Installing Suricata with Oinkmaster on Debian

This blog entry is a mini-howto on the installation and configuration of Suricata with Oinkmaster, on Debian. If you are familiar with the Debian commands it should take no more than five minutes.

It was tested on Debian Sid, but should work for all Debian versions.

Install Suricata

Suricata is in Debian since Squeeze, so a simple:

apt-get install suricata

will do the job.

To work, Suricata needs some rules. The package "snort-rules-default" provides some rules for Snort, but since Suricata is compatible these rules will work.

However, these rules have some problems: they are outdated (and updated only very rarely), and they are not written for Suricata (and cannot use the specific keywords). Emerging Threats provides some rules (both open source and Pro). We will now configure Oinkmaster and Suricata to be able to automatically update the signatures.

Install Oinkmaster

Oinkmaster is a tool to help you manage your signatures. While it is primarily designed for Snort, it also works for Suricata.

If you have installed Suricata using the default configuration, then Oinkmaster should be installed (it is recommended by the package). If not, run:

apt-get install oinkmaster

Edit the configuration file /etc/oinkmaster.conf:

url =  http://rules.emergingthreats.net/open/suricata/emerging.rules.tar.gz

Create the directory for rules:

mkdir /etc/suricata/rules

Download the rules:

oinkmaster -C /etc/oinkmaster.conf -o /etc/suricata/rules

Now update Suricata’s configuration (default for Debian is /etc/suricata/suricata-debian.yaml to match the paths:

classification-file: /etc/suricata/rules/classification.config
reference-config-file: /etc/suricata/rules/reference.config
default-rule-path: /etc/suricata/rules

Now, we need to update the list of rules (adding names of files /etc/suricata/rules/*.rules) in the same configuration file:

rules-files:
 - botcc.rules
 - ...

The rules are organized in files, grouped by categories. If you want to disable some categories, just comment the lines.

If you want to disable only a signature, find its sid (signature id), and add it to /etc/oinkmaster.conf:

disablesid 2011755

On the next oinkmaster update, the corresponding line will automatically be commented in the rules file.

Updating the rules

One nice feature of oinkmaster is the ability to keep the rules up to date very easily.Just run the same command:

oinkmaster -C /etc/oinkmaster.conf -o /etc/suricata/rules

and restart Suricata. Voila !

Some rules are updated very often (compromised hosts, etc.). You can update the rules once a week for example. Creating a cron job is trivial.

Troubleshooting

This is not related to the current blog entry, but also concerns Suricata, especially when trying to load lots of signatures.

I often got a SIGBUS (Bus error) when starting Suricata on a x86 (in a virtual machine like kvm). This seems to be caused by the process running out of memory (for this process Virtual Address space, not for the system) when trying to load lots of signatures, causing memory fragmentation and finally killing the process.So far, the workarounds are the following:

comment some lines to load less signatures
rebuild suricata without the PIE/ASLR flags (randomization is enabled by default in the Debian package)
run suricata on a x86-64 architecture

References

Other articles

Creating a live cd for open source SIEM Prelude and Suricata
Date Fri 05 February 2010 Tags Debian Security IDS Prelude Suricata Snort

I have started to work on a Live CD for Open Source tools like Prelude SIEM, and software like Suricata, Snort, OpenVAS to send alerts. The goal is to easily test these tools, register new agents, get some alerts and be able to correlate them etc. I also want to add some visualization tools, so this CD could maybe become a reference for security alert detection and report.

First, a few points on applications used:
- Debian Live for building the CD. It’s very easy, it’s based on Debian, and it allows me to re-use some work I’ve done
- Suricata IDS, which is a very promising project
- Snort IDS, with the free signatures
- OpenVAS to be able to generate alerts
- Prelude SIEM is the key point: suricata, snort, syslog etc. will send alerts to Prelude, which has a database, a correlator, a web interface (Prewikka) etc.
- Standard useful tools: nmap, scapy, wireshark, p0f, etc.
This first version is based on Debian Lenny and arch x86. Everything is based on packages (.debs) to make it easier to maintain, upgrade versions or add patches: most of the time, I just have to rebuild packages from squeeze or sid.

The build …
read more

Page 1 / 1