🦝 Suricata IDS Home-Lab

Nikhil Chaudhari
3 min readOct 28, 2024


Welcome back to the "Security Analysis 101" series, where we analyse logs and discover patterns in them using current industry tools and techniques. In this post we will look at what Suricata is, why it is used, and how to set it up on a local machine. Let's get started.

🍁Introduction

The goal of setting up a Suricata home-lab is to gain practical experience in deploying and configuring an Intrusion Detection System (IDS) for network security monitoring. Suricata is an open-source IDS capable of detecting and preventing various network-based threats. This home-lab provides individuals with hands-on experience in setting up, configuring, and utilizing Suricata to enhance network security.

In this home-lab, we will cover:

  • Requirements
  • Lab structure
  • Setting up the Suricata Home-Lab
  • Exercise 1 - Network-based attacks
  • Exercise 2 - Web-based attacks

📝 Requirements

Hardware:

  • Computer with internet connectivity
  • RAM: at least 16 GB
  • CPU: dual-core processor

VM/ISO Image:

  • Windows machine (victim machine)
  • Kali Linux (attacker machine)

👩🏻‍🔬🧪Lab Diagram

👨🏽‍💻Setting up the Suricata Home-Lab

Now that we have a clear picture of what Suricata is and a structural diagram of the lab, let's build the home-lab on the local machine. As discussed above, we need VirtualBox so that all the lab VMs can run on one host.

Setting up Suricata IDS Server

  • Import the Ubuntu Server 22.04 OVA file into VirtualBox
  • Install the Suricata IDS package

Setting up Victim Server-1

  • Import the Ubuntu Server 22.04 OVA file into VirtualBox
  • Install DVWA (Damn Vulnerable Web Application)

Setting up Victim Server-2

  • Import the Metasploitable 2 OVA image

Setting up Victim Server-3

  • Import the Typhoon OVA image

I am not going to discuss the process of installing DVWA and Typhoon here; please refer to the YouTube links below.

DVWA lab setup

Typhoon lab setup

Here I will show you how to install Suricata IDS on Ubuntu Server:

🍁 Suricata IDS set-up on Ubuntu server:

1. Install Suricata from the OISF stable PPA with the apt package manager (on a minimal server install, the add-apt-repository command comes from the software-properties-common package):
sudo add-apt-repository ppa:oisf/suricata-stable
sudo apt-get update
sudo apt-get install suricata -y

2. Download and extract the Emerging Threats (ET Open) Suricata ruleset. The tarball is published per Suricata release, so pick the directory that matches the version you installed (check with suricata -V); the 6.0.8 path below is the one used when this post was written:

cd /tmp/ && curl -LO https://rules.emergingthreats.net/open/suricata-6.0.8/emerging.rules.tar.gz
sudo tar -xvzf emerging.rules.tar.gz && sudo mv rules/*.rules /etc/suricata/rules/
sudo chmod 640 /etc/suricata/rules/*.rules

3. Edit /etc/suricata/suricata.yaml and set the following values. Replace <UBUNTU_IP> with the IP address of the Suricata VM; if the victims run on other VMs, widen HOME_NET to the whole lab subnet and enable promiscuous mode ("Allow All") on the sensor's VirtualBox adapter, otherwise the sensor only sees traffic addressed to itself. Also check the interface name with ip link, because Ubuntu 22.04 usually names it enp0s3 or similar rather than eth0:

vars:
  address-groups:
    HOME_NET: "<UBUNTU_IP>"
    EXTERNAL_NET: "any"

default-rule-path: /etc/suricata/rules
rule-files:
  - "*.rules"

# Global stats configuration
stats:
  enabled: yes

# Linux high speed capture support
af-packet:
  - interface: eth0

4. Restart the Suricata service so that it loads the new configuration and rules:

sudo systemctl restart suricata
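Before trusting the sensor, confirm that it actually fires. Suricata's own quickstart suggests running `curl http://testmynids.org/uid/index.html` from a monitored host, which the ET Open signature "GPL ATTACK_RESPONSE id check returned root" (sid 2100498) should catch; the alert lands in /var/log/suricata/fast.log and, as JSON, in /var/log/suricata/eve.json. The script below is an added example (not from the original post) that reads eve.json, keeps only alert events, tolerates the half-written last line you get while Suricata is still logging, and counts alerts by signature and by talker pair. The embedded sample records are constructed to mirror the EVE alert shape; the addresses, timestamps and the sid 1000001 "LAB" rule are illustrative, and the log path is Suricata's default.

```python
"""Summarise Suricata alerts from eve.json (added lab helper, not part of the post).

Usage: python3 eve_alerts.py [/var/log/suricata/eve.json]
Without an argument it runs against the constructed sample below.
"""
import json
import sys
from collections import Counter
from typing import Iterable

EVE_LOG = "/var/log/suricata/eve.json"  # Suricata's default EVE output file

# Constructed sample (not real traffic): two signatures, one non-alert
# "flow" event that must be ignored, and a truncated last line.
SAMPLE_EVE = r"""
{"timestamp":"2024-10-28T10:00:01.000000+0000","flow_id":1,"in_iface":"eth0","event_type":"alert","src_ip":"203.0.113.5","src_port":80,"dest_ip":"192.168.56.10","dest_port":48322,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2100498,"rev":7,"signature":"GPL ATTACK_RESPONSE id check returned root","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2024-10-28T10:00:02.000000+0000","flow_id":2,"event_type":"flow","src_ip":"192.168.56.20","dest_ip":"192.168.56.10","proto":"TCP"}
{"timestamp":"2024-10-28T10:00:03.000000+0000","flow_id":3,"in_iface":"eth0","event_type":"alert","src_ip":"192.168.56.20","dest_ip":"192.168.56.10","proto":"ICMP","alert":{"action":"allowed","gid":1,"signature_id":1000001,"rev":1,"signature":"LAB ICMP echo request from attacker subnet","category":"Misc activity","severity":3}}
{"timestamp":"2024-10-28T10:00:04.000000+0000","flow_id":4,"in_iface":"eth0","event_type":"alert","src_ip":"192.168.56.20","dest_ip":"192.168.56.10","proto":"ICMP","alert":{"action":"allowed","gid":1,"signature_id":1000001,"rev":1,"signature":"LAB ICMP echo request from attacker subnet","category":"Misc activity","severity":3}}
{"timestamp":"2024-10-28T10:00:05.000000+0000","event_type":"alert","src_ip":"192.168.56.20"
"""


def parse_alerts(lines: Iterable[str]) -> list:
    """Return the EVE records whose event_type is 'alert'.

    Suricata writes one JSON object per line. A partially written final
    line is normal on a live sensor, so malformed lines are skipped
    rather than aborting the whole run.
    """
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if event.get("event_type") == "alert":
            alerts.append(event)
    return alerts


def summarize(alerts: list) -> tuple:
    """Count alerts by (gid, sid, rev, msg) and by (src_ip, dest_ip, proto).

    ICMP alerts carry no ports, so the talker key uses addresses only.
    """
    by_signature = Counter()
    by_talker = Counter()
    for ev in alerts:
        a = ev["alert"]
        by_signature[(a["gid"], a["signature_id"], a["rev"], a["signature"])] += 1
        by_talker[(ev["src_ip"], ev["dest_ip"], ev["proto"])] += 1
    return by_signature, by_talker


def format_report(by_signature: Counter, by_talker: Counter) -> str:
    """Render the counters in fast.log style ([gid:sid:rev] msg)."""
    out = ["Alerts by signature:"]
    for (gid, sid, rev, msg), n in by_signature.most_common():
        out.append(f"  {n:5d}  [{gid}:{sid}:{rev}] {msg}")
    out.append("Alerts by src -> dest:")
    for (src, dst, proto), n in by_talker.most_common():
        out.append(f"  {n:5d}  {src} -> {dst} ({proto})")
    return "\n".join(out)


def report_file(path: str = EVE_LOG) -> str:
    """Read a real eve.json and return the formatted report."""
    with open(path, encoding="utf-8") as fh:
        return format_report(*summarize(parse_alerts(fh)))


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(report_file(sys.argv[1]))
    else:
        print(format_report(*summarize(parse_alerts(SAMPLE_EVE.splitlines()))))
```

If the curl test produces no alert, check the configuration first with Suricata's test mode (`sudo suricata -T -c /etc/suricata/suricata.yaml -v`) and look at /var/log/suricata/suricata.log: a wrong interface name or a rule file that failed to parse is the usual cause.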

🍁 Conclusion:

The lab is now ready. In the next post I will work through some exercises on this setup so we can see how Suricata behaves in realistic scenarios.

That's all for today. For more content like this, follow me on Medium and LinkedIn, and if you liked this post please click the clap icon; it helps me grow on Medium. Stay tuned for the exercises.

Written by Nikhil Chaudhari

I am (🦊) a Cloud Security Researcher | SOC Analyst | Passionate about learning and writing about new technologies, tools and automation.
