Suricata is an open source intrusion detection and prevention system. It can perform network security monitoring by analyzing network traffic and detecting threats through signatures. Suricata supports offline analysis of PCAP files, traffic recording, automatic protocol detection, and JSON output of events and alerts. It is configured through a YAML file and rules files, and can output logs to files, databases like MySQL, or syslog. Signatures use keywords to detect threats based on payload, HTTP, DNS, flow, file, and IP reputation attributes.
2. What is Suricata?
Open Source IDS / IPS / NSM engine
IDS – Intrusion Detection System
IPS – Intrusion Prevention System
NSM – Network Security Monitoring
3. But Wait, There's More
● Offline analysis of PCAP files
● Traffic recording using PCAP logger
● Unix socket mode for automated processing
● Automatic Protocol Detection
● JSON event and alert outputs
– Logstash, etc.
http://suricata-ids.org/features/all-features/
6. Staying on Top
● Edit /etc/oinkmaster.conf
– Add url = http://rules.emergingthreats.net/open/suricata/emerging.rules.tar.gz
– save
● $ sudo oinkmaster -C /etc/oinkmaster.conf -o /etc/suricata/rules
– Cronjob this for up-to-date rules
● Update the Classification and Reference file
– /etc/suricata/rules/classification.conf
– /etc/suricata/rules/reference.conf
7. Configuring for Rules
● Not all rules are loaded from /etc/suricata/rules
● You can add rules easily to suricata.yaml
– - <rule name>.rules
– # in front of the line comments the rule file out temporarily
● To change a specific rule, edit oinkmaster.conf
– disablesid 2010495
– modifysid 2010495 "alert" | "drop"
8. EVE Logging
  - eve-log:
      enabled: yes
      type: file #file|syslog|unix_dgram|unix_stream
      filename: eve.json
      types:
        - alert
        - http:
            extended: yes # enable this for extended logging information
            custom: [Accept-Encoding, Accept-Language, Authorization]
        - dns
        - tls:
            extended: yes # enable this for extended logging information
        - files:
            force-magic: no # force logging magic on all logged files
            force-md5: no # force logging of md5 checksums
        - ssh
10. Custom HTTP Logging
custom: yes
customformat:
%h - Host HTTP Header (remote host name). ie: google.com
%H - Request Protocol. ie: HTTP/1.1
%m - Request Method. ie: GET
%u - URL including query string. ie: /search?q=suricata
%{header_name}i - contents of the defined HTTP Request Header name. ie:
%{User-agent}i: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:11.0) Gecko/20100101 Firefox/11.0
%{X-Forwarded-For}i: outputs the IP address contained in the X-Forwarded-For HTTP header (inserted by a reverse proxy)
%s - return status code. In the case of 301 and 302 it will print the url in brackets. ie: 200
%B - response size in bytes. ie: 15789
%{header_name}o - contents of the defined HTTP Response Header name
%{strftime_format}t - timestamp of the HTTP transaction in the selected strftime format. ie: 08/28/12-22:14:30
%z - precision time in useconds. ie: 693856
%a - client IP address
%p - client port number
%A - server IP address
%P - server port number
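The specifier list above reads like a format string, so here is an added example (not code from the slide deck or from Suricata) that expands those same specifiers over a constructed EVE-style HTTP event. The event layout, in particular request_headers and response_headers as lists of {"name", "value"} objects, is an assumption modelled on EVE's extended HTTP output; the format string DEFAULT_FORMAT is this example's own.

```python
"""Render an HTTP log line from Suricata's customformat specifiers.

Added example, not code from the slide deck or from Suricata itself.
It implements the specifiers listed on the slide (%h %H %m %u %s %B %z %a
%p %A %P, %{name}i, %{name}o, %{fmt}t) over a constructed EVE-style HTTP
event.  The event layout (request_headers / response_headers as lists of
{"name", "value"}) is an assumption modelled on EVE extended HTTP output.
"""
import re
from datetime import datetime

# Constructed sample event; every value is made up for the example.
SAMPLE_EVENT = {
    "timestamp": "2012-08-28T22:14:30.693856+0000",
    "src_ip": "10.0.0.5", "src_port": 51234,
    "dest_ip": "198.51.100.10", "dest_port": 80,
    "http": {
        "hostname": "google.com",
        "url": "/search?q=suricata",
        "http_method": "GET",
        "protocol": "HTTP/1.1",
        "status": 200,
        "length": 15789,
        "request_headers": [
            {"name": "User-Agent", "value": "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:11.0) Gecko/20100101 Firefox/11.0"},
            {"name": "X-Forwarded-For", "value": "203.0.113.7"},
        ],
        "response_headers": [
            {"name": "Content-Type", "value": "text/html"},
            {"name": "Location", "value": "http://example.com/moved"},
        ],
    },
}

# This example's own format string, built from the slide's specifiers.
DEFAULT_FORMAT = "%{%m/%d/%y-%H:%M:%S}t.%z %a:%p -> %A:%P %h %m %u %H %s %B"

# %{arg}i / %{arg}o / %{arg}t take an argument in braces; the rest are single letters.
_SPEC = re.compile(r"%(?:\{([^}]*)\}([iot])|([hHmusBzapAP]))")


def _header(headers, name):
    """Case-insensitive header lookup; '-' when the header is absent (log-friendly)."""
    for h in headers:
        if h["name"].lower() == name.lower():
            return h["value"]
    return "-"


def render(fmt, event):
    """Expand every specifier in fmt from the event; other text is copied through."""
    http = event["http"]
    ts = datetime.strptime(event["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")

    def status():
        code = str(http.get("status", "-"))
        if code in ("301", "302"):
            # As on the slide: redirects print the target URL in brackets.
            return code + "[" + _header(http.get("response_headers", []), "Location") + "]"
        return code

    single = {
        "h": lambda: http.get("hostname", "-"),
        "H": lambda: http.get("protocol", "-"),
        "m": lambda: http.get("http_method", "-"),
        "u": lambda: http.get("url", "-"),
        "s": status,
        "B": lambda: str(http.get("length", 0)),
        "z": lambda: "%06d" % ts.microsecond,
        "a": lambda: event["src_ip"],
        "p": lambda: str(event["src_port"]),
        "A": lambda: event["dest_ip"],
        "P": lambda: str(event["dest_port"]),
    }

    def expand(m):
        arg, kind, letter = m.groups()
        if letter:
            return single[letter]()
        if kind == "i":
            return _header(http.get("request_headers", []), arg)
        if kind == "o":
            return _header(http.get("response_headers", []), arg)
        return ts.strftime(arg)  # kind == "t": strftime with the caller's format

    return _SPEC.sub(expand, fmt)


def render_sample(fmt=DEFAULT_FORMAT):
    """Render the constructed event with the default format."""
    return render(fmt, SAMPLE_EVENT)


if __name__ == "__main__":
    print(render_sample())
```

A missing header renders as "-" rather than an empty field, so column positions in the log line stay stable for whatever parses it downstream.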
11. Saving to MySQL
mysql> create database filejsondb;
mysql> create user 'filejson'@'localhost' IDENTIFIED BY 'PASSWORD123';
mysql> grant all privileges on filejsondb.* to 'filejson'@'localhost' with grant option;
mysql> flush privileges;
mysql> use filejsondb;
mysql> CREATE TABLE filejson(
    time_received VARCHAR(64), ipver VARCHAR(4), srcip VARCHAR(40), dstip VARCHAR(40),
    protocol SMALLINT UNSIGNED, sp SMALLINT UNSIGNED, dp SMALLINT UNSIGNED,
    http_uri TEXT, http_host TEXT, http_referer TEXT, filename TEXT, magic TEXT,
    state VARCHAR(32), md5 VARCHAR(32), stored VARCHAR(32), size BIGINT UNSIGNED);
mysql> show columns from filejson;
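The table above only has value once Suricata's file events are loaded into it. The following is an added example (not code from the slide deck or from Suricata) that reads EVE JSON lines, keeps the event_type "fileinfo" records that the files: output type produces, and inserts them with parameterised statements into a table created from the slide's column list. An in-memory sqlite3 database stands in for MySQL so the example runs offline; the EVE lines are constructed, and the mapping from EVE fields to the table's columns (including the http_refer key name) is this example's own assumption.

```python
"""Load Suricata EVE 'fileinfo' events into the filejson table from the slide.

Added example, not code from the slide deck or from Suricata.  It reads EVE
JSON lines, keeps event_type == "fileinfo" records, and inserts them with
parameterised statements.  An in-memory sqlite3 database stands in for
MySQL so the example runs offline; the CREATE TABLE is the slide's column
list.  The EVE lines are constructed, and the mapping from EVE fields to
the table's columns is this example's own choice.
"""
import json
import sqlite3

CREATE_FILEJSON = """
CREATE TABLE filejson(
    time_received VARCHAR(64), ipver VARCHAR(4), srcip VARCHAR(40),
    dstip VARCHAR(40), protocol SMALLINT UNSIGNED, sp SMALLINT UNSIGNED,
    dp SMALLINT UNSIGNED, http_uri TEXT, http_host TEXT, http_referer TEXT,
    filename TEXT, magic TEXT, state VARCHAR(32), md5 VARCHAR(32),
    stored VARCHAR(32), size BIGINT UNSIGNED)
"""

# Constructed EVE lines: a fileinfo record, an alert (not a file event) and a
# truncated line, to show that the loader skips what it cannot use.
SAMPLE_EVE_LINES = [
    json.dumps({
        "timestamp": "2012-08-28T22:14:30.693856+0000", "event_type": "fileinfo",
        "src_ip": "10.0.0.5", "src_port": 51234, "dest_ip": "198.51.100.10",
        "dest_port": 80, "proto": "TCP",
        "http": {"hostname": "files.example.com", "url": "/dl/invoice.exe",
                 "http_refer": "http://mail.example.com/"},
        "fileinfo": {"filename": "invoice.exe", "magic": "PE32 executable",
                     "state": "CLOSED", "md5": "0123456789abcdef0123456789abcdef",
                     "stored": False, "size": 4096},
    }),
    json.dumps({"timestamp": "2012-08-28T22:14:31.000000+0000",
                "event_type": "alert", "src_ip": "10.0.0.5", "dest_ip": "198.51.100.10"}),
    '{"timestamp": "2012-08-28T22:14:32',
]

PROTO_NUMBERS = {"TCP": 6, "UDP": 17, "ICMP": 1}
COLUMN_COUNT = 16


def eve_to_row(event):
    """Map one EVE event to the filejson column order; None unless it is a fileinfo event."""
    if event.get("event_type") != "fileinfo":
        return None
    fi = event.get("fileinfo", {})
    http = event.get("http", {})
    src = event.get("src_ip", "")
    return (
        event.get("timestamp"),
        "6" if ":" in src else "4",                      # ipver from the address form
        src,
        event.get("dest_ip"),
        PROTO_NUMBERS.get(str(event.get("proto", "")).upper(), 0),
        event.get("src_port"),
        event.get("dest_port"),
        http.get("url"),
        http.get("hostname"),
        http.get("http_refer"),                          # assumption: EVE's referer key
        fi.get("filename"),
        fi.get("magic"),
        fi.get("state"),
        fi.get("md5"),
        "yes" if fi.get("stored") else "no",
        fi.get("size"),
    )


def load_eve(lines, conn):
    """Insert every fileinfo event from an iterable of EVE lines; returns (inserted, skipped)."""
    inserted = skipped = 0
    sql = "INSERT INTO filejson VALUES (" + ",".join("?" * COLUMN_COUNT) + ")"
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            skipped += 1          # malformed line (e.g. cut short by a log rotation)
            continue
        row = eve_to_row(event)
        if row is None:
            skipped += 1
            continue
        conn.execute(sql, row)    # parameterised: log content never becomes SQL text
        inserted += 1
    conn.commit()
    return inserted, skipped


def demo(lines=SAMPLE_EVE_LINES):
    """Create the table in memory, load the sample lines, and return what landed."""
    conn = sqlite3.connect(":memory:")
    conn.execute(CREATE_FILEJSON)
    counts = load_eve(lines, conn)
    rows = conn.execute(
        "SELECT srcip, dp, protocol, filename, md5, stored, size FROM filejson").fetchall()
    conn.close()
    return counts, rows


if __name__ == "__main__":
    print(demo())
```

Against MySQL the same loader works with a DB-API driver whose placeholder is %s instead of ?; the parameterised INSERT matters because filenames, URIs and referers in these events are attacker-controlled strings.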
21. DNS Keywords
● dns_query
– Inspects DNS response
– every content match that follows it is applied to that buffer!!
● Example:
alert dns any any -> any any (msg:"Test dns_query option"; dns_query; content:"google"; nocase; sid:1;)
24. IP Reputation Keywords
● iprep: <side>,<cat>,<operator>,<value>
– side to check: <any|src|dst|both>
– cat: the category short name
– operator: <, >, =
– Value: 1-127
● Disabled by default
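As an added example (not code from the slide deck or from Suricata), the following evaluates an iprep argument written exactly as the slide gives it, <side>,<cat>,<operator>,<value>, against a constructed reputation table; the category names, addresses and scores are made up, and the lookup structure is this example's own, not the file format Suricata loads.

```python
"""Evaluate an iprep keyword argument against a reputation table.

Added example, not from the slide deck or from Suricata.  It parses the
argument in the form the slide gives (<side>,<cat>,<operator>,<value>) and
tests a packet's source and destination addresses against constructed
reputation entries of (ip, category) -> score 1-127.  Category names and
addresses are made up for the example.
"""
import operator

OPERATORS = {"<": operator.lt, ">": operator.gt, "=": operator.eq}
SIDES = ("any", "src", "dst", "both")

# Constructed reputation data; a real deployment loads this from the
# categories and reputation files that suricata.yaml points at.
REPUTATION = {
    ("198.51.100.7", "BadHosts"): 120,
    ("198.51.100.7", "Scanners"): 30,
    ("203.0.113.9", "Scanners"): 90,
}


def parse_iprep(arg):
    """Split 'side,cat,op,value' and validate each part; raises ValueError on bad input."""
    parts = [p.strip() for p in arg.split(",")]
    if len(parts) != 4:
        raise ValueError("iprep needs exactly four comma-separated fields: " + arg)
    side, cat, op, value = parts
    if side not in SIDES:
        raise ValueError("bad side: " + side)
    if op not in OPERATORS:
        raise ValueError("bad operator: " + op)
    score = int(value)
    if not 1 <= score <= 127:
        raise ValueError("value must be 1-127: " + value)
    return side, cat, op, score


def iprep_matches(arg, src_ip, dst_ip, reputation=REPUTATION):
    """True if the packet's addresses satisfy the iprep keyword for this table."""
    side, cat, op, threshold = parse_iprep(arg)
    compare = OPERATORS[op]

    def hit(ip):
        score = reputation.get((ip, cat))
        # An address with no entry in the category never matches, whatever the operator.
        return score is not None and compare(score, threshold)

    src_hit, dst_hit = hit(src_ip), hit(dst_ip)
    if side == "src":
        return src_hit
    if side == "dst":
        return dst_hit
    if side == "both":
        return src_hit and dst_hit
    return src_hit or dst_hit  # any


if __name__ == "__main__":
    print(iprep_matches("src,BadHosts,>,100", "198.51.100.7", "10.0.0.1"))
```

The "no entry means no match" decision is the one to think about when writing rules with the "<" operator: an unknown address is not a low-reputation address, it is an unscored one.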
25. Simple Example Rule
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"Probably not a good idea to accept these packets"; geoip:any,CN,RU,FR,A1,A2,O1,BR,IQ,IR,KP; sid:999999999; rev:1;)
26. Detect SYN Flood
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"LOCAL DOS Unusually fast SYN packets inbound, Potential DOS"; flags:S,12; threshold: type both, track by_dst, count 5000, seconds 5; classtype:misc-activity; sid:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"LOCAL DOS Unusually fast SYN packets outbound, Potential DOS"; flags:S,12; threshold: type both, track by_dst, count 5000, seconds 5; classtype:misc-activity; sid:6;)
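What "threshold: type both, track by_dst, count 5000, seconds 5" actually does is easier to see on a packet stream than in the rule text. The following is an added example, not code from the slide deck or from Suricata's engine: it reproduces the documented meaning of a "both" threshold (fire once when the 5000th SYN to one destination arrives inside a 5-second window, stay silent for the rest of that window, start a fresh window afterwards) over a constructed packet list with millisecond timestamps. TCP flags are modelled as sets of letters, with C and E standing in for the two reserved bits that "S,12" tells the flags keyword to ignore; that modelling is this example's assumption.

```python
"""Simulate 'threshold: type both, track by_dst, count 5000, seconds 5'.

Added example, not from the slide deck or Suricata's source.  It reproduces
the documented meaning of a 'both' threshold: fire once when the N-th
matching packet to the same destination arrives inside an S-second window,
stay silent for the rest of that window, and start a fresh window on the
first packet after it expires.  The packet stream is constructed; time is
in milliseconds.  TCP flags are modelled as sets of letters, with C and E
standing for the two reserved bits that 'S,12' tells Suricata to ignore.
"""


def is_syn_only(flags):
    """'flags:S,12': SYN set and nothing else, ignoring the reserved bits."""
    return flags - {"C", "E"} == {"S"}


class BothThreshold:
    """Per-destination counter with the semantics of threshold type 'both'."""

    def __init__(self, count, seconds):
        self.count = count
        self.window_ms = seconds * 1000
        self.state = {}  # dst -> [window_start_ms, hits, already_alerted]

    def observe(self, dst, ts_ms):
        """Record one matching packet; True when this packet should raise the alert."""
        st = self.state.get(dst)
        if st is None or ts_ms - st[0] >= self.window_ms:
            st = [ts_ms, 0, False]       # (re)start the window on this packet
            self.state[dst] = st
        st[1] += 1
        if not st[2] and st[1] >= self.count:
            st[2] = True                  # one alert per window, then silence
            return True
        return False


def build_packets():
    """Constructed traffic as (ts_ms, dst_ip, flags)."""
    packets = []
    # 6000 SYNs to one host inside the first second: over the count, one alert.
    packets += [(i * 1000 // 6000, "10.0.0.9", {"S"}) for i in range(6000)]
    # 300 SYN/ACKs to the same host: fail the flags test, never counted.
    packets += [(1500, "10.0.0.9", {"S", "A"})] * 300
    # 200 SYNs to a second host: below the count, no alert.
    packets += [(2000 + i, "10.0.0.20", {"S"}) for i in range(200)]
    # 5000 SYNs to the first host after its window expired: alerts again.
    packets += [(6000 + i, "10.0.0.9", {"S"}) for i in range(5000)]
    return packets


def run_simulation(count=5000, seconds=5, packets=None):
    """Apply the slide's rule logic; returns [(dst, ts_ms)] for each alert raised."""
    thr = BothThreshold(count, seconds)
    alerts = []
    for ts_ms, dst, flags in (packets if packets is not None else build_packets()):
        if is_syn_only(flags) and thr.observe(dst, ts_ms):
            alerts.append((dst, ts_ms))
    return alerts


if __name__ == "__main__":
    print(run_simulation())
```

The simulation yields two alerts for the same destination, one per window, and none for the host that stayed under the count; that single-alert-per-window behaviour is why "both" is chosen over "threshold" (which would alert on every packet past the count) for a noisy condition like a SYN burst.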
27. Pass and Suppress
● Pass for safe traffic
– pass ip 1.2.3.4 any <> any any (msg:"pass all traffic from/to 1.2.3.4"; sid:1;)
● Suppress is a bad idea
– Stops alerts
– Only considered post matching
– suppress gen_id 0, sig_id 0, track by_src, ip 1.2.3.4