Suricata IDS/IPS Instalación

Suricata is a high-performance, open-source intrusion detection and prevention system that can monitor red traffic in real-time to identify and block malicious activity. Unlike signature-based detection systems alone, Suricata combines signature matching, protocol analysis, and advanced threat detection capabilities. Esta guía completa cubre installing Suricata on your Linux server, configuring detection rules, optimizing red capture with AF_PACKET, enabling IPS mode for active threat blocking, and using Suricata-update for rule management.

Tabla de Contenidos

• System Requirements
• Instalación
• Core Configuración
• Red Interfaces and AF_PACKET
• Rule Gestión with Suricata-update
• EVE JSON Output
• IPS Mode Configuración
• ET Open Rules
• Performance Tuning
• Monitoreo and Alerts
• Conclusión

System Requirements

Suricata requires specific system resources and dependencies for optimal operation. Minimum requirements include:

• Multi-core CPU (4+ cores recommended for moderate to high traffic)
• At least 4 GB RAM (8 GB+ for high-traffic environments)
• 50 GB disk space for rules, logs, and alerts
• Linux kernel 4.0 or newer
• Internet connectivity for rule updates

Verifica system capabilities:

nproc
free -h
df -h /
uname -r

Instalación

Instala Suricata from official package repositories or compile from source. The package repositorio approach is simpler for most deployments.

For Ubuntu 22.04 LTS and later:

sudo apt-get update
sudo apt-get install -y software-properties-common
sudo add-apt-repositorio ppa:oisf/suricata-stable
sudo apt-get update
sudo apt-get install -y suricata

For Ubuntu 20.04 LTS:

sudo apt-get install -y suricata

For Debian 11+:

sudo apt-get install -y suricata

For CentOS/RHEL 8+:

sudo dnf install -y suricata

For Fedora:

sudo dnf install -y suricata

Instala additional dependencies needed for rule management and performance:

sudo apt-get install -y suricata-update jq python3-pip
pip3 install pyyaml requests

Verifica the installation:

suricata --version
which suricata
ls -la /etc/suricata/

Core Configuración

The main configuration file is located at /etc/suricata/suricata.yaml. This file controls every aspect of Suricata's operation. Crea a backup before modifications:

sudo cp /etc/suricata/suricata.yaml /etc/suricata/suricata.yaml.backup

Edit the configuration file to review critical settings:

sudo nano /etc/suricata/suricata.yaml

Key configuration sections include:

1. vars: Define red variables for rule matching
2. outputs: Specify where to send alerts and logs
3. rule-files: List rule files to load
4. app-capa-parser: Protocol-specific parsers
5. threading: CPU affinity and thread configuration

Define custom red variables at the beginning of the configuration:

vars:
  address-groups:
    HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
    EXTERNAL_NET: "!$HOME_NET"
    HTTP_PORTS: "80"
    SHELLCODE_PORTS: "!80"
    ORACLE_PORTS: "1521"
    SSH_PORTS: "22"
    DNP3_PORTS: "20000"
    MODBUS_PORTS: "502"
  puerto-groups:
    HTTP_PORTS: "80"
    HTTPS_PORTS: "443"
    SSH_PORTS: "22"

Configura logging directories:

logging:
  default-log-level: notice
  default-output-format: "[%i] %l"
  outputs:
  - console:
      enabled: yes
  - file:
      enabled: yes
      filename: /var/log/suricata/suricata.log
  - syslog:
      enabled: no
      facility: local5
      format: "[%i] <%d> -- "

Configura the rule file sources:

rule-files:
  - suricata.rules
  - custom.rules

Red Interfaces and AF_PACKET

AF_PACKET is a socket family that proporciona raw packet access at the kernel level. This is superior to PCAP for production deployments due to better performance and lower CPU overhead. Configura AF_PACKET for red interfaces:

sudo nano /etc/suricata/suricata.yaml

Locate the af-packet section and configure for your interfaces:

af-packet:
  - interface: eth0
    threads: auto
    cluster-id: 99
    cluster-type: cluster_flow
    defrag: yes
    rollover: yes
    tpacket-v3: yes
    use-mmap: yes
    buffer-size: 32768
    ring-size: 1024000
    block-size: 32
  - interface: eth1
    threads: auto
    cluster-id: 99
    cluster-type: cluster_flow
    defrag: yes
    tpacket-v3: yes

