Install Suricata5 on CentOS

Install suricata.

Install epel release for CentOS.

# EPEL supplies several of the build dependencies installed further down
yum -y install epel-release
# drop cached metadata so the new repository is picked up, then bring the system current
yum clean all
yum update

Install packages.

# Build toolchain plus the libraries Suricata 5 links against (rustc/cargo are required for the Rust parts of Suricata 5)
yum -y install \
  gcc gcc-c++ make automake autoconf libtool \
  libpcap libpcap-devel libnet libnet-devel pcre pcre-devel \
  libyaml libyaml-devel zlib zlib-devel file-devel libcap-ng-devel \
  nspr-devel nss-devel lz4-devel rustc cargo

Download and install suricata.

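wget https://www.openinfosecfoundation.org/download/suricata-5.0.1.tar.gz
# Verify the publisher signature before building anything from the tarball. OISF signs
# releases; import the OISF release-signing key into the local gpg keyring first and stop
# here if gpg reports a bad or unknown signature.
wget https://www.openinfosecfoundation.org/download/suricata-5.0.1.tar.gz.sig
gpg --verify suricata-5.0.1.tar.gz.sig suricata-5.0.1.tar.gz
# Chain with && rather than ; so a failed mkdir/extract/cd does not let the next step run
# in the wrong directory. -p keeps mkdir from failing when /etc/suricata already exists.
mkdir -p /etc/suricata && tar -xzvC /etc/suricata -f suricata-5.0.1.tar.gz
# install-full also installs the stock configuration and fetches the default ruleset via suricata-update
cd /etc/suricata/suricata-5.0.1/ && ./configure && make && make install-full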

--disable-gccmarch-native
# Do not optimize the binary for the hardware it is built on. Add this flag if the binary is meant to be portable or if Suricata is to be used in a VM.

Copy default configuration files.

# make install-full placed the stock configuration under the /usr/local prefix; copy it into
# /etc/suricata, which is the path suricata.yaml is read from when Suricata is started below
cp /usr/local/etc/suricata/{classification.*,reference.*,suricata.*} /etc/suricata/

Modify the suricata.yaml file to fit the environment.

# Variables referenced by rules ($HOME_NET, $HTTP_PORTS, ...). Every *_SERVERS group below
# is defined relative to HOME_NET, so HOME_NET is the one value that really has to fit the site.
vars:
  # more specific is better for alert accuracy and performance
  address-groups:
    # NOTE(review): all three RFC1918 blocks is a broad default; narrow this to the ranges
    # this sensor actually protects where possible.
    HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
    #HOME_NET: "[192.168.0.0/16]"
    #HOME_NET: "[10.0.0.0/8]"
    #HOME_NET: "[172.16.0.0/12]"
    #HOME_NET: "any"

    # Complement of HOME_NET: traffic between two HOME_NET hosts matches neither side of an
    # $EXTERNAL_NET -> $HOME_NET rule, so east-west traffic is only seen by rules written for it.
    EXTERNAL_NET: "!$HOME_NET"
    #EXTERNAL_NET: "any"

    HTTP_SERVERS: "$HOME_NET"
    SMTP_SERVERS: "$HOME_NET"
    SQL_SERVERS: "$HOME_NET"
    DNS_SERVERS: "$HOME_NET"
    TELNET_SERVERS: "$HOME_NET"
    AIM_SERVERS: "$EXTERNAL_NET"
    DC_SERVERS: "$HOME_NET"
    DNP3_SERVER: "$HOME_NET"
    DNP3_CLIENT: "$HOME_NET"
    MODBUS_CLIENT: "$HOME_NET"
    MODBUS_SERVER: "$HOME_NET"
    ENIP_CLIENT: "$HOME_NET"
    ENIP_SERVER: "$HOME_NET"

  port-groups:
    HTTP_PORTS: "80"
    # literal 80 rather than "!$HTTP_PORTS": changing HTTP_PORTS above does not update this group
    SHELLCODE_PORTS: "!80"
    ORACLE_PORTS: 1521
    SSH_PORTS: 22
    DNP3_PORTS: 20000
    MODBUS_PORTS: 502
    # reuses HTTP_PORTS, so it does follow changes to that group
    FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]"
    FTP_PORTS: 21
    VXLAN_PORTS: 4789

Put the interface into promiscuous mode.

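# Use iproute2 (same command the promisc.service unit below runs); ifconfig comes from the
# net-tools package, which is not installed by default on current CentOS releases.
ip link set dev ens224 promisc on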
root@ids ~> ifconfig ens224
ens224: flags=441(UP,BROADCAST,RUNNING,PROMISC,MULTICAST)  mtu 1500
        ether 00:12:42:21:e5:56  txqueuelen 1000  (Ethernet)
        RX packets 434891  bytes 374980327 (357.6 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 201  bytes 68742 (67.1 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Create a service for the promiscuous interface.

# /etc/systemd/system is the administrator unit directory; the unit file content follows
vi /etc/systemd/system/promisc.service
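[Unit]
Description=Promiscuous mode for Suricata Interface
After=network.target

[Service]
# oneshot + RemainAfterExit keeps the unit "active" after the ip command returns, so other
# units can order themselves after it
Type=oneshot
ExecStart=/usr/sbin/ip link set dev ens224 promisc on
# undo on explicit stop so the interface is not left promiscuous when the unit is disabled
ExecStop=/usr/sbin/ip link set dev ens224 promisc off
# was "TimoutStartSec", which systemd rejects as an unknown key and silently ignores
TimeoutStartSec=0
RemainAfterExit=yes

[Install]
# same target as the suricata unit so both are pulled in together at boot
WantedBy=multi-user.target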

Enable the service.

# enable only registers the unit for boot; use --now (or systemctl start promisc.service) to apply it immediately
systemctl enable promisc.service

Start suricata and check that it is working.

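# -D daemonizes; the interface must be the one put into promiscuous mode above
/usr/local/bin/suricata -c /etc/suricata/suricata.yaml -D -i ens224
# tailf is deprecated and has been removed from newer util-linux; tail -f is the portable equivalent.
# NOTE(review): /data/suricata assumes default-log-dir in suricata.yaml was changed from the
# stock /var/log/suricata — confirm, otherwise eve.json will not be found here.
tail -f /data/suricata/eve.json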

Create the suricata service.

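# /etc/systemd/service/ is not a unit search path; the unit must live in /etc/systemd/system
# (the same directory used for promisc.service above) or systemctl will not find it
vi /etc/systemd/system/suricata.service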
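[Unit]
Description=Suricata Intrusion Detection Service
# network-online.target only orders correctly when it is also pulled in with Wants=;
# promisc.service is the unit defined above that puts ens224 into promiscuous mode
Wants=network-online.target promisc.service
After=network-online.target promisc.service

[Service]
# suricata -D forks and the parent exits. With Type=simple systemd would treat that exit as the
# service ending; Type=forking makes it track the child through PIDFile instead.
Type=forking
Environment=CFG=/etc/suricata/suricata.yaml PID=/var/run/suricata.pid
PIDFile=/var/run/suricata.pid
# the original line passed -D twice
ExecStart=/usr/local/bin/suricata -c $CFG -i ens224 --pidfile $PID -D
Restart=on-failure
# NOTE(review): this runs Suricata as root for its whole lifetime; once a dedicated service
# account exists, --user/--group let it drop privileges after capturing — confirm before adding

[Install]
WantedBy=multi-user.target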