Configuring Suricata

Cybersecurity Monitoring Lab – Part 5 – Configuring Suricata IDS in Proxmox

HOMELAB

Rezwan Siddique

11/25/2023 · 6 min read

In this post, we are going to set up an IDS (Intrusion Detection System) for our lab. What's an IDS? It is a program that analyzes network traffic and looks for malicious or suspicious activity based on pre-configured rules. Similar to how anti-virus software identifies malware by signature, an IDS matches network traffic against signatures and logs an alert on a hit. An IDS like Suricata goes further: its rule language lets us alert on anything we can describe in terms of traffic, including machines connecting to specific IP addresses or ports, and, once the alerts land in a SIEM, things like connections to servers outside of certain hours. Our choice of IDS for this lab is Suricata.

Initial Setup

LXC Creation

We will be using Ubuntu 22.04 for this container. On the Proxmox dashboard, navigate to the node's local storage (the one that holds CT templates, usually named local). Select "CT Templates" and click "Templates"; you should see a list of LXC templates available for download. From the list, choose "Ubuntu 22.04 Standard" and download it.

Once the download is done, click "Create CT" and start creating the container. Select the Ubuntu 22.04 template and click Next.

For disk I am giving 25 GB; 10 GB is the lowest I would go. For CPU I am using 1 core.

For memory my selection is 2047 MB with 1024 MB of swap.

For the first network interface (net0) I am using a static IP on bridge vmbr0, since this interface sits on the WAN/home network; it is the one you will log in on.

Click Next on DNS and use the host settings. Confirm your settings and finish. Make sure to uncheck "Start after created": we will start the container after adding the mirror interface for the internal switch.

Click on the new container (107 in my case), select Network and click Add. Attach this second interface (net1) to the internal lab switch, vmbr1, and give it a recognisable name such as MirrorInternal, since that is the interface name Suricata will listen on later. It receives copies of the packets from every machine connected to the internal switch, so assign it no IP address, and make sure Firewall is unchecked (a Proxmox firewall on the device inserts extra fw* interfaces between the container and the bridge, which breaks the mirror set up below). After adding the device, start the container.

Host System Configuration

Log in and update the system.

#apt update && apt upgrade -y

Check the interfaces:

#ip a

You should see eth0 with the static IP you assigned and the mirror interface (MirrorInternal) with no address. If the interfaces look correct, we can continue.

Suricata Install

Create SPAN Port on Lab Switch

In this setup we want a copy of all traffic on the pfSense internal switch (vmbr1) sent to the Suricata container. On Open vSwitch that is done with a mirror, the OVS equivalent of a SPAN port: the mirror selects packets on the bridge and copies them out of one chosen port, in our case the host side of the container's MirrorInternal interface. (ovs-vsctl only manages OVS bridges, so this assumes vmbr1 was created as an OVS bridge in the earlier parts of this lab.)

Open the shell on your Proxmox server and run:

#ip link show | grep container-id

where container-id is the ID of the Suricata container (not the Proxmox node). In my case the ID is 107. If you see extra interfaces starting with "fw", the Proxmox firewall is still enabled on one of the container's network devices; turn it off, otherwise the port attached to the bridge is an fw* device rather than the veth below and the mirror command will not work.

The first interface, veth107i0@if2, is the host side of the container's first NIC, the one on the home network where the machine receives its IP. The second, veth107i1@if3, is the host side of the mirror interface.

Now run the following command in the Proxmox shell to create the SPAN port on the lab switch. It creates a mirror named suriIDS on vmbr1 that selects every packet on the bridge (select-all=true) and outputs it to the container's port:

#ovs-vsctl -- --id=@p get port veth107i1 -- --id=@m create mirror name=suriIDS select-all=true output-port=@p -- set bridge vmbr1 mirrors=@m

(change veth107i1 to match your interface name, and vmbr1 if your internal switch is called something else)

One caveat: the veth pair is torn down and recreated whenever the container stops, so after a container restart the mirror refers to a port that no longer exists and has to be created again.
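Because the mirror has to be recreated after every container restart, it is worth turning the one-liner into a script. The helper below is an added example for the Proxmox host, not part of the original post: it finds the container's mirror port in the output of `ip link show`, checks that the port is really attached to the bridge being mirrored, clears the bridge's existing mirrors so a stale one never blocks the create, runs the same ovs-vsctl transaction as above, and prints the resulting Mirror record so you can confirm select_all is true and output_port is set. The script name (mkspan.sh) and the defaults (vmbr1, suriIDS) are assumptions matching this post.

```bash
#!/bin/bash
# mkspan.sh - (re)create the Open vSwitch SPAN mirror that feeds the Suricata container.
# Run on the Proxmox host:  ./mkspan.sh <ctid> [bridge] [mirror-name]
# e.g.                      ./mkspan.sh 107 vmbr1 suriIDS
# Re-run after the container restarts: Proxmox recreates vethNNNi1, and the old
# mirror would otherwise point at a port that no longer exists.
set -eu

# Given the text of `ip link show` and a container id, print the host-side name of
# the container's second NIC (net1 -> vethNNNi1). Prints nothing if it is absent.
span_iface() {
    local links="$1" ctid="$2"
    printf '%s\n' "$links" | sed -nE "s/^[0-9]+: (veth${ctid}i1)(@[A-Za-z0-9]+)?:.*/\1/p" | head -n1
}

# Print (do not run) the ovs-vsctl transaction that creates a select-all mirror on
# <bridge> whose output is <port>. Same command as in the post, with the parts filled in.
mirror_cmd() {
    local bridge="$1" port="$2" name="$3"
    printf 'ovs-vsctl -- --id=@p get port %s -- --id=@m create mirror name=%s select-all=true output-port=@p -- set bridge %s mirrors=@m\n' \
        "$port" "$name" "$bridge"
}

main() {
    local ctid="$1" bridge="${2:-vmbr1}" name="${3:-suriIDS}" port
    port=$(span_iface "$(ip link show)" "$ctid")
    if [ -z "$port" ]; then
        echo "no veth${ctid}i1 found: is CT $ctid running with a second NIC (and its firewall off)?" >&2
        exit 1
    fi
    # Refuse to mirror to a port that is not on the bridge being mirrored.
    if [ "$(ovs-vsctl port-to-br "$port")" != "$bridge" ]; then
        echo "$port is not a port of $bridge" >&2
        exit 1
    fi
    # Drop whatever mirror the bridge had (e.g. a stale one from before a restart) so the
    # create below never fails on a duplicate name. Note: this clears ALL mirrors on the bridge.
    ovs-vsctl clear bridge "$bridge" mirrors
    eval "$(mirror_cmd "$bridge" "$port" "$name")"
    # Show what was created: expect select_all=true and output_port set to the port's UUID.
    ovs-vsctl list mirror
}

if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Run it as `./mkspan.sh 107` after every start of the container (or hook it into a Proxmox hookscript's post-start phase), and use `ovs-vsctl clear bridge vmbr1 mirrors` on its own when you want the mirror gone.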

Configure Suricata

Installation

Back in the Suricata machine, run the following commands:

#apt install suricata jq

This installs Suricata along with jq, a command line tool for reading and filtering JSON, which we will use on eve.json.

Edit Suricata.yaml

Next we need to tell Suricata which networks it is protecting and which interface to monitor. Open the configuration file:

#nano /etc/suricata/suricata.yaml

It is a big file; the easiest way to find a setting in nano is Ctrl+W (or Ctrl+Q to search backwards), then type the word and press Enter.

The first setting to change is HOME_NET, under vars: and address-groups:. Set it to the networks we are going to monitor; in my case that is the Kali subnet 10.0.10.0/28 and the Active Directory subnet 10.10.20.0/28, i.e. HOME_NET: "[10.0.10.0/28,10.10.20.0/28]". Double-check this against the addresses your hosts actually use: the Active Directory machine in the tests below has the address 10.0.20.2, which is not inside 10.10.20.0/28, and a HOME_NET that misses a subnet leaves every rule written in terms of $HOME_NET blind to that subnet.

Next, under outputs:, make sure the eve-log entry is enabled (enabled: yes). eve.json is the structured JSON log we will later ship to the SIEM and read with jq; fast.log, the one-line-per-alert text log used below, is enabled by default.

Then, under af-packet:, change interface: eth0 to the mirror interface, MirrorInternal.

Finally, change default-rule-path to /etc/suricata/rules and add local.rules to the rule-files: list below it. We create that file in the next step.

Once the custom rule below is in place and Suricata has been restarted, the alerts show up in fast.log on the Suricata server:

#tail /var/log/suricata/fast.log

With the Kali machine pinging, we can see Suricata has picked up the ICMP packets from the Kali machine at 10.0.10.2 to the home gateway at 10.0.0.1.

Create Custom Rules

Create a file for custom rules by running command:

#nano /etc/suricata/rules/local.rules

We are going to create a generic test rule to check that the whole pipeline works. Add the following line to the file:

alert icmp any any -> any any (msg:"ICMP Packet Found"; sid:1000001; rev:1;)

Every rule needs a sid (signature ID) and should carry a rev (revision). Suricata refuses to load a rule without a sid: it reports the failure in suricata.log and starts with the remaining rules, so a rule missing it simply never fires. IDs from 1000000 upwards are the conventional range for local rules, which keeps them clear of the public rule sets.

Finally, restart Suricata to apply the changes:

#systemctl restart suricata

With the af-packet interface set to MirrorInternal in suricata.yaml, the service is now listening on the mirror port. If you prefer to run Suricata by hand rather than as a service, start it on the monitoring interface in the background instead (not in addition; two instances would fight over the same log files):

#suricata -i MirrorInternal &
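Since a broken rule fails quietly, it pays to check before restarting. The script below is an added example (not from the original post) of the pre-flight a practitioner would run after editing local.rules: it lints the file for the slips that make Suricata skip a rule (missing sid or rev, unterminated option list, unknown action), then lets Suricata itself validate the complete configuration with -T, restarts the service, and reads the "rules successfully loaded" line back out of suricata.log, failing if any rule did not load. The script name (check_rules.sh) and the log and config paths are the Ubuntu package defaults and are assumptions.

```bash
#!/bin/bash
# check_rules.sh - lint local.rules, validate the whole Suricata config, then restart.
# Usage (on the Suricata container):  ./check_rules.sh /etc/suricata/rules/local.rules
set -eu

SURICATA_YAML=/etc/suricata/suricata.yaml
SURICATA_LOG=/var/log/suricata/suricata.log

# Reads rule text on stdin. Prints one "line N: <problem>" per defect and exits 1 if
# anything was found. Only catches structural slips; suricata -T does the real parse.
lint_rules() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }        # skip comments and blank lines
        !/^(alert|pass|drop|reject|rejectsrc|rejectdst|rejectboth)[[:space:]]/ {
            printf "line %d: unknown action\n", NR; bad = 1; next
        }
        !/sid:[[:space:]]*[0-9]+;/  { printf "line %d: missing sid\n", NR; bad = 1 }
        !/rev:[[:space:]]*[0-9]+;/  { printf "line %d: missing rev\n", NR; bad = 1 }
        !/\)[[:space:]]*$/          { printf "line %d: option list not closed with )\n", NR; bad = 1 }
        END { exit bad + 0 }
    '
}

# Reads suricata.log on stdin and prints the most recent rule-loading summary, e.g.
# "1 rule files processed. 2 rules successfully loaded, 0 rules failed"
loaded_summary() {
    grep -o '[0-9][0-9]* rule files processed.*' | tail -n 1
}

main() {
    local rules="$1" summary
    lint_rules < "$rules"
    # -T loads the real config and every rule file and exits non-zero on any error,
    # without opening the capture interface or disturbing the running service.
    suricata -T -c "$SURICATA_YAML" -v
    systemctl restart suricata
    sleep 5                     # give the new instance time to log its rule summary
    summary=$(loaded_summary < "$SURICATA_LOG")
    echo "$summary"
    case "$summary" in
        *" 0 rules failed"*) ;;
        *) echo "WARNING: some rules did not load; see $SURICATA_LOG" >&2; exit 1 ;;
    esac
}

if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

The linter would have caught the rule as it was first written in this post (msg only, no sid or rev) before Suricata quietly dropped it; the -T run catches everything else, such as a misspelled keyword or a bad address variable.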

Testing Custom Rules

To test the custom rule, we are going to generate traffic from the machines connected to the internal switch. Let's start with the Kali machine on the 10.0.10.0/28 network and ping the default gateway on the home network. (This assumes suricata.yaml already points default-rule-path at /etc/suricata/rules and lists local.rules under rule-files, as set up above.)

Now, we are going to test a machine from the Active Directory network by sending a ping from there to the Kali machine.

The ping request fails. Let's check the Suricata server to see if it picked it up.

The packets from the Active Directory machine at 10.0.20.2 were captured as well: the mirror copies every packet that reaches the switch, so Suricata sees the echo requests even though no reply ever comes back.

One final test is for the firewall rules. Our firewall is set up so that traffic cannot pass between the Active Directory network and the WAN/home network. Let's confirm it by pinging the home gateway from the Active Directory machine.

Checking the fast.log on the Suricata machine:

We see that Suricata did pick up the echo requests, and that there are no matching replies from the other direction: the machine on the 10.0.0.0 network never answered. We have now confirmed both that our Suricata server and our firewall are working as intended.
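Rather than eyeballing fast.log, the checks above can be scripted. The following is an added example, not part of the original post: an awk-based reader for fast.log that counts alerts per rule and, for the ICMP test rule, lists every source/destination pair in the order it was first seen together with whether traffic in the opposite direction was ever alerted on. A pair with no reverse traffic is a ping that got no reply across the mirrored segment, which is exactly the evidence that the firewall rule held. The sample lines are constructed in the format Suricata writes to fast.log (not real captured output), using the addresses from this post; the script name (icmp_check.sh) is an assumption.

```bash
#!/bin/bash
# icmp_check.sh - summarise fast.log and show which ICMP conversations got a reply.
# Usage:  ./icmp_check.sh /var/log/suricata/fast.log     (or: ./icmp_check.sh sample)
set -eu

# Constructed sample in fast.log format (not real captured output): Kali (10.0.10.2)
# pings the home gateway and is answered; the AD host (10.0.20.2) pings it and is not.
sample_fastlog() {
    cat <<'EOF'
11/25/2023-14:03:21.000123  [**] [1:1000001:1] ICMP Packet Found [**] [Classification: (null)] [Priority: 3] {ICMP} 10.0.10.2:8 -> 10.0.0.1:0
11/25/2023-14:03:21.000412  [**] [1:1000001:1] ICMP Packet Found [**] [Classification: (null)] [Priority: 3] {ICMP} 10.0.0.1:0 -> 10.0.10.2:0
11/25/2023-14:05:02.770901  [**] [1:1000001:1] ICMP Packet Found [**] [Classification: (null)] [Priority: 3] {ICMP} 10.0.20.2:8 -> 10.0.0.1:0
EOF
}

# Alert count per rule, most frequent first: "<count> [gid:sid:rev] <msg>"
alerts_by_rule() {
    awk '{ split($0, f, / \[\*\*\] /); c[f[2]]++ }
         END { for (k in c) printf "%d %s\n", c[k], k }' | sort -rn
}

# For each src -> dst pair seen on an ICMP alert (first-seen order), say whether
# traffic in the opposite direction was also alerted on. IPv4 only: the address
# is split on ":" because fast.log prints ICMP type and code where ports would be.
icmp_pairs() {
    awk '
        /\{ICMP\}/ {
            split($(NF-2), s, ":"); split($NF, d, ":")     # "10.0.10.2:8 -> 10.0.0.1:0"
            key = s[1] "|" d[1]
            if (!(key in seen)) { seen[key] = 1; order[++n] = key }
        }
        END {
            for (i = 1; i <= n; i++) {
                split(order[i], p, "|"); rev = p[2] "|" p[1]
                if ((rev in seen) && (rev in printed)) continue   # already reported as answered
                printed[order[i]] = 1
                printf "%s -> %s %s\n", p[1], p[2], (rev in seen) ? "answered" : "unanswered"
            }
        }
    '
}

# Run both summaries over the same input (read once, since stdin cannot be replayed).
report() {
    local data
    data=$(cat)
    printf '%s\n' "$data" | alerts_by_rule
    echo
    printf '%s\n' "$data" | icmp_pairs
}

if [ "$#" -gt 0 ]; then
    if [ "$1" = sample ]; then sample_fastlog | report; else report < "$1"; fi
fi
```

On the sample the pair report reads "10.0.10.2 -> 10.0.0.1 answered" and "10.0.20.2 -> 10.0.0.1 unanswered", the same conclusion the three manual tests reached; on the real log it also makes any unexpected "answered" pair across the firewall stand out immediately.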

We can also look at the mirrored traffic directly on the span interface with tcpdump:

# sudo tcpdump -i MirrorInternal -nn -v icmp

This shows the ICMP packets copied from the internal switch; drop the trailing icmp filter to see all of the mirrored traffic. It is also the quickest way to tell a Suricata problem from a mirror problem: if tcpdump sees nothing here, the OVS mirror is not delivering packets and no Suricata setting will help.

Now that our IDS is in place, we can commence monitoring our machines and establish alerts for any unusual activities. However, this task won't be accomplished solely with Suricata. In the next part of this lab, we will set up a SIEM to centralize logs from all the machines we're monitoring. Subsequently, we'll forward all alerts from Suricata to our SIEM, enabling us to monitor all activities in our lab environment through a unified interface.