Use Suricata-IDS as IPS on CentOS 8

Help
1

Hello,
I installed the Suricata-IDS on CentOS 8 from source code with below command:

# ./configure --sysconfdir=/etc --localstatedir=/var --prefix=/usr/ --enable-lua --enable-nfqueue --enable-geoip

And result is:

...
You can now start suricata by running as root something like:
  /usr/bin/suricata -c /etc/suricata/suricata.yaml -i eth0

If a library like libhtp.so is not found, you can run suricata with:
  LD_LIBRARY_PATH=/usr/lib /usr/bin/suricata -c /etc/suricata/suricata.yaml -i eth0

The Emerging Threats Open rules are now installed. Rules can be
updated and managed with the suricata-update tool.

For more information please see:
  https://suricata.readthedocs.io/en/latest/rule-management/index.html

make[1]: Leaving directory '/usr/local/src/suricata-5.0.3'

I created a “suricata” file under the “/etc/sysconfig/” directory with below content:

OPTIONS="-q 0 --user suricata "

And after it created a “direct.xml” file under the “/etc/firewalld/” directory with below content:

<?xml version="1.0" encoding="utf-8"?>
<direct>
  <rule ipv="ipv4" table="filter" chain="INPUT" priority="0">-j NFQUEUE --queue-bypass</rule>
  <rule ipv="ipv4" table="filter" chain="OUTPUT" priority="0">-j NFQUEUE --queue-bypass</rule>
</direct>

Then:

# firewall-cmd --reload
success

Is my configuration OK?
When I want to start the Suricata-IDS service then it show me below error:

# systemctl enable --now suricata
Failed to enable unit: Unit file suricata.service does not exist.

Why? What is my mistake?

Thank you.

2

When you install from source, systemd integration is not provided for you. We do provide a template unit file at etc/suricata.service that you could install.

It looks like you’ve looked at the guide a little? That guide is based around the Suricata RPM, which is what provides the systemd integration and makes use of the /etc/sysconfig/suricata file. If you install from source, you’ll have to tie all that together yourself.

Any reason you are not starting with the package until you need something it doesn’t provide?

3

I want to learn and manipulate it.
I found that file under “/usr/local/src/suricata-5.0.3/etc/suricata.service” directory and then copied it:

# cp /usr/local/src/suricata-5.0.3/etc/suricata.service /etc/systemd/system/

The content of file is:

# Sample Suricata systemd unit file.
[Unit]
Description=Suricata Intrusion Detection Service
After=syslog.target network-online.target

[Service]
# Environment file to pick up $OPTIONS. On Fedora/EL this would be
# /etc/sysconfig/suricata, or on Debian/Ubuntu, /etc/default/suricata.
#EnvironmentFile=-/etc/sysconfig/suricata
#EnvironmentFile=-/etc/default/suricata
ExecStartPre=/bin/rm -f /var/run/suricata.pid
ExecStart=/sbin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid $OPTIONS
ExecReload=/bin/kill -USR2 $MAINPID

[Install]
WantedBy=multi-user.target

After it, I created a shortcut of suricata:

# ln -s /usr/bin/suricata /sbin/suricata

But I can’t run the service:

[root@localhost ~]# systemctl start suricata
[root@localhost ~]# systemctl status suricata
● suricata.service - Suricata Intrusion Detection Service
   Loaded: loaded (/etc/systemd/system/suricata.service; disabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Wed 2020-09-09 15:45:49 EDT; 4s ago
  Process: 11473 ExecStart=/sbin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid $OPTIONS (code=exited, status=1/FAI>
  Process: 11472 ExecStartPre=/bin/rm -f /var/run/suricata.pid (code=exited, status=0/SUCCESS)
 Main PID: 11473 (code=exited, status=1/FAILURE)

Sep 09 15:45:49 localhost.localdomain suricata[11473]:         --simulate-ips                       : force engine into IPS mode. Useful for>
Sep 09 15:45:49 localhost.localdomain suricata[11473]:         --user <user>                        : run suricata as this user after init
Sep 09 15:45:49 localhost.localdomain suricata[11473]:         --group <group>                      : run suricata as this group after init
Sep 09 15:45:49 localhost.localdomain suricata[11473]:         --erf-in <path>                      : process an ERF file
Sep 09 15:45:49 localhost.localdomain suricata[11473]:         --unix-socket[=<file>]               : use unix socket to control suricata wo>
Sep 09 15:45:49 localhost.localdomain suricata[11473]:         --set name=value                     : set a configuration value
Sep 09 15:45:49 localhost.localdomain suricata[11473]: To run the engine with default configuration on interface eth0 with signature file "s>
Sep 09 15:45:49 localhost.localdomain suricata[11473]: /sbin/suricata -c suricata.yaml -s signatures.rules -i eth0
Sep 09 15:45:49 localhost.localdomain systemd[1]: suricata.service: Main process exited, code=exited, status=1/FAILURE
Sep 09 15:45:49 localhost.localdomain systemd[1]: suricata.service: Failed with result 'exit-code'.

