Having just celebrated it's 10th birthday, Suricata has learned a lot about monitoring network traffic during the past decade. Suricata today is more than IDS/IPS— it is also a metadata creating, lua scripting, multi threaded, json logging, rule alerting, network security monitoring beast. Development for Suricata is funded by the non-profit Open Information Security Foundation which, along with feedback and support from the community, has made Suricata what it is today. In this talk we will discuss various aspects of modern Suricata, such as deployment, alerting, rule writing, compilation, protocols, lua, and more. Join us for a look into where Suricata has been, what it does today, and where it's going to go in the future.

1. Suricata: A Decade under the
Influence (of packet sniffing)
Jack Mott / Jason Williams
Open Information Security Foundation

2. WHO IS INTERRUPTING MY 10AM COFFEE
Jack
● Security Research Analyst @
Proofpoint / Emerging Threats
● Malware analysis
● Signatures for ETPRO/OPEN,
ClamAV
● Core Team of OISF
JAe
● Security Research Analyst @
Proofpoint / Emerging Threats
● Malware analysis
● Phishing Research
● Signatures for ETPRO/OPEN,
ClamAV (Phishing)
● Core Team of OISF

3. An (abbreviated) history of Suricata
● Brainstormed by Matt Jonkman, Will Metcalf, and Victor
Julien
● Nov 2007 - First Lines of Code Written by Victor (VIPS)
● 2009 - Name changed to Suricata based on a community
recommendation to have a meerkat as the mascot
● Latin Genus Name for Meerkat: Suricata
● Victor and all the code contributors over the years have
really grown suricata...

6. Suricata is Open Source - GPL v2

7. OISF
● Open Information Security Foundation
● 501c(3) non-profit building Suricata
● Developers like to eat and have families, people deserve
to be paid for their hard work
● Consortium Members
● Trainings (Developer, Engineer, Analyst)

8. Consortium Members

9. What makes Suricata Unique
● Multithreading
● Protocol Parsing w/ buffers (http, dns, tls, smb, etc)
● HTTP, DNS, SMB Json Logs
● File Extraction
● IP reputation
● Lua Scripting to perform complicated rule detection logic
● Backed by non-profit (can’t be sold/bought out)
● Netflow Generation
● SMTP Support
● Native IPv6
● Things coming in 4.1… :)

10. Suricata Today - Suricata 4.0.4
● Detection capabilities extended for HTTP, TLS and more
○ More buffers!
● Further TLS improvements, incl STARTTLS
○ More buffers!
● Experimental Rust: NFS, DNS, NTP
● Extended EVE json log fields
○ More logs!
● Rewritten TCP stream reassembly engine
● Bypass SSL/TLS after the certificate happens
● Lots of bug fix in the minor releases
● CVE-2018-6794 detection bypass fixed in 4.0.4

11. Suricata Today - Suricata Update
● https://github.com/OISF/suricata-update
● No need to use snort tools to manage your suricata
sensors
● Written in python
● Well Documented
○ https://suricata-update.readthedocs.io/en/latest/
● Add Rule Sources
● Keep rules up to date
● Tune your rules without losing changes when the rules
update

12. Suricata Upcoming 4.1 (or maybe now in beta?)
● startswith / endswith
● Bsize
● Transforms!
○ Strip_whitespace
○ Compress_whitespace
○ to_sha256
● SMB Protocol (thanks FoxIT!)
○ Reimplementation of SMB1 and DCERPC
○ Add SMB2 and SMB3
○ Detection / File Extraction / Logging

13. Installing Suricata
● There are pretty good docs
○ https://suricata.readthedocs.io
● Build from Source
○ Add in hyperscan support, rust, experimental features
● Ubuntu with the oisf ppa
○ sudo add-apt-repository ppa:oisf/suricata-stable
● Lots of installation walkthroughs for common systems
○ https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Suri
cata_Installation
● Even on windows!

14. Installing Suricata - Network Card Options
● Intel nics are best on commodity hardware for sub 1g
lines
● Recommend Napatech/Endace/Myricom specialized HW for
higher (requires compiling with support)
● Recommend a recent linux kernel w/ AFPacketv3 (native!)
● You can use PFring, but recompiling kernel kinda sucks
● Turn off all the optimization settings on your nic...

