Network Intrusion Detection System with Suricata on Debian Wheezy

Written by - 2 comments

Published on October 8th 2014 - Listed in Security Linux Network

Suricata is a network intrustion detection system (NIDS) which has a goal to become the "next snort", the de facto standard of NIDS. Both Suricata and Snort are running on rules which are both compatible with each other.

On Debian Wheezy there's the following package available in the repository:

root@debian-wheezy:~# apt-cache show suricata
Package: suricata
Version: 1.2.1-2
Installed-Size: 3809
Maintainer: Pierre Chifflier
Architecture: amd64
Depends: libc6 (>= 2.4), libcap-ng0, libgcrypt11 (>= 1.4.5), libgnutls26 (>= 2.12.17-0), libhtp1 (>= 0.2.6), libmagic1, libnet1 (>=, libnetfilter-queue1 (>= 0.0.15), libnfnetlink0 (>= 1.0.0), libpcap0.8 (>= 1.0.0), libpcre3 (>= 8.10), libprelude2, libyaml-0-2
Recommends: oinkmaster, snort-rules-default
Description-en: Next Generation Intrusion Detection and Prevention Tool
 Suricata is a network Intrusion Detection System (IDS). It is based on
 rules (and is fully compatible with snort rules) to detect a variety of
 attacks / probes by searching packet content.

However there are two big downsides with this package:

1) It is old. In the Wheezy repo Suricata is at version 1.2.1 while the sources of 2.4 have been released in September.
2) It doesn't work. I don't know if I did something wrong, but I installed the package on two newly installed virtual machines and nothing was ever logged. Not even local attacks simulated with nikto.

When I installed Suricata with the latest source package, it immediately started to work. That's why this article is about running Suricata from source.

1) Install pre-requirements
The following packages are enought to compile Suricata on a minimal Debian Wheezy.

apt-get install build-essential pkg-config libpcre3 libpcre3-dbg libpcre3-dev libyaml-0-2 libyaml-dev \
autoconf automake libtool libpcap-dev libnet1-dev zlib1g zlib1g-dev libmagic-dev libcap-ng-dev \
libnetfilter-queue-dev libnetfilter-queue1 libnfnetlink-dev libnfnetlink0

2) Download and unpack
Download the newest release (at the time of this writing this was 2.0.4) and unpack it.

cd /root/src; wget
tar -xzf suricata-2.0.4.tar.gz; cd suricata-2.0.4

3) Compile
A little side node for the compile step: If you want to use Suricata as both IDS (Intrusion Detection System) AND IPS (Intrusion Prevention System), you must use "--enable-nfqueue" as configure option. You can also just compile with this option, just to be IPS-ready. The final switch has to be done in the configuration file anyway.
With the following configure line, the program will use the following folders:

/usr/bin: For the executable binary (/usr/bin/suricata)
/etc/suricata: Config files (most importantly suricata.yaml)
/etc/suricata/rules: Rule files
/var/log/suricata: Log files
/var/run/suricata: pid file

./configure --enable-nfqueue --prefix=/usr --sysconfdir=/etc --localstatedir=/var

The output at the end is the following:

Generic build parameters:
  Installation prefix (--prefix):          /usr
  Configuration directory (--sysconfdir):  /etc/suricata/
  Log directory (--localstatedir) :        /var/log/suricata/

  Host:                                    x86_64-unknown-linux-gnu
  GCC binary:                              gcc
  GCC Protect enabled:                     no
  GCC march native enabled:                yes
  GCC Profile enabled:                     no

To build and install run 'make' and 'make install'.

You can run 'make install-conf' if you want to install initial configuration
files to /etc/suricata/. Running 'make install-full' will install configuration
and rules and provide you a ready-to-run suricata.

