Suricata is an open-source network threat detection tool with features such as intrusion detection, intrusion prevention, as well as network security monitoring. It excels at deep packet inspection and pattern matching, making it an invaluable tool for detecting threats and attacks.
Suricata can generate logs, drop traffic, and trigger alerts in case suspicious packets are in your network.
Here at LinuxAPT, as part of our Server Management Services, we regularly help our Customers to perform related Ubuntu Linux system Software Installation queries.
In this context, we shall look into the complete installation procedure of Suricata IDS on ubuntu 20.04.
1. Perform System Update
To begin, ensure your system packages are updated by running the below command:
$ sudo apt update
2. Add Suricata Repository
The latest stable version of Suricata is available on the PPA repository maintained by OISF. Therefore, we are going to add the Suricata repository on your Ubuntu system:
$ sudo add-apt-repository ppa:oisf/suricata-stable
Thereafter, update your system’s package index:
$ sudo apt update
With the PPA in place, head over to the next step and install the Suricat IDS.
3. Install Suricata
To install Suricata run the command:
$ sudo apt install suricata
With the installation of Suricata, let's go a step further and enable it to start on boot time:
$ sudo systemctl enable suricata.service
Next, ensure that the installation was successful by running the following command:
$ sudo suricata –build-info
Confirm that Suricata's systemd service is running:
$ sudo systemctl status suricata
The output confirms that Suricata is up and running on Ubuntu 20.04
Suricata's configuration file is located in the /etc/suricata/suricata.yaml path. For basic setup, we need to configure Suricata for your internal and external network. Open the configuration file with the below command:
$ sudo vim /etc/suricata/suricata.yaml
Then, specify the ip address for the HOME_NET variable. In this case, our IP address is 192.168.100.1. The HOME_ NET variable is the IP address of your local network or interface you want to monitor. Next, define the value for EXTERNA_ NET as being any network that is not your local ip address.
Next, go to the af-packet section in the configuration file and change the interface name to reflect the network interface chosen.
Suricata allows you to create network rules or signatures according to your requirements. The most common rules include Emerging Threats and Emerging Threats Pro.
The rules file is located in the /etc/suricata/rules/ directory. To view the contents run:
$ ls /etc/suricata/rules/
To install the Emerging Threats Open ruleset, run:
$ sudo suricata-update
This will install the rules to the /var/lib/suricata/rules/ directory.
After installing all the rules, you can restart the Suricata IDS service with the below command:
$ sudo systemctl restart suricata
You can also check the Suricata logs with the below command:
$ sudo tail /var/log/suricata/suricata.log
This article covers how to install Suricata IDS on Ubuntu 20.04. In fact, Suricata is capable of real-time intrusion detection, intrusion prevention, and network security monitoring. For more information head over to the Suricata's documentation page.