Suricata is an open source intrusion detection and prevention system. It can perform network security monitoring by analyzing network traffic and detecting threats through signatures. Suricata supports offline analysis of PCAP files, traffic recording, automatic protocol detection, and JSON output of events and alerts. It is configured through a YAML file and rules files, and can output logs to files, databases like MySQL, or syslog. Signatures use keywords to detect threats based on payload, HTTP, DNS, flow, file, and IP reputation attributes.

1. An Introduction to Suricata
By
Tex Morgan

2. What is Suricata?
Open Source IDS / IPS / NSM engine
IDS – Intrusion Detection System
IPS – Intrusion Prevention System
NSM – Network Security Monitoring

3. But Wait, There's More
● Off line analysis of PCAP files
● Traffic recording using PCAP logger
● Unix socket mode for automated processing
● Automatic Protocol Detection
● JSON event and alert outputs
– Logstache, etc.
http://suricata-ids.org/features/all-features/

4. Command Line (Weeee!)
● suricata
• -c <yaml configuration file location>
• -i <interface to sniff>
• -s <signatures file> (runs in addition to -c)
• -r <pcap recording file location>
• -l <default log directory location>
• -D }:-)
suricata -c suricata.yaml -s signatures.rules -i eth0

5. Default Files (/etc/suricata)
● suricata.yaml
● Signatures (aka Rules)
– decoder-events.rules
– dns-events.rules
– files.rules
– http-events.rules
– smtp-events.rules
– stream-events.rules
– tls-events.rules

6. Staying on Top
● Edit /etc/oinkmaster.conf
– Add url =
http://rules.emergingthreats.net/open/suricata/emerging.rules.tar
.gz
– save
● $ sudo oinkmaster -C /etc/oinkmaster.conf -o
/etc/suricata/rules
– Cronjob this for up-to-date rules
● Update the Classification and Reference file
– /etc/suricata/rules/classification.conf
– /etc/suricata/rules/reference.conf

7. Configuring for Rules
● Not all rules are loaded from /etc/suricata/rules
● You can add rules easily to suricata.yaml
• - <rule name>.rules
• # to comment out the rule temporarily
● To change a specific rule, edit oinkmaster.conf
– disablesid 2010495
– modifysid 2010495 “alert” | “drop”

8. EVE Logging
- eve-log:
enabled: yes
type: file #file|syslog|unix_dgram|unix_stream
filename: eve.json
types:
- alert
- http:
extended: yes # enable this for extended logging information
custom: [Accept-Encoding, Accept-Language, Authorization]
- dns
- tls:
extended: yes # enable this for extended logging information
- files:
force-magic: no # force logging magic on all logged files
force-md5: no # force logging of md5 checksums
- ssh

9. Multiple EVE Logs
- eve-log:
enabled: yes
type: file
filename: eve-ips.json
types:
- alert
- drop
- eve-log:
enabled: yes
type: file
filename: eve-nsm.json
types:
- http
- dns
- tls

10. Custom HTTP Logging
custom: yes
customformat:
%h - Host HTTP Header (remote host name). ie: google.com
%H - Request Protocol. ie: HTTP/1.1
%m - Request Method. ie: GET
%u - URL including query string. ie: /search?q=suricata
%{header_name}i - contents of the defined HTTP Request Header name. ie:
%{User-agent}i: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:11.0) Gecko/20100101 Firefox/11.0
%{X-Forwarded-For}i: outputs the IP address contained in the X-Forwarded-For HTTP header (inserted by a reverse proxy)
%s - return status code. In the case of 301 and 302 it will print the url in brackets. ie: 200
%B - response size in bytes. ie: 15789
%{header_name}o - contents of the defined HTTP Response Header name
%{strftime_format]t - timestamp of the HTTP transaction in the selected strftime format. ie: 08/28/12-22:14:30
%z - precision time in useconds. ie: 693856
%a - client IP address
%p - client port number
%A - server IP address
%P - server port number

11. Saving to MySQL
mysql>create database filejsondb;
mysql> create user 'filejson'@'localhost' IDENTIFIED BY 'PASSWORD123';
mysql> grant all privileges on filejsondb.* to 'filejson'@'localhost' with grant
option;
mysql> flush privileges;
mysql> use filejsondb;
mysql> CREATE TABLE filejson( time_received VARCHAR(64), ipver
VARCHAR(4), srcip VARCHAR(40), dstip VARCHAR(40), protocol SMALLINT
UNSIGNED, sp SMALLINT UNSIGNED, dp SMALLINT UNSIGNED, http_uri
TEXT, http_host TEXT, http_referer TEXT, filename TEXT, magic TEXT, state
VARCHAR(32), md5 VARCHAR(32), stored VARCHAR(32), size BIGINT
UNSIGNED);
mysql> show columns from filejson;

