Introduction to Suricata
Suricata is a free and open source, mature, fast and robust network threat detection engine [1]. It analyzes all traffic in the firewall and searches for known attacks and anomalies. It was developed by the Open Information Security Foundation (OISF). The source code of the product can be accessed via the following Github address;
https://github.com/OISF/suricata
Step 1 - Installing Suricata in Ubuntu 18.04
Rather than installing from source, we will use Personal Package Archives (PPA) for updating and installation the latest stable Suricata. This process can be simplified by using the Suricata Ubuntu packages [2].
sudo apt-get install software-properties-common
sudo add-apt-repository ppa:oisf/suricata-stable
sudo apt-get update
Then you can install the latest stable Suricata with:
sudo apt-get install suricata
or for the Suricata package with build in (enabled) debugging!
sudo apt-get install suricata-dbg
If you are having trouble implementing the code blocks, you can also follow the video below:
Step 2 - Initial Configuration
At the end of the installation, we can see the Suricata rules under this path: /etc/suricata/rules/ . In the next step, we will try to get the rules with Emerging Threats that is a repository for Snort and Suricata rules [3].
wget http://rules.emergingthreats.net/open/suricata/emerging.rules.tar.gz
tar zxvf emerging.rules.tar.gz
sudo mkdir /var/lib/suricata/
sudo mv rules /var/lib/suricata/
We also need to check and edit the /etc/suricata/suricata.yaml file for additional configuration. Make sure every variable of the vars, address-groups and port-groups in the yaml file is set correctly for your needs. You need to set the ip-address(es) of your local network at HOME_NET. It is recommended to set EXTERNAL_NET to !$HOME_NET. This way, every ip-address but the one set at HOME_NET will be treated as external [4].
sudo nano /etc/suricata/suricata.yaml
Change the following lines:
HOME_NET: "your machine's ip address, for example mine is 192.168.56.0/24"
EXTERNAL_NET: "!$HOME_NET"
Also, we will enable our rules of choice. For this purposes we will define the /var/lib/suricata/rules/emerging-exploit.rules . We will make this change on /etc/suricata/suricata.yaml file.
default-rule-path: /var/lib/suricata/rules
rule-files:
- emerging-exploit.rules
You can also see a detailed explanation by using the video below:
Step 3 – Implementing rules for the DDoS Attack
Any request from external networks will not match the IP address that home networks have and that we define. Therefore Suricata will describe this as an attack. For this purpose, we will try to understand how Suricata gives an alert on a possible SYN flood or DDoS. Therefore, in order to realize this scenario, we need to create our test rule as shown below [5];
sudo nano /etc/suricata/rules/test-ddos.rules
alert tcp any any -> $HOME_NET 80 (msg: "Possible DDoS attack"; flags: S; flow: stateless; threshold: type both, track by_dst, count 200, seconds 1; sid:1000001; rev:1;)
Then, we need to configure Suricata to include this rule. So, we also need to edit the Suricata configuration file and add the rules file under the rule-files: section.
sudo nano /etc/suricata/suricata.yaml
rule-files:
- botcc.rules
- ciarmy.rules
...
# - Custom Test rules
- test-ddos.rules
You can also see a detailed explanation by using the video below:
Step 4 - Testing Suricata Against DDoS Attack
And now, our environment is ready to perform the tests, however; before we can proceed with it, we need to disable packet offload features on the network interface on which Suricata is listening [6].
ethtool -K enp0s3 gro off lro off
Instead of enp0s3, you can include the network card of your preference. It belongs to my preference for my network card. If you are warned as Cannot change large-receive-offload, it means that your interface doesn’t support this feature and it is safe to ignore it. However, you can verify this by running the command below;
ethtool -k enp0s3 | grep large
large-receive-offload: off [fixed]
Then, fire Suricata in PCAP lives mode by executing the command below.
suricata -D -c /etc/suricata/suricata.yaml -i enp0s3
Finally, we will perform a simple DDoS attack test against our Suricata host from a different host. We can use many tools such as hping3 or nmap for this.The aim is to generate heavy traffic in a way that the target machine cannot meet the service demand. For hping3:
hping3 -S -p 80 --flood --rand-source 192.168.56.1
For nmap:
nmap --script dos -Pn 192.168.56.1
While the DDoS attack test against the Suricata server is running, we can observe the alert logs and check what is happening with the following command on the Suricata server;
tail -f /var/log/suricata/fast.log
17/05/2021-22:13:20.572970 [**] [1:1000001:1] Possible DDoS attack [**] [Classification: (null)] [Priority: 3] {TCP} 158.196.226.203:49876 -> 192.168.56.1:80
17/05/2021-22:13:21.084437 [**] [1:1000001:1] Possible DDoS attack [**] [Classification: (null)] [Priority: 3] {TCP} 158.196.226.203:51622 -> 192.168.56.1:80
17/05/2021-22:13:22.106880 [**] [1:1000001:1] Possible DDoS attack [**] [Classification: (null)] [Priority: 3] {TCP} 158.196.226.203:54296 -> 192.168.56.1:80
You can also read more about Suricata on their documentation page. Thanks for reading:)
References
- [1] https://suricata-ids.org/
- [2] https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Ubuntu_Installation_-Personal_Package_Archives(PPA)
- [3] https://hackertarget.com/install-suricata-ubuntu-5-minutes/
- [4] https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Basic_Setup
- [5] https://kifarunix.com/install-and-setup-suricata-on-ubuntu-18-04/
- [6] https://www.atlantic.net/vps-hosting/how-to-install-and-setup-suricata-ids-on-ubuntu-20-04/
- [7] https://suricata.readthedocs.io/en/suricata-4.1.0/