Setting up the Barracuda XDR Collector for Barracuda IDS for Linux

Last updated on 2024-11-14 15:24:04

This setup is for the XDR Collector only. If you are using a physical or virtual sensor, refer to Integrating Barracuda IDS.

The XDR Collector runs as a service in your environment. While the minimum specifications are listed below, the required resources depend on the number of active integrations and the amount of data being processed.

Minimum requirements

To set up the XDR Collector, the minimum requirements are the following:

Minimum requirements
CPU	2vCPU
Disk Size	10GB SSD
Memory	1GB
Network interface cards (NICs)	2

For Barracuda IDS/Suricata, the host must have 2 Network Interface Cards. One to monitor span traffic and one for host traffic.

Operating System

Ubuntu 22.04 (Recommended)
For other versions, see the Elastic Agent 8.12.x row in the Elastic Agent table on this page.

Required Endpoint/Port Communication

The XDR Collector must be able to communicate to the following endpoints/ports:

Logstash	a96190b49bd294a5fbb3725ff20aab78-c7f64fe7557a87d2.elb.us-east-1.amazonaws.com:5044
Management Server	b5e9a5096e0a4f7782cc444c8edbbd5e.fleet.us-east-1.aws.found.io:443
Update Server	artifacts.elastic.co:443

Dedicated Host Requirements

Barracuda IDS/Suricata requires that the collector run in a dedicated host.

Setting up the XDR Collector for Linux for Barracuda IDS

To set up the XDR Collector for Linux, perform the following procedures:

To install the XDR Collector
To set up switch port mirroring
To edit the Suricata configuration

To install the XDR Collector

The install command is unique to the current selected account and should only be run on systems within that environment.

In Barracuda XDR Dashboard, click Infrastructure > Collectors.
In the Policies table, next to the on-prem policy, click Action > Install.
Click Linux.
Click the copy to clipboard icon to copy the install command to your clipboard.
Open a terminal on the appropriate system, paste the command, and run it.

To set up switch port mirroring

Click a link for specific configurations for the following:

Connect the secondary Ethernet interface on the XDR Collector's host machine to the mirrored port on the switch.
Configure the switch to mirror traffic in both directions on all other ports on the switch.

Checking the Status of the Barracuda XDR Elastic Collector

To check the status of the XDR Collector, open a terminal and run the following command:
elastic-agent status

Installing Suricata

To install Suricata, follow the procedure for your environment (below):

To install Suricata on Ubuntu/Debian
To install Suricata on RHEL/CentOS/Rocky/Alma/Fedora

To install Suricata on Ubuntu/Debian

To run the install script, copy and run the following commands:
sudo mkdir -p "/usr/local/bin/suricata"
sudo bash -c 'curl -L "https://skout-csd-assets-public.s3.amazonaws.com/suricata/linux/suricata-scripts.tar.gz" | tar -xz -C "/usr/local/bin/suricata"'
sudo find "/usr/local/bin/suricata" -type f -exec chmod +x {} \;
cd /usr/local/bin/suricata
sudo ./install.sh
Follow the prompts through the configuration.

To install Suricata on RHEL/CentOS/Rocky/Alma/Fedora

To run the install script, copy and run the following commands:
sudo dnf update -y
sudo dnf install suricata
sudo suricata-update
Enable the Suricata service by running the following:
sudo systemctl enable suricata.service --now
Copy and run the following commands to download the configuration file:
sudo mkdir -p "/usr/local/bin/suricata"
sudo bash -c 'curl -L "https://skout-csd-assets-public-dev.s3.us-east-1.amazonaws.com/suricata/linux/7.0.7/default/suricata-xdr-update.tar.gz" | tar -xz -C "/usr/local/bin/suricata"'
sudo mv /usr/local/bin/suricata/suricata.yaml /etc/suricata/suricata.yaml
sudo mv /usr/local/bin/suricata/disable.conf /etc/suricata/disable.conf
Set the HOME_NET and interface values in the configuration file:
- To open the suricata.yaml configuration file in Nano, open a terminal on the appropriate system and run the following command:
  sudo nano /etc/suricata/suricata.yaml
- To search for HOME_NET, press CTRL+W.
- Next to HOME_NET:, modify the subnet(s) of your internal networks in cidr format.
- For example, if the subnet to be monitored is 192.168.0.0/16, the configuration should read: HOME_NET: "[192.168.0.0/16]"
- To search for af-packet, press CTRL+W.
- Next to interface:, press the spacebar, then enter the secondary network interface. For example, if the secondary network interface is eth1, the configuration should read:
  af-packet:
  - interface: eth1
To create the log cleanup and suricata-update cron jobs, from the terminal open crontab with nano, do the following:
- Type sudo EDITOR=nano crontab -e
- Add a cronjob that runs hourly and delete log files older than 3 hours, and a cronjob that runs daily to update the rules:
  0 * * * * find /var/log/suricata/ -name "*.json" -mmin +180 -delete
  0 2 * * * suricata-update
- To save the file, press CTRL + O.
- To exit, press CTRL + X.
Restart the Suricata service:
sudo systemctl restart suricata.service

Suricata should now be running in the background. To verify that Suricata is generating new entries in the log file, run the following command:
ls -t /var/log/suricata/*.json | head -n 1 | xargs tail -f

To Uninstall Suricata

To uninstall Suricata, follow the procedure for your environment (below):

To uninstall Suricata on Ubuntu/Debian
To uninstall Suricata on RHEL/CentOS/Rocky/Alma/Fedora

To uninstall Suricata on Ubuntu/Debian

Run the following commands:
cd /usr/local/bin/suricata
sudo ./uninstall.sh

To uninstall Suricata on RHEL/CentOS/Rocky/Alma/Fedora

Run the following command:
sudo dnf remove suricata
To remove the log cleanup and suricata-update cron jobs, from the terminal open crontab with nano:
- Type sudo EDITOR=nano crontab -e
- Remove the following entries:
  0 * * * * find /var/log/suricata/ -name "*.json" -mmin +180 -delete
  0 2 * * * suricata-update
To save the file, press CTRL + O.
To exit, press CTRL + X.