Installing Suricata with Oinkmaster on Debian
This blog entry is a mini-howto on the installation and configuration of Suricata with Oinkmaster on Debian. If you are familiar with Debian commands, it should take no more than five minutes.
It was tested on Debian Sid, but should work for all Debian versions.
Install Suricata
Suricata has been in Debian since Squeeze, so a simple:
apt-get install suricata
will do the job.
To work, Suricata needs some rules. The package "snort-rules-default" provides some rules for Snort, but since Suricata is compatible, these rules will work.
However, these rules have some problems: they are outdated (and updated only very rarely), and they are not written for Suricata (so they cannot use Suricata-specific keywords). Emerging Threats provides rule sets (both open source and Pro). We will now configure Oinkmaster and Suricata to update the signatures automatically.
Install Oinkmaster
Oinkmaster is a tool to help you manage your signatures. While it is primarily designed for Snort, it also works for Suricata.
If you have installed Suricata using the default configuration, then Oinkmaster should be installed (it is recommended by the package). If not, run:
apt-get install oinkmaster
Edit the configuration file /etc/oinkmaster.conf:
url = http://rules.emergingthreats.net/open/suricata/emerging.rules.tar.gz
Create the directory for rules:
mkdir /etc/suricata/rules
Download the rules:
oinkmaster -C /etc/oinkmaster.conf -o /etc/suricata/rules
Now update Suricata’s configuration (the default for Debian is /etc/suricata/suricata-debian.yaml) to match the paths:
classification-file: /etc/suricata/rules/classification.config
reference-config-file: /etc/suricata/rules/reference.config
default-rule-path: /etc/suricata/rules
Now, we need to update the list of rules (adding the names of the files /etc/suricata/rules/*.rules) in the same configuration file:
rules-files:
- botcc.rules
- ...
The rules are organized in files, grouped by category. If you want to disable some categories, just comment out the corresponding lines.
If you want to disable only a single signature, find its sid (signature id) and add it to /etc/oinkmaster.conf:
disablesid 2011755
On the next oinkmaster update, the corresponding line will automatically be commented out in the rules file.
Updating the rules
One nice feature of oinkmaster is the ability to keep the rules up to date very easily. Just run the same command:
oinkmaster -C /etc/oinkmaster.conf -o /etc/suricata/rules
and restart Suricata. Voilà!
Some rules are updated very often (compromised hosts, etc.). You can update the rules once a week, for example. Creating a cron job is trivial.
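The update step above, plus the bookkeeping a weekly cron job needs, as an added shell example (this is not code from the original post, nor from the Suricata or Oinkmaster projects). It assumes the paths used in this post, a `service suricata restart` init script, and a Suricata release that has the `-T` configuration test mode. Before restarting, it checks two things a blind cron update would miss: a file that is still listed under `rules-files:` but vanished from the rules directory after an update (Suricata complains at start-up), and a new category file that is not listed yet (silently never loaded). The `rules-files:` parser ignores commented-out entries, so categories you disabled do not count as listed. The rule file names used in comments and tests are constructed.

```shell
#!/bin/sh
# update-suricata-rules.sh: added example, not from the original post or from
# the Suricata / Oinkmaster projects. Automates "oinkmaster + restart" and adds
# the consistency checks a weekly cron job needs.
#
# Assumed paths are the ones used in the post; override them via the environment.
set -eu

OINK_CONF="${OINK_CONF:-/etc/oinkmaster.conf}"
RULES_DIR="${RULES_DIR:-/etc/suricata/rules}"
SURI_CONF="${SURI_CONF:-/etc/suricata/suricata-debian.yaml}"

# Print a complete "rules-files:" YAML list for every *.rules file in a
# directory, ready to paste into suricata-debian.yaml.
rules_files_yaml() {
    printf 'rules-files:\n'
    for f in "$1"/*.rules; do
        [ -e "$f" ] || continue            # no match: the glob stays literal
        printf ' - %s\n' "$(basename "$f")"
    done
}

# Print the file names currently listed under "rules-files:" in a Suricata YAML
# config. Commented-out entries ("# - foo.rules") are ignored, so categories
# the admin disabled are not treated as listed.
listed_rules_files() {
    awk '
        /^rules-files:/             { in_list = 1; next }
        in_list && /^[ \t]*-[ \t]*/ { sub(/^[ \t]*-[ \t]*/, ""); sub(/[ \t]*#.*$/, "")
                                      if ($0 != "") print; next }
        in_list && /^[^ \t#]/       { in_list = 0 }   # next top-level key ends the list
    ' "$1"
}

# Files on disk that the config does not load yet (e.g. a category added upstream).
unlisted_rules_files() {
    dir="$1"; conf="$2"
    listed=$(listed_rules_files "$conf")
    for f in "$dir"/*.rules; do
        [ -e "$f" ] || continue
        name=$(basename "$f")
        printf '%s\n' "$listed" | grep -qxF "$name" || printf '%s\n' "$name"
    done
}

# Files the config lists that are gone from disk: Suricata would complain at
# start-up, so a cron update must not restart it blindly.
stale_rules_files() {
    dir="$1"; conf="$2"
    listed_rules_files "$conf" | while read -r name; do
        [ -e "$dir/$name" ] || printf '%s\n' "$name"
    done
}

update_rules() {
    oinkmaster -C "$OINK_CONF" -o "$RULES_DIR"

    stale=$(stale_rules_files "$RULES_DIR" "$SURI_CONF")
    if [ -n "$stale" ]; then
        printf 'listed in %s but missing on disk:\n%s\n' "$SURI_CONF" "$stale" >&2
        return 1
    fi
    new=$(unlisted_rules_files "$RULES_DIR" "$SURI_CONF")
    [ -z "$new" ] || printf 'not yet listed in %s (add them if wanted):\n%s\n' "$SURI_CONF" "$new"

    # Only restart once the updated rule set parses. "suricata -T" is the config
    # test mode of current Suricata releases (assumption: your version has it).
    suricata -T -c "$SURI_CONF" && service suricata restart
}

# Invoke as "update-suricata-rules.sh --run" from e.g. /etc/cron.weekly/;
# sourcing the file only defines the functions.
if [ "${1:-}" = "--run" ]; then
    update_rules
fi
```

Dropping the script into /etc/cron.weekly/ with the `--run` argument gives the weekly update the post suggests; `rules_files_yaml /etc/suricata/rules` prints the full list for the initial edit of suricata-debian.yaml.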
Troubleshooting
This is not related to the current blog entry, but also concerns Suricata, especially when trying to load lots of signatures.
I often got a SIGBUS (Bus error) when starting Suricata on an x86 (in a virtual machine like kvm). This seems to be caused by the process running out of memory (for this process's virtual address space, not for the system) when trying to load lots of signatures, causing memory fragmentation and finally killing the process. So far, the workarounds are the following:
- comment out some lines to load fewer signatures
- rebuild suricata without the PIE/ASLR flags (randomization is enabled by default in the Debian package)
- run suricata on an x86-64 architecture