Introduction
In this lab, you will learn to detect network anomalies using Suricata, a powerful open-source threat detection engine. You'll explore key features including rule configuration, traffic monitoring, and alert analysis to identify potential security threats.
The hands-on exercises will guide you through Suricata setup, basic rule creation, and real-time traffic inspection. You'll gain practical experience in detecting suspicious activities like ICMP ping requests and customizing rules for specific threat scenarios.
Install Suricata
In this step, you will install Suricata, an open-source network threat detection engine. Suricata acts like a security camera for your network, constantly analyzing traffic to identify potential threats. It can perform three key functions: real-time intrusion detection (IDS) to monitor for attacks, inline intrusion prevention (IPS) to block malicious traffic, and network security monitoring to log all activity.
Let's begin the installation process step by step:
First, we need to update the package list. This ensures your system knows about the latest available software versions before we install anything:
sudo apt updateThe
sudocommand gives you administrator privileges, whileapt updaterefreshes your system's list of available packages.Now we'll install Suricata along with all its necessary components (dependencies). The
-yflag automatically confirms the installation:sudo apt install -y suricataThis command downloads and installs the Suricata software package from Ubuntu's official repositories.
After installation, let's verify everything worked correctly by checking the installed version:
suricata -VYou should see output similar to:
This is Suricata version 6.0.3 RELEASEThe
-Vflag tells Suricata to display its version information. Seeing this output confirms the installation was successful.Suricata's behavior is controlled by a configuration file. Let's check if this important file exists in its default location:
ls /etc/suricata/suricata.yamlThe
/etc/suricata/directory is where Linux typically stores configuration files for system-wide applications.Finally, Suricata needs rules to know what to look for in network traffic. These rules are like a set of instructions telling Suricata what constitutes suspicious activity. The default rules are stored in:
ls /var/lib/suricata/rulesThe
/var/lib/suricata/rulesdirectory contains the rule files that come with the Suricata installation. We'll work with these rules later in the lab.
Configure Basic Rules
In this step, you will configure basic detection rules for Suricata. Rules are the core component that tell Suricata what to look for in network traffic. Think of them like a set of instructions that define suspicious patterns or known threats.
First, navigate to the Suricata rules directory where all rule files are stored:
cd /var/lib/suricata/rulesThis is where Suricata keeps its default and custom rule files. The directory location is specified in Suricata's configuration.
List the existing rule files to see what's already available:
lsYou should see several
.rulesfiles likesuricata.rules. These files contain different categories of rules that Suricata uses for detection.Let's examine a basic rule structure. Open the main rules file using nano editor:
sudo nano suricata.rulesThe nano editor is a simple text editor we'll use to modify rules. You'll see many existing rules with similar structures.
Add a simple rule to detect ICMP ping requests (add this at the end of the file):
alert icmp any any -> any any (msg:"ICMP Ping Detected"; itype:8; sid:1000001; rev:1;)Let's break down what this rule does:
alert: Tells Suricata to generate an alert when matchedicmp: Applies to ICMP protocol trafficany any -> any any: Matches any source IP/port to any destination IP/portmsg: The alert message that will appear in logsitype:8: Specifically matches ICMP type 8 (ping requests)sid: Unique rule identifier (1000001+ for custom rules)rev: Rule revision number
Save the file (Ctrl+O, Enter, Ctrl+X in nano). This stores your new rule permanently.
Verify the rule syntax is correct before applying it:
sudo suricata -T -c /etc/suricata/suricata.yaml -vThe
-Tflag tests the configuration. You should see output ending with:Configuration provided was successfully loaded. Exiting.This confirms your rule is properly formatted.
Restart Suricata to load the new rules and begin monitoring:
sudo pkill suricata sudo suricata -c /etc/suricata/suricata.yaml -i eth0The first command stops any running Suricata instance, while the second starts it fresh with your new rules, monitoring the eth0 interface.
Monitor Live Traffic
In this step, we'll observe how Suricata monitors real-time network traffic and generates alerts based on the rules we configured earlier. This is the core functionality of any IDS (Intrusion Detection System) - watching network packets and flagging suspicious activity.
First, we need to start Suricata in live capture mode. The following commands will first stop any running Suricata instance (if exists) and then start a new one monitoring the eth0 interface:
sudo pkill suricata sudo suricata -c /etc/suricata/suricata.yaml -i eth0The
-cflag specifies our configuration file, while-itells Suricata which network interface to monitor.Now let's generate some test traffic that should trigger our ICMP rule from the previous step. Open a new terminal and run:
ping -c 3 8.8.8.8This sends 3 ICMP ping packets to Google's DNS server (8.8.8.8). Since we created a rule to detect ICMP traffic, Suricata should log this activity.
Suricata writes alerts to
/var/log/suricata/fast.log. To watch these alerts in real-time, use:sudo tail -f /var/log/suricata/fast.logThe
tail -fcommand continuously displays new lines added to the file. You should see output similar to:01/01/2023-12:34:56.123456 [**] [1:1000001:1] ICMP Ping Detected [**] [Classification: (null)] [Priority: 3] {ICMP} 192.168.1.1 -> 8.8.8.8This shows the timestamp, rule ID (1:1000001:1), alert message, and source/destination IP addresses.