The cluster-type: cluster_flow setting ensures packets from the same flow are processed by the same thread, improving cache locality. Adjust threads: auto to match your CPU cores:

nproc

Alternatively, explicitly set thread count:

af-packet:
  - interface: eth0
    threads: 4
    cluster-type: cluster_flow

Habilita kernel packet ring buffers for better performance:

sudo sysctl -w net.core.rmem_max=134217728
sudo sysctl -w net.core.rmem_default=134217728
sudo sysctl -w net.core.wmem_max=134217728
sudo sysctl -w net.core.wmem_default=134217728

Make these settings persistent:

sudo nano /etc/sysctl.conf

Add the following lines:

net.core.rmem_max=134217728
net.core.rmem_default=134217728
net.core.wmem_max=134217728
net.core.wmem_default=134217728
net.core.netdev_max_backlog=100000

Apply the configuration:

sudo sysctl -p

Rule Gestión with Suricata-update

Suricata-update is the official tool for managing rule sources and updates. It simplifies downloading and maintaining rule files from multiple sources.

Initialize Suricata-update:

sudo suricata-update

This command downloads default rules and creates the necessary directories. View available rule sources:

sudo suricata-update list-sources

Habilita additional rule sources:

sudo suricata-update enable-source et/open
sudo suricata-update enable-source triage/malware
sudo suricata-update enable-source triage/exploit

Deshabilita a rule source if needed:

sudo suricata-update disable-source triage/malware

Actualiza all enabled rule sources:

sudo suricata-update

Schedule automatic rule updates using cron:

sudo crontab -e

Add this line for daily updates at 2 AM:

0 2 * * * /usr/bin/suricata-update -o /etc/suricata 2>&1

View active configurations:

sudo suricata-update --config /etc/suricata/suricata.yaml

Crea custom rules by editing the custom rule file:

sudo nano /etc/suricata/rules/custom.rules

Example custom rules:

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"Custom: Suspicious User-Agent"; content:"curl"; http_user_agent; sid:1000001; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"Custom: SSL traffic from internal"; flow:to_server; ssl_version; sid:1000002; rev:1;)
alert dns $HOME_NET any -> any any (msg:"Custom: DNS query to suspicious domain"; dns.query; content:"malware.example"; sid:1000003; rev:1;)

After modifying rules, reload them:

sudo suricatasc -c reload-rules

EVE JSON Output

EVE (Extensible Event Vector) is Suricata's JSON output format. This structured output is ideal for forwarding to SIEM systems, log aggregators, and analysis tools. Configura EVE output:

sudo nano /etc/suricata/suricata.yaml

Find the output section and enable EVE JSON:

outputs:
  - eve-log:
      enabled: yes
      filetype: regular
      filename: eve.json
      types:
        - alert:
            payload: yes
            payload-buffer-size: 4kb
            http-body: yes
            http-body-buffer-size: 4kb
        - http
        - dns
        - tls
        - files
        - flow
        - smtp
        - ssh
        - stats:
            threads: yes

View the EVE log output:

sudo tail -f /var/log/suricata/eve.json

Parse and format the JSON output for readability:

sudo tail -f /var/log/suricata/eve.json | jq '.'

Filtra EVE alerts by type:

sudo jq 'select(.event_type=="alert")' /var/log/suricata/eve.json | head -20

Extract HTTP alerts:

sudo jq 'select(.event_type=="http")' /var/log/suricata/eve.json | head -10

Send EVE logs to a remote syslog server:

outputs:
  - syslog:
      enabled: yes
      address: 192.168.1.100
      puerto: 514
      protocol: tcp
      facility: LOG_LOCAL3

IPS Mode Configuración

Intrusion Prevention System (IPS) mode allows Suricata to actively drop malicious packets, not just detect them. This requires running Suricata with root privileges and configuring drop rules.

First, configure Suricata to run in IPS mode by setting the runmode:

sudo nano /etc/suricata/suricata.yaml

Ensure the following configuration for IPS mode with AF_PACKET:

runmode: workers
af-packet:
  - interface: eth0
    threads: auto
    cluster-id: 99
    cluster-type: cluster_flow
    defrag: yes
    use-mmap: yes

Alternatively, use inline mode with NFQUEUE:

nfqueue:
  - queue-num: 0
    mode: accept
    repeat-mark: 1
    repeat-mask: 1
    bypass-mark: 2
    bypass-mask: 1
    rps-mode: hash

Configura iptables to route traffic through Suricata:

sudo iptables -I FORWARD -j NFQUEUE --queue-num 0

Crea IPS rules that drop traffic instead of just alerting:

sudo nano /etc/suricata/rules/ips-rules.yaml

Example IPS rules:

drop tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"IPS: SMB exploit attempt"; sid:2000001; rev:1;)
drop ip any any -> any any (msg:"IPS: Invalid TCP options"; flags:!DF; fragbits:!RDF; sid:2000002; rev:1;)
drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"IPS: SQL injection attempt"; content:"union"; http_uri; sid:2000003; rev:1;)

Inicia Suricata in IPS mode with the required privileges:

sudo systemctl restart suricata

Verifica Suricata is running in IPS mode:

sudo systemctl status suricata

Monitorea IPS actions in the eve.json output:

sudo jq 'select(.alert.action=="drop")' /var/log/suricata/eve.json

ET Open Rules

ET (Emerging Threats) Open is a freely available ruleset that proporciona detection for current threats. ET Open rules are regularly updated with malware signatures, exploit detections, and attack patterns.

