Basics and Important Commands

Introduction

Suricata is a feature-rich and powerful network intrusion detection system (IDS), intrusion prevention system (IPS) and network security monitoring (NSM) tool. Developed by the Open Information Security Foundation (OISF), Suricata is known for its high performance and scalability, making it popular among security professionals for monitoring and protecting network infrastructures. This complete guide covers the basics of Suricata, its key features, installation process, configuration details and important commands to help you get the most out of its potential.

What is Suricata?

Suricata is a multi-threaded IDS/IPS system capable of performing deep packet inspection, network monitoring, and protocol analysis. It can detect intrusions and other malicious activities in real time, offering powerful security monitoring capabilities. Suricata supports various output formats and can integrate with other security tools, making it a very flexible and effective network security solution.

Key Features of Suricata

1. Multithreading: Suricata uses multiple CPU cores for high-speed packet processing, increasing performance and efficiency.

2. Definition and analysis of protocols: Automatic detection and analysis of multiple protocols such as HTTP, FTP, SMB, DNS, TLS and others.

3. Extracting files: Suricata can extract files from network traffic for further analysis and checking for malware.

4. Advanced logging: Suricata offers extensive logging capabilities, including JSON logs for easy integration with SIEM systems.

5. Processing rules: Supports rules specific to Suricata as well as rules written for Snort, making migration and customization easy.

6. Lua scripts: Allows the use of Lua scripts for custom detection logic.

7. TLS Logging and Detection: Suricata can log and analyze TLS connections to obtain security information.

Installing Suricata

Suricata can be installed on various operating systems, including Linux, macOS, and Windows. Here, we will focus on the installation process for a Debian-based system such as Ubuntu.

Installation steps

1. Update system packages:

   sudo apt-get update

2. Install dependencies:

   sudo apt-get install -y software-properties-common

3. Add the Suricata repository:

   sudo add-apt-repository ppa:oisf/suricata-stable
   sudo apt-get update

4. Install Suricata:

   sudo apt-get install -y suricata

5. Check installation:

   suricata --build-info

Configuration Basics

The main configuration file of Suricata is located at /etc/suricata/suricata.yaml. This YAML file controls various aspects of Suricata behavior, including logging, detection engine settings, and network interfaces.

Main configuration sections

1. Global settings: General settings for the engine, including default directories and performance parameters.

2. Capture settings: Specifies which network interfaces Suricata should run on.

3. Detection Engine: Settings for the rules engine, including path to rules files and configuration options.

4. Logging: Configuration for various output logs including eve.json, fast.log and others.

5. HTTP settings: Specific settings for parsing and logging the HTTP protocol.

6. Output Settings: Defines Suricata output formats and destinations, such as alerts and statistics.

Important commands

1. Launching Suricata:

   sudo suricata -c /etc/suricata/suricata.yaml -i eth0

   Starts Suricata using the specified configuration file and listens on the network interface. eth0.

2. Running Suricata in test mode:

   sudo suricata -T -c /etc/suricata/suricata.yaml

   Test mode checks the configuration file for errors without starting the engine.

3. Ruleset Updates: Suricata relies on rulesets to detect threats. Emerging Threats (ET) rulesets are very popular.

   Analysis of Suricata logs

   Suricata generates various logs that can be found along the path /var/log/suricata/. The main log files include:

   1. eve.json: A JSON log containing all events detected by Suricata. This file is very useful for integration with SIEM systems.

   2. fast.log: A simpler, text-based log file for quickly accessing alerts.

   3. stats.log: Contains performance statistics about Suricata performance.

4. Checking Suricata Status:

   sudo systemctl status suricata

   Checks if Suricata is running and provides status information.

5. Stop Suricata:

   systemctl stop suricata

6. Restarting Suricata:

   systemctl restart suricata

IDS and IPS modes in Suricata and use of NFQ

Suricata can operate in two main modes: IDS and IPS. In addition, for IPS mode it is possible to use netfilter queue (NFQ) for more flexible traffic management. Let's look at each of these modes in more detail, including specific commands and configuration file settings.

IDS (Intrusion Detection System) mode

IDS mode is designed for passive monitoring and analysis of network traffic. In this mode, Suricata works as a sensor that detects suspicious activity and generates alerts without interfering with the traffic itself.

Running Suricata in IDS mode:

sudo suricata -c /etc/suricata/suricata.yaml -i eth0

This command starts Suricata using the specified configuration file and listens on the network interface eth0.

