Suricata is a free and open source, mature, fast and robust network threat detection engine. The Suricata engine is capable of real time intrusion detection (IDS), inline intrusion prevention (IPS), network security monitoring (NSM) and offline pcap processing. Suricata can act as a high-level content firewall.
Suricata inspects network traffic using a powerful and extensive rules and signature language, and has powerful Lua scripting support for the detection of complex threats. With standard input and output formats like YAML and JSON, integration with existing SIEMs, Splunk, Logstash/Elasticsearch, Kibana and other databases becomes effortless.
Debian & Suricata
The suricata software is well integrated into Debian.
Installing the deb package from the official Debian repository will give you a suricata ready for use.
Currently, suricata packages are updated very quickly after the upstream release.
You can check the following link yourself to obtain up-to-date information about the available versions of suricata:
Debian package tracker: https://tracker.debian.org/pkg/suricata
Due to the nature of the suricata software, which in some ways can be compared with anti-virus software, regular updates are required in order for it to stay useful.
To use the most up-to-date version of suricata in Debian, you will need to either:
- run Debian Stable with backports enabled (currently stretch and stretch-backports)
- run Debian Testing (currently buster)
In the case of stable backports, run:
root@debian:~# aptitude install suricata -t stretch-backports
In the case of debian testing, run:
root@debian:~# aptitude install suricata -t testing
The aptitude software will take care of installing dependencies, and will also install some additional recommended software, like suricata-oinkmaster and snort-rules-default.
Some interesting paths related to suricata:
/etc/suricata/
/etc/suricata/suricata.yaml
/etc/suricata/rules/
/etc/logrotate.d/suricata
/etc/default/suricata
/etc/init.d/suricata
/var/log/suricata/
/lib/systemd/system/suricata.service
You should now have 2 manpages installed as well:
Suricata has a lot of build-time features, and some are enabled by default in Debian.
To check them, run suricata --build-info; the most important part of the output follows:
Suricata Configuration:
  AF_PACKET support:                       yes
  PF_RING support:                         no
  NFQueue support:                         yes
  NFLOG support:                           yes
  IPFW support:                            no
  Netmap support:                          no
  DAG enabled:                             no
  Napatech enabled:                        no
  Unix socket enabled:                     yes
  Detection enabled:                       yes
  libnss support:                          yes
  libnspr support:                         yes
  libjansson support:                      yes
  hiredis support:                         yes
  Prelude support:                         yes
  PCRE jit:                                yes
  LUA support:                             no
  libluajit:                               yes
  libgeoip:                                yes
  Non-bundled htp:                         no
  Old barnyard2 support:                   no
  CUDA enabled:                            no
  Hyperscan support:                       yes
  Libnet support:                          yes
Some features are architecture-specific, like Hyperscan support, which is only available for Intel 64-bit CPUs.
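The feature list above is meant to be read by a human, but it is also easy to check from a script, for example from a deployment check that refuses to enable an AF_PACKET or NFQueue configuration on a host whose suricata binary was built without it. The following shell snippet is an added example, not part of the Debian wiki page or of the suricata package: it parses the "Suricata Configuration:" section in the format shown above (the sample text embedded in it is constructed for offline use; on a real host it would be replaced by the output of suricata --build-info).

```sh
#!/bin/sh
# Added example (not from the Debian wiki page or the suricata package):
# read the build-time feature list of a suricata binary from the output of
# `suricata --build-info`, whose "Feature name:  yes/no" line format is
# shown on the page. The sample text below is constructed for offline use.

# Print the value ("yes"/"no") of one feature line from build-info text on stdin,
# or "unknown" when the feature line is absent (e.g. an older suricata).
# Usage: printf '%s\n' "$info" | feature_value "Hyperscan support"
feature_value() {
    awk -v key="$1" -F': *' '
        { sub(/^[ \t]+/, "", $1) }
        $1 == key { v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v); print v; found = 1; exit }
        END { if (!found) print "unknown" }'
}

# Return 0 when the named feature is reported as "yes" in the given text, 1 otherwise.
feature_enabled() {
    [ "$(printf '%s\n' "$1" | feature_value "$2")" = "yes" ]
}

# Constructed sample resembling the 'Suricata Configuration:' section of
# `suricata --build-info` on a Debian amd64 system (not a real capture).
SAMPLE_BUILD_INFO='Suricata Configuration:
  AF_PACKET support:                       yes
  PF_RING support:                         no
  NFQueue support:                         yes
  Unix socket enabled:                     yes
  Hyperscan support:                       yes
  LUA support:                             no
  libluajit:                               yes'

# Report the capture and acceleration features an administrator usually cares about.
report_features() {
    for feature in "AF_PACKET support" "NFQueue support" "Hyperscan support" "Unix socket enabled"; do
        if feature_enabled "$1" "$feature"; then
            printf '%-22s enabled\n' "$feature"
        else
            printf '%-22s MISSING\n' "$feature"
        fi
    done
}

# On a real system: report_features "$(suricata --build-info)"
report_features "$SAMPLE_BUILD_INFO"
```

Because feature_enabled returns a plain exit status, it can be used directly in a service pre-start check, for instance to abort with a clear message instead of letting suricata fail at startup when the configured capture mode is not compiled in.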
about unix socket
In Debian, the suricata unix socket is located by default at /var/run/suricata-command.socket. This socket is used by other tools, like suricatasc, which in turn is used in other parts of the system (for example, by the default suricata systemd service).
Hyperscan is enabled starting with suricata 3.2-2 (3.2-2~exp1 actually). However, in that version there were 2 binary packages: suricata and suricata-hyperscan, the latter being the one including Hyperscan support.
Starting with suricata 3.2.1-1~exp2 this split approach was abandoned. Now there is only one binary package, 'suricata', which includes Hyperscan support by default.
Please note that running suricata with Hyperscan is bound by the Hyperscan requirements: a compatible CPU. The latest version of suricata decides at runtime whether Hyperscan is available or a fallback method should be used.
Suricata running configuration
By default in Debian, suricata is configured to run this way:
- AF_PACKET capturing mode
- listening on the eth0 interface
- a very basic set of rules
If that configuration matches your environment and requirements, congratulations: your suricata installation is already capturing packets and producing output in several files under /var/log/suricata.
In Debian, suricata can run out of the box with systemd and sysvinit.
The following steps are recommended in order to adapt suricata to your environment:
Edit the /etc/suricata/suricata.yaml file (main suricata config file).
If running systemd, change the service file with systemctl edit suricata.service.
If running sysvinit, tune /etc/default/suricata.
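A mistake in /etc/default/suricata (for example a capture mode that does not match the interface or queue settings) only shows up when the init script starts suricata, so a small pre-flight check before restarting the service is useful. The script below is an added example and not part of the Debian wiki page or of the suricata package; it assumes the defaults file uses the variable names RUN, LISTENMODE, IFACE and NFQUEUE, and the sample files it checks are constructed in a temporary directory rather than read from /etc.

```sh
#!/bin/sh
# Added example (not part of the Debian wiki page or the suricata package):
# a pre-flight check for the sysvinit defaults file /etc/default/suricata
# before (re)starting the service. The variable names RUN, LISTENMODE, IFACE
# and NFQUEUE are assumed to match the Debian defaults file; adjust them if
# your version of the file differs.

# Validate one defaults file. Prints the problems found; returns 0 when clean.
check_suricata_defaults() {
    _f="$1"
    [ -r "$_f" ] || { echo "cannot read $_f"; return 1; }
    # Source the file in a subshell so its variables cannot leak into this script.
    (
        RUN=; LISTENMODE=; IFACE=; NFQUEUE=
        . "$_f"
        _errs=0
        case "$RUN" in
            yes) ;;
            *) echo "RUN is '$RUN' (the init script will not start suricata until RUN=yes)"
               _errs=$((_errs+1)) ;;
        esac
        case "$LISTENMODE" in
            af-packet|pcap)
                [ -n "$IFACE" ] || { echo "LISTENMODE=$LISTENMODE requires IFACE to be set"; _errs=$((_errs+1)); } ;;
            nfqueue)
                case "$NFQUEUE" in
                    ''|*[!0-9]*) echo "LISTENMODE=nfqueue requires a numeric NFQUEUE (got '$NFQUEUE')"
                                 _errs=$((_errs+1)) ;;
                esac ;;
            *) echo "unknown LISTENMODE '$LISTENMODE' (expected af-packet, pcap or nfqueue)"
               _errs=$((_errs+1)) ;;
        esac
        [ "$_errs" -eq 0 ]
    )
}

# Constructed sample files, written to a temporary directory rather than /etc.
TMPD=$(mktemp -d)
trap 'rm -rf "$TMPD"' EXIT
cat > "$TMPD/good" <<'EOF'
RUN=yes
LISTENMODE=af-packet
IFACE=eth0
EOF
cat > "$TMPD/bad" <<'EOF'
RUN=yes
LISTENMODE=nfqueue
NFQUEUE=q0
EOF

if check_suricata_defaults "$TMPD/good"; then echo "good: OK"; fi
if check_suricata_defaults "$TMPD/bad"; then echo "bad: OK"; else echo "bad: problems found"; fi
# On a real system: check_suricata_defaults /etc/default/suricata
```

The checks mirror what the init script needs from the file: a packet-capture mode needs an interface name, and the NFQueue mode needs a queue number, so the script flags exactly the combinations that would make suricata exit right after being started.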
One of the main benefits of running suricata on Debian is the integration with oinkmaster, which eases the administrator's life by updating the Emerging Threats ruleset daily.
To benefit from this integration, you need a package called suricata-oinkmaster. If this package is not installed already, install it with aptitude.
Some files to take into account regarding suricata-oinkmaster:
/etc/cron.daily/suricata-oinkmaster
/etc/suricata/suricata-oinkmaster.conf
/usr/sbin/suricata-oinkmaster-updater
The /etc/suricata/suricata-oinkmaster.conf file is an oinkmaster configuration file which simply instructs it to update the Emerging Threats ruleset. After the ruleset update, suricata reloads the ruleset.
All of this happens automatically by means of the suricata-oinkmaster-updater script, which of course you can also run at any moment apart from the daily cron job.
Starting with suricata 3.2beta1, the official versioned documentation can be found at: