February 24, 2015

Setting up a Suricata IDS on CentOS 7

The IDS module in my Cisco routers are going EoL. Frankly, I haven't been that impressed with the service the IDS provided. My excellent Cisco Partner will lead me over to one of two Cisco's latest acquisitions, SourceFire or Meraki. I'm aware SourceFire is the "paid" version of Snort with a fancy UI and support. Both really good reasons to purchase the product. For those of you who have never heard of Snort, it is the de facto standard in IDS software. But…I'm going to use something different. A software called Suricata. Suricata is similar to Snort. It can use the same detection rules and some of the same configuration files. The main reason I'm using Suricata over Snort is that Suricata uses multi-thread by default. Snort needs it to be compiled in. Multi-thread equals more processing and faster detection. Let's move into system requirements.

Hardware

Multi-Core Processor (Can't have multi-thread without that)

A descent amount of RAM and Hard Drive space.

2 Network Interfaces (1 must be a dedicated physical interface. No VM switch here)

A switch capable of doing port mirroring.


 

Software

OS (CentOS 7 x64 minimal install)

Suricata (JASONISH maintains an RPM for CentOS 7)


 


 

Let's get started:

  • I have a working CentOS installation patched up (yum update). It has two NICs, eth0 and eth1. eth0 will be my passive interface for receiving traffic from the switch's port mirror and has a static address for a random subnet. eth1 will be my management interface with a static address accessible from my LAN.
  • Install some prerequisites: yum install epel-release wget perl per-Archive-Tar perl-Crypt-SSLeay perl-libwww-perl perl-Sys-Syslog perl-LWP-Protocol-https
  • (Optional) Install some optional tools: yum install wget nano net-tools mlocate system-config-firewall-tui
  • Install Suricata from JASONISH here: http://codemonkey.net/suricata-rpms/ It will install Suricata, GeoIP, libnet, libnetfilter_queue, and libyaml
  • Navigate to /ec/suricata, backup suricata.yaml (cp suricata.yaml suricata.yaml.orig) and make sure pfring: -interface is set to eth0 in suricata.yaml.
  • Next, we need some rules. Download the latest rules from Emerging Threats (wget https://rules.emergingthreats.net/open/suricata/emerging.rules.tar.gz) and extract to our Suricata directory (tar –xvzf emerging.rules.tar.gz -C /etc/suricata/)
  • Let's test Suricata to make sure it runs properly. (suricata –vv –c /etc/suricata/suricata.yaml –I eth0)
  • If everything works okay, enable Suircata (systemctl enable suricata), and start the service (systemctl start suricata)


 

Now that Suricata is setup. Connect eth0 to your core network switch and eth1 to your management network. Configure your core switch to mirror the traffic from the router trunk pork to the interface connected to eth0.


 

Suricata logs are located in /var/log/suricata