Habilita ET Open rules:

sudo suricata-update enable-source et/open
sudo suricata-update

View ET Open rules:

ls -la /var/lib/suricata/rules/et/

The ruleset includes categories such as:

• Malware detection
• Exploit detection
• Command and control communications
• Policy violations
• Suspicious behavior

Configura which ET Open rules to use:

sudo nano /etc/suricata/disable.conf

Deshabilita specific rules if they cause false positives. For example:

2012345  # Deshabilita this ET rule ID
2012346  # Deshabilita this ET rule ID

After modifying the disable list, reload rules:

sudo suricatasc -c reload-rules

Actualiza ET Open rules manually:

sudo suricata-update

Check for rule updates periodically:

sudo suricata-update --list-enabled-sources

Performance Tuning

Optimiza Suricata for your hardware and red conditions. Performance tuning significantly improves detection accuracy and reduces CPU load.

Configura threading mode based on CPU cores:

sudo nano /etc/suricata/suricata.yaml

Set threading configuration:

threading:
  set-cpu-affinity: yes
  cpu-affinity:
    - management-cpu-set:
        cpu: [ 0 ]
    - worker-cpu-set:
        cpu: [ "1-7" ]
    - receive-cpu-set:
        cpu: [ 8 ]
    - verdict-cpu-set:
        cpu: [ 9 ]

Adjust memory usage for rule matching:

detect-engine:
  - rule-path: /var/lib/suricata/rules
    rule-files:
      - suricata.rules
    file-checksum-checks: no
    preproc-only: no
    preproc: yes
    inspect-recursion-limit: 3000

Habilita stream-based processing for better throughput:

stream:
  memcap: 16gb
  checksum-validation: yes
  inline: yes
  midstream: yes

Monitorea Suricata performance with stats:

sudo suricatasc -c stats

View CPU and memory usage:

ps aux | grep suricata
top -p $(pgrep suricata | tr '\n' ',')

Analiza performance in eve.json:

sudo jq 'select(.event_type=="stats")' /var/log/suricata/eve.json | tail -5

Monitoreo and Alerts

Implement effective monitoring of Suricata's operation and alert generation. Crea dashboards and automated responses to high-severity alerts.

Monitorea Suricata servicio:

sudo systemctl status suricata
sudo journalctl -u suricata -f

Count alerts by severity:

sudo jq 'select(.event_type=="alert") | .alert.severity' /var/log/suricata/eve.json | sort | uniq -c | sort -rn

List top attacked targets:

sudo jq 'select(.event_type=="alert") | .dest_ip' /var/log/suricata/eve.json | sort | uniq -c | sort -rn | head -20

Extract source IPs of attacks:

sudo jq 'select(.event_type=="alert") | .src_ip' /var/log/suricata/eve.json | sort | uniq -c | sort -rn | head -20

Configura syslog forwarding for alerts:

sudo nano /etc/suricata/suricata.yaml

Add syslog output:

outputs:
  - syslog:
      enabled: yes
      address: localhost
      puerto: 514
      protocol: tcp

Set up log rotation to manage disk space:

sudo nano /etc/logrotate.d/suricata

Example logrotate configuration:

/var/log/suricata/*.log {
    daily
    rotate 30
    compress
    delaycompress
    notifempty
    create 0640 suricata adm
    postrotate
        /usr/lib/suricata/suricata-postrotate
    endscript
}

Conclusión

Suricata proporciona enterprise-grade intrusion detection and prevention capabilities suitable for protecting critical infrastructure and corporate redes. By following this guide, you've installed Suricata, configured AF_PACKET for high-performance packet capture, set up EVE JSON output for log aggregation, managed rules with Suricata-update, and enabled IPS mode for active threat prevention. The modular architecture allows customization for specific red environments and threat profiles. Regular rule updates, performance monitoring, and false positive tuning asegúrate de que accurate threat detection while minimizing operational overhead. Whether deployed as pure IDS for visibility or as IPS for active defense, Suricata scales from small deployments to high-traffic redes with minimal resource consumption.