Suricata on NethServer?

Thanks guys! I’ll give this a try sometime. I would try it straight away but I have some urgent work-related tasks to complete first. Will be providing feedback once I have given it a try.

1 Like

In this way, and with only one NIC, it works as an IDS… can someone try it in IPS mode? :smiling_imp:

@jackyes will add that to the list of things to try

1 Like

To test if it works, create a custom rule.

Put a file named customrules.rules in /etc/suricata/rules

and add to it:

drop tcp any any -> any any (msg:"facebook Block =)"; content:"facebook.com"; http_header; nocase; classtype:policy-violation; sid:1;)

In /etc/suricata/suricata.yaml

add customrules.rules to the enabled rules

example:

rule-files:
  - customrules.rules
  - botcc.rules
  - ciarmy.rules
  - compromised.rules
  - drop.rules

This will trigger when you try to reach facebook.com :slight_smile:

UPDATE :wink:

To use Suricata in IPS mode (for the machine itself):

# start suricata with the -q 0 option
suricata -q 0 &
# add these iptables rules
iptables -I INPUT -j NFQUEUE
iptables -I OUTPUT -j NFQUEUE

To use Suricata in IPS mode (as gateway): not tested

# start suricata with the -q 0 option
suricata -q 0 &
# add this iptables rule
iptables -I FORWARD -j NFQUEUE

Hope this helps :slight_smile:
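The custom rule in the post above is easy to break when it is copied from a web page: the arrow comes out as a Unicode "→", the quotes become curly quotes, and the file no longer loads. The checker below is an added example, not code from this thread or from NethServer. It parses the classic "action proto src sport -> dst dport (options)" header, splits the option block while respecting quoted strings, and flags copy-paste characters, a missing or non-numeric sid, a sid outside the range 1000000-1999999 (the Snort/ET convention for local rules, assumed here rather than anything NethServer enforces) and a missing rev. The sample rules embedded in it are constructed; the first is the rule as it arrives from a forum post, the second the same rule written the way Suricata expects it.

```python
"""Lint a Suricata rules file before adding it to rule-files.

Added example, not code from the NethServer thread. It checks the
'action proto src sport -> dst dport (options)' layout used above and
flags the mistakes that creep in when a rule is pasted from a web page.
The sample rules at the bottom are constructed for the demo.
"""
import re

# Header layout: action, protocol, source, source port, direction,
# destination, destination port, then the option block in parentheses.
_HEADER = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)
_ACTIONS = {"alert", "drop", "reject", "pass"}

# Assumption: local rules live in 1000000-1999999 (the Snort/ET convention),
# so they never collide with sids of the downloaded rulesets listed next
# to customrules.rules in suricata.yaml.
_LOCAL_SID_MIN, _LOCAL_SID_MAX = 1_000_000, 1_999_999

# Characters that forum software or word processors substitute for the
# ASCII ones Suricata expects: arrow, double and single curly quotes.
_BAD_CHARS = {"\u2192": "->", "\u201c": '"', "\u201d": '"', "\u2018": "'", "\u2019": "'"}


def _push(items, buf):
    """Turn one buffered 'key:value' (or bare keyword) into a tuple."""
    text = "".join(buf).strip()
    if text:
        key, _, value = text.partition(":")
        items.append((key.strip(), value.strip() or None))


def parse_options(opts):
    """Split the option block on ';' while honouring quoted strings,
    so a ';' or ')' inside msg:"..." does not end the option."""
    items, buf, quoted, escaped = [], [], False, False
    for ch in opts:
        if escaped:
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == '"':
            quoted = not quoted
        elif ch == ";" and not quoted:
            _push(items, buf)
            buf = []
            continue
        buf.append(ch)
    _push(items, buf)
    return items


def lint_rule(line):
    """Return a list of problems for one rule line (empty means clean)."""
    problems = []
    for bad, good in _BAD_CHARS.items():
        if bad in line:
            problems.append(f"replace {bad!r} with {good!r}")
            line = line.replace(bad, good)
    m = _HEADER.match(line)
    if m is None:
        problems.append("header does not match 'action proto src sport -> dst dport (...)'")
        return problems
    if m["action"] not in _ACTIONS:
        problems.append(f"unknown action {m['action']!r}")
    opts = parse_options(m["opts"])
    sid = next((v for k, v in opts if k == "sid"), None)
    if sid is None or not sid.isdigit():
        problems.append("missing or non-numeric sid; Suricata requires one")
    elif not _LOCAL_SID_MIN <= int(sid) <= _LOCAL_SID_MAX:
        problems.append(
            f"sid {sid} is outside the local range "
            f"{_LOCAL_SID_MIN}-{_LOCAL_SID_MAX} and may collide with a downloaded ruleset"
        )
    if not any(k == "rev" for k, _ in opts):
        problems.append("no rev; add rev:1 so later edits to the rule are tracked")
    return problems


def lint_file(text):
    """Map 1-based line numbers to problems, skipping blanks and comments."""
    report = {}
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        problems = lint_rule(line)
        if problems:
            report[n] = problems
    return report


# Constructed sample: line 2 is the rule as it often arrives from a forum
# post, line 3 is the same rule written the way Suricata expects it.
SAMPLE_RULES = (
    "# customrules.rules (constructed sample)\n"
    "drop tcp any any \u2192 any any (msg:\u201cfacebook Block =)\u201d; "
    "content:\u201cfacebook.com\u201d; http_header; nocase; "
    "classtype:policy-violation; sid:1;)\n"
    'drop tcp any any -> any any (msg:"facebook Block"; content:"facebook.com"; '
    "http_header; nocase; classtype:policy-violation; sid:1000001; rev:1;)\n"
)

if __name__ == "__main__":
    # Note: 'drop' only blocks when Suricata runs inline (-q <queue>);
    # in plain IDS mode on a single NIC it is logged like an alert.
    for n, problems in lint_file(SAMPLE_RULES).items():
        for p in problems:
            print(f"line {n}: {p}")
```

Run it against /etc/suricata/rules/customrules.rules before adding the file to rule-files; Suricata's own `suricata -T -c /etc/suricata/suricata.yaml` remains the final check, but this catches the paste errors first and explains them.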

@jackyes to use suricata in IPS mode put the following line in /etc/sysconfig/suricata:
OPTIONS="-q 0 --user suricata "
I tested it for some minutes on a slow hw (AMD G-T40N @ 800MHz) and even suricata cuts the bandwidth.
Also, there’s no need to use oinkmaster, since pulledpork is already working.
To use it:
ln -sf /etc/snort/rules/snort.rules /etc/suricata/rules/
And put snort.rules in suricata.yaml.

Can you give numbers? Compared to snort?

Unfortunately not easily. I’m using that hw to test a custom snort config with app detection. I’d need to bring it back to factory default, but only after I end my tests.

Sorry but I can’t test because my connection is too slow to be cut :joy: :sweat_smile:

I can’t install suricata because it needs Python 2.7 which is not installable.

Are you on NS6 or NS7?

I’m on NS6. I gave NS7 a try but the (KVM) virtual machine hung on boot.

Does that mean suricata has to be started twice? Once as IDS and once as IPS?

Okay, I reinstalled NS7 and could then install suricata following the Howto of jackyes and Filippo’s hints. The result is amazing:
With Snort the bandwidth goes down from 400 Mbps to about 150.
With Suricata the full bandwidth is preserved! But Suricata consumes more memory.
There must be something wrong with the implementation of Snort in NethServer. I used Snort with pfSense before, there it behaved just like Suricata.

1 Like

snort in NS is used in nfq mode.
How did you setup suricata?

As I said, I followed the instructions of jackyes and yours for the IPS mode.
What is nfq mode?

The way NethServer sends traffic to snort (or suricata).
In my instructions above:

I’m testing suricata on NethServer 7 in production: it behaves really well.
Details: I’m using an Atom C2518 CPU that is slow enough to cut bandwidth with snort. With a similar ruleset (16541 rules) suricata doesn’t cut bandwidth and reaches 70% cpu at max.
I’ll try to fine tune suricata.

2 Likes

After some weeks of test I’d like to propose to switch to Suricata as default IPS on NethServer 7 and drop snort.
Some reasons:

  1. snort doesn’t start when it encounters errors in rules
  2. snort cuts bandwidth on slow cpu
  3. snort init script says it’s running while it’s not
  4. snort never accepted our improvements to init script
  5. we have to build and maintain our snort package

Suricata has a good package maintained by competent people at EPEL.
It’s fast and doesn’t cut bandwidth.

What do you think? Do we need to run a poll?
Any more reasons to justify the switch? Or something I forgot that will force us to keep snort?

4 Likes

I don’t think that a poll is needed. We have encountered many issues related to snort here in community so it looks like a win-win choice to me.
Also, using a well-tested EPEL rpm is definitely a good plus.
That sounds quite awesome actually.

1 Like

It’s true that Suricata does not cut bandwidth but unfortunately it has a memory leak. No matter how much memory I allocate to NS, Suricata takes it all and after about 30 hours it starts to eat up the swap memory until nothing is left. That’s why I switched back to pfSense for now. I’m missing the postfix forwarder there but at least Snort works correctly and can be fine-tuned via the web GUI.

Good health.
Tell me how to fix it - the logs stopped writing: