How To Install Suricata on Ubuntu 22.04 LTS
In this tutorial, we will show you how to install Suricata on Ubuntu 22.04 LTS. For those of you who didn’t know, Suricata is a free and open-source network analysis and threat detection engine developed by the OISF (Open Information Security Foundation). Suricata uses rules and signatures to detect threats in network traffic, and it supports the Lua scripting language for detection logic that is too complex to express as a plain signature.
This article assumes you have at least basic knowledge of Linux, know how to use the shell, and most importantly, you host your site on your own VPS. The installation is quite simple and assumes you are running in the root account; if not, you may need to add ‘sudo’ to the commands to get root privileges. I will show you the step-by-step installation of the Suricata Intrusion Detection System (IDS) on Ubuntu 22.04 (Jammy Jellyfish). You can follow the same instructions on any other Debian-based distribution like Linux Mint, Elementary OS, Pop!_OS, and more as well.
Prerequisites
- A server running one of the following operating systems: Ubuntu 22.04, 20.04, and any other Debian-based distribution like Linux Mint.
- It’s recommended that you use a fresh OS install to prevent any potential issues.
- SSH access to the server (or just open Terminal if you’re on a desktop).
- A non-root sudo user or access to the root user. We recommend acting as a non-root sudo user, however, as you can harm your system if you’re not careful when acting as root.
Install Suricata on Ubuntu 22.04 LTS Jammy Jellyfish
Step 1. First, make sure that all your system packages are up-to-date by running the following apt
commands in the terminal.
sudo apt update
sudo apt upgrade
sudo apt install wget apt-transport-https gnupg2 software-properties-common
Step 2. Installing Suricata on Ubuntu 22.04.
- Method 1. Install Suricata from packages (OISF PPA).
Suricata is available in the Ubuntu 22.04 base repository, but the OISF PPA tracks the current stable release and is the package source the project recommends. Add the Suricata PPA repository to your Ubuntu system using the following command:
sudo add-apt-repository ppa:oisf/suricata-stable --yes
Once the repository has been added, install Suricata (and jq, which is handy for reading the JSON event log) with the following commands:
sudo apt update
sudo apt install suricata jq
Verify the version of Suricata on your system (the output also lists the build features, for example whether NFQueue and AF_PACKET support are compiled in):
suricata --build-info
- Method 2. Install Suricata from the source code.
Before starting, you will need to install some dependencies on your server. You can install all of them by running the following command:
sudo apt install libpcre3 libpcre3-dbg libpcre3-dev build-essential autoconf automake libtool libpcap-dev libnet1-dev libyaml-0-2 libyaml-dev zlib1g zlib1g-dev libcap-ng-dev libcap-ng0 make libmagic-dev libjansson-dev libjansson4 pkg-config libnspr4-dev libnss3-dev liblz4-dev rustc cargo python3-pip python3-distutils
sudo apt install libnetfilter-queue-dev libnetfilter-queue1 libnfnetlink-dev libnfnetlink0
Run the following command to download Suricata from the official page (6.0.8 was the stable release when this was written; check the download page for the current one):
wget https://www.openinfosecfoundation.org/download/suricata-6.0.8.tar.gz
Next, extract the downloaded file:
tar xzf suricata-6.0.8.tar.gz
Change into the extracted Suricata source directory and configure the build (--enable-nfqueue adds NFQueue support for inline IPS mode; the other options place the binary, configuration and state under /usr, /etc and /var, where the packaged version puts them):
cd suricata-6.0.8
./configure --enable-nfqueue --prefix=/usr --sysconfdir=/etc --localstatedir=/var
Next, compile and install Suricata from the same directory. The install-full target also installs the default configuration and rule directories and runs suricata-update once to fetch an initial rule set:
make
make install-full
Step 3. Configure Suricata.
Suricata’s configuration file is located at /etc/suricata/suricata.yaml. For a basic setup, we need to tell Suricata which addresses count as the internal (HOME_NET) and external networks, and which interface to listen on. Open the configuration file as shown:
nano /etc/suricata/suricata.yaml
Change the following settings. Replace 10.0.2.0/24 with the subnet(s) you want to protect and eth0 with the name of the interface that carries the traffic (check with ip -br link); rules use $HOME_NET and $EXTERNAL_NET to decide which direction a flow is going, so a wrong HOME_NET silently disables many of them:
vars:
  address-groups:
    HOME_NET: "[10.0.2.0/24]"
    EXTERNAL_NET: "!$HOME_NET"

af-packet:
  - interface: eth0

app-layer:
  protocols:
    sip:
      enabled: no
Save and close the file, then fetch the rule set. suricata-update downloads the Emerging Threats Open ruleset by default and writes it to /var/lib/suricata/rules/suricata.rules, which the default configuration already loads; it does not change suricata.yaml itself:
suricata-update
Verify the configuration and the rules with Suricata’s test mode, which loads everything and exits without capturing traffic. A successful run ends with the line "Configuration provided was successfully loaded. Exiting."; rule parse errors are reported per file and line:
suricata -T -c /etc/suricata/suricata.yaml -v
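The page tests detection with built-in stream-engine rules only. A sensor you will actually operate needs a place for site-specific rules too, so here is an added example (not from the original tutorial or the Suricata project) that writes a small local.rules file, runs a cheap syntax shape check on it, and hands it to suricata -T when Suricata is installed. The path /etc/suricata/rules/local.rules, the sid values 1000001 and 1000002, and the /testmynids URI marker are assumptions chosen for this example.

```shell
#!/bin/sh
# Added example (not from the original page): create a local rule file,
# sanity-check its shape, and validate it with `suricata -T` when available.
# Assumed paths: /etc/suricata/rules/local.rules and /etc/suricata/suricata.yaml.
# sid 1000001/1000002 are in the range reserved for local rules (assumption for
# this example; any unused sid in that range works).

# Rule text for local.rules. ICMP echo requests and an HTTP request for a marker
# URI are trivial to trigger from another host (ping / curl) and harmless.
LOCAL_RULES='# local.rules: site-specific test rules (constructed for this example)
alert icmp any any -> $HOME_NET any (msg:"LOCAL ICMP echo request to HOME_NET"; itype:8; sid:1000001; rev:1;)
alert http any any -> $HOME_NET any (msg:"LOCAL HTTP GET /testmynids marker"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/testmynids"; sid:1000002; rev:1;)
'

# write_local_rules FILE: write the rule set above to FILE.
write_local_rules() {
    printf '%s' "$LOCAL_RULES" > "$1"
}

# check_rule_syntax FILE: shape check before handing the file to Suricata.
# Every non-comment, non-blank line must look like
#   <action> <proto> <src> <sport> -> <dst> <dport> ( ... msg:"..."; ... sid:N; ... rev:N; ... )
# Prints each offending line on stderr and returns 1 if any line fails.
# This catches copy/paste damage only; suricata -T is the real parser.
check_rule_syntax() {
    status=0
    while IFS= read -r line; do
        case "$line" in
            ''|'#'*) continue ;;
        esac
        if ! printf '%s\n' "$line" | grep -Eq \
            '^(alert|drop|pass|reject) +[a-z]+ +[^ ]+ +[^ ]+ +(->|<>) +[^ ]+ +[^ ]+ +\(.*msg:"[^"]+";.*sid: *[0-9]+;.*rev: *[0-9]+;.*\)$'; then
            printf 'bad rule: %s\n' "$line" >&2
            status=1
        fi
    done < "$1"
    return $status
}

# validate_config YAML: run Suricata's own config/rule test if it is installed;
# on a host without Suricata (e.g. where you edit rules) report and skip.
validate_config() {
    if command -v suricata >/dev/null 2>&1; then
        suricata -T -c "$1" -v
    else
        echo "suricata not installed here; skipping suricata -T" >&2
        return 0
    fi
}

# Typical use on the sensor (needs root for /etc/suricata):
#   write_local_rules /etc/suricata/rules/local.rules
#   check_rule_syntax /etc/suricata/rules/local.rules
#   then list the file in suricata.yaml next to the suricata-update output:
#     rule-files:
#       - suricata.rules
#       - /etc/suricata/rules/local.rules
#   validate_config /etc/suricata/suricata.yaml
#   systemctl restart suricata
```

After restarting, a `ping` or a `curl http://<sensor-ip>/testmynids` from another host on the network should produce the LOCAL alerts in /var/log/suricata/fast.log, which confirms the interface and HOME_NET settings end to end rather than relying on the stream engine's anomaly rules.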
Step 4. Running Suricata on Ubuntu.
You can now start Suricata and enable the service so it runs on system boot (enable --now does both; check the result with systemctl status suricata):
sudo systemctl enable --now suricata
sudo systemctl status suricata
You can also see various run modes using the following command:
suricata --list-runmodes
Output:
------------------------------------- Runmodes ------------------------------------------
| RunMode Type      | Custom Mode       | Description
|----------------------------------------------------------------------------------------
| PCAP_DEV          | single            | Single threaded pcap live mode
|                   ---------------------------------------------------------------------
|                   | autofp            | Multi threaded pcap live mode. Packets from each flow are assigned to a single detect thread, unlike "pcap_live_auto" where packets from the same flow can be processed by any detect thread
|                   ---------------------------------------------------------------------
|                   | workers           | Workers pcap live mode, each thread does all tasks from acquisition to logging
|----------------------------------------------------------------------------------------
| PCAP_FILE         | single            | Single threaded pcap file mode
|                   ---------------------------------------------------------------------
|                   | autofp            | Multi threaded pcap file mode. Packets from each flow are assigned to a single detect thread, unlike "pcap-file-auto" where packets from the same flow can be processed by any detect thread
|----------------------------------------------------------------------------------------
| PFRING(DISABLED)  | autofp            | Multi threaded pfring mode. Packets from each flow are assigned to a single detect thread, unlike "pfring_auto" where packets from the same flow can be processed by any detect thread
|                   ---------------------------------------------------------------------
|                   | single            | Single threaded pfring mode
|                   ---------------------------------------------------------------------
|                   | workers           | Workers pfring mode, each thread does all tasks from acquisition to logging
|----------------------------------------------------------------------------------------
Step 5. Testing Suricata Rules.
Before you can proceed, disable the receive-offload features on the interface Suricata listens on. With GRO/LRO enabled the NIC merges segments before the kernel sees them, so Suricata receives oversized, reassembled packets instead of the frames that were on the wire and stream inspection becomes unreliable. This setting does not survive a reboot, so on a permanent sensor put it in the interface configuration as well:
ethtool -K eth0 gro off lro off
Next, stop the Suricata service and remove its stale PID file so a manual run can start:
systemctl stop suricata
rm -f /var/run/suricata.pid
Then, run Suricata manually as a daemon, listening on the interface you configured:
suricata -D -c /etc/suricata/suricata.yaml -i eth0
Next, log in to a second system on the same network and use hping3 to send a SYN flood with spoofed source addresses at the Suricata host (replace suricata-ip with the sensor’s address; -I eth0 is the sending interface on the attacking host). Because the source addresses are random, only do this on a lab network you own; the replies go to hosts that never sent anything:
hping3 -S -p 80 --flood --rand-source suricata-ip -I eth0 -c 50
After that, go back to the Suricata server and check the Suricata log file:
tail -f /var/log/suricata/fast.log
You should be able to see sample alerts like these (one line per alert: timestamp, [gid:sid:rev], message, classification, priority, protocol, source -> destination):
10/31/2022-12:36:38.569298 [**] [1:2240008:2] SURICATA STREAM 3way handshake SYN resend different seq on SYN recv [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 157.32.37.21:59188 -> 209.23.77.188:80
10/31/2022-12:36:38.569304 [**] [1:2240004:2] SURICATA STREAM 3way handshake SYNACK resend with different ack [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 209.23.10.188:80 -> 157.32.37.66:59188
10/31/2022-12:36:38.569649 [**] [1:2240008:2] SURICATA STREAM 3way handshake SYN resend different seq on SYN recv [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 157.32.37.21:53343 -> 209.88.10.188:80
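tail -f shows the alerts stream past, but during a flood the useful questions are which signatures fired how often and which sources are responsible. The following is an added example (not from the original tutorial or the Suricata project) that answers both from fast.log with awk, plus a filter by priority. The sample log lines embedded in it are constructed for the example in the fast.log format shown above, using documentation addresses; the IPv4 "addr:port" endpoint layout is assumed.

```shell
#!/bin/sh
# Added example (not from the original page): summarise a Suricata fast.log.
# Works on the real file (/var/log/suricata/fast.log) or on the constructed
# sample below. Assumes the IPv4 "addr:port" endpoint format fast.log uses.

# Constructed sample fast.log (documentation addresses, not real hosts).
SAMPLE_FAST_LOG='10/31/2022-12:36:38.569298  [**] [1:2240008:2] SURICATA STREAM 3way handshake SYN resend different seq on SYN recv [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.0.2.21:59188 -> 198.51.100.10:80
10/31/2022-12:36:38.569304  [**] [1:2240004:2] SURICATA STREAM 3way handshake SYNACK resend with different ack [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 198.51.100.10:80 -> 192.0.2.21:59188
10/31/2022-12:36:38.569649  [**] [1:2240008:2] SURICATA STREAM 3way handshake SYN resend different seq on SYN recv [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.0.2.77:53343 -> 198.51.100.10:80
10/31/2022-12:36:39.001122  [**] [1:1000001:1] LOCAL ICMP echo request to HOME_NET [**] [Classification: (null)] [Priority: 3] {ICMP} 192.0.2.21:8 -> 198.51.100.10:0
'

# count_alerts_by_sid FILE: one line per signature, "count<TAB>sid<TAB>msg",
# most frequent first. The sid is taken from the "[gid:sid:rev]" block and the
# message is everything between that block and the second "[**]".
count_alerts_by_sid() {
    awk '
        /\[\*\*\]/ {
            s = index($0, "[**] [") + 6          # first char of "gid:sid:rev"
            e = index(substr($0, s), "] ")       # end of that block
            sig = substr($0, s, e - 1)
            rest = substr($0, s + e + 1)         # "msg [**] [Classification..."
            m = index(rest, " [**]")
            msg = substr(rest, 1, m - 1)
            split(sig, p, ":")
            n[p[2] "\t" msg]++
        }
        END { for (k in n) print n[k] "\t" k }' "$1" | sort -rn
}

# top_sources FILE: "count<TAB>source-address", most active first. The last
# three fields of a fast.log line are "src:port -> dst:port"; the port is
# stripped so all connections from one host are grouped together.
top_sources() {
    awk '
        /\[\*\*\]/ {
            src = $(NF - 2)
            sub(/:[0-9]+$/, "", src)
            n[src]++
        }
        END { for (k in n) print n[k] "\t" k }' "$1" | sort -rn
}

# alerts_with_priority FILE N: the raw alert lines with "[Priority: N]".
# Priority 1 is the most severe; the stream-engine anomalies above are 3.
alerts_with_priority() {
    grep -F "[Priority: $2]" "$1"
}

# Typical use on the sensor:
#   count_alerts_by_sid /var/log/suricata/fast.log | head
#   top_sources /var/log/suricata/fast.log | head
#   alerts_with_priority /var/log/suricata/fast.log 1
```

The same three questions can be answered from /var/log/suricata/eve.json with jq (the page installs it for this purpose), for example jq -r 'select(.event_type=="alert") | .alert.signature_id' eve.json | sort | uniq -c; fast.log is used here because it is the file the tutorial tails and it needs no extra tools.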
Congratulations! You have successfully installed Suricata. Thanks for using this tutorial for installing Suricata Intrusion Detection System (IDS) on Ubuntu 22.04 LTS Jammy Jellyfish system. For additional help or useful information, we recommend you check the official Suricata website.