Basic configuration parameters for IDS mode:

In the configuration file /etc/suricata/suricata.yaml Make sure the following sections are configured correctly:

1. Setting up interfaces:

   af-packet:
     - interface: eth0
       threads: auto
       cluster-id: 99
       cluster-type: cluster_flow
       defrag: yes
   

2. Setting output formats:

   outputs:
     - eve-log:
         enabled: yes
         filetype: regular
         filename: eve.json
         types:
           - alert:
               payload: yes
               payload-printable: yes
               packet: yes
               http-body: yes
               http-body-printable: yes
               metadata: yes
           - http:
               extended: yes
           - dns:
               query: yes
               answer: yes
           - tls:
               extended: yes
   

IPS (Intrusion Prevention System) mode

IPS mode is designed for active intrusion prevention. In this mode, Suricata not only detects suspicious activity, but also takes action to block it in real time.

Running Suricata in IPS mode:

sudo suricata -c /etc/suricata/suricata.yaml --af-packet -D

This command starts Suricata using the specified configuration file in IPS mode, using the mechanism af-packet for working with network packets.

Basic configuration parameters for IPS mode:

In the configuration file /etc/suricata/suricata.yaml Make sure the following sections are configured correctly:

1. Configuring interfaces with IPS mode:

   af-packet:
     - interface: eth0
       threads: auto
       cluster-id: 99
       cluster-type: cluster_flow
       defrag: yes
       use-mmap: yes
       ring-size: 200000
       buffer-size: 64535
       checksum-checks: auto
   

2. Setting up output formats:

   outputs:
     - eve-log:
         enabled: yes
         filetype: regular
         filename: eve.json
         types:
           - alert:
               payload: yes
               payload-printable: yes
               packet: yes
               http-body: yes
               http-body-printable: yes
               metadata: yes
           - http:
               extended: yes
           - dns:
               query: yes
               answer: yes
           - tls:
               extended: yes
   

Using NFQ (Netfilter Queue)

NFQ (Netfilter Queue) allows Suricata to interact with iptables for more flexible network traffic management. This is especially useful for integrating Suricata in IPS mode.

Configuring iptables to use NFQ:

sudo iptables -I FORWARD -j NFQUEUE --queue-num 0

This command adds a rule to the iptables table that directs all forwarded traffic to NFQUEUE queue number 0.

Running Suricata using NFQ:

sudo suricata -c /etc/suricata/suricata.yaml --nfqueue --nfqueue-mode=repeat --nfqueue-id=0

This command starts Suricata using the specified configuration file and enables NFQ mode, processing traffic from NFQUEUE queue number 0.

Basic configuration parameters for NFQ:

In the configuration file /etc/suricata/suricata.yaml Make sure the following sections are configured correctly:

1. NFQ setup:

   nfqueue:
     mode: repeat
     fail-open: yes
     qids: [ 0 ]
     batchcount: 20
     max-pending-packets: 1024
     defrag: yes
   

2. Setting up output formats:

   outputs:
     - eve-log:
         enabled: yes
         filetype: regular
         filename: eve.json
         types:
           - alert:
               payload: yes
               payload-printable: yes
               packet: yes
               http-body: yes
               http-body-printable: yes
               metadata: yes
           - http:
               extended: yes
           - dns:
               query: yes
               answer: yes
           - tls:
               extended: yes

Suricata Log Analysis

Suricata generates various logs that can be found along the way /var/log/suricata/. Main log files include:

1. eve.json: A JSON log containing all events detected by Suricata. This file is very useful for integration with SIEM systems.

2. fast.log: A simpler, text-based log file for quickly accessing alerts.

3. stats.log: Contains performance statistics about Suricata's operation.

Creating Custom Rules in Suricata

Creating custom rules in Suricata allows you to tailor the intrusion detection system (IDS) to the specific needs of your network and detect specific threats and suspicious activities. Custom rules are written in a format similar to Snort rules, making the transition easier for users familiar with the tool. Let's look at the structure of Suricata rules, their main components, and examples of how to write different rules.

Suricata Rule Structure

A Suricata rule consists of two parts: a header and a body. The header defines the basic parameters of the packets that the rule will respond to, and the body contains detailed conditions and actions.

Header Format:

<действие> <протокол> <IP-источник> <порт-источник> -> <IP-назначение> <порт-назначение>

Body Format:

(<ключевое слово>:<значение>; ...)

Example of a rule:

alert http any any -> any any (msg:"Example rule"; content:"example"; sid:1000001; rev:1;)

This rule generates an alert for any HTTP traffic containing the word “example”.

Basic components of the rule

1. Action: Defines what Suricata should do when a rule is matched. Possible actions:

   • alert — create an alert.

