Suricata on NethServer?

Continuing the discussion from Bandwith problem:

I think we should separate this discussion

IMHO, snort defaults in 6.7 protect against a very low number of threats. But security needs many layers, one more is always better. And you may have customized snort as I did.
To use snort with an high bandwidth link as yours, you need a lot of cpu power.
The tests made by @EddieA seem to prove that the number of rules is not affecting a lot bandwidth cutoff, but my old tests (with much lower bandwidth) told another story: rules number made a substantial difference.

I’m working on snort on 7, but I still haven’t tested performances. With a few rules and a weak cpu I can reach 30 mibt/s.

May be interesting:

https://www.aldeid.com/wiki/Suricata-vs-snort

http://wiki.aanval.com/wiki/Snort_vs_Suricata

1 Like

Suricata is much better because it can use multiple cores (snort 3 will, but it’s in alpha).
As I said in the past, it wasn’t stable enough when we had to take a decision on NethServer 6.5.
I think that it’s now much better, it even landed in epel, so it will be a metter of minutes to have it on NS.
But I’m exploring application ID on snort for 7 and AFAIK suricata is still missign such a feature.

1 Like

suricata have much more interessing features like ip reputation, and perform much better on multicpu.

flowbit:
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Flow-keywords

ip rep:
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/IP_Reputation

this is an old (2010) article on suricata performance…

1 Like

As result, Suricata is Multi-threaded so, it may be faster.

1 Like

That’s what I think too. Can anybody help with howto install suricata on nethserver?

That’s a great idea, does anyone want to give it a try?

1 Like

Now I’m using suricata on my pfsense firewall (now a VM in nethserver! :wink: ) and works great…i use both ET open and VRT paid rules (18600+ rules)…no problem with my slow 20 mbps connection :frowning:
Never crashed in one year :wink:

1 Like

I’ll have to give it a try sometime once I get the time

1 Like

Me too :triumph:

Uh don’t fight guys :slight_smile: There’s room for all @bwdjames
Please share your achivements and notes as soon as possibile. I’m eager to know how things are going

Start testing with:

yum -y install gcc libpcap-devel pcre-devel libyaml-devel file-devel
zlib-devel jansson-devel nss-devel libcap-ng-devel libnet-devel tar make
libnetfilter_queue-devel lua-devel

wget http://www.openinfosecfoundation.org/download/suricata-3.0.1.tar.gz
tar -xvzf suricata-3.0.tar.gz
cd suricata-3.0
./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var --enable-nfqueue --enable-lua
make install-full

LD_LIBRARY_PATH=/usr/lib /usr/bin/suricata -c /etc/suricata//suricata.yaml -i eth0

For now all ok (install) =) i have to test if it work :smiley: …no more time today :tired_face:

NB: clamav show the rules as virus (false positive)…so if you have a proxy with clamav scan will block it! :wink:

1 Like

Nice job, let’s keep the ball rolling

I’d use a much “simpler” command:

yum install http://codemonkey.net/files/rpm/suricata/stable/epel-7-x86_64/suricata-3.0-0.1.el7.x86_64.rpm

You’ll get 3.0.0 instead of 3.0.1, but it’s a matter of time for the latest version to be released.

2 Likes

=)

1 Like

Install suricata and download oinkmaster:

yum install suricata -y
wget http://prdownloads.sourceforge.net/oinkmaster/oinkmaster-2.0.tar.gz
tar xzf oinkmaster-2.0.tar.gz
mkdir /etc/oinkmaster
mv oinkmaster-2.0/* /etc/oinkmaster/
yum install nano -y

Edit oinkmaster config:

nano /etc/oinkmaster/oinkmaster.conf

Add: “url = http://rules.emergingthreats.net/open/suricata/emerging.rules.tar.gz

Run oinkmaster:
/etc/oinkmaster/oinkmaster.pl -C /etc/oinkmaster/oinkmaster.conf -o /etc/suricata/rules

Edit suricata config:

nano /etc/suricata/suricata.yaml

My NIC (or VM?) need this change to avoid SURICATA TCPv4 invalid checksum [**] [Classification: (null)] [Priority: 3] rule to be triggered:

checksum-validation: yes -> checksum-validation: no

search for:
# Set the default rule path here to search for the files.
# if not set, it will look at the current working dir
default-rule-path: /etc/suricata/rules
rule-files:

and change the list of rule to use according to your needs (this is mine):

 - botcc.rules
 - ciarmy.rules
 - compromised.rules
 - drop.rules
 - dshield.rules
 - emerging-activex.rules
 - emerging-attack_response.rules
# - emerging-chat.rules
# - emerging-current_events.rules
 - emerging-dns.rules
 - emerging-dos.rules
 - emerging-exploit.rules
# - emerging-ftp.rules
# - emerging-games.rules
# - emerging-icmp_info.rules
# - emerging-icmp.rules
 - emerging-imap.rules
 - emerging-inappropriate.rules
 - emerging-malware.rules
 - emerging-misc.rules
 - emerging-mobile_malware.rules
# - emerging-netbios.rules
 - emerging-p2p.rules
# - emerging-policy.rules
 - emerging-pop3.rules
# - emerging-rpc.rules
# - emerging-scada.rules
 - emerging-scan.rules
# - emerging-shellcode.rules
 - emerging-smtp.rules
# - emerging-snmp.rules
 - emerging-sql.rules
# - emerging-telnet.rules
# - emerging-tftp.rules
 - emerging-trojan.rules
# - emerging-user_agents.rules
# - emerging-voip.rules
 - emerging-web_client.rules
 - emerging-web_server.rules
# - emerging-web_specific_apps.rules
 - emerging-worm.rules
 - tor.rules
 - decoder-events.rules # available in suricata sources under rules dir
 - stream-events.rules  # available in suricata sources under rules dir
 - http-events.rules    # available in suricata sources under rules dir
 - smtp-events.rules    # available in suricata sources under rules dir
 - dns-events.rules     # available in suricata sources under rules dir
 - tls-events.rules     # available in suricata sources under rules dir
# - modbus-events.rules  # available in suricata sources under rules dir
 - app-layer-events.rules  # available in suricata sources under rules dir

then:

suricata -i eth0

To autoupdate rules, cron: /etc/oinkmaster/oinkmaster.pl -C /etc/oinkmaster/oinkmaster.conf -o /etc/suricata/rules
and restart suricata :slight_smile:


Note you can simply:

yum install suricata -y
wget http://rules.emergingthreats.net/open/suricata/emerging.rules.tar.gz
tar xzf emerging.rules.tar.gz
mv rules/* /etc/suricata/rules/
em rules
suricata -i eth0

but will use the standard suricata config


Sorry it’s a bit confusing :blush: :weary:

2 Likes

@rasi @bwdjames @GG_jr Enjoy! :stuck_out_tongue:

Thanks guys! I’ll give this a try sometime. I would try it straight away but I have something urgent work-related tasks to complete first. Will be providing feedback once I have given it a try

1 Like

in this way, and with only one NIC, it work as IDS…some one can try it in IPS mode? :smiling_imp: