How to Install Suricata IDS on Ubuntu 24.04

Suricata is a powerful, open-source Intrusion Detection System (IDS) and Intrusion Prevention System (IPS). This guide will walk you through installation and basic configuration.

Prerequisites

  • Ubuntu 24.04 server
  • Root or sudo privileges
  • At least 4GB RAM (8GB recommended for production)
  • A network interface that sees the traffic to inspect (a SPAN/mirror port or a TAP); Suricata's af-packet capture puts the interface into promiscuous mode itself

Step 1: Update System

sudo apt update
sudo apt upgrade -y

Step 2: Install Required Dependencies

sudo apt install -y wget gnupg software-properties-common

Why these packages?

  • wget: For downloading additional files
  • gnupg: For signature verification
  • software-properties-common: Provides add-apt-repository, used to add the OISF PPA in the next step

Step 3: Add OISF Repository

sudo add-apt-repository ppa:oisf/suricata-stable -y
sudo apt update

Step 4: Install Suricata

sudo apt install suricata -y

Step 5: Configure Network Interface

Edit the Suricata configuration file:

sudo nano /etc/suricata/suricata.yaml

Find the af-packet section and set the interface Suricata should listen on. On Ubuntu 24.04 the interface is usually named like enp0s3 or ens18 rather than eth0; check with ip link:

af-packet:
  - interface: eth0  # Change to your network interface
    cluster-id: 99
    cluster-type: cluster_flow
    defrag: yes
    use-mmap: yes
    tpacket-v3: yes

While you are in the file, also set HOME_NET under vars: address-groups to the address ranges you are protecting (the default covers the RFC 1918 private ranges) and leave EXTERNAL_NET as !$HOME_NET. The downloaded rulesets and the custom rules later in this guide are written against these variables, so a wrong HOME_NET makes many rules silently never match.

Understanding the configuration:

  • cluster-id: The AF_PACKET fanout group ID; use a different value for each interface entry
  • cluster-type: Determines how packets are distributed across capture threads; cluster_flow hashes on the flow so both directions of a connection reach the same thread
  • defrag: Asks the kernel to reassemble IP fragments before fanout, so a whole datagram lands on one thread
  • use-mmap: Enables memory-mapped packet capture (a shared ring buffer instead of a copy per packet)
  • tpacket-v3: Uses the TPACKET_V3 ring-buffer API, which hands packets over in blocks and is the most efficient option

Step 6: Update Suricata Rules

suricata-update downloads the rulesets and merges them into /var/lib/suricata/rules/suricata.rules, the rule file the packaged suricata.yaml loads:

sudo suricata-update

The Emerging Threats Open ruleset (et/open) is enabled by default. To see the other available rulesets and enable one (run suricata-update update-sources first to refresh the source index):

# List available rulesets
sudo suricata-update list-sources

# Enable specific ruleset
sudo suricata-update enable-source et/open
sudo suricata-update

A running Suricata does not pick up a new suricata.rules on its own: reload the rules with suricatasc -c reload-rules, or restart the service, after each update.

Step 7: Configure Outputs

The packaged suricata.yaml already has eve-log enabled; what matters is the list of event types. alert is the minimum, and the protocol logs (http, dns, tls, ssh, files, flow) provide the context you need to triage an alert. Note that eve.json grows quickly on a busy link, so plan log rotation from the start:

outputs:
  - eve-log:
      enabled: yes
      filetype: regular
      filename: /var/log/suricata/eve.json
      types:
        - alert
        - http
        - dns
        - tls
        - files
        - ssh
        - flow

Step 8: Start Suricata Service

Test the configuration first (the suricata -T command in the Troubleshooting section exits non-zero on a YAML or rule error), then start and enable the service:

sudo systemctl start suricata
sudo systemctl enable suricata
sudo systemctl status suricata

Step 9: Verify Installation

--build-info prints the version and the capture methods compiled in (look for AF_PACKET support); suricata.log shows the startup sequence, including how many rules were loaded and the packet processing threads starting on your interface:

sudo suricata --build-info
sudo tail -f /var/log/suricata/suricata.log

Advanced Configuration

Memory Management

The detect section controls how signatures are grouped for matching; a higher profile builds more groups, which speeds up matching at the cost of memory, and custom-values only takes effect with profile: custom. max-pending-packets bounds how many packets can be in flight between capture and detection:

# in suricata.yaml
max-pending-packets: 1024
detect:
  profile: medium
  custom-values:
    toclient-groups: 3
    toserver-groups: 25

The hard memory limits for the flow, stream and defrag engines are the memcap settings in their own sections (for example flow: memcap and stream: memcap). If stats.log shows rising memcap drop counters such as flow.memcap or tcp.ssn_memcap_drop, a limit is being hit and Suricata is losing state.

Performance Tuning

With af-packet in the workers runmode (runmode: workers), each worker thread captures, decodes, reassembles and inspects its own share of flows, so affinity is set per worker set; the separate decode and stream CPU sets found in old configuration files are not used by current releases. Keep management on its own core and give the workers the rest:

threading:
  set-cpu-affinity: yes
  cpu-affinity:
    - management-cpu-set:
        cpu: [ 0 ]
    - receive-cpu-set:
        cpu: [ 0 ]
    - worker-cpu-set:
        cpu: [ 1, 2, 3, 4, 5 ]
        mode: "exclusive"

Set threads under the af-packet interface entry to the number of worker cores (or leave it on auto) so each worker gets one fanout slot and one core.

Rule Management

Custom Rules

Create a custom rules file (sids 1000000 to 1999999 are reserved for local rules, so they never collide with a downloaded ruleset):

sudo nano /etc/suricata/rules/local.rules

Example rules:

# Alert on SSH connection attempts: count SYNs to port 22, not every packet of an established session
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"Potential SSH Brute Force"; flow:to_server; flags:S,12; threshold: type both, track by_src, count 5, seconds 60; classtype:attempted-admin; sid:1000001; rev:1;)

# Alert on multiple HTTP 404s: the status code is in the server reply, so the rule matches the response direction and tracks the client (the reply's destination)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"Possible Web Scan"; flow:to_client,established; http.stat_code; content:"404"; threshold: type both, track by_dst, count 10, seconds 60; classtype:web-application-attack; sid:1000002; rev:1;)

The file is not loaded until Suricata knows about it: either add its full path to rule-files in suricata.yaml, or pass it to suricata-update with --local /etc/suricata/rules/local.rules so it is merged into suricata.rules. Run suricata -T afterwards to catch syntax errors.
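A pre-commit check for local.rules, added here as an example; it is not Suricata's own tooling, and suricata -T remains the authoritative check. It parses the header and the option list of each rule and flags a sid outside the local range or used twice, a missing msg/sid/rev, an unterminated option list, and a common direction mistake: a response-side keyword (http.stat_code) in a rule written client to server. The sample rules are constructed and the third one is deliberately broken; the sid range and the direction check are conventions assumed by this script, not errors Suricata itself reports.

```python
"""Lint a Suricata rules file before handing it to suricata -T (added example)."""
import re
from dataclasses import dataclass

# Constructed sample: two sound rules and one deliberately broken rule
# (duplicate sid, response-side keyword in a client-to-server rule).
SAMPLE_RULES = r'''
# local.rules (constructed)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"Potential SSH Brute Force"; flow:to_server; flags:S,12; threshold: type both, track by_src, count 5, seconds 60; classtype:attempted-admin; sid:1000001; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"Possible Web Scan"; flow:to_client,established; http.stat_code; content:"404"; threshold: type both, track by_dst, count 10, seconds 60; classtype:web-application-attack; sid:1000002; rev:1;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"Broken: 404 in request direction"; flow:established; http.stat_code; content:"404"; sid:1000001; rev:1;)
'''

LOCAL_SID_RANGE = (1000000, 1999999)  # convention for locally written rules
RESPONSE_KEYWORDS = {"http.stat_code", "http_stat_code", "http.stat_msg", "http_stat_msg"}

# action proto src sport dir dst dport (options) -- address lists must be written without spaces
HEADER_RE = re.compile(
    r"^(?P<action>alert|drop|pass|reject|rejectsrc|rejectdst|rejectboth)\s+"
    r"(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$"
)


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    direction: str
    dst: str
    dport: str
    options: list  # (keyword, value or None) in the order written


def split_options(body):
    """Split 'k:v; k2; ...' on ';' outside double quotes, honouring backslash escapes."""
    opts, cur, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == '"':
            cur.append(ch)
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            token = "".join(cur).strip()
            if token:
                key, _, value = token.partition(":")
                opts.append((key.strip(), value.strip() or None))
            cur = []
        else:
            cur.append(ch)
    if "".join(cur).strip():
        raise ValueError("last option is not terminated with ';'")
    return opts


def parse_rule(line):
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError(f"cannot parse rule header: {line.strip()[:50]}")
    return Rule(m["action"], m["proto"], m["src"], m["sport"], m["dir"],
                m["dst"], m["dport"], split_options(m["opts"]))


def lint(text):
    """Return (line_number, message) findings for the text of a rules file."""
    findings, seen = [], {}
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            rule = parse_rule(line)
        except ValueError as exc:
            findings.append((n, str(exc)))
            continue
        opts = dict(rule.options)  # fine for single-valued keys such as sid, rev, msg, flow
        for required in ("msg", "sid", "rev"):
            if required not in opts:
                findings.append((n, f"missing {required}"))
        sid = opts.get("sid")
        if sid is not None:
            if not sid.isdigit() or not LOCAL_SID_RANGE[0] <= int(sid) <= LOCAL_SID_RANGE[1]:
                findings.append((n, f"sid {sid} outside local range {LOCAL_SID_RANGE}"))
            elif sid in seen:
                findings.append((n, f"duplicate sid {sid} (first seen on line {seen[sid]})"))
            seen.setdefault(sid, n)
        # Heuristic: status-code buffers only exist in the server reply, so a rule that
        # inspects them but is written towards $HOME_NET (or says to_server) is looking
        # in the wrong direction.
        keys = {k for k, _ in rule.options}
        flow = opts.get("flow") or ""
        if keys & RESPONSE_KEYWORDS and ("to_server" in flow or "from_client" in flow
                                          or rule.dst == "$HOME_NET"):
            findings.append((n, "response-side keyword in a client-to-server rule; "
                                "swap the header direction and use flow:to_client"))
    return findings


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RULES
    for n, msg in lint(text):
        print(f"line {n}: {msg}")
```

Run it with the path of local.rules as the argument, or without arguments to see the findings on the constructed sample. The option splitter tracks quotes and backslash escapes because pcre and content values legitimately contain semicolons.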

Monitoring and Analysis

Basic Log Analysis

# View alerts in real-time (fast.log is the one-line-per-alert text log)
sudo tail -f /var/log/suricata/fast.log

# Search for specific attacks (check event_type first: non-alert events have no .alert object and jq's contains errors on null)
sudo jq -c 'select(.event_type=="alert" and (.alert.signature | contains("SQL Injection")))' /var/log/suricata/eve.json

# Count alerts by signature
sudo jq -r 'select(.event_type=="alert") | .alert.signature' /var/log/suricata/eve.json | sort | uniq -c | sort -nr

Performance Monitoring

# Dump all engine counters from the running instance (the same counters Suricata writes to /var/log/suricata/stats.log)
sudo suricatasc -c "dump-counters"

# Per-interface capture statistics: packets seen, kernel drops and invalid checksums
sudo suricatasc -c "iface-stat eth0"

Troubleshooting

Common Issues

  • High CPU Usage:
    # Check per-thread utilization (worker threads are named W#01-eth0 and so on)
    sudo ps -L -p "$(pidof suricata)" -o tid,comm,%cpu
  • Dropped Packets:
    # Compare capture.kernel_packets with capture.kernel_drops; a growing drop count means the workers cannot keep up
    grep -E 'capture\.kernel_(packets|drops)' /var/log/suricata/stats.log | tail -n 4
  • Rule Loading Issues:
    # Validate configuration and rules without starting capture; -v reports the rules that failed to load
    sudo suricata -T -c /etc/suricata/suricata.yaml -v

Best Practices

  • Regularly update rules
  • Monitor system resources
  • Tune rules based on false positives
  • Implement log rotation
  • Regular backup of custom configurations

Integration with Other Tools

ELK Stack Integration

Ship eve.json to Elasticsearch with Filebeat. Each line is one JSON object, so Filebeat can decode it directly instead of treating it as text. Filebeat also ships a ready-made suricata module (filebeat modules enable suricata) that does this and adds field mappings; the manual input below is the minimal equivalent:

# Filebeat configuration
filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /var/log/suricata/eve.json
  json.keys_under_root: true
  json.add_error_key: true
  fields:
    source: suricata

Filebeat runs as its own user, so make sure it can read /var/log/suricata/eve.json.

Setting Up Alerts

Suricata itself does not execute scripts or send mail; it only writes events to its logs. Notification therefore needs a consumer that follows eve.json (or fast.log), picks out the alerts worth acting on, and hands each one to a delivery script such as this one. The scripts directory does not exist by default, so create it first:

# Create alert script
sudo nano /etc/suricata/scripts/alert.sh

#!/bin/bash
# Send alert via email; invoked by whatever consumes eve.json, with the alert text as $1
echo "Alert: $1" | mail -s "Suricata Alert" [email protected]

Rate-limit before mailing: a single scanning host can raise hundreds of identical alerts a minute.
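The consumer described above, added here as an example; it is not part of this guide or of Suricata, and it also shows the eve.json parsing that the log-analysis section does with jq. It follows eve.json, keeps alerts at or above a severity threshold (Suricata's severity 1 is the most severe and comes from the classtype priority), suppresses repeats of the same signature from the same source within a window, and hands each survivor to a notifier: print for a dry run, or mail(1) through the send_mail helper, which assumes a working local MTA. The eve.json lines in the block are constructed for the dry run and are not real Suricata output.

```python
"""Consume Suricata eve.json and forward alerts worth acting on (added example)."""
import json
import subprocess
import sys
import time

# Constructed eve.json events for a dry run; field names follow the eve alert schema.
_SAMPLE_EVENTS = [
    {"timestamp": "2024-06-01T12:00:00.000000+0000", "event_type": "flow",
     "src_ip": "10.0.0.5", "dest_ip": "10.0.0.9"},
    {"timestamp": "2024-06-01T12:00:01.000000+0000", "event_type": "alert",
     "src_ip": "203.0.113.7", "dest_ip": "10.0.0.9", "dest_port": 22, "proto": "TCP",
     "alert": {"signature_id": 1000001, "rev": 1, "signature": "Potential SSH Brute Force",
               "category": "Attempted Administrator Privilege Gain", "severity": 1}},
    {"timestamp": "2024-06-01T12:00:02.000000+0000", "event_type": "alert",  # repeat
     "src_ip": "203.0.113.7", "dest_ip": "10.0.0.9", "dest_port": 22, "proto": "TCP",
     "alert": {"signature_id": 1000001, "rev": 1, "signature": "Potential SSH Brute Force",
               "category": "Attempted Administrator Privilege Gain", "severity": 1}},
    {"timestamp": "2024-06-01T12:00:03.000000+0000", "event_type": "alert",
     "src_ip": "10.0.0.5", "dest_ip": "198.51.100.4", "dest_port": 443, "proto": "TCP",
     "alert": {"signature_id": 1000010, "rev": 1, "signature": "Constructed outbound beacon",
               "category": "Potentially Bad Traffic", "severity": 2}},
    {"timestamp": "2024-06-01T12:00:04.000000+0000", "event_type": "alert",  # too low
     "src_ip": "10.0.0.5", "dest_ip": "10.0.0.9", "dest_port": 80, "proto": "TCP",
     "alert": {"signature_id": 1000003, "rev": 1, "signature": "Constructed low-priority alert",
               "category": "Not Suspicious Traffic", "severity": 3}},
]
SAMPLE_EVE_LINES = [json.dumps(e) for e in _SAMPLE_EVENTS] + [
    '{"timestamp":"2024-06-01T12:00:05.000000+0000","event_type":"al',  # partial line mid-write
]


def parse_events(lines):
    """Yield decoded eve events, skipping blank and partially written lines."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            # Suricata appends one JSON object per line; a reader racing the writer
            # can see an incomplete last line. Skip it rather than crash.
            continue


class AlertFilter:
    """Severity threshold plus a per-(signature, source) suppression window."""

    def __init__(self, max_severity=2, window_seconds=300):
        self.max_severity = max_severity
        self.window = window_seconds
        self._last_sent = {}  # (signature_id, src_ip) -> time of last dispatch

    def accept(self, event, now):
        if event.get("event_type") != "alert":
            return False
        alert = event.get("alert") or {}
        if alert.get("severity", 3) > self.max_severity:
            return False
        key = (alert.get("signature_id"), event.get("src_ip"))
        last = self._last_sent.get(key)
        if last is not None and now - last < self.window:
            return False  # same signature from the same source, already reported
        self._last_sent[key] = now
        return True


def format_alert(event):
    a = event["alert"]
    return (f"[sev {a.get('severity')}] {a.get('signature')} (sid:{a.get('signature_id')}) "
            f"{event.get('src_ip')} -> {event.get('dest_ip')}:{event.get('dest_port')} "
            f"{event.get('proto')} at {event.get('timestamp')}")


def send_mail(text, recipient):
    """Deliver through the local MTA with mail(1); assumes a mail command is installed."""
    subprocess.run(["mail", "-s", "Suricata Alert", recipient], input=text.encode(), check=False)


def process(lines, filt, notify, now=None):
    """Run events through the filter; return the messages that were dispatched."""
    sent = []
    for event in parse_events(lines):
        stamp = time.time() if now is None else now
        if filt.accept(event, stamp):
            msg = format_alert(event)
            notify(msg)
            sent.append(msg)
    return sent


def follow(path, poll=1.0):
    """Tail a file from its current end, like tail -f."""
    with open(path, encoding="utf-8", errors="replace") as f:
        f.seek(0, 2)
        while True:
            line = f.readline()
            if line:
                yield line
            else:
                time.sleep(poll)


if __name__ == "__main__":
    filt = AlertFilter()
    if len(sys.argv) > 1:  # live: python3 eve_alerts.py /var/log/suricata/eve.json
        process(follow(sys.argv[1]), filt, print)
    else:                  # dry run on the constructed sample
        process(SAMPLE_EVE_LINES, filt, print, now=0.0)
```

To mail instead of print, pass a notifier such as lambda m: send_mail(m, "ops@example.invalid"), where the address is a placeholder. The follow() reader keeps its file handle open, so it does not cope with copytruncate rotation; rotate by moving the file and sending Suricata SIGHUP so it reopens its logs, then restart the reader.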

Regular Maintenance

  • Update signatures daily
  • Monitor log sizes
  • Review and tune rules
  • Check system performance
  • Backup configurations