   • log – write down information.

   • pass — skip the package.

   • drop — drop the packet (for IPS only).

2. Protocol: Indicates the protocol to which the rule applies (for example, http, tcp, udp, icmp).

3. Source IP and Port: Defines the IP address and port of the traffic source. Usage any means any IP or port.

4. Destination IP and Port: Specifies the IP address and port of the traffic destination. Usage any means any IP or port.

5. Rule Body: Contains keywords and values ​​that define the conditions for the rule and action to fire.

Main keywords of the rule body

• msg: A message describing the rule. It appears in the logs.

• content: Template for searching in traffic.

• sid: Unique identifier of the rule.

• rev: Version of the rule.

• classtype: Classification of attack type.

• priority: Rule priority.

• flow: Defines the direction of data flow, e.g. to_client or to_server.

• pcr: Uses regular expressions to search traffic.

• threshold: Sets thresholds to prevent the rule from firing excessively.

Examples of custom rules

1. Alert when a specific HTTP request is detected:

   alert http any any -> any any (msg:"Detected specific HTTP request"; content:"/admin"; http_uri; sid:1000002; rev:1;)

   This rule generates an alert when it encounters the string “/admin” in the URI.

2. Alert when usage of a specific user agent is detected:

   alert http any any -> any any (msg:"Detected suspicious user-agent"; content:"SuspiciousAgent"; http_header; sid:1000003; rev:1;)

   This rule generates an alert when the string “SuspiciousAgent” is found in the HTTP request header.

3. Alert when a specific DNS query is detected:

   alert dns any any -> any any (msg:"Detected DNS request for example.com"; content:"example.com"; sid:1000004; rev:1;)

   This rule generates an alert when a request for the domain “example.com” is detected.

4. Alert when a command is detected in FTP:

   alert ftp any any -> any any (msg:"Detected FTP command"; content:"USER admin"; sid:1000005; rev:1;)

   This rule generates an alert when the “USER admin” command is detected in FTP traffic.

5. Using regular expressions to find patterns in traffic:

   alert http any any -> any any (msg:"Detected SQL Injection attempt"; pcre:"/select.+from.+users/i"; sid:1000006; rev:1;)

   This rule uses a regular expression to detect SQL injection attempts.

Testing custom rules

After creating the rules, it is important to test them to ensure that they work correctly and that there are no errors. This can be done using the test mode command:

sudo suricata -T -c /etc/suricata/suricata.yaml -S /path/to/custom.rules

This command checks the configuration file and specified rules for errors without running Suricata in production mode.

Advanced Features and Usage

1. Protocol detection and analysis: Suricata automatically detects and analyzes various protocols, providing detailed logs and information. The configuration of these protocols can be fine-tuned in the file suricata.yaml.

2. Extracting and analyzing files: Suricata can extract files from network traffic, allowing further analysis for malware or sensitive data. This function is configured in the section file-store in the configuration file.

3. Performance optimization: Performance optimization involves adjusting threading, binding, and other settings to optimize Suricata performance based on your specific network environment. Key parameters include detect-thread-ratio, stream.memcap And flow.memcap.

4. Integration with other tools: Suricata can be integrated with various tools to expand functionality. For example:

   • Elasticsearch and Kibana: For log visualization and analysis.

   • Zeek (formerly Bro): For additional network monitoring and analysis.

   • Scirius: Web interface for managing Suricata rules and alerts.

Troubleshooting and general problems

1. High CPU usage: High CPU usage can occur if Suricata is overloaded with traffic. Solutions include optimizing rulesets, enabling multithreading, and tweaking performance-related settings.

2. Packet Loss: Packet loss may be caused by insufficient hardware resources or incorrect configuration. Monitoring file stats.log and setting parameters such as max-pending-packetscan help solve this problem.

3. Configuration errors: Running Suricata in test mode (-T) helps identify configuration errors before changes are implemented.

Conclusion

Suricata is a powerful and flexible network security monitoring tool capable of performing a wide range of tasks from intrusion detection to protocol analysis and file extraction. By mastering its configuration and essential commands, security professionals can effectively deploy and manage Suricata to protect their networks from emerging threats. This comprehensive guide provides the necessary foundation to start using Suricata and explore its advanced features to improve network security.

Resources

For further reading and advanced configurations, please refer to the official Suricata documentation and community forums. These resources provide in-depth information on optimizing Suricata for various network environments and use cases.

1. Suricata Documentation

2. OISF Suricata GitHub Repository

By following this guide, you will have a solid foundation to start using Suricata in your network security practice, ensuring a more secure and resilient infrastructure.