The “journalctl -xe” command show me:

Sep 09 15:45:49 localhost.localdomain suricata[11473]:                                                --list-runmodes
Sep 09 15:45:49 localhost.localdomain suricata[11473]:         --engine-analysis                    : print reports on analysis of different>
Sep 09 15:45:49 localhost.localdomain suricata[11473]:                                                Please have a look at the conf paramet>
Sep 09 15:45:49 localhost.localdomain suricata[11473]:                                                can be printed
Sep 09 15:45:49 localhost.localdomain suricata[11473]:         --pidfile <file>                     : write pid to this file
Sep 09 15:45:49 localhost.localdomain suricata[11473]:         --init-errors-fatal                  : enable fatal failure on signature init>
Sep 09 15:45:49 localhost.localdomain suricata[11473]:         --disable-detection                  : disable detection engine
Sep 09 15:45:49 localhost.localdomain suricata[11473]:         --dump-config                        : show the running configuration
Sep 09 15:45:49 localhost.localdomain suricata[11473]:         --build-info                         : display build information
Sep 09 15:45:49 localhost.localdomain suricata[11473]:         --pcap[=<dev>]                       : run in pcap mode, no value select inte>
Sep 09 15:45:49 localhost.localdomain suricata[11473]:         --pcap-file-continuous               : when running in pcap mode with a direc>
Sep 09 15:45:49 localhost.localdomain suricata[11473]:         --pcap-file-delete                   : when running in replay mode (-r with d>
Sep 09 15:45:49 localhost.localdomain suricata[11473]:         --pcap-buffer-size                   : size of the pcap buffer value from 0 ->
Sep 09 15:45:49 localhost.localdomain suricata[11473]:         --af-packet[=<dev>]                  : run in af-packet mode, no value select>
Sep 09 15:45:49 localhost.localdomain suricata[11473]:         --simulate-ips                       : force engine into IPS mode. Useful for>
Sep 09 15:45:49 localhost.localdomain suricata[11473]:         --user <user>                        : run suricata as this user after init
Sep 09 15:45:49 localhost.localdomain suricata[11473]:         --group <group>                      : run suricata as this group after init
Sep 09 15:45:49 localhost.localdomain suricata[11473]:         --erf-in <path>                      : process an ERF file
Sep 09 15:45:49 localhost.localdomain suricata[11473]:         --unix-socket[=<file>]               : use unix socket to control suricata wo>
Sep 09 15:45:49 localhost.localdomain suricata[11473]:         --set name=value                     : set a configuration value
Sep 09 15:45:49 localhost.localdomain suricata[11473]: To run the engine with default configuration on interface eth0 with signature file "s>
Sep 09 15:45:49 localhost.localdomain suricata[11473]: /sbin/suricata -c suricata.yaml -s signatures.rules -i eth0
Sep 09 15:45:49 localhost.localdomain systemd[1]: suricata.service: Main process exited, code=exited, status=1/FAILURE
Sep 09 15:45:49 localhost.localdomain systemd[1]: suricata.service: Failed with result 'exit-code'.

What is my problem?

Suricata-IDS can run manually:

# suricata -q0
9/9/2020 -- 15:54:31 - <Notice> - This is Suricata version 5.0.3 RELEASE running in SYSTEM mode
9/9/2020 -- 15:54:31 - <Notice> - all 3 packet processing threads, 4 management threads initialized, engine started.

Thank you.

4 
ExecStart=/sbin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid $OPTIONS

This is the line in the service file that is being used to execute Suricata. You can uncomment one of the EnvironmentFile lines to set the OPTIONS in an external file like you have to up already, are just modify the ExecStart line to provide the command line you want. You’re most of the way there.

5

It is uncommented already!! Is it not?
A line like /sbin/suricata -c /etc/suricata/suricata.yaml will run my Suricata-IDS as IDS, but I want to use Suricata-IDS as IPS!
Two modes (IDS and IPS) can’t working together?

6

It wasn’t uncommented in your last post… You’ll want to uncomment this:

EnvironmentFile=-/etc/sysconfig/suricata

Then /etc/sysconfig/suricata could look something like:

OPTIONS="-q0"

You’ve basically recreated the RPM type of installation, so installing it might be a good idea to just to see how it ties together Suricata, systemd, etc…

Or just tweak the line in the service file and add your -q there instead of the EnvironmentFile.

7

I edited the suricata file as below:

# Sample Suricata systemd unit file.
[Unit]
Description=Suricata Intrusion Detection Service
After=syslog.target network-online.target

[Service]
# Environment file to pick up $OPTIONS. On Fedora/EL this would be
# /etc/sysconfig/suricata, or on Debian/Ubuntu, /etc/default/suricata.
EnvironmentFile=-/etc/sysconfig/suricata
#EnvironmentFile=-/etc/default/suricata
ExecStartPre=/bin/rm -f /var/run/suricata.pid
ExecStart=/sbin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid $OPTIONS
ExecReload=/bin/kill -USR2 $MAINPID

[Install]
WantedBy=multi-user.target

And changed the /etc/sysconfig/suricata file from:

OPTIONS="-q 0 --user suricata"

To:

OPTIONS="-q0"

Thank you, Suricata-IDS running. How can I test my IPS?

8

Glad to see you are running. Testing an IPS is probably another topic - you’d have to find a rule for something you can trigger and test that it is blocked. I don’t have anything I can suggest myself.

9

Thank you.
I have below rules:

suricata
suricata802×292 6.18 KB

I tested below command, but Suricata-IDS failed to protect my server:

$ sudo hping3 -c 10000 -d 120 -S -w 64 -p 22 --flood "IP"

In your opinion, did I any configuration right?
For test my IPS, should I open a new thread?

10

Yeah, probably. I don’t use IPS mode myself, or understand that hping3 command. You might want to start just by checking that Suricata is logging what you expect.

11

Thank you so much for your help.