To install Suricata into /usr/bin/suricata, have the config in
/etc/suricata and use /var/log/suricata as log dir, use:
./configure --prefix=/usr/ --sysconfdir=/etc/ --localstatedir=/var/

Then run make followed by make install-full, which downloads additional emerging rules right into /etc/suricata/rules (thanks!):

make install-full

/usr/bin/wget -qO - | tar -x -z -C "/etc/suricata/" -f -

You can now start suricata by running as root something like '/usr/bin/suricata -c /etc/suricata//suricata.yaml -i eth0'.

If a library like is not found, you can run suricata with:
'LD_LIBRARY_PATH=/usr/lib /usr/bin/suricata -c /etc/suricata//suricata.yaml -i eth0'.

While rules are installed now, it's highly recommended to use a rule manager for maintaining rules.
The two most common are Oinkmaster and Pulledpork. For a guide see:

4) Adapt the configuration
The configuration file is, as mentioned above, /etc/suricata/suricata.yaml. This format is in yaml (yet another markup language) but just edit the file with your favorite editor (mine is vim).
I suggest you go from top to bottom of the config file to learn as much as possible and to set the configuration to your environments, but the following points are the settings I changed. Note that I didn't activate IPS with these config changes.

Disable console logging and log to file instead:

  # Define your logging outputs.  If none are defined, or they are all
  # disabled you will get the default - console output.
  - console:
      enabled: no
  - file:
      enabled: yes
      filename: /var/log/suricata/suricata.log

Define your HOME_NET (which is the private LAN where your machines is connected to):

  # Holds the address group vars that would be passed in a Signature.
  # These would be retrieved during the Signature address parsing stage.

    HOME_NET: "[]"

Adapt the host-os-policy and set your machine's IP address next to the policy (yes, Debian is a Linux distro, duh!):

# Host specific policies for defragmentation and TCP stream
# reassembly.  The host OS lookup is done using a radix tree, just
# like a routing table so the most specific entry matches.
  # Make the default policy windows.
  windows: []
  bsd: []
  bsd-right: []
  old-linux: []
  linux: []
  old-solaris: []
  solaris: []
  hpux10: []
  hpux11: []
  irix: []
  macos: []
  vista: []
  windows2k3: []

Set the paths to classification and reference-config-file correct (they should now be in the rules folder):

classification-file: /etc/suricata/rules/classification.config
reference-config-file: /etc/suricata/rules/reference.config

5) Start Suricata
Now let's start Suricata in daemon mode (-D) and see what happens... (that's exciting!)

suricata -c /etc/suricata/suricata.yaml -i eth0 -D

Suricata immediately starts to write log files into /var/log/suricata:

ls -ltr
total 360
drwxr-xr-x 2 root root   4096 Oct  8 21:49 files
drwxr-xr-x 2 root root   4096 Oct  8 21:49 certs
-rw-r----- 1 root root      0 Oct  8 21:52 http.log
-rw-r--r-- 1 root root    545 Oct  8 21:52 suricata.log
-rw-r--r-- 1 root root   3998 Oct  8 21:52 stats.log
-rw-r----- 1 root root 233626 Oct  8 21:52 unified2.alert.1412797965
-rw-r----- 1 root root 111321 Oct  8 21:52 fast.log

These logs are very important and can be simply explained:

http.log: Logs traffic/attacks to a local web server
suricata.log: The program's log file (which we have defined in the configuration file)
stats.log: Continued logging of statistics
unified2.alert.TIMESTAMP: The alerts are logged into this file in barnyard2 (by2) format
fast.log: Clear text logging of alerts

Now the unified2.alert log file is very interesting. In combination with barnyard2 ( the alerts can be read and stored into an external place, for example syslog or into a data base. I might follow up on this with a dedicated article...

