Suricata is a powerful open-source network analysis and threat detection software developed by the Open Information Security Foundation (OISF). Suricata can be used for various purposes, such as an intrusion detection system (IDS), intrusion prevention system (IPS), and network security monitoring engine.

Suricata uses a rule and signature language to detect and prevent threats on your networks. It is free, and it is used by organizations of every size, from small businesses to large enterprises.

In this tutorial, we will show you how to install Suricata on Debian 12 step by step. We will also show you how to configure Suricata and manage Suricata rule sets with the suricata-update utility.

Prerequisites

Before you continue, make sure you have the following:

  • A Debian 12 server.
  • A non-root user with sudo administrator privileges.

Installing Suricata

Suricata is a network security monitoring engine that can be used for both IDS (Intrusion Detection System) and IPS (Intrusion Prevention System). It can be installed on most Linux distributions. For Debian, Suricata is available in the Debian Backports repository.

First, run the following command to activate the backports repository for Debian Bookworm. The file is written through sudo tee rather than a plain "sudo echo ... > file", because the shell would open the redirection target as your unprivileged user and fail with a permission error.

echo "deb http://deb.debian.org/debian/ bookworm-backports main" | sudo tee /etc/apt/sources.list.d/bookworm-backports.sources.list

Then, update your package index with the following command.

sudo apt update


Once the repository is updated, install the suricata package with the following apt install command. Type y to confirm the installation.

sudo apt install suricata


Now that Suricata is installed, check the Suricata service with the following systemctl commands.

sudo systemctl is-enabled suricata
sudo systemctl status suricata

The output should confirm that the Suricata service is enabled and active (running) on your system.

You can also check the Suricata version by running the following command.

sudo suricata --build-info

In this example, you have installed Suricata 6.0 via the backports repository on your Debian machine.


Configure Suricata

After installing Suricata, you need to configure it to monitor your target network interface. To do this, first find the details of your network interfaces with the ip command utility. Then edit the Suricata configuration file /etc/suricata/suricata.yaml so that it monitors that interface.

Before configuring Suricata, check the default gateway for Internet access by running the following command.

ip -p -j route show default

In this example, the default Internet gateway for the server is interface eth0, and Suricata will monitor interface eth0.


Now open the default Suricata configuration /etc/suricata/suricata.yaml with the following nano editor command.

sudo nano /etc/suricata/suricata.yaml

Set the community-id option to true. It lives in the eve-log block of the outputs section; with it enabled, every flow record carries a Community ID hash that other tools (for example Zeek) compute the same way, which makes cross-tool correlation straightforward.

    # enable/disable the community id feature.
    community-id: true

In the HOME_NET variable, change the default network subnet to your subnet.

    # HOME_NET variable
    HOME_NET: "[192.168.10.0/24]"

In the af-packet section, enter the name of your network interface as follows.

af-packet:
    - interface: eth0

Then, in the detect-engine section, set rule-reload to true so that rule changes can be loaded into the running engine without a restart.

detect-engine:
  - rule-reload: true

Save and close the file when you are done.

Next, run the following command to make the running Suricata process reload its rule sets without being killed: it sends the USR2 signal, which Suricata treats as a rule reload request when rule-reload is enabled. The new af-packet interface is only picked up on a full restart, so follow it with the systemctl restart command.

sudo kill -USR2 $(pidof suricata)
sudo systemctl restart suricata

Finally, check Suricata with the following command.

sudo systemctl status suricata

The Suricata service should now run with the new settings.
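The following script is an added example for this tutorial (it is not part of the original page or of the Suricata project). It shows how to derive the capture interface from the output of ip route show default, suggest a HOME_NET value from the route's source address, and check that suricata.yaml contains the three settings changed above before restarting the service. The route line is a constructed sample; the /24 mask for HOME_NET is an assumption, and the config test relies on suricata -T, which loads the configuration and rules without starting capture.

```shell
#!/bin/sh
# Added example (not from the original tutorial or the Suricata project): derive
# the capture interface from `ip route show default` output and verify that
# suricata.yaml carries the settings changed above. SAMPLE_ROUTE is a constructed
# line; on a live host use the real output:  ip route show default
SAMPLE_ROUTE='default via 192.168.10.1 dev eth0 proto dhcp src 192.168.10.5 metric 100'

# Print the interface name that follows "dev" in one `ip route` line.
default_iface() {
    set -- $1                      # split the route line into words
    while [ $# -gt 1 ]; do
        [ "$1" = "dev" ] && { echo "$2"; return 0; }
        shift
    done
    return 1
}

# Suggest a HOME_NET value from the route's "src" address. Assumption: the
# monitored LAN is a /24; adjust the mask if yours differs.
homenet_from_src() {
    set -- $1
    while [ $# -gt 1 ]; do
        if [ "$1" = "src" ]; then
            echo "$2" | awk -F. '{ printf "[%s.%s.%s.0/24]\n", $1, $2, $3 }'
            return 0
        fi
        shift
    done
    return 1
}

# Return 0 only if the YAML file ($1) enables community-id, sets a bracketed
# HOME_NET and lists the expected af-packet interface ($2). These are line-based
# greps, so they only recognise settings written in the form shown above.
check_yaml() {
    grep -Eq '^[[:space:]]*community-id:[[:space:]]*true' "$1" &&
    grep -Eq '^[[:space:]]*HOME_NET:[[:space:]]*"\[[0-9./,]+\]"' "$1" &&
    grep -Eq "^[[:space:]]*-[[:space:]]*interface:[[:space:]]*$2\$" "$1"
}

IFACE=$(default_iface "$SAMPLE_ROUTE") || IFACE=unknown
echo "capture interface : $IFACE"
echo "suggested HOME_NET: $(homenet_from_src "$SAMPLE_ROUTE")"

CONF=/etc/suricata/suricata.yaml
if [ -r "$CONF" ]; then
    if check_yaml "$CONF" "$IFACE"; then
        echo "$CONF: expected settings present"
    else
        echo "$CONF: one or more settings missing"
    fi
    # suricata -T parses the configuration and every rule file and exits
    # non-zero on any error, without touching the capture interface.
    sudo suricata -T -c "$CONF" && echo "configuration test passed"
fi
```

Run it before the systemctl restart: a failing suricata -T points at the YAML or rule line that will otherwise make the service fail to start after the restart.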


Managing Suricata rule sets via Suricata-update

A rule set is a collection of signatures that detect malicious traffic on your monitored network interface. In the following section, you will download and manage Suricata rule sets with the suricata-update command line utility.

If you are installing Suricata for the first time, run the suricata-update command to download rulesets to your Suricata installation.

sudo suricata-update

In the output you should see that the ruleset “Emerging Threats Open” (et/open) has been downloaded and merged into the file /var/lib/suricata/rules/suricata.rules. You should also see a summary of the downloaded rules, e.g. a total of 45055 rules, of which 35177 are enabled.

Now reopen the suricata configuration /etc/suricata/suricata.yaml with the following nano editor command.

sudo nano /etc/suricata/suricata.yaml

Change the default rule path to /var/lib/suricata/rules as follows:

default-rule-path: /var/lib/suricata/rules

Save and close the file when you are done.

Then run the following command to restart the Suricata service and apply the changes. Afterwards, check if Suricata is really running.

sudo systemctl restart suricata
sudo systemctl status suricata

If everything runs fine, the status output shows the service as active (running).

You can also enable the et/open ruleset explicitly and check the list of enabled rule sources by running the following commands. suricata-update writes to /var/lib/suricata, so run it with sudo as a non-root user.

sudo suricata-update enable-source et/open
sudo suricata-update list-sources --enabled

You should see that the et/open rule set is enabled.


Below are some suricata-update commands you need to know for rule set management.

Update the suricata ruleset index with the following command.

sudo suricata-update update-sources

Check the list of available rule set sources in the index.

suricata-update list-sources


Now you can activate the suricata rule set with the following command. In this example you will activate the new rule set oisf/trafficid.

suricata-update enable-source oisf/trafficid

Next you will update the suricata rules again and restart the suricata service to apply the changes.

sudo suricata-update
sudo systemctl restart suricata


You can run the following command again to make sure that both rule sources are enabled.

sudo suricata-update list-sources --enabled

You can also disable a rule source with the following command (et/pro is used here as the example).

sudo suricata-update disable-source et/pro

If you want to remove the rule source entirely, use the following command.

sudo suricata-update remove-source et/pro

Test Suricata as IDS

The installation and configuration of Suricata as an IDS (Intrusion Detection System) is now complete. In the next step, you will test your Suricata IDS with signature ID 2100498 from ET/Open, a rule that exists specifically for testing.

You can check the signature ID 2100498 from the ET/Open rule set by running the following command.

grep 2100498 /var/lib/suricata/rules/suricata.rules

Signature 2100498 raises an alert when you access a file whose contents include “uid=0(root) gid=0(root) groups=0(root)”, i.e. the output of the id command run as root, so the content must pass over the monitored interface for the rule to match. The alert is written to the file /var/log/suricata/fast.log.

Use the following tail command to check the /var/log/suricata/fast.log log file.

tail -f /var/log/suricata/fast.log

Open a new terminal and connect to your Debian server. Then run the following command to test your Suricata installation.

curl http://testmynids.org/uid/index.html


If everything goes well, you should see the alert for signature 2100498 appear in /var/log/suricata/fast.log in the first terminal.

You can also check the json formatted logs in the file /var/log/suricata/eve.json.

First, install the jq tool by running the following apt command.

sudo apt install jq -y


Once jq is installed, check the log file /var/log/suricata/eve.json using the tail and jq commands.

sudo tail -f /var/log/suricata/eve.json | jq 'select(.event_type=="alert")'

You should see that the output is formatted as json.


Below are some other commands you can use to check the statistics.

sudo tail -f /var/log/suricata/eve.json | jq 'select(.event_type=="stats")|.stats.capture.kernel_packets'
sudo tail -f /var/log/suricata/eve.json | jq 'select(.event_type=="stats")'
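The following script is an added example for this tutorial (it is not part of the original page or of the Suricata project). It performs the same triage as the jq pipelines above, counting alerts, finding the most frequent signature ID, confirming that the 2100498 test signature fired, and reading the kernel_packets counter, using only grep, sed and awk, so it also works on a host where jq is not installed. The five eve.json lines are constructed samples in the eve.json shape; signature ID 1000001 is a placeholder local rule, and the stats values are made up.

```shell
#!/bin/sh
# Added example (not from the original tutorial or the Suricata project): triage
# eve.json with grep/sed/awk only. SAMPLE_EVE holds constructed sample records;
# sid 1000001 is a placeholder local rule. On a live host feed the real file:
#   sudo tail -n 1000 /var/log/suricata/eve.json | top_sid
SAMPLE_EVE='{"timestamp":"2024-01-15T10:21:04.123456+0000","event_type":"alert","src_ip":"203.0.113.10","dest_ip":"192.168.10.5","proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2100498,"rev":7,"signature":"GPL ATTACK_RESPONSE id check returned root","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2024-01-15T10:21:05.000001+0000","event_type":"flow","src_ip":"192.168.10.5","dest_ip":"203.0.113.10","proto":"TCP"}
{"timestamp":"2024-01-15T10:21:06.500000+0000","event_type":"alert","src_ip":"198.51.100.7","dest_ip":"192.168.10.5","proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":1000001,"rev":1,"signature":"LOCAL placeholder test rule","category":"Misc activity","severity":3}}
{"timestamp":"2024-01-15T10:21:08.000000+0000","event_type":"stats","stats":{"uptime":60,"capture":{"kernel_packets":1234,"kernel_drops":0}}}
{"timestamp":"2024-01-15T10:21:09.250000+0000","event_type":"alert","src_ip":"203.0.113.10","dest_ip":"192.168.10.5","proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2100498,"rev":7,"signature":"GPL ATTACK_RESPONSE id check returned root","category":"Potentially Bad Traffic","severity":2}}'

# Every helper reads eve.json records (one JSON object per line) on stdin,
# exactly like the jq pipelines above.

# Count records of one event_type ($1): alert, flow, stats, ...
count_events() {
    grep -c "\"event_type\":\"$1\"" || true   # grep -c exits 1 on zero matches; keep the 0
}

# Print the signature_id of every alert record, one per line.
alert_sids() {
    grep '"event_type":"alert"' | sed -n 's/.*"signature_id":\([0-9][0-9]*\).*/\1/p'
}

# Print the most frequent alert signature_id.
top_sid() {
    alert_sids | sort | uniq -c | sort -rn | awk 'NR == 1 { print $2 }'
}

# Exit 0 if the given signature_id ($1) fired at least once.
sid_fired() {
    alert_sids | grep -qx "$1"
}

# Print the kernel_packets counter from the most recent stats record.
kernel_packets() {
    grep '"event_type":"stats"' | tail -n 1 |
        sed -n 's/.*"kernel_packets":\([0-9][0-9]*\).*/\1/p'
}

echo "alerts        : $(printf '%s\n' "$SAMPLE_EVE" | count_events alert)"
echo "top sid       : $(printf '%s\n' "$SAMPLE_EVE" | top_sid)"
if printf '%s\n' "$SAMPLE_EVE" | sid_fired 2100498; then
    echo "ET/Open test signature 2100498 fired"
fi
echo "kernel packets: $(printf '%s\n' "$SAMPLE_EVE" | kernel_packets)"
```

A steadily rising kernel_drops value next to kernel_packets in the stats records means the capture thread cannot keep up, and alerts may be missed; that counter is worth checking whenever a test signature fails to fire.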

Conclusion

Congratulations on successfully installing Suricata as IDS (Intrusion Detection System) on the Debian 12 server. You have also monitored the network interface through Suricata and completed the basic use of the Suricata-update utility to manage rule sets. Finally, you tested Suricata as an IDS by reviewing the Suricata logs.