Differences between revisions 9 and 10
Revision 9 as of 2017-03-03 10:41:17 (comment: add documentation about hyperscan integration and the unix socket)
Revision 10 as of 2017-06-01 23:00:55 (only change: "automagically" corrected to "automatically" in the rule management section)

Introduction

Suricata is a free and open source, mature, fast and robust network threat detection engine. The Suricata engine is capable of real time intrusion detection (IDS), inline intrusion prevention (IPS), network security monitoring (NSM) and offline pcap processing. Suricata can act as a high-level content firewall.

Suricata inspects network traffic using a powerful and extensive rules and signature language, and has Lua scripting support for detection of complex threats. With standard input and output formats like YAML and JSON, integration with tools such as existing SIEMs, Splunk, Logstash/Elasticsearch, Kibana and other databases becomes straightforward.

Debian & Suricata

The suricata software is well integrated into Debian.

Installing the deb package from the official Debian repository will give you a suricata ready for use.

Versions

Currently, suricata packages are updated very quickly after the upstream release.

You can check the following links for up-to-date information about the versions of suricata:

Due to the nature of the suricata software, which in some ways can be compared with anti-virus software, regular updates are required in order to stay useful: both the ruleset and the engine itself age, since newer rules rely on keywords and protocol parsers that older engine versions do not understand.

Installation

To use the most up-to-date version of suricata in Debian, you will require either:

  • run Debian Stable with backports enabled (currently jessie and jessie-backports)
  • run Debian Testing (currently stretch)

In the case of stable backports, run:

root@debian:~# aptitude install suricata -t jessie-backports

In the case of debian testing, run:

root@debian:~# aptitude install suricata -t testing

The aptitude software will take care of installing dependencies, and will install some additional recommended software, like suricata-oinkmaster and snort-rules-default.

Some interesting paths related to suricata:

/etc/suricata/
/etc/suricata/suricata.yaml
/etc/suricata/rules/
/etc/logrotate.d/suricata
/etc/default/suricata
/etc/init.d/suricata
/var/log/suricata/
/lib/systemd/system/suricata.service

You should now also have two manpages installed:

  • suricata(8)
  • suricatasc(1)

Features

Suricata has a lot of build-time features, and some are enabled by default in Debian.

To check them, run suricata --build-info; the most important part of the output follows:

Suricata Configuration:
  AF_PACKET support:                       yes
  PF_RING support:                         no
  NFQueue support:                         yes
  NFLOG support:                           yes
  IPFW support:                            no
  Netmap support:                          no
  DAG enabled:                             no
  Napatech enabled:                        no

  Unix socket enabled:                     yes
  Detection enabled:                       yes

  libnss support:                          yes
  libnspr support:                         yes
  libjansson support:                      yes
  hiredis support:                         yes
  Prelude support:                         yes
  PCRE jit:                                yes
  LUA support:                             no
  libluajit:                               yes
  libgeoip:                                yes
  Non-bundled htp:                         no
  Old barnyard2 support:                   no
  CUDA enabled:                            no
  Hyperscan support:                       yes
  Libnet support:                          yes

Some features are architecture-specific, like the Hyperscan support, which is only available on amd64 (x86-64) CPUs.

About the unix socket

In Debian, the suricata unix socket is by default at /var/run/suricata-command.socket. This path is used by other tools, like suricatasc, which in turn is used elsewhere in the system (for example, by the default suricata systemd service). Keep in mind that whoever can connect to this socket can reload the ruleset or shut the engine down, so its permissions deserve the same care as the configuration files.
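To see what actually crosses that socket, here is an added example client, not code from the Debian page nor from Suricata itself, that speaks the same JSON protocol as the suricatasc tool: a version handshake first, then one JSON request per command, each answered with a return/message object. The protocol version string "0.1", the stand-in engine and its canned replies are assumptions made so that the demo runs offline; point SuricataSocket at /var/run/suricata-command.socket (as root) to talk to a real engine.

```python
"""Minimal client for the Suricata unix command socket.

Added example, not code from the Debian page or from Suricata. It follows
the JSON protocol used by suricatasc: the client opens with
{"version": "0.1"}, the engine answers {"return": "OK"} (or "NOK"), and
each later request {"command": ..., "arguments": ...} is answered by
{"return": "OK"|"NOK", "message": ...}. The version string "0.1" is an
assumption; the stand-in engine and its replies are constructed.
"""
import json
import os
import socket
import tempfile
import threading

DEFAULT_SOCKET = "/var/run/suricata-command.socket"  # Debian default, per the page
PROTOCOL_VERSION = "0.1"  # assumption: protocol version the engine expects


class SuricataSocket:
    """Tiny counterpart of suricatasc's connection handling."""

    def __init__(self, path=DEFAULT_SOCKET, timeout=10.0):
        self.path = path
        self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self.sock.settimeout(timeout)

    def _send_json(self, obj):
        # Messages are bare JSON objects: no length prefix, no newline delimiter.
        self.sock.sendall(json.dumps(obj).encode("utf-8"))

    def _recv_json(self):
        # The reply is undelimited too, so accumulate until the buffer parses.
        buf = b""
        while True:
            chunk = self.sock.recv(4096)
            if not chunk:
                raise ConnectionError("engine closed the socket")
            buf += chunk
            try:
                return json.loads(buf.decode("utf-8"))
            except ValueError:
                continue  # partial object, keep reading

    def connect(self):
        self.sock.connect(self.path)
        self._send_json({"version": PROTOCOL_VERSION})
        reply = self._recv_json()
        if reply.get("return") != "OK":
            raise ConnectionError("protocol version rejected: %r" % (reply,))
        return reply

    def command(self, name, arguments=None):
        """Send one command and return the engine's parsed reply."""
        msg = {"command": name}
        if arguments is not None:
            msg["arguments"] = arguments
        self._send_json(msg)
        return self._recv_json()

    def close(self):
        self.sock.close()


# Constructed stand-in for the engine (not Suricata): answers a few commands
# in the real engine's return/message shape and says NOK to anything else.
FAKE_REPLIES = {
    "version": {"message": "3.2.1", "return": "OK"},
    "uptime": {"message": 4242, "return": "OK"},
    "reload-rules": {"message": "done", "return": "OK"},
}


def fake_engine(path, ready):
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as srv:
        srv.bind(path)
        srv.listen(1)
        ready.set()
        conn, _ = srv.accept()
        with conn:
            hello = json.loads(conn.recv(4096).decode("utf-8"))
            if hello.get("version") != PROTOCOL_VERSION:
                conn.sendall(b'{"return": "NOK"}')
                return
            conn.sendall(b'{"return": "OK"}')
            while True:
                data = conn.recv(4096)
                if not data:  # client hung up
                    break
                req = json.loads(data.decode("utf-8"))
                reply = FAKE_REPLIES.get(req.get("command"),
                                         {"message": "Unknown command", "return": "NOK"})
                conn.sendall(json.dumps(reply).encode("utf-8"))


def run_demo():
    """Drive the client against the stand-in engine; returns {command: reply}."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "suricata-command.socket")
        ready = threading.Event()
        server = threading.Thread(target=fake_engine, args=(path, ready), daemon=True)
        server.start()
        ready.wait(5)
        client = SuricataSocket(path)
        client.connect()
        try:
            replies = {c: client.command(c)
                       for c in ("version", "uptime", "reload-rules", "bogus")}
        finally:
            client.close()
        server.join(5)
    return replies


if __name__ == "__main__":
    for cmd, reply in run_demo().items():
        print("%-13s -> %s" % (cmd, json.dumps(reply)))
```

The stand-in only mirrors the message shape, not the engine's real command set; against a live engine the same client class works unchanged, and "bogus" shows how an unknown command is reported rather than silently ignored.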

About Hyperscan

Hyperscan is enabled starting with suricata 3.2-2 (3.2-2~exp1 actually). However, in that version there were 2 binary packages: suricata and suricata-hyperscan, the last being the one including the hyperscan support.

Starting with suricata 3.2.1-1~exp2 this split approach was left behind. Now there is only a binary package 'suricata' which includes the hyperscan support by default.

Please note that running suricata with Hyperscan is bound by Hyperscan's own requirement of a compatible CPU. Recent suricata versions decide at runtime whether Hyperscan can be used or a fallback multi-pattern matcher should be selected (see the mpm-algo setting in suricata.yaml).
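The following added example (mine, not code from Suricata or the Debian package) parses the build-info output shown above into a feature map and combines it with the host's CPU flags to tell whether Hyperscan will actually be usable on this machine. The sample text is the page's own output; the SSSE3 requirement is Hyperscan's documented x86-64 baseline and the only assumption beyond the page.

```python
"""Parse `suricata --build-info` output and decide whether Hyperscan is usable.

Added example, not part of the Debian page or of Suricata. The build-info
format (a "Suricata Configuration:" header followed by "name: yes|no"
lines) is the one the page shows; SAMPLE_BUILD_INFO is copied from it.
The CPU check assumes Hyperscan's documented x86-64 baseline (SSSE3).
"""
import re
import shutil
import subprocess

# Constructed sample: the page's own --build-info excerpt, shortened.
SAMPLE_BUILD_INFO = """\
Suricata Configuration:
  AF_PACKET support:                       yes
  PF_RING support:                         no
  NFQueue support:                         yes
  Unix socket enabled:                     yes
  LUA support:                             no
  libluajit:                               yes
  Hyperscan support:                       yes
"""

_LINE = re.compile(r"^\s*(?P<name>[^:]+?):\s+(?P<value>yes|no)\s*$")


def parse_build_info(text):
    """Return {feature_name: bool} for every 'name: yes|no' line."""
    features = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            features[m.group("name")] = m.group("value") == "yes"
    return features


def cpu_flags(cpuinfo_text):
    """Extract the flag set from /proc/cpuinfo-style text (first 'flags' line)."""
    for line in cpuinfo_text.splitlines():
        if line.startswith("flags"):
            return set(line.split(":", 1)[1].split())
    return set()


def hyperscan_usable(features, flags):
    """Both the build-time feature and an SSSE3-capable CPU are needed (assumption: SSSE3 floor)."""
    return features.get("Hyperscan support", False) and "ssse3" in flags


def live_build_info():
    """Run the installed binary if present; otherwise fall back to the page's sample."""
    exe = shutil.which("suricata")
    if exe is None:
        return SAMPLE_BUILD_INFO
    return subprocess.run([exe, "--build-info"], capture_output=True,
                          text=True, check=False).stdout


if __name__ == "__main__":
    feats = parse_build_info(live_build_info())
    try:
        with open("/proc/cpuinfo") as fh:
            flags = cpu_flags(fh.read())
    except OSError:
        flags = set()
    for name in ("AF_PACKET support", "Unix socket enabled", "LUA support", "Hyperscan support"):
        print("%-24s %s" % (name, "yes" if feats.get(name) else "no"))
    print("Hyperscan usable on this host:", hyperscan_usable(feats, flags))
```

Run it on a box with suricata installed and it inspects the real binary; without one it falls back to the sample, which is what the assertions below exercise.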

Suricata running configuration

By Debian default, suricata is configured to run this way:

  • AF_PACKET capturing mode
  • listening on the eth0 interface
  • a very basic set of rules

If that configuration matches your environment and requirements, your suricata installation is already capturing packets and producing output to several files under /var/log/suricata.

In Debian, suricata can run out of the box with systemd and sysvinit.

To adapt suricata to your environment, follow these steps:

  • Edit the /etc/suricata/suricata.yaml file (main suricata config file).

  • If running systemd, override the service with systemctl edit suricata.service; this creates a drop-in under /etc/systemd/system/suricata.service.d/ instead of modifying the packaged unit, so your changes survive package upgrades.

  • If running sysvinit, tune /etc/default/suricata.

Whichever init system you use, validate the edited configuration before restarting the service: suricata -T -c /etc/suricata/suricata.yaml parses the configuration and the rules without starting capture, so a typo is caught before it takes the sensor down.

Rule management

One of the main benefits of running suricata on Debian is the integration with oinkmaster, which eases the administrator's life by updating the Emerging Threats ruleset daily.

To benefit from this integration, you require a package called suricata-oinkmaster. If this package is not installed already, install it with aptitude.

Some files to take into account regarding suricata-oinkmaster:

/etc/cron.daily/suricata-oinkmaster
/etc/suricata/suricata-oinkmaster.conf
/usr/sbin/suricata-oinkmaster-updater

The /etc/suricata/suricata-oinkmaster.conf file is an oinkmaster configuration file which simply instructs it to update the Emerging Threats ruleset. After the ruleset update, suricata reloads the ruleset.

All of this happens automatically by means of the suricata-oinkmaster-updater script, which of course you can run at any moment apart from the daily cron.

Additional resources

Starting with suricata 3.2beta1, the official versioned documentation can be found at:


CategorySystemSecurity