For more detailed logging in JSON format, we can examine the eve.json file. The following command filters and pretty-prints only alert events:
sudo tail -f /var/log/suricata/eve.json | jq '. | select(.event_type == "alert")'The
jqtool helps parse and format the JSON output, making it easier to read.To view statistics about the traffic Suricata is processing, including how many alerts were generated:
sudo suricatasc -c statsLook for counters like
detect.alertin the output - this shows how many times our rules triggered alerts.When you're finished observing the traffic, press Ctrl+C in any terminal windows where you're monitoring logs to stop the continuous output.
Review Generated Alerts
In this step, you will analyze the alerts generated by Suricata from the previous monitoring session. This helps understand what traffic patterns triggered your rules. When working with intrusion detection systems, reviewing alerts is crucial to identify potential security threats and fine-tune your detection rules.
First, check the basic alert log:
sudo cat /var/log/suricata/fast.logThis command displays timestamped alerts in a simple, human-readable format. The
fast.logis Suricata's default alert output file. Look for entries containing "ICMP Ping Detected" - these indicate ping requests that matched your detection rule.For more detailed analysis, examine the structured JSON log:
sudo cat /var/log/suricata/eve.json | jq '. | select(.event_type == "alert")'The
eve.jsonfile contains comprehensive machine-readable logs in JSON format. We usejqto filter only alert events. This provides detailed information including:- Source and destination IP addresses
- Precise timestamps
- Complete rule details
- Packet payload information (when configured)
To count how many times each alert was triggered:
sudo grep -o "ICMP Ping Detected" /var/log/suricata/fast.log | wc -lThis pipeline first extracts all occurrences of "ICMP Ping Detected" using
grep -o, then counts them withwc -l. This helps quantify how frequently this event occurs.For a summary of alert types:
sudo jq -r '.alert.signature' /var/log/suricata/eve.json | sort | uniq -cThis command extracts all alert signatures (rule names), sorts them alphabetically, then counts unique occurrences. It gives you an overview of which rules are triggering most frequently.
To view alerts with source IP information:
sudo jq -r 'select(.event_type == "alert") | [.timestamp, .src_ip, .alert.signature] | @tsv' /var/log/suricata/eve.jsonThis advanced
jqquery creates a tab-separated output showing the timestamp, source IP, and alert signature for each event. The@tsvformat makes it easy to import into spreadsheets.To check the most recent 5 alerts:
sudo tail -n 5 /var/log/suricata/fast.logThe
tailcommand shows the last few lines of a file. This is useful for quick checks of recent activity without scrolling through the entire log.
Add a Custom Rule
In this step, you'll learn how to create and test your own Suricata rule to detect specific patterns in network traffic. We'll focus on detecting HTTP requests to a test domain (example.com) as a practical example. Custom rules allow you to extend Suricata's detection capabilities beyond its default rule set.
First, navigate to the rules directory where Suricata stores its detection rules:
cd /var/lib/suricata/rulesThis is where all Suricata rule files are typically stored. We'll add our custom rules here to keep them organized with the existing rules.
Create a new rule file specifically for your custom rules:
sudo nano custom.rulesUsing
sudois necessary because the rules directory requires administrative privileges to modify. We're naming the filecustom.rulesto clearly distinguish it from Suricata's default rule files.Add the following rule to detect HTTP requests to example.com:
alert http any any -> any any (msg:"HTTP Request to example.com"; flow:to_server; http.host; content:"example.com"; nocase; sid:1000002; rev:1;)Let's break down what this rule does:
alert http: Triggers an alert for HTTP trafficany any -> any any: Applies to traffic from any source port to any destination portmsg: Provides a human-readable alert messageflow:to_server: Only matches traffic going to servershttp.host: Examines the HTTP Host headercontent:"example.com": Looks for this specific domainnocase: Makes the match case-insensitivesid:1000002: Gives the rule a unique ID (above 1,000,000 for custom rules)rev:1: Indicates this is the first version of the rule
Save the file in nano editor by pressing Ctrl+O (write out), then Enter to confirm, and Ctrl+X to exit.
Now we need to tell Suricata to load our new rule file. Edit the main configuration:
sudo nano /etc/suricata/suricata.yamlFind the
rule-files:section (usually around line 50-60) and add:- custom.rulesThis addition ensures Suricata will load our custom rules when it starts.
Before applying the changes, verify the rule syntax is correct:
sudo suricata -T -c /etc/suricata/suricata.yaml -vThe
-Tflag tells Suricata to test the configuration without actually running. This helps catch any syntax errors in your rules before they're used.Restart Suricata to load the new rule:
sudo pkill suricata sudo suricata -c /etc/suricata/suricata.yaml -i eth0The first command stops any running Suricata instance, while the second starts it fresh with our updated configuration.
To test if our rule works, generate some HTTP traffic to example.com:
curl http://example.comThis command makes a simple HTTP request that should trigger our new rule.
Finally, check if Suricata detected the traffic by viewing the latest alerts:
sudo tail -n 5 /var/log/suricata/fast.logYou should see an alert matching our custom rule's message about HTTP requests to example.com. If not, double-check each step and verify the rule syntax.
Summary
In this lab, you have learned how to install and configure Suricata, an open-source network threat detection engine. The process included updating packages, installing dependencies, and verifying the installation by checking the configuration file and rules directory.
You also explored creating custom detection rules by adding an ICMP ping request rule, understanding its structure and components. Finally, you verified the rule syntax to ensure Suricata can effectively monitor network traffic and generate alerts for anomalies.
