Suricata for CentOS-5

Intrusion Detection/Intrusion Prevention System (IDS/IPS)

suricata-1.4.7 for CentOS-5

Traditional Chinese version


In our school, we have a Fedora 19 server that acts as a router, using iptables MASQUERADE to allow the computers in the computer classroom to connect to the internet. Since the computers all run Windows, it is inevitable that some of them get infected by viruses/malware. When this happens, the router's IP address is blocked by our ISP. This has happened many times and is a hassle, since some courses do need internet connectivity.

After cleaning all the computers of viruses/malware, a formidable job as we have more than 100 computers in the classroom, and asking the ISP to unblock the router's IP, the router got blocked again after a few seconds.

So, I thought that using an IDS/IPS might help. But I dreaded this idea as I thought only experts are capable of doing this! Anyway, not knowing what I was doing, I just installed suricata:

yum install suricata

To my surprise, Fedora 19 fully supported suricata and installed suricata and all the files it required. After some time reading about suricata (please see: https://redmine.openinfosecfoundation.org/projects/suricata/wiki/index) I was able to configure suricata and have it running in no time. I can't believe that it was that easy to install suricata!

After a few days, I thought it would also be good to install suricata on our gateway/router, as some of our teachers' computers also get blocked for being infected by viruses/malware (as usual, Windows computers). The problem was that our gateway/router runs CentOS-5, and CentOS-5 does not support suricata.

The articles I have read on how to install suricata in CentOS-5 would list the files needed for a successful installation. Some needed files are available in the CentOS-5 repo, some in the Epel repo and the rest need to be compiled and installed from source. The famous process of "./configure && make && make install."

If you want to install suricata in CentOS-5 then you need to install the Epel repo:

rpm -Uvh http://dl.fedoraproject.org/pub/epel/5/i386/epel-release-5-4.noarch.rpm

Unless you are desperate, I do not recommend the process of installing from source as this is the best way to clutter your server with garbage.

So what to do?

Search the internet for the needed programs that do not exist in the CentOS-5 repo and Epel repo. I was very fortunate as I was able to find all the needed source rpm files. Some I got from http://rules.emergingthreatspro.com/projects/emergingrepo/SRPMS and some from http://rpm.pbone.net/. In this way, I was able to collect all the needed programs to build a suricata rpm for CentOS-5.

To make the long story short, I did successfully build a suricata rpm for CentOS-5. And I have made suricata rpm and source rpm available for download at ftp://cc2.savs.hcc.edu.tw/CentOS/suricata/ and the supporting rpm files, source rpm files and devel rpm files at ftp://cc2.savs.hcc.edu.tw/CentOS/suricata/files/.

Installation:

Suricata requires the following rpm files. Install the four rpm files from my ftp server first; the rest will be installed as dependencies during suricata's installation. Note that the rpm files I built are not gpg-signed, so you need to use the --nogpgcheck option to install them.

rpm filename                                   origin
file-5.04-4.2.CentOS5.i686.rpm                 my ftp server
file-devel-5.04-4.2.CentOS5.i686.rpm           my ftp server
libcap-ng-0.6.4-3.1.CentOS5.i686.rpm           my ftp server
libnetfilter_queue-0.0.17-2.CentOS5.i686.rpm   my ftp server
libnet                                         epel
libnfnetlink                                   epel
libpcap                                        centos
pcre                                           centos
prelude                                        centos
libyaml                                        centos

After installing the first 4 rpm files from my ftp server, you may now install suricata-1.4.7-1.CentOS5.i686.rpm:

yum localinstall --nogpgcheck suricata-1.4.7-1.CentOS5.i686.rpm

Check if the installed suricata program is working properly by executing:

suricata -c /etc/suricata/suricata.yaml -i eth0

After a few minutes, press ^C to stop the running suricata. Check the log files in /var/log/suricata. If the log files are populated with data, suricata is capturing network packets and is running correctly as an IDS.

The next step is to download the rules and uncompress them into /etc/suricata/rules/emerging (taken from notes.fedora; the target directory must exist before tar can extract into it):

mkdir -p /etc/suricata/rules/emerging
wget http://rules.emergingthreats.net/open/suricata/emerging.rules.tar.gz
tar -xz -C /etc/suricata/rules/emerging --strip-components=1 -f emerging.rules.tar.gz

Then edit and configure /etc/suricata/suricata.yaml:

nfq:
  # uncomment the 4 lines below and change mode: accept to mode: repeat. This is for IPS.
  mode: repeat
  repeat-mark: 1
  repeat-mask: 1
  route-queue: 2

Uncomment: copy-mode: ips
Uncomment: copy-iface: eth1

  - file:
      enabled: yes     # change from no to yes
      filename: /var/log/suricata.log

default-rule-path: /etc/suricata/rules/emerging

HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"   # change this to your network IPs

After this, also edit /etc/sysconfig/suricata and change the OPTIONS to:

OPTIONS="-D -q 0"

Execute:

service suricata start

If there is no error, suricata is now running in IPS mode, waiting for network packets from iptables. The next thing to do is to set iptables to send all network packets to suricata for inspection.

Since this is a gateway/router server, edit /etc/sysconfig/iptables and insert this line at the appropriate location:

-A FORWARD -j NFQUEUE --queue-num 0

Restart iptables:

service iptables restart

Check the log files in /var/log/suricata again. The log files, especially stats.log, should be getting new entries.

To be sure that suricata runs during computer boot, execute:

chkconfig suricata on

To make suricata effective, it is very important to continually update the rules. For this, I wrote a short and simple bash script for updating the rules. I also put this file in my ftp server and called it SRupdate (Suricata Rules update).

The action specified in all the rules is alert. So when a network packet matches a rule, only an alert is raised. This means that although suricata is now running as an IPS, it still functions only as an IDS.

To make sure that suricata really functions as an IPS, you need to change the action in some rules from alert to drop, so that when a network packet matches such a rule, the packet is dropped. But manually changing alert to drop requires a lot of work and time. For example, emerging-malware.rules has 898 rules to change, emerging-trojan.rules has 2097 and emerging-worm.rules has 11. Even if you use oinkmaster to manage the rules, just configuring it takes a tremendous amount of time.

Since I am more interested in preventing virus/malware/trojan/worm from going out or coming into our network, I decided to focus only on the 3 rule files mentioned above. But I am not sure which rules to change the action from alert to drop. To make things a little bit easier, I decided to just change all the action on the 3 rule files from alert to drop. For this purpose, I wrote a simple c program to do this. I have put this file, alert2drop.c and the corresponding RSupdate in the directory alert2drop.  After downloading the alert2drop.c, compile it:

gcc -O2 alert2drop.c -o alert2drop

I recommend that you put the executable, alert2drop, and RSupdate in /root/bin so that both are on root's PATH.
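As an added illustration of the update-then-convert workflow described above (this is my own example for this page, not the author's SRupdate/RSupdate script or alert2drop.c), the script below downloads the Emerging Threats tarball, unpacks it into a staging directory, rewrites the action of every active rule in the three files named in the article from alert to drop, and only then swaps the new rule set into place, keeping the previous one as a .prev directory for rollback. The rules URL, rule directory and file names are the ones from the article; the staging/backup naming and the "service suricata restart" step are my assumptions.

```shell
#!/bin/sh
# Rules update with alert->drop conversion. Added example for this page, not the
# author's SRupdate/RSupdate or alert2drop.c. Assumes the rules URL, rule directory
# and three rule file names from the article; the ".prev" backup name and the
# "service suricata restart" step are my choices.
set -u

RULES_URL="http://rules.emergingthreats.net/open/suricata/emerging.rules.tar.gz"
RULES_DIR="/etc/suricata/rules/emerging"
DROP_FILES="emerging-malware.rules emerging-trojan.rules emerging-worm.rules"

# alert2drop FILE: change the action of every active rule from alert to drop.
# Commented-out rules ('#alert ...') and rules with any other action are left
# untouched, so rules that were deliberately disabled stay disabled.
alert2drop() {
    f="$1"
    tmp="$f.tmp.$$"
    sed 's/^[[:space:]]*alert[[:space:]]/drop /' "$f" > "$tmp" && mv "$tmp" "$f"
}

# count_action FILE ACTION: number of active rules whose action is ACTION.
count_action() {
    grep -c "^$2[[:space:]]" "$1" || true
}

# install_rules TARBALL DESTDIR: unpack into a staging directory, convert the
# three files there, then swap the staging directory into place. The previous
# rule set is kept as DESTDIR.prev so a bad update can be rolled back.
install_rules() {
    tarball="$1"
    dest="$2"
    stage="$dest.new.$$"
    rm -rf "$stage"
    mkdir -p "$stage"
    tar -xzf "$tarball" -C "$stage" --strip-components=1
    for name in $DROP_FILES; do
        if [ -f "$stage/$name" ]; then
            alert2drop "$stage/$name"
        fi
    done
    rm -rf "$dest.prev"
    if [ -d "$dest" ]; then
        mv "$dest" "$dest.prev"
    fi
    mv "$stage" "$dest"
}

# Full update: download, install, restart. While suricata is restarting nothing
# reads NFQUEUE 0, so forwarded packets are dropped; keep that window short.
main() {
    work=$(mktemp -d /tmp/srupdate.XXXXXX)
    wget -q -O "$work/emerging.rules.tar.gz" "$RULES_URL"
    install_rules "$work/emerging.rules.tar.gz" "$RULES_DIR"
    rm -rf "$work"
    for name in $DROP_FILES; do
        echo "$name: $(count_action "$RULES_DIR/$name" drop) drop rules"
    done
    service suricata restart
}

# Only perform the update when invoked as: SRupdate.sh update
if [ "${1:-}" = "update" ]; then
    main
fi
```

Run it as root with the single argument update (for example from a nightly cron entry). Because the conversion is done in the staging directory, a download or extraction failure leaves the rule set that suricata is currently using untouched, and the printed drop counts give a quick sanity check that the three files were actually rewritten.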

Caveat: In IPS mode, if suricata dies for whatever reason, your server will not be accessible anymore; even ssh will not be able to connect. Although this might be a remote possibility, it is always good to be prepared, just in case. So I use cron to check every 10 minutes whether suricata is still alive; if it has died, it is started again. I have put this cron file on my ftp server and named it ChkStoppedCron. Put this file in /root/bin and chmod it to 755. You need to set up cron, of course.
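The watchdog below is an added example of the check the caveat describes; it is my own code for this page, not the author's ChkStoppedCron. It assumes that suricata started with -D writes its pid to /var/run/suricata.pid (the usual default; adjust PIDFILE if your init script passes --pidfile), that the forwarding rule is exactly the one given earlier in the article, and that a log file under /var/log/suricata is acceptable. Beyond restarting suricata, it adds the step a practitioner usually wants: if suricata cannot be brought back, the NFQUEUE rule is removed so the router (and ssh) stay reachable, uninspected, rather than blackholing every forwarded packet.

```shell
#!/bin/sh
# Watchdog for suricata running as an NFQUEUE IPS. Added example for this page,
# not the author's ChkStoppedCron. Assumptions: suricata -D writes
# /var/run/suricata.pid (adjust if your init script uses --pidfile), and the
# forwarding rule is the one from the article. Suggested root crontab line:
#   */10 * * * * /root/bin/suricata-watchdog.sh check
set -u

PIDFILE="/var/run/suricata.pid"
LOGFILE="/var/log/suricata/watchdog.log"
QUEUE_RULE="FORWARD -j NFQUEUE --queue-num 0"

log() {
    echo "$(date '+%Y-%m-%d %H:%M:%S') $*" >> "$LOGFILE"
}

# pid_alive PIDFILE: succeed only if the file names a process that exists.
# A stale pid file left behind by a crash must not count as "running".
pid_alive() {
    pidfile="$1"
    [ -r "$pidfile" ] || return 1
    pid=$(head -n 1 "$pidfile" 2>/dev/null | tr -dc '0-9')
    [ -n "$pid" ] || return 1
    kill -0 "$pid" 2>/dev/null
}

# fail_open: detach the NFQUEUE rule so forwarded traffic flows uninspected
# instead of being dropped. Reachability is preferred over a dead IPS.
fail_open() {
    if iptables -L FORWARD -n | grep -q NFQUEUE; then
        iptables -D $QUEUE_RULE
        log "NFQUEUE rule removed; traffic is forwarded without inspection"
    fi
}

# check: restart suricata if it is dead; if it does not come back, fail open.
check() {
    if pid_alive "$PIDFILE"; then
        return 0
    fi
    log "suricata not running, starting it"
    service suricata start
    sleep 10
    if pid_alive "$PIDFILE"; then
        log "suricata started"
    else
        log "suricata failed to start"
        fail_open
    fi
}

if [ "${1:-}" = "check" ]; then
    check
fi
```

Once suricata has been repaired and started again, "service iptables restart" reloads /etc/sysconfig/iptables and puts the NFQUEUE rule back, so the fail-open state is visible in the watchdog log and easy to undo.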

Fr. Visminlu Vicente L. Chua, S.J.
2014/01/10
Updated: 2014/01/25