Installing & Configuring Suricata

Captions
So let's get started with the practical demo. I'm just going to switch over to my Ubuntu virtual machine and we can actually get started with the practical demonstrations. We'll get started with installing and configuring Suricata, and then we'll take it from there.

All right, so I'm back on the Ubuntu VM and again, it isn't running anything on it. So to get started, I would recommend going to the Suricata website, which is at suricata.io. If you click on this little menu here on your right (this is a collapsible menu), you can click on Documentation, and under Documentation you can click on the installation guide. So you can go through the installation manually and compile it from source, and I do recommend taking a look at the Suricata documentation, because it really is fantastic. The great thing with Suricata is you have the binary packages for the latest version, and you'll need to add the repository first. This is the official OISF repository and it's essentially used for Suricata, so once you add it you can then update your repositories and then install Suricata directly. So let's do that. I'm just going to copy that command there, clear up my terminal, paste that in here, and there we go. That will get the actual Suricata repository added. I'll hit Enter to continue; it's then going to add it, and we can then update our repositories and install Suricata. We'll give this a couple of seconds. There we are. So I'll say sudo apt-get update and sudo apt-get install suricata, and I'll use the -y option here just so that it installs directly. By default you'll not be prompted to enter the interface, so in that regard, you know, Suricata is much easier to configure and much easier to understand. This will complete installing Suricata, and there we are, so that's done.

Now one thing to note is that Suricata can be started and stopped with systemd or the init system that you're using on your distribution, and if you do want to run Suricata on system startup, then you can enable the service. But do note that if you are running this in a virtualized environment and you do not need that functionality, or you don't want Suricata consuming resources and working in the background, then do not enable the service. In my case I can just do that, so I can say sudo systemctl, because I'm running systemd (this version of Ubuntu comes with systemd), so sudo systemctl enable, and then we can say suricata.service. Don't worry if it gives you this error here. So suricata.service, hit Enter, and you can see it's not a native service, so it'll redirect it to systemd-sysv-install. It's going to execute it, so that means it's going to be running on startup. I can then say sudo systemctl status suricata, and it is active and loaded. We want to stop this, so I'm just going to use the previous command, because we don't need it running when we're making configurations.

All right, so now that that is done, let's take a look at where all the configuration files and rules are stored. As I said, it's very similar to Snort in that if I list out the contents of the /etc/suricata directory, you can see that you have the Suricata configuration file, which is in YAML format, which is great; I really like configuration files that are in YAML. Then you have the rules directory, where you have a set of rules that come pre-packaged with Suricata. For example, if I list out rules here, you can see that we have all of these various types of rules based on protocols, so we have http, ipsec (or IPsec, if you will), nfs, ntp, smb events, etc. In order to modify it you need root or sudo privileges. In order to modify the configuration file I'm going to say sudo vim /etc/suricata/suricata.yaml. Now there's a few things that we need to configure. This file is quite large and there's tons of configurations you can make, but as you can see, it really is awesome, because you can essentially specify or customize the various variables, and it's extremely similar to Snort or the Snort configuration file. Again, for comments, to essentially disable a particular option you can use the hash or the pound symbol, so it's fairly simple.

So the first thing we need to do is configure the variables. More specific is better for alert accuracy and performance, so we need to specify our HOME_NET subnet address, or the actual network subnet that we would like to monitor. You can get this info by saying ifconfig. So I'll say ifconfig, and my interface here is enp0s3; that's the interface I want to monitor, and the subnet is 192.168.2.0/24. If I type in ip a s, that will give you your entire network subnet range; in my case it's /24. OK, so we can specify that here. Again, as it says, make sure it is specific, so I'll just enter insert here, and we only want to enter that network, so .0/24.

All right, you can also specify the other variable options here to add additional subnets or addresses, and then you can specify the actual EXTERNAL_NET variable here. In this case it's saying not HOME_NET, so any address that's not in the HOME_NET; that's perfectly fine, and let me just write the changes. So that's the first option that we need to configure. The next option that I recommend configuring is the actual af-packet option, so I'll just search for it using forward slash within vim. If you're using a visual text editor like gedit, that's perfectly fine; just make sure you open the file with sudo or root privileges. So I'll say af-packet, and right, this is the Linux high speed capture support. Make sure you specify the correct interface, based on the network you're monitoring. In my case it's enp0s3, I believe; let me just verify that, this is very important. So it's enp0s3, that is correct, and yeah, so that's set up now. If you do want to add another network interface, you can add that on top here and follow the actual syntax; just make sure to change the cluster-id and make it unique, because this is very important. OK, so that is done. Then this is the cross platform libpcap capture support; you can also configure that interface if you want to, and I recommend doing that, so we can actually set it here. Cross platform libpcap capture support: we can say enp0s3. I believe that is the correct syntax; let's just confirm that. enp0s3. These interface names on Ubuntu are quite difficult to remember. There we are, so that's done. OK, so I'll write the changes.

The next option we need to set, and this is optional, is the community flow id option. This is used for event correlation and is useful when using tools like Zeek, or when you're trying to import the logs in JSON format, so this is very important actually. So we want to search for community-id; we're looking for this option here, that's the community flow id section. This will add a community-id field to the EVE records. These are meant to give records a predictable flow id that can be used to match records to the output of other tools such as Zeek. It takes a seed that needs to be the same across sensors and tools, to make the id less predictable. So you can enable the community id feature; by default Suricata already generates a log file and saves the logs in JSON format, so we can set this to true. And I think those are the only options we need to configure right now; as I said, you can go through the configuration file, it is quite extensive.

One other option that I would like to go over is the actual rules here. So if I search for this, rule path, I believe; is it the rule path? There we are. OK, so the rule path: this is the default-rule-path. It's not under the /etc directory; you can change it to be there, but Suricata already has a suricata.rules file that is stored under /var/lib/suricata/rules. So if you want to add a custom rules file, then you can specify it here if it already exists within the directory. If it's under /var/lib/suricata/rules, then you can just provide the name, so I can say local.rules; however, if it's stored in another directory like /etc/suricata/rules, then you can say /etc/suricata/rules/local.rules and you can load it like that. So any custom rule or rule sets that you'd like to load up can be done this way. For now we don't have that file, because Suricata does not create it by default, so I'll just write and quit, because we don't want to modify that right now.

So let's take a look at the rules stored within /var/lib, and this will require root privileges, so I'll say sudo ls -al /var/lib/suricata. Let me make sure I type that in correctly: /var/lib, that should be under /var/lib/suricata. It's not displaying, so suricata and then rules; it doesn't look like that exists. That's very interesting, because I think we need to run Suricata one time in order for that to be reflected, or in order for that to be created. Because we haven't updated the Suricata rule sets, we need to do that next. Now this can easily be done by typing in sudo suricata-update. Suricata doesn't have a man page or man pages, as you can see here, so you can open up the help menu by saying suricata --help, and the options as you can see are fairly simple: you can specify the configuration file, whether you want to test the configuration file, and then of course you have the suricata-update option, which is what we're going to do now. So we'll say sudo suricata-update and hit Enter. As you can see, it's going to use the following configuration: /etc/suricata/suricata.yaml. By the way, you can create another configuration file, but I don't recommend doing that. You can see it's going to load the distribution rule file from /etc/suricata/rules, from that directory there. Once that is done it is then going to perform the Suricata configuration test, to make sure that there's nothing wrong in terms of the options and syntax that you've used within the Suricata configuration file. We'll give this a couple of seconds; it doesn't take too long. All right, so that is done. Now if we try and list that directory, you can see it exists, so you have suricata.rules, and that contains an aggregation of all the rules. If you take a look at what was displayed here, you can see that no sources have been configured (I'll explain that in a second), so it's going to fetch the latest rules from emergingthreats.net. These are Suricata rules, these are emerging rules, so that's great. It's then going to load the distribution file there and it's going to ignore that file there. So that is done: enabled 131 rules for flowbit dependencies, creating the directory, backing up the current rules, and it's then going to write the rules to suricata.rules. So it's going to add all the rules from these rule files, or these rule sets, into suricata.rules, which is really, really cool.

Now one of the really cool features that Suricata offers is the ability to specify your own sources. By default Suricata allows you to select other sources that you'd like to essentially retrieve rules or rule sets from. You can obtain this by saying sudo suricata-update, and you can then say list-sources, and hit Enter. It's going to download the index of sources; these are all the sources that will give you various types of rule sets based on your own requirements. The one that we were using was, I believe, let's see where this one was from, let's see if it was actually added or it's using the default one. Yeah, so the default one is not here because it's already added. These are the other ones available: we have one from ET Open, that's from Proofpoint, and of course some of these will require a subscription, so you can see the license is commercial in this case. If it is MIT or open source, then you can essentially pull them without any issues, or without registering for a subscription. So if we take a look at some ones that we can use, like this one here, or maybe this win malware rule set here: in order to add it or enable that source we can say sudo suricata-update, and in this case we're saying enable-source, and then we specify the name of the source. We can just copy that there, paste that in there and hit Enter, and you can see that that is done. So now we can update; we can say sudo suricata-update just to make sure that we get the latest here. All right, fantastic, so that is done. It's now going to test the configuration, and we'll give this a couple of seconds. Once that is done we can actually test it ourselves, and I'll show you how to do that; the syntax is very, very simple.

All right, so that is done. If we take a look at the actual Suricata service, sudo systemctl status suricata, it should be disabled; there we are, so it's currently disabled, which is good. In order for us to test the configuration file we can say sudo suricata; we use the -T option to test it, and just like Snort we can specify the configuration file. So I can say sudo suricata -T -c, that's the configuration file, /etc/suricata/suricata.yaml, and we can use the verbose output option there. So it's running it in test mode, and it's going to give you an overview of your resources. The actual fast output device, or the logging configuration, is in fast mode, similar to what we did with Snort, and it also has the EVE log output device, which outputs it in JSON. You can see the name of this file here is fast.log; that's where you can find all the intrusion logs. You then have eve.json, which contains the same information, just in JSON format. And you can see that one rule file was processed, 25,504 rules successfully loaded and zero rules failed. OK, so that is done; we know that Suricata will run without any issues.

So in order to start it, we can essentially just say sudo systemctl; we don't need to run it from the command line, or you can, but you can actually run it in daemon mode, or run the Suricata daemon, similar to what we had with Splunk, which I didn't cover, sorry, not with Splunk, with Snort, which I did not cover: we had the daemon option, which will run it in the background, so that it's run as a daemon. You can also do that with Snort; that is something that I completely went over, but yeah, you can actually see that you can specify your own signature rules there and the actual configuration file. But to run it with systemd you can simply say sudo systemctl start suricata.service. All right, so we can then check the status just to make sure everything is running as it should be; it should say active and loaded. Fantastic, so now that is done. What that means is that it's actually running in the background, so that means it's actually monitoring the network traffic and is logging all files to the following directory: /var/log/suricata. You can see we have the fast.log file, which contains the actual intrusion log stored in the standard output format, and then eve.json, which saves it in JSON format.

To run a quick test we can utilize one of the Suricata rules that is included within the rules file, the default one, which is stored under the directory that we just saw. So it's going to be stored under this file; if I list out the contents of this directory, that rule is part of this rules file, and that rule essentially just detects whether we're querying... you'll actually see the actual event; it's much better if I do it that way. So to essentially test this out we can say the following: I can say curl http://testmynids.org, which is used to test your network intrusion detection system. We're just testing whether it's going to monitor or track all of this, and I know I'm running this from the actual server here. So I can say curl http://testmynids.org/uid/index.html; let me just type that in correctly, hit Enter, and there we are. It just tells us uid root, so that information is considered to be malicious, because it means that we have gained access to root, or an intruder could have gained access to root. So how do we know whether this was logged? To do that we can say sudo cat /var/log/suricata/fast.log, and you can see that that was actually logged there, and, as I said, it's running in the background, which is absolutely fantastic. As you can see here we have the actual log, so it tells us where it was coming from, where it was going to, etc. So this is good, it's working; we know that it is indeed working.

So let's talk about custom rules. All right, in order to do that I'm just going to stop the Suricata service, because we don't need it running right now, so I'm going to say stop, and let's take a look at how to write custom rules. I'm going to store the rules... you can store them wherever you want, just make sure to update that in the actual suricata.yaml config file. So I'll say sudo vim /etc; we can store it here or under the /var/lib directory, under suricata/rules. So I can say /etc/suricata/rules and I'll say local.rules. I'm creating the rules file here, and just like we did with Snort, the actual syntax is exactly the same. So we say alert, the type is of alert, and then we can say icmp. In this case this is going to track or log any pings that are coming from any external network into our home network, so we specify the HOME_NET variable, so that means the subnet that we specified, and we can then specify the message that we want displayed in the log, so we can say ICMP Ping. Let's see, I believe that is the correct syntax, and then we can just close that up there, and we can then specify the sid, which in this case we'll just keep to 1, because this is a custom one anyway, and rev 1 as well, and we can then close those brackets there. OK, so I think that looks good. We didn't specify the port here, which is why the syntax highlighting was not reflected; so any port coming into our home network. So write and quit, and then we can modify the YAML configuration file. Let me just head over to that command there; I should have actually typed it in, but there we are. So we are looking for the rule path, and we want to add it here; these are the other rules or rule sets that we would like to add. So I'll say this is under /etc/suricata/rules/local.rules. Let me type that in correctly, so local.rules, and we can write and quit. You can then test the configuration just to make sure there isn't any issue with it, so I'll hit Enter, and if all is good then we know that we can run Suricata without any issues, and then we can test whether that ping is actually processed or detected by our intrusion detection system. We'll just give this a couple of seconds. All right, so now that that is done we can say sudo systemctl start suricata.service. OK, that is done. I'm just going to run a ping from the Kali Linux system, so I don't need to show you that; I'll just run a ping on this device, or I can run it on maybe the router, on my router here. So I'm just running the ping now, and I'll let it run for a couple of seconds, and we'll check the log to see whether that is actually detected. All right, so I've performed the ping, and we can take a look at the log file now. Let's take a look at the fast.log file. In this case it doesn't look like... is that actually started? Is the Suricata service started? So I'm going to say status; there we are. And if I type in ifconfig, that is correct. So sudo systemctl status for that; that actually should be logged. I'm just going to run the ping again. All right, so after a couple of seconds, I just ran the ping on the actual Ubuntu server, primarily because I know that I'd blocked pings on my router, which makes a lot of sense now. But you can actually see that, based on our custom rule, ICMP Ping there. You can see that we didn't set the priority, but we could have, just as we did with Snort. So it's ICMP, where it came from: it came from this system here and it came onto the Ubuntu server, so those have been logged, and we can essentially keep up to date with the latest logs.

Now I also wanted to showcase the actual JSON, or the eve.json log file, which again, if you actually cat out the content with cat, it's not going to be readable, because it's in JSON format. One tool that we can use is the JSON command line processing tool, also known as jq, so we can say sudo apt-get install jq. It's a very small package, and it will essentially allow us to view this in a way that makes sense. We can utilize the tail utility to display the latest logs, or alerts if you will. The file is /var/log/suricata/eve.json, and we can then pipe that into the jq utility and say that we want to select, and within brackets we can say .event_type, so the event type is going to be equal to "alert"; we'll put this in double quotes. The syntax is fairly simple, and we then need to close the brackets and the single quote there, and hit Enter. Because this is using tail, we would need to perform or simulate another type of intrusion; in this case we can just perform a ping, and I know that that should be displayed, because Suricata is running in the background. So let me just perform the ping here, and because we're using tail it's going to display the latest logs, so we'll give this a couple of seconds. All right, so after a couple of seconds, I just performed the ping on another device on my network, and you can see that this is really helpful when you have this data displayed in JSON format, because you essentially get information like the timestamp, the source IP, the source port, the destination IP, the destination port, the protocol is ICMP, and then of course we have the signature, which is ICMP Ping, and action is allowed. If you were running it in IPS mode, then we could say drop or reject, etc. But yeah, this is very useful; as I said, this can be very useful when you're importing it into tools like Zeek or when you're performing event correlation. So we can just terminate that command there.

I just want to take a couple of moments to thank our Patreons. Thank you Michael Hubbard Dustin Empress Jerry Speds Doozy Sid Saab Ryan Carr Shamir Douglas Jojo Bibi Balangos and David Bricker. You guys are really awesome; thank you very much for supporting us, and you guys make these types of videos possible, so we really appreciate it, and we look forward to producing even more high quality content.
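As an added example (not from the video or from the Suricata project), the Python below does in code what the `tail ... | jq 'select(.event_type=="alert")'` pipeline in the video does, but tolerates truncated or corrupt lines, handles the missing ports of ICMP records, pulls out the fields the video walks through (timestamp, source and destination, protocol, signature, action, community id), renders each alert in a fast.log-like one-line form and counts alerts per signature. The EVE lines are constructed sample input: the "ICMP Ping" alert corresponds to the custom rule written in the video; the second signature, the sid 1000001 and the community id values are made up.

```python
import json
from collections import Counter

# Constructed sample of /var/log/suricata/eve.json lines (not real capture data).
# The "ICMP Ping" alert is what the custom rule from the video would emit:
#   alert icmp any any -> $HOME_NET any (msg:"ICMP Ping"; sid:1; rev:1;)
# The flow/dns records and the broken line show the filter skipping non-alerts.
SAMPLE_EVE = """\
{"timestamp":"2022-05-26T10:00:01.000000+0200","event_type":"flow","src_ip":"192.168.2.10","dest_ip":"192.168.2.20","proto":"ICMP"}
{"timestamp":"2022-05-26T10:00:02.000000+0200","event_type":"alert","src_ip":"192.168.2.10","dest_ip":"192.168.2.20","proto":"ICMP","community_id":"1:CONSTRUCTED-ID-1","alert":{"action":"allowed","gid":1,"signature_id":1,"rev":1,"signature":"ICMP Ping"}}
this line is not JSON (e.g. a partial write during log rotation) and must be skipped
{"timestamp":"2022-05-26T10:00:03.000000+0200","event_type":"dns","src_ip":"192.168.2.20","src_port":51000,"dest_ip":"192.168.2.1","dest_port":53,"proto":"UDP"}
{"timestamp":"2022-05-26T10:00:04.000000+0200","event_type":"alert","src_ip":"192.168.2.20","src_port":51001,"dest_ip":"192.168.2.10","dest_port":22,"proto":"TCP","community_id":"1:CONSTRUCTED-ID-2","alert":{"action":"allowed","gid":1,"signature_id":1000001,"rev":1,"signature":"Constructed test signature"}}
"""


def endpoint(record, ip_key, port_key):
    """Format ip:port; ICMP records carry no port, so show '-' instead of crashing."""
    return f"{record.get(ip_key, '?')}:{record.get(port_key, '-')}"


def parse_eve_alerts(lines):
    """Return the alert records from EVE JSON lines (the jq select(.event_type=="alert")
    filter), skipping blank or unparsable lines instead of aborting on them."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated or corrupt line: skip it, keep processing the rest
        if record.get("event_type") != "alert":
            continue
        alert = record.get("alert", {})
        alerts.append({
            "timestamp": record.get("timestamp"),
            "src": endpoint(record, "src_ip", "src_port"),
            "dst": endpoint(record, "dest_ip", "dest_port"),
            "proto": record.get("proto"),
            "gid": alert.get("gid", 1),
            "sid": alert.get("signature_id"),
            "rev": alert.get("rev"),
            "signature": alert.get("signature"),
            "action": alert.get("action"),
            "community_id": record.get("community_id"),  # present when community-id is enabled
        })
    return alerts


def fast_style(alert):
    """Render an alert in a fast.log-like form (approximation, not Suricata's exact layout)."""
    return (f"{alert['timestamp']} [**] [{alert['gid']}:{alert['sid']}:{alert['rev']}] "
            f"{alert['signature']} [**] {{{alert['proto']}}} {alert['src']} -> {alert['dst']}")


def count_by_signature(alerts):
    """Alert counts per (sid, signature), the view a SOC dashboard would show."""
    return Counter((a["sid"], a["signature"]) for a in alerts)


if __name__ == "__main__":
    found = parse_eve_alerts(SAMPLE_EVE.splitlines())
    for a in found:
        print(fast_style(a), a["action"], a["community_id"])
    for (sid, sig), n in count_by_signature(found).items():
        print(f"sid {sid} '{sig}': {n} alert(s)")
```

To run it against a live sensor, replace `SAMPLE_EVE.splitlines()` with the lines of /var/log/suricata/eve.json; the JSON field names used above are Suricata's standard EVE alert fields.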
Info
Channel: HackerSploit
Views: 59,779
Keywords: hackersploit, hacker exploit, hacking, kali linux, suricata, suricata tutorial, suricata installation, suricata wb interface, intrusion detection, suricata pfsense, ids, lawrencesystems, suricata pfsense tutorial, pfsense, firewall, pfsense router, network, pfsense setup, suricata pfsense install, suricata pfsense configuration, suricata pfsense setup guide, snort vs suricata pfsense, tutorial, installing suricata, how to install suricata, Installing suricata on pfsense
Id: UXKbh0jPPpg
Length: 27min 15sec (1635 seconds)
Published: Thu May 26 2022