Installing Suricata on Ubuntu and FreeBSD

In an earlier post I showed a dashboard built with Sumo Logic using the output of Suricata, an IDS/IDP system. This post uses v3.0 and I have never used any earlier versions.

One item of note: Suricata is pretty heavy on memory usage. With detect-engine set to medium and ~25K rules loaded, it uses 400+ MiB on FreeBSD (I have seen this as high as 2 GiB and I think there is a memory leak – I am researching) and ~450 MiB on Ubuntu (very stable usage). Changing the setting to low reduces memory usage to ~270 MiB on FreeBSD and ~370 MiB on Ubuntu.

Suricata is easily installed on both Ubuntu and FreeBSD and I’ll explain the steps below for the basic installation and configuration.

For Ubuntu:

add-apt-repository ppa:oisf/suricata-stable
apt-get update
apt-get install suricata
apt-get install oinkmaster

For FreeBSD:

portsnap fetch update
pkg install suricata
pkg install oinkmaster

Ubuntu installs the Suricata configuration files in /etc/suricata while FreeBSD installs them into /usr/local/etc/suricata, though otherwise the basic configuration is about the same out of the box.

Both UNIX-like systems write logs to /var/log/suricata, and if you use my configuration files (downloadable below) you’ll have things broken apart into separate logs. This will become more useful for Sumo Logic reporting and alerting later on.

Ubuntu installs the Oinkmaster configuration file in /etc/oinkmaster.conf while FreeBSD installs the file into /usr/local/etc/oinkmaster.conf, and both need a single line added for Suricata. This tells Oinkmaster where to download the Emerging Threats rule files.

url = http://rules.emergingthreats.net/open/suricata/emerging.rules.tar.gz
# have not researched enough yet
# url = https://www.snort.org/rules/community
# requires registration
# url = https://www.snort.org/rules/snortrules-snapshot-DDDD.tar.gz?oinkcode=<oinkcode>

You can then add a cron job to run this regularly, for example twice a day at 51 minutes past the hour.

51 */12 * * * root /root/scripts/run-oinkmaster-ubuntu.sh

The script it calls:

#!/bin/sh

cd /etc

# Download the rulesets and write the processed rules for Suricata
/usr/sbin/oinkmaster -Q -C /etc/oinkmaster.conf -o /etc/suricata/rules

sleep 5

# Signal Suricata to reload its rules
kill -USR2 `cat /var/run/suricata.pid`

Adjust the script as required for FreeBSD of course.

Wait, what’s Oinkmaster?

Good question! It’s a basic rule management system for systems like Snort or Suricata. It downloads rulesets and modifies them based on a configuration you choose. At the bottom of this post I have added a hint that modifies a set of rules to do prevention instead of detection.

Out of the box, Suricata will log everything set to alert by the rules files (stored in the ./rules directory of each installation) that are added to the suricata.yaml configuration.

The configuration file is well documented, though by default it doesn’t have all the Emerging Threats rules referenced above. This is easily remedied by editing the configuration for Suricata and either sending a USR2 signal to the process or restarting the process completely. You can download my configuration files for Ubuntu and FreeBSD. Download and review!

The basics of adding rules to your configuration look like this:

rule-files:
 - app-layer-events.rules
 - botcc.portgrouped.rules
 - botcc.rules
 - ciarmy.rules
 - compromised.rules
 - decoder-events.rules
 - dns-events.rules
 - drop.rules
 - dshield.rules
 - emerging-activex.rules
 - emerging-attack_response.rules
 # disabled cause I don't worry about chat
 # - emerging-chat.rules
 - emerging-current_events.rules
 - emerging-dns.rules
...continued for 30 more lines...

Note: empty rules files generate errors! If a rule file is empty or has all lines commented out then you should not add it to your rule-files stanza in the configuration file.

Also, only include rulesets you care about or wish to later act upon. For my basic setup I want to see everything, but for production I would turn off many of these rules as extraneous or just outright not useful.
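One way to catch the empty-rule-file problem noted above before reloading: the script below reads the rule-files stanza and reports entries whose file is missing, empty or entirely commented out. It is an added example, not part of the original post; the function names and the sample files built in demo are constructed for illustration.

```shell
#!/bin/sh
# Added example: report rule files named in suricata.yaml that would load no rules.
# Usage: sh check-rule-files.sh /etc/suricata/suricata.yaml /etc/suricata/rules

# Print the names listed under the rule-files: stanza, skipping entries that
# are commented out (for example "# - emerging-chat.rules").
listed_rule_files() {
    awk '
        /^rule-files:/ { in_list = 1; next }
        in_list && /^[^ \t#]/ { in_list = 0 }    # next top-level key ends the stanza
        in_list && /^[ \t]*-/ {
            sub(/^[ \t]*-[ \t]*/, ""); sub(/#.*/, ""); sub(/[ \t]+$/, "")
            if ($0 != "") print
        }
    ' "$1"
}

# True when the file is empty or every line is blank or a comment.
has_no_rules() {
    [ ! -s "$1" ] || ! grep -Eqv '^[[:space:]]*(#.*)?$' "$1"
}

# Print "missing NAME" or "empty NAME" for each problem entry.
empty_rule_files() {
    listed_rule_files "$1" | while IFS= read -r name; do
        if [ ! -e "$2/$name" ]; then echo "missing $name"
        elif has_no_rules "$2/$name"; then echo "empty $name"
        fi
    done
}

# Constructed sample: one real rule file, one all-comment file, one absent file.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'rule-files:' ' - botcc.rules' ' # - emerging-chat.rules' \
        ' - emerging-dns.rules' ' - drop.rules' 'classification-file: x' > "$d/suricata.yaml"
    echo 'alert ip any any -> any any (msg:"constructed"; sid:1; rev:1;)' > "$d/botcc.rules"
    printf '# all rules disabled\n\n' > "$d/emerging-dns.rules"
    empty_rule_files "$d/suricata.yaml" "$d"
    rm -rf "$d"
}

if [ $# -eq 2 ]; then empty_rule_files "$1" "$2"; else demo; fi
```

Run it after each Oinkmaster update and before sending USR2; any line of output names an entry to remove from, or comment out of, the rule-files stanza.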

Last hint for this post – change the rules by adding the following to the end of your compromised.rules file.

modifysid 2500000 "alert" | "reject"
modifysid 2500002 "alert" | "reject"
modifysid 2500004 "alert" | "reject"
modifysid 2500006 "alert" | "reject"
modifysid 2500008 "alert" | "reject"
modifysid 2500010 "alert" | "reject"
modifysid 2500012 "alert" | "reject"
modifysid 2500014 "alert" | "reject"
modifysid 2500016 "alert" | "reject"
modifysid 2500018 "alert" | "reject"
modifysid 2500020 "alert" | "reject"
modifysid 2500022 "alert" | "reject"
modifysid 2500024 "alert" | "reject"
modifysid 2500026 "alert" | "reject"
modifysid 2500028 "alert" | "reject"
modifysid 2500030 "alert" | "reject"
modifysid 2500032 "alert" | "reject"
modifysid 2500034 "alert" | "reject"
modifysid 2500036 "alert" | "reject"
modifysid 2500038 "alert" | "reject"
modifysid 2500040 "alert" | "reject"
modifysid 2500042 "alert" | "reject"
modifysid 2500044 "alert" | "reject"
modifysid 2500046 "alert" | "reject"
modifysid 2500048 "alert" | "reject"
modifysid 2500050 "alert" | "reject"
modifysid 2500052 "alert" | "reject"
modifysid 2500054 "alert" | "reject"
modifysid 2500056 "alert" | "reject"
modifysid 2500058 "alert" | "reject"
modifysid 2500060 "alert" | "reject"
modifysid 2500062 "alert" | "reject"
modifysid 2500064 "alert" | "reject"
modifysid 2500066 "alert" | "reject"
modifysid 2500068 "alert" | "reject"
modifysid 2500070 "alert" | "reject"
modifysid 2500072 "alert" | "reject"

Then send a signal to the Suricata process to reread the rules.

kill -USR2 `cat /var/run/suricata.pid`
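A check to run once the rules have been regenerated: it lists which enabled signatures in a rules file still carry alert rather than reject, and counts rules per action. This is an added example, not part of the original post; the function names are hypothetical and the rules in demo_actions are constructed.

```shell
#!/bin/sh
# Added example: show which enabled signatures in a rules file use which action.
# Usage: sh rule-actions.sh /etc/suricata/rules/compromised.rules

# Print "ACTION SID" for every enabled rule; comment and blank lines are skipped.
rule_actions() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        {
            sid = "?"
            if (match($0, /[(;][ \t]*sid:[ \t]*[0-9]+/)) {
                sid = substr($0, RSTART, RLENGTH)
                sub(/^[^0-9]*/, "", sid)
            }
            print $1, sid
        }
    ' "$1"
}

# Print the SIDs in file $1 whose action is $2, one per line.
sids_with_action() {
    rule_actions "$1" | awk -v want="$2" '$1 == want { print $2 }'
}

# Print one "ACTION COUNT" line per action, sorted by action name.
action_summary() {
    rule_actions "$1" | awk '{ n[$1]++ } END { for (a in n) print a, n[a] }' | sort
}

# Constructed sample in the style of compromised.rules (documentation addresses).
demo_actions() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
reject ip [192.0.2.1,192.0.2.2] any -> $HOME_NET any (msg:"constructed 1"; sid:2500000; rev:1;)
alert ip [198.51.100.7] any -> $HOME_NET any (msg:"constructed 2"; sid:2500074; rev:1;)
#alert ip [203.0.113.9] any -> $HOME_NET any (msg:"disabled"; sid:2500076; rev:1;)
EOF
    echo "still on alert:"; sids_with_action "$f" alert
    echo "totals:"; action_summary "$f"
    rm -f "$f"
}

if [ $# -eq 1 ]; then action_summary "$1"; else demo_actions; fi
```

Signatures that a ruleset update adds outside the SIDs listed above keep their original action; the alert list makes them visible.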

Thanks for reading!