Intrusion Detection/Intrusion Prevention System (IDS/IPS)
suricata-1.4.7 for CentOS-5
In our school, we have a Fedora 19 server that acts as a router using iptables MASQUERADE to allow the computers in the computer classroom to connect to the internet. Since the computers are all using Windows operating system, it is inevitable that some computers get infected by virus/malware. When this happens the router's IP is blocked by our ISP. This happened many times and is a hassle since some courses do need internet connectivity.
After cleaning all computers of viruses/malware, a formidable job as we have more than 100 computers in the classroom, and asking the ISP to unblock the router's IP, the router gets blocked again after a few seconds.
So, I thought that using an IDS/IPS might help. But I dreaded this idea as I thought only experts are capable of doing this! Anyway, not knowing what I was doing, I just installed suricata:
yum install suricata
To my surprise, Fedora 19 fully supported suricata and installed suricata and all the files it required. After some time reading about suricata (please see: https://redmine.openinfosecfoundation.org/projects/suricata/wiki/index) I was able to configure suricata and have it running in no time. I can't believe that it was that easy to install suricata!
After a few days, I thought it would also be good to install suricata on our gateway/router as some of our teachers' computers also get blocked for being infected by viruses/malware (as usual, Windows computers). The problem was our gateway/router runs CentOS-5 and CentOS-5 does not support suricata.
The articles I have read on how to install suricata in CentOS-5 would list the files needed for a successful installation. Some needed files are available in the CentOS-5 repo, some in the Epel repo and the rest need to be compiled and installed from source. The famous process of "./configure && make && make install."
If you want to install suricata in CentOS-5 then you need to install the Epel repo:
rpm -Uvh http://dl.fedoraproject.org/pub/epel/5/i386/epel-release-5-4.noarch.rpm
Unless you are desperate, I do not recommend the process of installing from source as this is the best way to clutter your server with garbage.
So what to do?
Search the internet for the needed programs that do not exist in CentOS-5 repo and Epel repo. I was very fortunate as I was able to find all the needed source rpm files. Some I got from http://rules.emergingthreatspro.com/projects/emergingrepo/SRPMS and some from http://rpm.pbone.net/. In this way, I was able to collect all the needed programs to build a suricata rpm for CentOS-5.
To make the long story short, I did successfully build a suricata rpm for CentOS-5. And I have made suricata rpm and source rpm available for download at ftp://cc2.savs.hcc.edu.tw/CentOS/suricata/ and the supporting rpm files, source rpm files and devel rpm files at ftp://cc2.savs.hcc.edu.tw/CentOS/suricata/files/.
Suricata requires the following rpm files. Just install the rpm files from my ftp server. The rest will be installed during suricata's installation as dependencies. Note that the rpm files I built are not gpg-signed, so you need to use the --nogpgcheck option to install.
file-5.04-4.2.CentOS5.i686.rpm (my ftp server)
file-devel-5.04-4.2.CentOS5.i686.rpm (my ftp server)
libcap-ng-0.6.4-3.1.CentOS5.i686.rpm (my ftp server)
libnetfilter_queue-0.0.17-2.CentOS5.i686.rpm (my ftp server)
After installing the first 4 rpm files from my ftp server, you may now install suricata-1.4.7-1.CentOS5.i686.rpm:
yum localinstall --nogpgcheck suricata-1.4.7-1.CentOS5.i686.rpm
Check if the installed suricata program is working properly by executing:
suricata -c /etc/suricata/suricata.yaml -i eth0
After a few minutes, press ^C to stop the running suricata. Check the log files in /var/log/suricata. If the log files are populated with data, this means that suricata is capturing network packets and is running correctly as an IDS.
The next step is to download the rules and uncompress them into /etc/suricata/rules/emerging (taken from notes.fedora):
tar -xz -C /etc/suricata/rules/emerging --strip-components=1 -f emerging.rules.tar.gz
Then edit and configure /etc/suricata/suricata.yaml:
# uncomment 4 lines below and change mode: accept to repeat. This is for IPS.
Uncomment: copy-mode: ips
Uncomment: copy-iface: eth1
enabled: yes # change from no to yes
HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]" # change this to your network IPs
After this, also edit /etc/sysconfig/suricata and change the OPTIONS to:
OPTIONS="-D -q 0"
Then start suricata:
service suricata start
If there is no error, then suricata is now running in IPS mode waiting for network packets from iptables. The next thing to do is set iptables to send all network packets to suricata for inspections.
Since this is gateway/router server, edit /etc/sysconfig/iptables and insert this line to the appropriate location:
-A FORWARD -j NFQUEUE --queue-num 0
Then restart iptables:
service iptables restart
Check again the log files in /var/log/suricata. The log files, especially stats.log, should be getting new entries.
To be sure that suricata runs during computer boot, execute:
chkconfig suricata on
To make suricata effective, it is very important to continually update the rules. For this, I wrote a short and simple bash script for updating the rules. I also put this file in my ftp server and called it SRupdate (Suricata Rules update).
The action specified in the rules is alert for all of them. So when a network packet matches a rule, only an alert is raised. This means that although suricata is now running as an IPS, it still functions only as an IDS.
To make sure that suricata really functions as an IPS, you need to change the action in some rules from alert to drop so that when a network packet matches a rule, this network packet will be dropped. But to manually change alert to drop requires a lot of hard work and time. For example, emerging-malware.rules has 898 rules to change, emerging-trojan.rules has 2097 and emerging-worm.rules has 11. Even if you use oinkmaster to manage the rules, just to configure it takes a tremendous amount of time.
Since I am more interested in preventing viruses/malware/trojans/worms from going out of or coming into our network, I decided to focus only on the 3 rule files mentioned above. But I am not sure which rules should have their action changed from alert to drop. To make things a little bit easier, I decided to just change the action of every rule in the 3 rule files from alert to drop. For this purpose, I wrote a simple C program to do this. I have put this file, alert2drop.c, and the corresponding RSupdate in the directory alert2drop. After downloading alert2drop.c, compile it:
gcc -O2 alert2drop.c -o alert2drop
I recommend that you put this executable file, alert2drop, and RSupdate in /root/bin so that these two files are in the environment path.
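The rewrite that alert2drop performs can be done as below. This is an added example and not the author's alert2drop.c; it reads a rules file on stdin, changes the action keyword of every active rule from alert to drop, and leaves commented-out (disabled) rules, blank lines and rules with other actions (pass, reject, drop) untouched, so a later run is harmless.

```c
/* Rewrite Suricata rule actions from "alert" to "drop" (added example, not the
 * author's alert2drop.c). Usage: ./alert2drop < in.rules > out.rules */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Rewrite one rule line into out (capacity outsz). Returns 1 if the action was
 * changed from alert to drop, 0 if the line was copied unchanged. Only a line
 * whose first token is exactly "alert" is changed: "#alert" (disabled rule),
 * "alerting", comments and other actions are left as they are. */
int alert2drop_line(const char *in, char *out, size_t outsz)
{
    const char *p = in;
    size_t lead;
    while (*p == ' ' || *p == '\t') p++;          /* keep leading whitespace */
    lead = (size_t)(p - in);
    if (strncmp(p, "alert", 5) == 0 && isspace((unsigned char)p[5])) {
        if (lead + 4 + strlen(p + 5) + 1 > outsz) { /* would not fit: copy */
            snprintf(out, outsz, "%s", in);
            return 0;
        }
        memcpy(out, in, lead);
        memcpy(out + lead, "drop", 4);
        strcpy(out + lead + 4, p + 5);            /* rest of the rule as-is */
        return 1;
    }
    snprintf(out, outsz, "%s", in);
    return 0;
}

/* Process a whole rules file; returns the number of rules changed. Lines longer
 * than the buffer are passed through in pieces, unchanged. */
long alert2drop_stream(FILE *in, FILE *out)
{
    char line[16384], buf[16384];
    long changed = 0;
    while (fgets(line, sizeof line, in)) {
        changed += alert2drop_line(line, buf, sizeof buf);
        fputs(buf, out);
    }
    return changed;
}

int main(void)
{
    long n = alert2drop_stream(stdin, stdout);
    fprintf(stderr, "changed %ld rule(s) from alert to drop\n", n);
    return 0;
}
```

Run it as ./alert2drop < emerging-malware.rules > emerging-malware.rules.new and diff the two files before replacing the original, so that only the action keyword has changed.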
Caveat: In IPS mode, if suricata dies for whatever reason, your server will not be accessible anymore. Even ssh will not be able to connect. Although this might be a remote possibility, it is always good to be prepared just in case. So I use cron to check, every 10 minutes, whether suricata is still alive. If it has died, it is started again. I have put this cron file on my ftp server and named it ChkStoppedCron. Put this file in /root/bin and chmod it to 755. You need to set up cron, of course.
Fr. Visminlu Vicente L. Chua, S.J.