15. Installing Suricata - Sub 1gps
● Basically anything will work
● A Raspberry pi will handle a few hundred mbps
● Unless you throw a few hundred thousand really bad rules
at it
● That 3 year old DB server that’s out of support now will
probably make a good sensor

16. Installing Suricata - Sub 10 gps
● You’re going to be tuning
● At least 16 cores
● Accelerated Capture Cards
● Potentially generating 100’s of gigs of logs a day
● Utilizing bypass

17. Installing Suricata - Above that
● Entirely possible - we know of 100gps+ implementations
● Something we get into in the advanced user training
● Serious Tuning and Hardware Optimization
● SEPTun
○ https://github.com/pevma/SEPTun/blob/master/SEPTun.rst
○ https://github.com/pevma/SEPTun-Mark-II/blob/master/SEPTun-Mark-II.rs
t

18. Suricata Runmodes
NSM - Network Security Monitoring (no rules)
IDS - Intrusion Detection (no metadata)
IPS - Intrusion Prevention (get off my lawn)
NSM + IDS is the most common implementation we see
NSM / IDS usually run off a TAP/Span Port
IPS is inline (potential failure point)

19. Suricata - The YAML Configuration file
● Used to be /etc/suricata/suricata.yaml
● Now is /usr/local/etc/suricata/suricata.yaml
● Everything is configured here for your sensor
● Many configurations can be overwritten at runtime
● Each section has explanations of the configuration
settings
● https://suricata.readthedocs.io is your friend

22. Suricata Deployment Considerations
● Typically still on perimeter
● We see them moving inside more lately
● On the host occasionally
● Be sure to set your HOME_NET and EXTERNAL_NET properly
● Rules can be expensive - only use what you need

23. Logging - fast.log
A fast log.
Contains relevant and quick information regarding a rule
hit:

24. Logging - eve.json
● Amazing log containing *everything* around traffic going
through a sensor
● JSON format: easy to parse, easy to add into log
aggregation (ELK, Splunk, etc)
● Prints alert information in in the same way as fast.log
but has everything else associated with the traffic
● Makes Suricata more of NSM than just IDS/IPS

25. eve.json

27. What is an IDS rule?
Consider this traffic:

28. What is an IDS rule?
alert http $HOME_NET any -> $EXTERNAL_NET any
(msg:"DetoxCrypto Ransomware CnC Activity";
flow:established,to_server; content:"POST"; http_method;
content:"/generate.php"; http_uri; isdataat:!1,relative;
content:”DetoxCrypto”; fast_pattern; http_user_agent;
content:"publickey="; depth:10; http_client_body;
http_header_names; content:!”Referer”; sid:1; rev:1;)

29. IDS Rule Basic Format
action protocol from_ip port -> to_ip port
(msg:”something"; content:"something";
content:"something else"; sid:10000000; rev:1;)Rule Action:
● Determines action made by IDS when rule matches traffic
● 99% of the time we use “alert”
● Other common actions include:
○ pass
○ drop
○ reject
Rule Protocol:
● Determines protocol to be inspected
● Basics are tcp, udp, icmp, ip
● Suricata specific protocols:
○ http
○ dns
○ tls
○ smtp
○ ftp
○ more...
Hosts:
● Indicate originator and recipient of traffic
● Can be single IP, IP range, or Variable (configurable)
● Often use default variables:
○ $HOME_NET (what you monitor, rfc 1918)
○ $EXTERNAL_NET (!$HOME_NET)
Ports:
● Correspond with hosts
● Can be single port, port range, or Variable (configurable)
● Can also be “any”
○ Used often when in conjunction with Suricata
protocols
Rule message:
● Arbitrary text that will appear in logs when rule
fires
● Useful to be as detailed as possible
● Consistency is key!
Rule contents:
● The building blocks of a rule
● The actual bytes present in traffic that we want to
detect
● Unique, interesting, malicious, etc.
● Can be ascii, hex, or combination
Rule metadata:
● Signature ID
● Revision Number
● Classtype
● References
● Other stuff

30. Rule Contents
Consider this traffic:

31. Rule Contents
content:”POST”;
content:”/generate.php”;
content:”DetoxCrypto”;
content:”publickey=“;

32. alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"DetoxCrypto
Ransomware CnC Activity"; flow:established,to_server; content:"POST";
content:"/generate.php"; content:”DetoxCrypto”; content:"publickey=";
content:!”Referer”; sid:1; rev:1;)
Rule Contents

33. HTTP Rules
● HTTP is a common protocol we write a lot of sigs for
● Like dns and tls, http protocol also exists
● http content is placed into buffers
● Buffers are much faster than raw byte matching
● LOTS of buffers available