6) Test an attack
I mentioned "nikto" above, which can be used to test-attack a web server. Let's do this and see how Suricata reacts:

root@attacker:~/nikto-master/program# ./ -h -C all

Holy sh!t... I only post the last few lines of the output:

tail /var/log/suricata/http.log
10/08/2014-22:29:20.464061 [**] /solr/admin/ [**] Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:006808) [**] ->
10/08/2014-22:29:20.466145 [**] /html/vergessen.html [**] Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:006809) [**] ->
10/08/2014-22:29:20.468097 [**] /typo3/install/index.php [**] Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:006810) [**] ->
10/08/2014-22:29:20.470129 [**] /dnnLogin.aspx [**] Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:006811) [**] ->
10/08/2014-22:29:20.474056 [**] /dnn/Login.aspx [**] Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:006812) [**] ->
10/08/2014-22:29:20.476151 [**] /tabid/400999900/ctl/Login/portalid/699996/Default.aspx [**] Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:006813) [**] ->
10/08/2014-22:29:20.478121 [**] /Portals/_default/Cache/ReadMe.txt [**] Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:006814) [**] ->
10/08/2014-22:29:20.480445 [**] /Providers/HtmlEditorProviders/Fck/fcklinkgallery.aspx [**] Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:006816) [**] ->
10/08/2014-22:29:20.483119 [**] /typo3_src/ChangeLog [**] Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:006817) [**] ->
10/08/2014-22:29:20.487481 [**] /_about [**] Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:006818) [**] ->

In total Suricata discovered and logged more than 20'000 attacks:

cat /var/log/suricata/http.log  | grep -c Nikto

In the fast.log much less entries are logged:

tail /var/log/suricata/fast.log
10/08/2014-22:28:28.744886  [**] [1:2221028:1] SURICATA HTTP Host header invalid [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} ->
10/08/2014-22:28:45.976806  [**] [1:2016184:5] ET WEB_SERVER ColdFusion administrator access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} ->
10/08/2014-22:29:07.430596  [**] [1:2016184:5] ET WEB_SERVER ColdFusion administrator access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} ->
10/08/2014-22:29:07.432698  [**] [1:2016184:5] ET WEB_SERVER ColdFusion administrator access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} ->
10/08/2014-22:29:07.435637  [**] [1:2016184:5] ET WEB_SERVER ColdFusion administrator access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} ->
10/08/2014-22:29:07.438709  [**] [1:2016184:5] ET WEB_SERVER ColdFusion administrator access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} ->
10/08/2014-22:29:11.417867  [**] [1:2200003:1] SURICATA IPv4 truncated packet [**] [Classification: (null)] [Priority: 3] [**] [Raw pkt: 00 0C 29 CF F6 6D 00 0C 29 3D 0D 45 08 00 45 00 0B 84 8B 5D 40 00 40 06 41 B8 C0 A8 70 85 C0 A8 ]
10/08/2014-22:29:12.076980  [**] [1:2200003:1] SURICATA IPv4 truncated packet [**] [Classification: (null)] [Priority: 3] [**] [Raw pkt: 00 0C 29 3D 0D 45 00 0C 29 CF F6 6D 08 00 45 00 11 2C CE AB 40 00 40 06 F8 C1 C0 A8 70 88 C0 A8 ]
10/08/2014-22:29:19.187059  [**] [1:2221007:1] SURICATA HTTP invalid content length field in request [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} ->

So this is how you get a new Suricata version installed quickly and painlessly on a Debian Wheezy. Enjoy.

Add a comment

Show form to leave a comment

Comments (newest first)

ck from Switzerland wrote on Nov 25th, 2014:

Meanwhile that I know suricata better and have worked with it for a couple of weeks, I have additional information to share or to correct the blog article a bit:
- Concerning my statement that the Suricata package on Debian Wheezy does not work: To be able to start suricata, it must first be enabled in /etc/default/suricata. I may have overlooked that.
- The http.log does not log the attacks to http sites. It can be compared to a web server's access log. Every http request is (or should be) logged.
- If the host you have installed suricata is serving as firewall between external and internal networks the HOME_NET and EXTERNAL_NET definitions should be both set to "any" otherwise suricata most likely does not see NATted packages.

anonomon from earth wrote on Nov 9th, 2014:

Thanks m8!