I have used Snort quite extensively in the past and was curious about toying with Suricata which is similar to Snort but nicer in my view. It has been a few years since I looked at it. I can see the project seems to have evolved quite a lot. One functionality that I will be using down the line will be PF Ring.
On a lazy Sunday afternoon, I thought this was the perfect time to take a look at what it can do in its current form. I used Debian 7.3 for my tests. Everything is packaged which is quite nice though the version of suricata is a bit old on this (1.2.1 vs 1.4.7 on the website). I am very likely to make packages for this later in order to have more functionality.
Once you have done the traditional apt-get install suricata, there is not much to do to get it running, mostly edit: /etc/default/suricata and change this line depending on your network interface, and also allow it to run:
# set to yes to start the server in the init.d script
# Interface to listen on (for pcap mode)
You then should grab the rules to get it all going and monitoring, check out the official page to set this up. I edited /etc/oinkmaster.conf to add the rules I wanted:
url = http://rules.emergingthreats.net/open/suricata/emerging.rules.tar.gz
You now need to grab the rules, a quick mkdir /etc/suricata/rules && oinkmaster -C /etc/oinkmaster.conf -o /etc/suricata/rules should fix this, and give you something like this:
~ # oinkmaster -C /etc/oinkmaster.conf -o /etc/suricata/rules
Downloading file from http://rules.emergingthreats.net/open/suricata/emerging.rules.tar.gz… done.
Archive successfully downloaded, unpacking… done.
Setting up rules structures… done.
Processing downloaded rules… disablesid 0, enablesid 0, modifysid 0, localsid 0, total rules 18195
Setting up rules structures… done.
Comparing new files to the old ones… done.
Updating local rules files… done.
[***] Results from Oinkmaster started 20140119 18:15:26 [***]
[*] Rules modifications: [*]
[*] Non-rule line modifications: [*]
[+] Added files (consider updating your snort.conf to include them if needed): [+]
Restart the thing with a simple service suricata restart and there you are, you can leave it running on your system to learn what kind of traffic is happening. It is worth noting that default rules are set to PASS to avoid messing your traffic up. It is up to you to tune this the right way(tm).
Snorby is a web interface that allows you see events in a nice web inteface. It will require a few things to work nicely, which you can install prior by doing: apt-get install bundler libxml2-dev libxslt-dev libmysqlclient-dev graphviz-dev libgv-ruby wkhtmltopdf.
Before you execute the next commands, be careful with your snorby_config.yml file and set your domain to a secure domain and random port, since this is a ruby on rails application, unless you plan on proxying it behind a http server. My 2 cents, opinions my own, etc…
git clone http://github.com/Snorby/snorby.git
cp database.yml.example database.yml
cp snorby_config.yml.example snorby_config.yml
bundle exec rake snorby:setup
bundle exec rails server -e production
Now you need to set up a parser between the suricata logs and the snorby interface, this is where banyard2 comes in. The new version is hosted on github. You will need a few things to get it compiled right.
git clone https://github.com/firnsy/barnyard2.git
apt-get install dh-autoreconf libpcap-dev
# check out where your MySQL libs are before specifying the same folder
If there were no errors, you should have a nice running setup, time to configure it to send stuff to MySQL. Edit /usr/local/etc/barnyard2.conf and change the following:
# set the appropriate paths to the file(s) your Snort process is using.
config reference_file: /etc/suricata/reference.config
config classification_file: /etc/suricata/classification.config
config gen_file: /etc/snort/gen-msg.map
config sid_file: /etc/snort/community-sid-msg.map
# define the full waldo filepath.
config waldo_file: /var/log/suricata/suricata.waldo
# database: log to a variety of databases
output database: log, mysql, user=snorbydbuser password=snorbydbpassword dbname=snorbydbname host=localhost
You should then be able to start it and check that it works, if it does, then you can use -D to run as a daemon.
1234 barnyard2 -c /etc/suricata/barnyard2.conf -d /var/log/suricata/ -f unified2.alert -w /var/log/suricata/suricata.waldo -d
More on this when I have time