34. HTTP Rules
content:”POST”; http_method;
content:”/generate.php”; http_uri;
content:”DetoxCrypto”; http_user_agent;
content:”publickey=“; http_client_body;
alert http $HOME_NET any -> $EXTERNAL_NET any
(msg:"DetoxCrypto Ransomware CnC Activity";
flow:established,to_server; content:"POST";
http_method; content:"/generate.php"; http_uri;
isdataat:!1,relative; content:”DetoxCrypto”;
fast_pattern; http_user_agent;
content:"publickey="; depth:10; http_client_body;
http_header_names; content:!”Referer”; sid:1;
rev:1;)

35. HTTP Rules
● New keywords in 4.0.1
● http_header_names; is a good one
● Takes header names and puts them into a string, separated
by |0d 0a|
● Useful for tracking order of headers
● Much more efficient than PCRE
Host: www.evil.com
User-Agent: Mozilla/4.0
|0d 0a|Host|0d 0a|User-Agent|0d 0a 0d 0a|

36. HTTP Rules
Other cool 4.0+ buffers:
http_request_line;
http_start;
http_referer;
http_accept;
http_accept_lang;
http_accept_enc;
http_content_len;
http_content_type;
http_connection;

37. DNS Rules
● Because Suricata can parse protocols like DNS, rules are
much easier to write
● Instead of relying on just inspecting UDP and using DNS
request flags as content, we have more flexibility
● dns protocol
○ Includes UDP and TCP
● dns_query; keyword

38. DNS Rules

39. DNS Rules
The old way…
● udp protocol
● Using destination port 53
● Using DNS query flags
● Matching on non-normalized domain name
● Higher likelihood of False Negative

40. DNS Rules
The new(ish) way :D
● dns protocol
● Using destination port ‘any’
● Matching on normalized domain name in request
○ Using the dns_query; keyword
● More accurate, more efficient

41. TLS Rules
● A blind spot for most IDS/IPS
● Cannot see into the traffic, just that it's happening
● Unless MITM, which is cool too!
● Let’s Encrypt!
● Wait!
● We can do something with SSL/TLS

42. TLS Rules

43. TLS Rules
● tls protocol
○ Like dns proto
○ Port agnostic
● tls_subject;
● tls_cert_serial;
● tls_sni;
● more...

44. TLS Rules
The old way...
● tls protocol
● Using destination port ‘any’
● Matching on the Cert Serial using raw hex
● Matching on Cert Organization using raw hex

45. TLS Rules
The new way :D
● tls protocol
● Using destination port ‘any’
● Matching on the Cert Serial using tls_cert_serial;
● Matching on Cert Organization using tls_subject;

46. Common Rulesets
Emerging Threats
● ET OPEN
○ https://rules.emergingthrea
ts.net/open/
● ETPRO
○ Paid
Talos (Cisco/VRT/Snort)
● Community
○ https://snort.org/downloads
/#rule-downloads
● Snort Subscriber Ruleset
○ Paid
Other orgs with Suricata specific rulesets:
Attack Detection (PT Security), CrowdStrike, SecureWorks

47. Awesome NSM projects using Suricata
● SELKS - Stamus Networks
○ Suricata Elasticsearch Logstash Kibana Scirius
○ Scirius - Graphical Rule Manager
○ https://www.stamus-networks.com/open-source/
● Security Onion
○ Ubuntu based (now with elasticsearch) cornucopia of NSM tools
○ https://securityonion.net/
● RockNSM
○ Response Operation Collection Kit
○ http://rocknsm.io/

48. Community - Connect with us packet nerds
● Mailing lists:
○ Emerging Threats
■ Discussion about ET OPEN sigdev, etc.
■ https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
○ OISF
■ General Suricata discussion
■ https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
● Twitter
○ @oisfoundation
○ @Suricata_IDS
○ @ET_Labs
● IRC
○ #suricata on freenode

49. Upcoming Events
● OISF - https://suricata-ids.org/training/
○ Suricata User Training (2 Day)
■ Suricon - Nov 14-16 2018 https://suricon.net/
○ Suricata Sigdev (2 Day)
■ Suricon
○ Suricata Developer Training
■ 5 Days!
○ Private trainings available

50. Questions?

51. Thanks!
Jack Mott
@malwareforme
jmott@oisf.net
Jason Williams
@switchingtoguns
jwilliams@oisf.net