Suricata
Installasi dengan Soure Code
Install Required Dependencies
First, you will need to install some dependencies required to compile Suricata from the source. You can install all of them with the following command:
apt-get install rustc cargo make libpcre3 libpcre3-dbg libpcre3-dev build-essential autoconf automake libtool libpcap-dev libnet1-dev libyaml-0-2 libyaml-dev zlib1g zlib1g-dev libcap-ng-dev libcap-ng0 make libmagic-dev libjansson-dev libjansson4 pkg-config -y
By default, Suricata functions as an intrusion detection system (IDS). If you want to include intrusion prevention system (IPS) functionality, then you will need to install some more packages in your system. You can install them with the following command:
apt-get install libnetfilter-queue-dev libnetfilter-queue1 libnfnetlink-dev libnfnetlink0 -y
Once all the packages are installed, you will need to install the suricata-update tool to update the Suricata rules. You can install it with the following commands:
apt-get install python3-pip
pip3 install --upgrade suricata-update
ln -s /usr/local/bin/suricata-update /usr/bin/suricata-update
Once you are finished, you can proceed to the next step.
Update rules
sudo suricata-update -o /etc/suricata/rules/
Install Suricata
First, download the latest version of Suricata from their official website with the following command:
wget https://www.openinfosecfoundation.org/download/suricata-5.0.3.tar.gz
Once the download is completed, extract the downloaded file with the following command:
tar -xvzf suricata-5.0.3.tar.gz
Next, change the directory to the extracted directory and configure it with the following command:
cd suricata-5.0.3
./configure --enable-nfqueue --prefix=/usr --sysconfdir=/etc --localstatedir=/var
Next, install the Suricata with the following command:
make
make install-full
Note: This process will take over 10 minutes
Next, install all rules with the following command:
make install-rules
By default, all rules are located at /var/lib/suricata/rules/suricata.rules:
You can see it with the following command:
cat /var/lib/suricata/rules/suricata.rules
Configure Suricata
The default Suricata configuration file is located at /etc/suricata/suricata.yaml. You will need to configure it to protect your internal network. You can do it by editing the file:
vim /etc/suricata/suricata.yaml
Change the following lines:
HOME_NET: "[192.168.1.0/24]"
EXTERNAL_NET: "!$HOME_NET"
Save and close the file when you are finished.
Note: In the command above, replace
192.168.1.0/24with your internal network.
Installasi dengan PPA
sudo add-apt-repository ppa:oisf/suricata-stable
sudo apt update
sudo apt install suricata jq
Repositori PPA khusus ditambahkan, dan setelah memperbarui indeks, Suricata dapat diinstal. Kami merekomendasikan untuk menginstal alat jq saat ini karena akan membantu menampilkan informasi dari output EVE JSON Suricata (dijelaskan nanti dalam panduan ini).
Test Suricata Against DDoS
Before starting, you will need to disable packet offload features on the network interface on which Suricata is listening.
First, install ethtool package with the following command:
apt-get install ethtool -y
Next, disable packet offload with the following command:
ethtool -K eth0 gro off lro off
Next, run the Suricata in NFQ mode with the following command:
suricata -c /etc/suricata/suricata.yaml -q 0 &
Next, go to the remote system and perform a simple DDoS attack test against the Suricata server using the hping3 tool as shown below:
hping3 -S -p 80 --flood --rand-source your-server-ip
On the Suricata server, check the Suricata logs with the following command:
tail -f /var/log/suricata/fast.log
You should see the following output:
09/17/2020-07:29:52.934009 [**] [1:2402000:5670] ET DROP Dshield Block Listed Source group 1 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 167.248.133.70:18656 -> your-server-ip:9407