IPS on CentOS 9|AlmaLinux 9|RHEL 9. An IDS (Intrusion Detection System) monitors a network and analyzes its traffic for signs of imminent threats. Its aim is to alert security personnel when an anomaly is detected; it has no ability to stop the attack from continuing.
An IPS (Intrusion Prevention System) also identifies potential threats on a network but, unlike an IDS, takes action to block the threat.
There are various IDS/IPS solutions available, including Kismet, OSSEC, Suricata, SolarWinds Security Event Manager (SEM) IDS/IPS, Vectra Cognito, Snort, Trellix Network Security, and others.
Suricata
Suricata is a threat detection system that provides capabilities of IDS, IPS, network security monitoring (NSM), and PCAP processing to recognize and evaluate attacks swiftly. It is a robust, adaptable, and open-source solution that puts security, usability, and productivity first to protect your network against sophisticated and new attacks. Suricata may be embedded into many reputable commercial and open source solutions and connects easily with your network.
Suricata has the following features:
- It is multi-threaded, so a single instance can handle much higher traffic volumes.
- There is more support available for application layer protocols.
- It supports file hashing and file extraction.
- It has hooks for the Lua scripting language, which can be used to modify outputs and even create complex and detailed signature detection logic.
- Automatic protocol detection.
- The main logging output is called EVE, which is JSON for easier integration with Logstash.
Install Suricata IDS/IPS on CentOS 9|AlmaLinux 9|RHEL 9
This guide will show you how to install Suricata IDS/IPS on CentOS 9|AlmaLinux 9|RHEL 9.
Before you begin the installation, first enable the EPEL repository on your system. Once the EPEL repository has been enabled, update your system with the command below:
sudo dnf update -y
Install Suricata with the following command.
sudo dnf install suricata
You can check the version of Suricata with the following command.
$ suricata -V
This is Suricata version 6.0.6 RELEASE
Set Up Suricata IDS / IPS on CentOS 9|AlmaLinux 9|RHEL 9
Determine the interface and IP address on which Suricata should inspect the network packets.
$ ip --brief add
lo UNKNOWN 127.0.0.1/8 ::1/128
ens18 UP 192.168.200.42/24 fe80::8234:dbec:d82b:b68c/64
Open the configuration file to set the interface and network identified above.
sudo nano /etc/suricata/suricata.yaml
Under the vars section, set HOME_NET to your local network; it defines the IP addresses that need inspection. The EXTERNAL_NET variable should cover any IP or network that is not local.
HOME_NET: "[192.168.200.0/24]"
EXTERNAL_NET: "!$HOME_NET"
The interface name in the af-packet section must match the interface found above. Save and exit the file.
af-packet:
  - interface: ens18
Specify the interface again in the /etc/sysconfig/suricata configuration file, then save and exit the file.
$ sudo nano /etc/sysconfig/suricata
# Add options to be passed to the daemon
OPTIONS="-i ens18 --user suricata "
Download and update the Suricata rule set with the following command (with no sources enabled, suricata-update fetches the Emerging Threats Open ruleset by default).
sudo suricata-update
Start and enable the service.
sudo systemctl enable --now suricata
Check the status of the service.
$ sudo systemctl status suricata
● suricata.service - Suricata Intrusion Detection Service
Loaded: loaded (/usr/lib/systemd/system/suricata.service; enabled; vendor >
Active: active (running) since Sat 2022-07-16 14:18:48 EAT; 8s ago
Docs: man:suricata(1)
Process: 20964 ExecStartPre=/bin/rm -f /var/run/suricata.pid (code=exited, >
Main PID: 20965 (Suricata-Main)
Tasks: 1 (limit: 48797)
Memory: 283.7M
CPU: 8.550s
CGroup: /system.slice/suricata.service
└─20965 /sbin/suricata -c /etc/suricata/suricata.yaml --pidfile /v>
Running Suricata
To confirm that Suricata started cleanly, check its log.
$ sudo tail /var/log/suricata/suricata.log
16/7/2022 -- 14:18:48 - <Info> - Found an MTU of 1500 for 'ens18'
16/7/2022 -- 14:18:48 - <Info> - Found an MTU of 1500 for 'ens18'
16/7/2022 -- 14:18:48 - <Info> - dropped the caps for main thread
16/7/2022 -- 14:18:48 - <Info> - fast output device (regular) initialized: fast.log
16/7/2022 -- 14:18:48 - <Info> - eve-log output device (regular) initialized: eve.json
16/7/2022 -- 14:18:48 - <Info> - stats output device (regular) initialized: stats.log
16/7/2022 -- 14:18:48 - <Info> - Running in live mode, activating unix socket
16/7/2022 -- 14:18:55 - <Info> - 1 rule files processed. 26972 rules successfully loaded, 0 rules failed
16/7/2022 -- 14:18:55 - <Info> - Threshold config parsed: 0 rule(s) found
16/7/2022 -- 14:18:56 - <Info> - 26975 signatures processed. 1157 are IP-only rules, 4604 are inspecting packet payload, 21010 inspect application layer, 108 are decoder event only
Statistics are written to the stats.log file, which is updated every 8 seconds by default.
sudo tail -f /var/log/suricata/stats.log
The more detailed EVE JSON output can be followed with the following command.
sudo tail -f /var/log/suricata/eve.json
Test Suricata
To test whether alerts are logged, fetch the test page from testmynids.org with curl.
$ curl http://testmynids.org/uid/index.html
uid=0(root) gid=0(root) groups=0(root)
To test whether it was logged, check the alert log.
$ sudo cat /var/log/suricata/fast.log
07/16/2022-14:20:05.989638 [**] [1:2013028:7] ET POLICY curl User-Agent Outbound [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.200.42:55492 -> 143.204.89.32:80
07/16/2022-14:20:05.995861 [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 143.204.89.32:80 -> 192.168.200.42:55492
Setup Suricata Rules
There are a set of rules that come prepackaged with Suricata. You can find them with the following command.
$ sudo ls -al /var/lib/suricata/rules/
total 19744
drwxr-s---. 2 root suricata 57 Jul 16 14:18 .
drwxrws---. 4 suricata suricata 33 Jul 16 14:18 ..
-rw-r--r--. 1 root suricata 3228 Jul 16 14:18 classification.config
-rw-r--r--. 1 root suricata 20210513 Jul 16 14:18 suricata.rules
You can also choose your own rule sources. Run the following command to download the index of available sources, which offer various kinds of rule sets.
sudo suricata-update list-sources
Sources may be commercial or free. In the listing, the ones marked License: Commercial need a subscription, while the others (for example those under the MIT license) can be downloaded without one.
Name: et/open
Vendor: Proofpoint
Summary: Emerging Threats Open Ruleset
License: MIT
Name: et/pro
Vendor: Proofpoint
Summary: Emerging Threats Pro Ruleset
License: Commercial
Replaces: et/open
Parameters: secret-code
Subscription: https://www.proofpoint.com/us/threat-insight/et-pro-ruleset
Name: oisf/trafficid
Vendor: OISF
Summary: Suricata Traffic ID ruleset
License: MIT
Name: scwx/enhanced
Vendor: Secureworks
Summary: Secureworks suricata-enhanced ruleset
License: Commercial
Parameters: secret-code
Subscription: https://www.secureworks.com/contact/ (Please reference CTU Countermeasures)
Name: scwx/malware
Vendor: Secureworks
Summary: Secureworks suricata-malware ruleset
License: Commercial
Parameters: secret-code
Subscription: https://www.secureworks.com/contact/ (Please reference CTU Countermeasures)
Name: scwx/security
Vendor: Secureworks
Summary: Secureworks suricata-security ruleset
License: Commercial
Parameters: secret-code
Subscription: https://www.secureworks.com/contact/ (Please reference CTU Countermeasures)
Name: sslbl/ssl-fp-blacklist
Vendor: Abuse.ch
Summary: Abuse.ch SSL Blacklist
License: Non-Commercial
Name: sslbl/ja3-fingerprints
Vendor: Abuse.ch
Summary: Abuse.ch Suricata JA3 Fingerprint Ruleset
License: Non-Commercial
Name: etnetera/aggressive
Vendor: Etnetera a.s.
Summary: Etnetera aggressive IP blacklist
License: MIT
Name: tgreen/hunting
Vendor: tgreen
Summary: Threat hunting rules
License: GPLv3
Name: malsilo/win-malware
Vendor: malsilo
Summary: Commodity malware rules
License: MIT
To enable a source, use the following command syntax with the name of the source.
$ sudo suricata-update enable-source et/open
29/6/2022 -- 14:01:35 - <Info> -- Using data-directory /var/lib/suricata.
29/6/2022 -- 14:01:35 - <Info> -- Using Suricata configuration /etc/suricata/suricata.yaml
29/6/2022 -- 14:01:35 - <Info> -- Using /usr/share/suricata/rules for Suricata provided rules.
29/6/2022 -- 14:01:35 - <Info> -- Found Suricata version 6.0.5 at /sbin/suricata.
29/6/2022 -- 14:01:35 - <Info> -- Creating directory /var/lib/suricata/update/sources
29/6/2022 -- 14:01:35 - <Info> -- Source et/open enabled
Once the source is enabled, run the update.
sudo suricata-update
Restart Suricata service.
sudo systemctl restart suricata
Create Custom Suricata Rules
You can add your own custom rules to Suricata. Start by creating a file to hold the custom rules.
sudo nano /etc/suricata/rules/local.rules
Add the following example entry.
alert icmp any any -> $HOME_NET any (msg:"ICMP Ping"; sid:1; rev:1;)
This rule generates an alert for ICMP traffic from any source address to the home network (ICMP has no ports, so the port fields are placeholders). The msg option sets the message logged with the alert, and sid and rev give the rule's unique ID and revision.
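Before pointing Suricata at a local rules file, it helps to lint it: a duplicate sid or a missing rev is reported only when suricata -T runs over the whole rule set. The following Python script is an added example written for this guide, not part of the page or of Suricata itself. It parses the rule header and option body of each line (handling ';' inside quoted msg or content values) and warns about missing msg/sid/rev, non-numeric or duplicate sids, and sids outside the 1000000-1999999 range conventionally used for local rules. The two SSH rules in the sample are hypothetical; the ICMP rule is the page's own.

```python
import re
from dataclasses import dataclass

# Suricata rule header: action proto src src_port direction dst dst_port (options)
# Addresses or port lists containing spaces (e.g. "[10.0.0.0/8, 10.1.0.0/16]") are not handled.
HEADER_RE = re.compile(
    r'^(?P<action>alert|drop|pass|reject)\s+(?P<proto>\S+)\s+'
    r'(?P<src>\S+)\s+(?P<src_port>\S+)\s+(?P<direction>->|<>)\s+'
    r'(?P<dst>\S+)\s+(?P<dst_port>\S+)\s*\((?P<options>.*)\)\s*$'
)

@dataclass
class Rule:
    action: str
    proto: str
    src: str
    src_port: str
    direction: str
    dst: str
    dst_port: str
    options: dict  # keyword -> value (None for bare keywords such as "nocase")

def split_options(text):
    """Split the option body on ';' while ignoring ';' inside double quotes
    and backslash-escaped characters."""
    parts, buf, in_quote, i = [], [], False, 0
    while i < len(text):
        c = text[i]
        if c == '\\' and i + 1 < len(text):      # keep escapes such as \; intact
            buf.extend((c, text[i + 1]))
            i += 2
            continue
        if c == '"':
            in_quote = not in_quote
        if c == ';' and not in_quote:
            part = ''.join(buf).strip()
            if part:
                parts.append(part)
            buf = []
        else:
            buf.append(c)
        i += 1
    tail = ''.join(buf).strip()
    if tail:
        parts.append(tail)
    return parts

def parse_rule(line):
    """Parse one rule line into a Rule; raise ValueError if the header is malformed."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError(f"malformed rule header: {line!r}")
    options = {}
    for part in split_options(m.group('options')):
        key, sep, value = part.partition(':')
        options[key.strip()] = value.strip() if sep else None
    fields = {k: v for k, v in m.groupdict().items() if k != 'options'}
    return Rule(options=options, **fields)

def lint_rules(lines):
    """Return warnings for a list of rule lines: missing msg/sid/rev, non-numeric sid,
    sid outside the local range 1000000-1999999, and duplicate sids."""
    warnings, seen = [], {}
    for n, line in enumerate(lines, 1):
        if not line.strip() or line.lstrip().startswith('#'):
            continue
        try:
            rule = parse_rule(line)
        except ValueError as e:
            warnings.append(f"line {n}: {e}")
            continue
        for required in ('msg', 'sid', 'rev'):
            if required not in rule.options:
                warnings.append(f"line {n}: missing {required}")
        sid = rule.options.get('sid')
        if sid is None:
            continue
        if not sid.isdigit():
            warnings.append(f"line {n}: sid is not numeric: {sid!r}")
            continue
        if not 1000000 <= int(sid) <= 1999999:
            warnings.append(f"line {n}: sid {sid} is outside the local range 1000000-1999999")
        if sid in seen:
            warnings.append(f"line {n}: duplicate sid {sid} (first seen on line {seen[sid]})")
        seen.setdefault(sid, n)
    return warnings

# Constructed sample file: the page's ICMP rule plus two hypothetical local rules.
SAMPLE_LOCAL_RULES = [
    'alert icmp any any -> $HOME_NET any (msg:"ICMP Ping"; sid:1; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH to home net"; flow:to_server,established; sid:1000001; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH to home net, duplicate sid"; sid:1000001; rev:2;)',
]

if __name__ == '__main__':
    for warning in lint_rules(SAMPLE_LOCAL_RULES):
        print(warning)
```

Run it against /etc/suricata/rules/local.rules by reading the file into a list of lines and passing it to lint_rules; the sid-range warning for the page's sid:1 is advisory, since Suricata loads the rule regardless, but a sid that collides with a downloaded ruleset is a real problem and suricata-update will report it.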
Edit the configuration file and add the new rule file to the rule-files list.
$ sudo nano /etc/suricata/suricata.yaml
...
default-rule-path: /var/lib/suricata/rules
rule-files:
  - suricata.rules
  - /etc/suricata/rules/local.rules
...
Save and exit the file.
Test the configuration file.
$ sudo suricata -T -c /etc/suricata/suricata.yaml -v
16/7/2022 -- 14:23:36 - <Info> - Running suricata under test mode
16/7/2022 -- 14:23:36 - <Notice> - This is Suricata version 6.0.5 RELEASE running in SYSTEM mode
16/7/2022 -- 14:23:36 - <Info> - CPUs/cores online: 2
16/7/2022 -- 14:23:36 - <Info> - fast output device (regular) initialized: fast.log
16/7/2022 -- 14:23:36 - <Info> - eve-log output device (regular) initialized: eve.json
16/7/2022 -- 14:23:36 - <Info> - stats output device (regular) initialized: stats.log
16/7/2022 -- 14:23:43 - <Info> - 2 rule files processed. 26973 rules successfully loaded, 0 rules failed
16/7/2022 -- 14:23:43 - <Info> - Threshold config parsed: 0 rule(s) found
16/7/2022 -- 14:23:44 - <Info> - 26976 signatures processed. 1158 are IP-only rules, 4604 are inspecting packet payload, 21010 inspect application layer, 108 are decoder event only
16/7/2022 -- 14:24:07 - <Notice> - Configuration provided was successfully loaded. Exiting.
16/7/2022 -- 14:24:08 - <Info> - cleaning up signature grouping structure... complete
Restart the service.
sudo systemctl restart suricata
To test whether the rule applies, ping this host from another machine on the network, then check whether it was logged.
$ sudo cat /var/log/suricata/fast.log
07/16/2022-14:20:05.989638 [**] [1:2013028:7] ET POLICY curl User-Agent Outbound [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.200.42:55492 -> 143.204.89.32:80
07/16/2022-14:20:05.995861 [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 143.204.89.32:80 -> 192.168.200.42:55492
07/16/2022-14:26:15.472742 [**] [1:1:1] ICMP Ping [**] [Classification: (null)] [Priority: 3] {ICMP} 192.168.200.41:8 -> 192.168.200.42:0
07/16/2022-14:26:15.472799 [**] [1:1:1] ICMP Ping [**] [Classification: (null)] [Priority: 3] {ICMP} 192.168.200.42:0 -> 192.168.200.41:0
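The fast.log output above (and the curl test earlier in this guide) is easy to read by eye but awkward to aggregate. The following Python script is an added example written for this guide, not part of the page or of Suricata. It parses fast.log lines with a regular expression, classifies each alert as internal, inbound, outbound or external relative to the page's HOME_NET, treats the port positions of ICMP lines as ICMP type and code (8/0 is the echo request, 0/0 the reply, matching the icmp_type/icmp_code fields in the EVE record), and flags sids whose rules have no classtype, which is why the custom rule shows "Classification: (null)" and the default priority 3. IPv4 addresses are assumed; the sample input is the page's own four alert lines.

```python
import ipaddress
import re
from collections import Counter

# fast.log line layout (IPv4 addresses assumed):
# <ts> [**] [gid:sid:rev] <msg> [**] [Classification: <text>] [Priority: <n>] {<proto>} <src>:<port> -> <dst>:<port>
FAST_RE = re.compile(
    r'^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+'
    r'(?P<msg>.*?)\s+\[\*\*\]\s+\[Classification:\s+(?P<classification>.*?)\]\s+'
    r'\[Priority:\s+(?P<priority>\d+)\]\s+\{(?P<proto>\w+)\}\s+'
    r'(?P<src>[\d.]+):(?P<src_port>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dst_port>\d+)$'
)

# The page's HOME_NET value; change it to match your suricata.yaml.
HOME_NET = ipaddress.ip_network('192.168.200.0/24')

# Sample input: the four alert lines shown in the page's fast.log output.
SAMPLE_FAST_LOG = """\
07/16/2022-14:20:05.989638 [**] [1:2013028:7] ET POLICY curl User-Agent Outbound [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.200.42:55492 -> 143.204.89.32:80
07/16/2022-14:20:05.995861 [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 143.204.89.32:80 -> 192.168.200.42:55492
07/16/2022-14:26:15.472742 [**] [1:1:1] ICMP Ping [**] [Classification: (null)] [Priority: 3] {ICMP} 192.168.200.41:8 -> 192.168.200.42:0
07/16/2022-14:26:15.472799 [**] [1:1:1] ICMP Ping [**] [Classification: (null)] [Priority: 3] {ICMP} 192.168.200.42:0 -> 192.168.200.41:0
"""

def flow_direction(src, dst, home_net=HOME_NET):
    """Classify an alert relative to HOME_NET: internal, outbound, inbound or external."""
    src_home = ipaddress.ip_address(src) in home_net
    dst_home = ipaddress.ip_address(dst) in home_net
    if src_home and dst_home:
        return 'internal'
    if src_home:
        return 'outbound'
    if dst_home:
        return 'inbound'
    return 'external'

def parse_fast_line(line):
    """Return a dict for one fast.log alert line, or None if the line does not match."""
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    a = m.groupdict()
    for key in ('gid', 'sid', 'rev', 'priority', 'src_port', 'dst_port'):
        a[key] = int(a[key])
    if a['proto'] == 'ICMP':
        # For ICMP the two port positions carry the ICMP type and code
        # (8/0 is an echo request, 0/0 an echo reply), as in the page's output.
        a['icmp_type'], a['icmp_code'] = a.pop('src_port'), a.pop('dst_port')
    if a['classification'] == '(null)':
        # The rule carried no classtype, so Suricata logged no classification
        # and fell back to its default priority of 3.
        a['classification'] = None
    a['direction'] = flow_direction(a['src'], a['dst'])
    return a

def summarize(text):
    """Aggregate a fast.log excerpt: counts per signature and direction, the
    priority-1/2 alerts, and sids whose rules lack a classtype."""
    alerts = [a for a in map(parse_fast_line, text.splitlines()) if a]
    return {
        'total': len(alerts),
        'by_signature': Counter((a['sid'], a['msg']) for a in alerts),
        'by_direction': Counter(a['direction'] for a in alerts),
        'urgent': [a for a in alerts if a['priority'] <= 2],
        'unclassified_sids': sorted({a['sid'] for a in alerts if a['classification'] is None}),
    }

if __name__ == '__main__':
    report = summarize(SAMPLE_FAST_LOG)
    for (sid, msg), n in report['by_signature'].most_common():
        print(f"{n:4d}  sid {sid}  {msg}")
    print('direction:', dict(report['by_direction']))
    print('rules without classtype:', report['unclassified_sids'])
```

To run it over the live file, read /var/log/suricata/fast.log and pass its contents to summarize. The "unclassified_sids" list is the quickest way to spot local rules that should get a classtype so that their priority is meaningful alongside the downloaded rules.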
The EVE JSON log is easier to read with jq, so ensure it is installed on your system.
sudo dnf install jq
Then pipe the log through jq to select only the alert events.
$ sudo tail -f /var/log/suricata/eve.json | jq 'select(.event_type=="alert")'
{
  "timestamp": "2022-07-16T14:26:15.472799+0300",
  "flow_id": 744904638019238,
  "in_iface": "ens18",
  "event_type": "alert",
  "src_ip": "192.168.200.42",
  "src_port": 0,
  "dest_ip": "192.168.200.41",
  "dest_port": 0,
  "proto": "ICMP",
  "icmp_type": 0,
  "icmp_code": 0,
  "alert": {
    "action": "allowed",
    "gid": 1,
    "signature_id": 1,
    "rev": 1,
    "signature": "ICMP Ping",
    "category": "",
    "severity": 3
  },
  "flow": {
    "pkts_toserver": 1,
    "pkts_toclient": 1,
    "bytes_toserver": 98,
    "bytes_toclient": 98,
    "start": "2022-07-16T14:26:15.472742+0300"
  }
}
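The jq filter above does one thing: keep records whose event_type is "alert". The following Python script is an added example for this guide, not part of the page or of Suricata. It performs the same selection and then groups alerts by signature_id, recording the count, the worst severity, the distinct source addresses, and how many were blocked. In IDS mode every alert carries "action": "allowed", as in the record above; only a drop rule in IPS mode produces "blocked". It also skips the truncated line that tail -f hands over while Suricata is still writing it. The sample input is constructed: the page's ICMP alert compacted to one line, plus a hypothetical flow record, a hypothetical alert for the ET curl signature seen earlier in fast.log, and a deliberately cut-off line.

```python
import json
from collections import defaultdict

# Constructed eve.json sample (one JSON record per line, as Suricata writes it).
SAMPLE_EVE = '''
{"timestamp":"2022-07-16T14:26:15.472799+0300","flow_id":744904638019238,"in_iface":"ens18","event_type":"alert","src_ip":"192.168.200.42","src_port":0,"dest_ip":"192.168.200.41","dest_port":0,"proto":"ICMP","icmp_type":0,"icmp_code":0,"alert":{"action":"allowed","gid":1,"signature_id":1,"rev":1,"signature":"ICMP Ping","category":"","severity":3},"flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":98,"bytes_toclient":98,"start":"2022-07-16T14:26:15.472742+0300"}}
{"timestamp":"2022-07-16T14:26:20.000000+0300","flow_id":1,"in_iface":"ens18","event_type":"flow","src_ip":"192.168.200.42","src_port":55492,"dest_ip":"143.204.89.32","dest_port":80,"proto":"TCP"}
{"timestamp":"2022-07-16T14:20:05.989638+0300","flow_id":2,"in_iface":"ens18","event_type":"alert","src_ip":"192.168.200.42","src_port":55492,"dest_ip":"143.204.89.32","dest_port":80,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2013028,"rev":7,"signature":"ET POLICY curl User-Agent Outbound","category":"Attempted Information Leak","severity":2}}
{"timestamp":"2022-07-16T14:26:21.000000+0300","flow_id":3,"event_type":"alert","src_ip":"192.168.200.4
'''

def iter_events(lines, event_type=None):
    """Yield parsed EVE records, optionally only those of one event_type.
    Blank lines and lines that are not complete JSON (a record still being
    written when tail -f read it) are skipped rather than aborting the run."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if event_type is None or event.get('event_type') == event_type:
            yield event

def alert_summary(lines):
    """Group alert events by signature_id: count, worst (lowest) severity,
    number blocked, and the set of source IPs that triggered the signature."""
    summary = defaultdict(lambda: {'signature': None, 'count': 0,
                                   'severity': None, 'blocked': 0, 'sources': set()})
    for event in iter_events(lines, 'alert'):
        alert = event['alert']
        entry = summary[alert['signature_id']]
        entry['signature'] = alert['signature']
        entry['count'] += 1
        sev = alert['severity']
        entry['severity'] = sev if entry['severity'] is None else min(entry['severity'], sev)
        # "allowed" is what IDS mode logs; "blocked" appears only for drop rules in IPS mode.
        entry['blocked'] += 1 if alert.get('action') == 'blocked' else 0
        entry['sources'].add(event['src_ip'])
    return dict(summary)

if __name__ == '__main__':
    for sid, entry in sorted(alert_summary(SAMPLE_EVE.splitlines()).items()):
        print(f"sid {sid}: {entry['count']}x {entry['signature']!r} "
              f"severity {entry['severity']} blocked {entry['blocked']} "
              f"sources {sorted(entry['sources'])}")
```

For the live log, open /var/log/suricata/eve.json and pass the file object to alert_summary; because the file is read line by line, it works on a multi-gigabyte log without loading it into memory.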
Conclusion
Suricata is a high-performance, open-source IDS, IPS, and Network Security Monitoring (NSM) engine. In this guide, we have installed Suricata IDS/IPS on CentOS 9|AlmaLinux 9|RHEL 9 and created custom rules that identify traffic on the network and log it.