Suricata 4.0 detects intruders and monitors network traffic

Suricata


Suricata is a high-performance open source network engine for intrusion detection (IDS), intrusion prevention (IPS) and network security monitoring. It is a cross-platform application developed and owned by the Open Information Security Foundation (OISF), a non-profit community foundation.

It works from an externally developed set of rules to monitor network traffic and alert the system administrator when suspicious events occur. Designed to be compatible with existing network security components, it offers unified output functionality and pluggable library options to accept calls from other applications. As a multi-threaded engine, it offers increased speed and efficiency in network traffic analysis.

Today it is at version 4.0, with improvements in intrusion detection capabilities, support for more protocols and options, and improvements to the TCP flow engine and the IDS itself.

How to install Suricata on Ubuntu?

As I mentioned, it supports several operating systems and Ubuntu is no exception: there is an official repository (PPA) that we can add in order to install it on our system, just by typing the following commands:

sudo add-apt-repository ppa:oisf/suricata-stable
sudo apt-get update
sudo apt-get install suricata

If you are on Ubuntu 16.04 or run into dependency problems, the following command resolves it:

sudo apt-get install libpcre3-dbg libpcre3-dev autoconf automake libtool libpcap-dev libnet1-dev libyaml-dev zlib1g-dev libcap-ng-dev libmagic-dev libjansson-dev libjansson4

Once the installation is done, it is recommended to disable any offload feature on the NIC that Suricata listens on, since offloading merges packets in the driver before the engine sees them.

You can disable LRO/GRO on the eth0 network interface with the following command:

sudo ethtool -K eth0 gro off lro off

Suricata supports a number of run modes. We can see the list of all run modes with the following command:

sudo /usr/bin/suricata --list-runmodes

The default run mode is autofp, which stands for "automatic fixed flow load balancing". In this mode, all packets of a given flow are assigned to a single detection thread; each new flow goes to the thread with the lowest number of unprocessed packets.

Now we can start Suricata in pcap live mode using the following command:

sudo /usr/bin/suricata -c /etc/suricata/suricata.yaml -i ens160 --init-errors-fatal
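
Putting the offload check and the start command together, as an added example that is not from the original post: the script below parses `ethtool -k` output, disables only the GRO/LRO features that are still on (skipping ones the driver marks `[fixed]`, which `ethtool -K` cannot change), and then starts Suricata exactly as above. It assumes root, `ethtool` and `suricata` on the PATH, and the interface name ens160 from the post.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes root privileges,
# ethtool and suricata on the PATH, and a config at /etc/suricata/suricata.yaml.

# Read `ethtool -k IFACE` output on stdin and print the short ethtool names
# of the receive-offload features that are still "on". Features flagged
# "[fixed]" cannot be toggled by the driver, so they are skipped.
offloads_to_disable() {
    awk '
        $1 == "generic-receive-offload:" && $2 == "on" && $3 != "[fixed]" { print "gro" }
        $1 == "large-receive-offload:"   && $2 == "on" && $3 != "[fixed]" { print "lro" }
    '
}

# Turn that list (one name per line) into an `ethtool -K` argument string,
# e.g. "gro off lro off". Prints nothing when nothing needs disabling.
ethtool_args() {
    awk '{ a = a (a ? " " : "") $1 " off" } END { if (a) print a }'
}

# Disable only the offload features that are actually enabled on $1.
disable_offloads() {
    iface="$1"
    args=$(ethtool -k "$iface" | offloads_to_disable | ethtool_args)
    if [ -n "$args" ]; then
        # word-splitting of $args into separate arguments is intended here
        ethtool -K "$iface" $args
    fi
}

# Disable offloading, then start Suricata in pcap live mode on the interface
# (ens160 by default, as in the post), failing on any initialisation error.
main() {
    iface="${1:-ens160}"
    disable_offloads "$iface"
    exec suricata -c /etc/suricata/suricata.yaml -i "$iface" --init-errors-fatal
}

# Only start when an interface is given, e.g. `sudo sh start-suricata.sh ens160`.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```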

If you want to know a little more about the options Suricata offers, I leave you this link where you can check out everything about this amazing software.


  1. Gustavo Adolfo Villegas Gomez said:

     Elizabeth Aristizabal Gomez

     1. Elizabeth Aristizabal Gomez said:

        I always wanted to go far in life. ?

  2. George said:

     And then how do I see what it detects?