Suricata Fundamentals
Suricata, managed by the Open Information Security Foundation (OISF), is an open-source network security solution ideal for Network Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), and Network Security Monitoring (NSM). It excels in deep packet inspection and offers extensive logging, helping administrators detect and respond to suspicious activities within network traffic.
Suricata Operation Modes
Intrusion Detection System (IDS): Passively monitors traffic, flags potential threats, and enhances network visibility but does not intervene.
Intrusion Prevention System (IPS): Acts proactively by blocking suspicious traffic before it enters the network, enhancing security at the cost of added latency.
Intrusion Detection Prevention System (IDPS): Combines IDS and IPS features, passively monitoring but also capable of sending reset packets (RST) to terminate suspicious sessions.
Network Security Monitoring (NSM): Purely logs all network data, focusing on capturing every data transaction for forensic and retrospective analysis.
Suricata Inputs
Offline Input: Processes stored PCAP files, suitable for retrospective analysis and rule testing.
Live Input:
LibPCAP: Reads packets from network interfaces; limited in performance.
NFQ: Linux-only, inline IPS mode leveraging IPTables to pass packets to Suricata for inspection.
AF_PACKET: Enhanced version of LibPCAP, supporting multi-threading; suitable for live analysis on compatible Linux systems.
Suricata Outputs
Suricata logs various outputs, including alerts, DNS requests, HTTP requests, and network flow data. Key outputs include:
EVE JSON: Logs events in JSON format for compatibility with tools like Logstash, covering event types such as alerts, DNS, HTTP, and TLS.
Unified2: Snort-compatible binary alert format, allowing integration with Snort tools like u2spewfoo.
Example of Viewing EVE JSON
Configuring Suricata & Custom Rules
Listing Rule Files: View available rule files.
Modifying Suricata Variables: Define $HOME_NET and $EXTERNAL_NET in suricata.yaml to represent trusted and untrusted network segments, respectively.
Adding Custom Rules:
Example rule to alert on HTTP transactions:
Hands-on with Suricata Inputs
Offline Analysis:
Live Input using AF_PACKET:
Using tcpreplay to Simulate Traffic:
Suricata Logs
EVE JSON: A comprehensive JSON format log containing event types like alerts, HTTP, DNS, and TLS metadata.
To view only alert events:
fast.log: Text-based log recording alerts only, useful for quick review.
stats.log: Displays statistics and resource usage, useful for performance monitoring.
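As an added example (not part of the original notes), a small Python script that does what the "alert events only" filter above does and then summarizes the alerts by signature and source host. The EVE records, the signature id 1000001 and the hostnames are constructed; the parser skips the partial or corrupt lines you typically get when tailing a live eve.json.

```python
import json
from collections import Counter

# Constructed EVE JSON lines (not from the page); field layout follows Suricata alert records.
SAMPLE_EVE = """\
{"timestamp":"2024-01-01T10:00:00.000000+0000","flow_id":1,"event_type":"http","src_ip":"10.0.0.5","src_port":51000,"dest_ip":"203.0.113.10","dest_port":80,"proto":"TCP","http":{"hostname":"example.test","url":"/","http_method":"GET"}}
{"timestamp":"2024-01-01T10:00:00.100000+0000","flow_id":1,"event_type":"alert","src_ip":"10.0.0.5","src_port":51000,"dest_ip":"203.0.113.10","dest_port":80,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":1000001,"rev":1,"signature":"LOCAL HTTP transaction observed","category":"Misc activity","severity":3}}
{"timestamp":"2024-01-01T10:00:01.000000+0000","flow_id":2,"event_type":"dns","src_ip":"10.0.0.5","src_port":40000,"dest_ip":"10.0.0.1","dest_port":53,"proto":"UDP","dns":{"type":"query","rrname":"example.test","rrtype":"A"}}
{"timestamp":"2024-01-01T10:00:02.000000+0000","flow_id":3,"event_type":"alert","src_ip":"10.0.0.7","src_port":51002,"dest_ip":"203.0.113.10","dest_port":80,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":1000001,"rev":1,"signature":"LOCAL HTTP transaction observed","category":"Misc activity","severity":3}}
{"timestamp":"2024-01-01T10:00:03.000000+0000","flow_id":4,"event_type":"tls","src_ip":"10.0.0.5","src_port":51004,"dest_ip":"203.0.113.20","dest_port":443,"proto":"TCP","tls":{"sni":"example.test","version":"TLS 1.3"}}
not valid json
"""

def parse_eve(text):
    """Yield one dict per well-formed EVE JSON line; skip corrupt or truncated
    lines (a half-written last line is normal when tailing a live eve.json)."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue

def alerts_only(events):
    """Keep only records with event_type == "alert" (the other event types
    such as http, dns and tls are metadata, not detections)."""
    return [e for e in events if e.get("event_type") == "alert"]

def summarize_alerts(alerts):
    """Count alerts per (signature_id, signature) and per source host, and report
    the most serious severity seen (Suricata: 1 = high ... 3 = low)."""
    by_sig = Counter((a["alert"]["signature_id"], a["alert"]["signature"]) for a in alerts)
    by_src = Counter(a["src_ip"] for a in alerts)
    worst = min((a["alert"]["severity"] for a in alerts), default=None)
    return {"by_signature": by_sig, "by_src_ip": by_src, "worst_severity": worst}

if __name__ == "__main__":
    summary = summarize_alerts(alerts_only(parse_eve(SAMPLE_EVE)))
    for (sid, sig), n in summary["by_signature"].most_common():
        print(f"sid:{sid} {n:>3}  {sig}")
    print("sources:", dict(summary["by_src_ip"]), "worst severity:", summary["worst_severity"])
```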
File Extraction
Suricata can extract files transferred over protocols for forensic analysis.
Enabling File Extraction in suricata.yaml:
Adding a Custom Extraction Rule:
Example:
Running Suricata on a PCAP:
Inspecting Extracted Files:
Updating and Reloading Rules
Enable Live Rule Reloading:
Reload rules:
Updating Rulesets with suricata-update:
Listing Available Ruleset Sources:
Enabling Specific Rulesets:
Validating Suricata Configuration
Validate the configuration file to ensure Suricata is correctly set up.
Key Features of Suricata
Deep Packet Inspection: Full inspection of packet content and headers.
Protocol Detection: Supports multiple protocols, providing comprehensive network monitoring.
Intrusion Detection and Prevention: Versatile modes for both passive and active defense.
File Extraction: Captures files transferred over certain protocols for forensic analysis.
Live Rule Reloading: Updates rules without service interruption.
Extensive Logging: JSON, fast.log, and more, for customizable insights into network traffic.
Suricata's functionality makes it an effective tool for maintaining network security through vigilant and detailed monitoring of network traffic.