Ubuntu Server24.04 ; Suricata , SNORT3

Suricata

SURICATA IDS/IPS is an open source IDS that monitors communications on the network and detects suspicious traffic. Its basic mechanism is signature-based, so it can detect predefined unauthorized communications. Suricata is also characterized by its ability to provide protection as well as detection.

1.Suricata Install

Install required packages

➁Suricata install
Please visit the official website to check the latest version. As of May 4, 2024, the latest stable version of Srikata is 7.0.5

Download and Extract

configuration and installation

Version Check

Stop the Suricata service as it needs to be configured first.

2.Configure Suricata

Determine interface and IP address where Suricata will inspect network packets

Edit /etc/suricata/suricata.yaml file

➁suricata Update

It also shows the number of rules processed, in this example 48910 were added, of which 37185 were activated.

➂Check configuration file

④Confirm that the service starts
Enter the name of each network interface (ens33 in this case)

The following appears

3.Automatic startup of Suricata services

①Create systemd service

➁Enable Suricata

➂Start Suricata

④Check Suricata's status

4.Testing the Suricata Rule

①Test ET Open rule number 2100498

Check log file by specifying rule number

➁Check events in /var/log/suricata/eve.log
Install jq

Filter EVE Log events by searching for 2100498 signatures
Display alert objects with signature_id keys that match the values in 2100498

The following appears

5.Creating and Applying Custom Rules

①Create custom signatures for Custom Rules files

Edit configuration file (define path for local.rules above)

③Testing the configuration file

④Suricat service restart

Testing the application of Custom Rules
Run ping on another PC on the same local network to see if it was logged

⑥Obtain logs in JSON format

Ping another PC on the same local network

6.Adding a Rule Set Provider

①List Default Provider List

If you include the tgreen/hunting ruleset as an example

Perform update

Snort3

1.Install required packages

2. Install DAQ library

Download and install DAQ library

3. Install Gperftools

Profiler tool used to improve the performance of a particular application or service by improving memory handling in multiple instances

4. SNORT3 Install

①Download and deploy SNORT3

➁configuration

➂Install

Update shared libraries

⑤Check version

⑥Test default settings

If it is normal, it will be displayed as follows

5. Identify and configure network interfaces

①Check network interface

The network interface name is ens33

➁Set network interface to promiscuous mode

Check settings

➂Set Large Receive Offload (LRO) and Generic Receive Offload (GRO) to off state

Check current status

Set LRO and GRO offload status to off state

6. Create systemd service for network interface

Contents of snort3-nic.service

Reload the systemd daemon and apply the changes

Start and enable snort3-nic.service

Check the status of snort3-nic.service

7. Adding Snort Rules

7.1 Community rule sets added

Create a folder for Snort rules and download the community ruleset from the Snort website

➁ Edit Snort main configuration file

➂Test main configuration changes

7.2 Add custom rules

①Create a file in the Snort rules directory

➁Edit Snort Main Configuration

➂Test main configuration changes

8. OpenAppID Installation

Once the OpenAppID extension is installed, Snort can detect network threats at the application layer level

①Download and deploy OpenAppID

➁Copy the extracted folder (odp) to the following directory

➂Edit the main configuration file and define the location of the OpenAppID folder

④Test main configuration changes

9. Create systemd service for Snort

9.1 Check all setups

Snort on network interface using local.rules

Sending a ping command to the Ubuntu server IP address from another PC on the same network
You will see the following alert log in the console window of the host server

9.2 Create systemd service for Snort

①Create user (snort) for Snort service

➁Create log folder and set permissions

➂Create SNORT systemd service file

Contents of snort3.service

④Reload and enable Snort service

⑤Start Snort service and check status

10. Snort JSON logging configuration

①Edit Snort configuration file

➁Restart Snort

➂Checking the configuration
Ping command from another PC on the same network to the Ubuntu host server
A log is recorded and saved in the Snort alert_json.txt file. Check the log file