12. Follow JSON
https://redmine.openinfosecfoundation.org/project
s/suricata/wiki/Script_FollowJSON

13. Common MySQL Queries
https://redmine.openinfosecfoundation.org/project
s/suricata/wiki/Useful_queries_-
_for_MySQL_and_PostgreSQL

14. Rule Format
● Action: drop, alert, pass, reject
● Header: protocol address port direction address
port
– Protocol : ip(all/any), tcp, udp, icmp
– Address: IPv4, IPv6, $HOME_NET,
$EXTERNAL_NET
– Direction : →(from to) or <> (bidirectional)
● Rule Options

15. Address
● Suricata.yaml config
– $HOME_NET: [127.0.0.1, 192.168.1.128]
– $EXTERNAL_NET: !$HOME_NET #very good idea
● ![127.0.0.1, 192.168.1.128]
● 1.1.1.1/24

16. Ports
● !88
● [80:85]
● [80:85, !84]

17. Rule Options
● Meta-settings #no effect on inspection
● Payload Keywords
● HTTP Keywords
● DNS Keywords
● Flow Keywords
● File Keywords
● IP Reputation Keywords

18. Meta-Settings
● Msg: “hello”
● Sid: (signature id number)
● Rev: (revision of signature)
● Gid: (group type id)
● Classtype: trojan-activity
– Use classification.config values
● Reference : <type>, <value>
● Priority: 1-255 (normally 1-4, smaller = higher)
● Metadata: “faniofarnogirai”

19. Payload Keywords
● content : “abc”
● nocase
● distance: 3 #only with multiple content
● within: 3
● dsize
● replace: “def”

20. HTTP Keywords
● http_method
● http_uri / http_raw_uri
● uricontent / urilen
● http_header / http_header_raw
● http_cookie
● http_user_agent
● http_client_body / http_server_body
● file_data
● http_stat_msg / http_stat_code

21. DNS Keywords
● dns_query
– Inspects DNS response
– all contents following it are affected by it!!
● Example:
alert dns any any -> any any (msg:"Test
dns_query option"; dns_query;
content:"google"; nocase; sid:1;)

22. Flow Keywords
● Flowbits
● Flow: [<direction>] [<state>] [<stream>]
– Direction: to/from_client, to/from_server
– State: established or stateless
– Stream: only_stream, no_stream (packet only)
● Flowint
● stream_size

23. File Keywords
● filename
● Fileext
● Filemagic
● Filestore: <direction>, <scope>
● Filemd5
● Filesize: <value>

24. IP Reputation Keywords
● iprep: <side>,<cat>,<operator>,<value>
– side to check: <any|src|dst|both>
– cat: the category short name
– operator: <, >, =
– Value: 1-127
● Disabled by default

25. Simple Example Rule
alert ip $EXTERNAL_NET any → $HOME_NET
any (msg: “Probably not a good idea to accept
these packets”; geoip: any, CN, RU, FR, A1,
A2, O1, BR, IQ, IR, KP; sid: 999999999; rev:1)

26. Detect SYN Flood
alert tcp $EXTERNAL_NET any -> $HOME_NET any
(msg:"LOCAL DOS Unusually fast SYN packets
inbound, Potential DOS"; flags: S,12; threshold: type
both, track by_dst, count 5000, seconds 5;
classtype:misc-activity; sid:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any
(msg:"LOCAL DOS Unusually fast SYN packets
outbound, Potential DOS"; flags: S,12; threshold:
type both, track by_dst, count 5000, seconds 5;
classtype:misc-activity; sid:6;)

27. Pass and Suppress
● Pass for safe traffic
– pass ip 1.2.3.4 any <> any any (msg:"pass all traffic
from/to 1.2.3.4"; sid:1;)
● Suppress is a bad idea
– Stops alerts
– Only considered post matching
– suppress gen_id 0, sig_id 0, track by_src, ip 1.2.3.4

28. Snort.conf → Suricata.yaml
https://redmine.openinfosecfoundation.org/project
s/suricata/wiki/Snortconf_to_Suricatayaml

29. Kibana/Logstash
JSON Output:
https://redmine.openinfosecfoundation.org/proj
ects/suricata/wiki/_Logstash_Kibana_and_Surica
ta_JSON_output
Template:
https://github.com/pevma/Suricata-Logstash-Tem
plates