Setting up the Barracuda XDR Collector for Barracuda IDS for Linux
This setup is for the XDR Collector only. If you are using a physical or virtual sensor, refer to Integrating Barracuda IDS.
The XDR Collector runs as a service in your environment. While the minimum specifications are listed below, the required resources depend on the number of active integrations and the amount of data being processed.
Minimum requirements
To set up the XDR Collector, the minimum requirements are the following:
| Resource | Minimum requirement |
|---|---|
| CPU | 2 vCPU |
| Disk size | 10 GB SSD |
| Memory | 1 GB |
| Network interface cards (NICs) | 2 |
For Barracuda IDS/Suricata, the host must have two network interface cards: one to receive the mirrored (SPAN) traffic and one for the host's own traffic.
Operating System
Ubuntu 22.04 (Recommended)
For other versions, see the Elastic Agent 8.12.x row in the Elastic Agent table on this page.
Required Endpoint/Port Communication
The XDR Collector must be able to communicate with the following endpoints/ports:
| Purpose | Endpoint |
|---|---|
| Logstash | elastic-agent-on-prem.ingest.skoutsecure.com:5044 |
| Management Server | b5e9a5096e0a4f7782cc444c8edbbd5e.fleet.us-east-1.aws.found.io:443 |
| Update Server | artifacts.elastic.co:443 |
Dedicated Host Requirements
Barracuda IDS/Suricata requires that the collector run on a dedicated host.
Setting up the XDR Collector for Linux for Barracuda IDS
To set up the XDR Collector for Linux, perform the following procedures:
To install the XDR Collector
To set up switch port mirroring
To edit the Suricata configuration
To install the XDR Collector
The install command is unique to the currently selected account and should only be run on systems within that environment.
In Barracuda XDR Dashboard, click Infrastructure > Collectors.
In the Policies table, next to the on-prem policy, click Action > Install.
Click Linux.
Click the copy to clipboard icon to copy the install command to your clipboard.
Open a terminal on the appropriate system, paste the command, and run it.
To set up switch port mirroring
Click a link for specific configurations for the following:
Connect the secondary Ethernet interface on the XDR Collector's host machine to the mirrored port on the switch.
Configure the switch to mirror traffic in both directions on all other ports on the switch.
Checking the Status of the Barracuda XDR Elastic Collector
To check the status of the XDR Collector, open a terminal and run the following command:
elastic-agent status
Installing Suricata
These instructions are also available at Installing Suricata on Linux for the XDR Collector.
To install Suricata, follow the procedure for your environment (below):
To install Suricata on Ubuntu/Debian
To install Suricata on CentOS/Rocky/Alma 9.x
To install Suricata on Ubuntu/Debian
To run the install script, copy and run the following commands:
sudo mkdir -p "/usr/local/bin/suricata"
sudo bash -c 'curl -L "https://skout-csd-assets-public.s3.amazonaws.com/suricata/linux/suricata-scripts.tar.gz" | tar -xz -C "/usr/local/bin/suricata"'
sudo find "/usr/local/bin/suricata" -type f -exec chmod +x {} \;
cd /usr/local/bin/suricata
sudo ./install.sh
Follow the prompts through the configuration.
Installing and configuring Suricata on CentOS/Rocky/Alma 9.x
These instructions have been tested on CentOS/Rocky/Alma 9.x only.
To install and configure Suricata on CentOS/Rocky/Alma 9.x, follow the procedures below.
To update system and install prerequisites
Copy and run the following commands:
sudo dnf update -y
sudo dnf install -y epel-release
sudo dnf install -y curl tar tcpdump
To install Suricata
Copy and run the following command:
sudo dnf install -y suricata
To update Suricata rules
Copy and run the following command:
sudo suricata-update
To enable the Suricata service
Copy and run the following command:
sudo systemctl enable suricata.service
To download and extract the configuration files
Copy and run the following commands:
sudo mkdir -p /usr/local/bin/suricata
sudo curl -L "https://skout-csd-assets-public.s3.us-east-1.amazonaws.com/suricata/linux/7.0.7/default/suricata-xdr-update.tar.gz" | sudo tar -xz -C /usr/local/bin/suricata
To move configuration files into place
Copy and run the following commands:
sudo mv /usr/local/bin/suricata/suricata-xdr-update/suricata.yaml /etc/suricata/suricata.yaml
sudo mv /usr/local/bin/suricata/suricata-xdr-update/disable.conf /etc/suricata/disable.conf
sudo mv /usr/local/bin/suricata/suricata-xdr-update/suricata-custom.yaml /etc/suricata/suricata-custom.yaml
To identify your network interface
Copy and run the following command to list available network interfaces:
ip link show
Copy the name of the interface you want to monitor (e.g., ens19, eth0, ens192) and store it in a secure place to use in the To configure the Suricata service interface procedure.
To configure the Suricata service interface
Copy and run the following command to open the Suricata sysconfig file:
sudo vi /etc/sysconfig/suricata
Find the OPTIONS line and replace the interface with the name of the interface that you copied in the To identify your network interface procedure. For example, if your interface is ens19, the line would read
OPTIONS="-i ens19 --user suricata"
To save and exit, press Esc, then type :wq and press Enter.
To set the HOME_NET and interface values in suricata.yaml
Copy and run the following command to open the suricata.yaml configuration file:
sudo vi /etc/suricata/suricata.yaml
Type /HOME_NET and press Enter to search. Press i to enter insert mode.
Modify the subnet(s) of your internal networks in CIDR format. For example, if the subnet to be monitored is 192.168.0.0/16, the line would read
HOME_NET: "[192.168.0.0/16]"
To configure the network interface, do the following:
Press Esc, then type /af-packet and press Enter to search. Press i to enter insert mode.
Next to interface, enter your network interface. For example, if your network interface is ens19, the lines would read
af-packet:
  - interface: ens19
To save and exit, press Esc, then type :wq and press Enter.
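A sanity check for the two hand edits above (the OPTIONS interface in /etc/sysconfig/suricata, and HOME_NET plus the af-packet interface in suricata.yaml), written here as an added example that is not one of Barracuda's scripts. It assumes the stock file layouts shown in the procedure and runs against constructed sample files in a temporary directory; point it at the real paths once the edits are made.

```shell
#!/bin/sh
# Added example, not one of Barracuda's scripts: confirm that
# /etc/sysconfig/suricata and /etc/suricata/suricata.yaml name the same
# capture interface and that HOME_NET is a list of IPv4 CIDR ranges.
# File paths are parameters; the demo at the bottom uses constructed
# sample files in a temporary directory, not the real ones.

# Interface from an OPTIONS="-i <iface> ..." line (empty if absent).
sysconfig_iface() {
    sed -n 's/^OPTIONS="-i[[:space:]]*\([^ "]*\).*/\1/p' "$1" | head -n 1
}

# First "- interface:" value inside the af-packet: section.
afpacket_iface() {
    awk '/^af-packet:/ { in_ap = 1; next }
         in_ap && /^[^ \t#]/ { in_ap = 0 }
         in_ap && /- interface:/ { sub(/.*interface:[ \t]*/, ""); print; exit }' "$1"
}

# HOME_NET value without the surrounding quotes.
home_net() {
    sed -n 's/^[[:space:]]*HOME_NET:[[:space:]]*"\(.*\)".*/\1/p' "$1" | head -n 1
}

# 0 if every comma-separated entry looks like IPv4/prefix, 1 otherwise.
valid_cidr_list() {
    [ -n "$1" ] || return 1
    echo "$1" | tr -d '[] ' | tr ',' '\n' |
        grep -Ev '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$' | grep -q . && return 1
    return 0
}

# Usage: check_suricata_config /etc/sysconfig/suricata /etc/suricata/suricata.yaml
check_suricata_config() {
    iface=$(sysconfig_iface "$1"); ap=$(afpacket_iface "$2"); net=$(home_net "$2")
    [ -n "$iface" ] || { echo "FAIL: no -i <interface> in OPTIONS"; return 1; }
    [ "$iface" = "$ap" ] || { echo "FAIL: sysconfig=$iface af-packet=$ap"; return 1; }
    valid_cidr_list "$net" || { echo "FAIL: HOME_NET is not a CIDR list: $net"; return 1; }
    echo "OK: interface=$iface HOME_NET=$net"
}

# Constructed sample files mirroring the edits made in the procedure above.
SAMPLE=$(mktemp -d)
printf 'OPTIONS="-i ens19 --user suricata"\n' > "$SAMPLE/sysconfig"
printf '%s\n' 'vars:' '  address-groups:' '    HOME_NET: "[192.168.0.0/16]"' \
    'af-packet:' '  - interface: ens19' '    cluster-id: 99' > "$SAMPLE/good.yaml"
sed 's/ens19/eth0/' "$SAMPLE/good.yaml" > "$SAMPLE/mismatch.yaml"   # interface left unedited
check_suricata_config "$SAMPLE/sysconfig" "$SAMPLE/good.yaml"
check_suricata_config "$SAMPLE/sysconfig" "$SAMPLE/mismatch.yaml" || echo "(mismatch caught)"
```

A mismatch between the two interface settings is the usual reason the service starts but the eve .json files stay empty, so run this before the start-and-verify step.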
To create cron jobs for log cleanup and rule updates
Copy and run the following command to open crontab with vi:
sudo EDITOR=vi crontab -e
Press i to enter insert mode, then add the following two lines:
0 * * * * /usr/bin/find /var/log/suricata/ -name "*.json" -mmin +180 -delete
0 2 * * * /usr/bin/suricata-update && /usr/bin/systemctl restart suricata.service
To save and exit, press Esc, then type :wq and press Enter.
To start and verify the service
Copy and run the following commands:
sudo systemctl start suricata.service
sudo systemctl status suricata.service
Verify the service is active (running).
To verify Suricata is capturing traffic
After completing the previous procedure, wait at least one minute before checking for logs.
Copy and run the following command:
ls -la /var/log/suricata/*.json
The most recent .json file should have a non-zero file size.
To view live events
Copy and run the following command:
ls -t /var/log/suricata/*.json | head -n 1 | xargs tail -f
To stop viewing the log, press CTRL+C.
Triggering manual alerts for threat simulation
Use this procedure to trigger manual alerts on Ubuntu, Debian, CentOS, Rocky, or Alma 9.x.
To trigger a manual alert for threat simulation
Run the following command from any system within your network:
curl http://testmynids.org/uid/index.html
Uninstalling Suricata
To uninstall Suricata, follow the procedure for your environment (below):
To uninstall Suricata on Ubuntu/Debian
To uninstall Suricata on CentOS/Rocky/Alma 9.x
To uninstall Suricata on Ubuntu/Debian
Run the following commands:
cd /usr/local/bin/suricata
sudo ./uninstall.sh
To uninstall Suricata on CentOS/Rocky/Alma 9.x
Run the following command:
sudo dnf remove suricata
To remove the log cleanup and suricata-update cron jobs, open crontab with nano from the terminal by typing:
sudo EDITOR=nano crontab -e
Remove the following entries:
0 * * * * /usr/bin/find /var/log/suricata/ -name "*.json" -mmin +180 -delete
0 2 * * * /usr/bin/suricata-update && /usr/bin/systemctl restart suricata.service
To save the file, press CTRL + O.
To exit, press CTRL + X.