Basics and Important Commands
Introduction
Suricata is a feature-rich and powerful network intrusion detection system (IDS), intrusion prevention system (IPS) and network security monitoring (NSM) tool. Developed by the Open Information Security Foundation (OISF), Suricata is known for its high performance and scalability, making it popular among security professionals for monitoring and protecting network infrastructures. This complete guide covers the basics of Suricata, its key features, installation process, configuration details and important commands to help you get the most out of its potential.
What is Suricata?
Suricata is a multi-threaded IDS/IPS system capable of performing deep packet inspection, network monitoring, and protocol analysis. It can detect intrusions and other malicious activities in real time, offering powerful security monitoring capabilities. Suricata supports various output formats and can integrate with other security tools, making it a very flexible and effective network security solution.
Key Features of Suricata
Multithreading: Suricata uses multiple CPU cores for high-speed packet processing, increasing performance and efficiency.
Definition and analysis of protocols: Automatic detection and analysis of multiple protocols such as HTTP, FTP, SMB, DNS, TLS and others.
Extracting files: Suricata can extract files from network traffic for further analysis and checking for malware.
Advanced logging: Suricata offers extensive logging capabilities, including JSON logs for easy integration with SIEM systems.
Processing rules: Supports rules specific to Suricata as well as rules written for Snort, making migration and customization easy.
Lua scripts: Allows the use of Lua scripts for custom detection logic.
TLS Logging and Detection: Suricata can log and analyze TLS connections to obtain security information.
Installing Suricata
Suricata can be installed on various operating systems, including Linux, macOS, and Windows. Here, we will focus on the installation process for a Debian-based system such as Ubuntu.
Installation steps
Update system packages:
sudo apt-get update
Install dependencies:
sudo apt-get install -y software-properties-common
Add the Suricata repository:
sudo add-apt-repository ppa:oisf/suricata-stable sudo apt-get update
Install Suricata:
sudo apt-get install -y suricata
Check installation:
suricata --build-info
Configuration Basics
The main configuration file of Suricata is located at /etc/suricata/suricata.yaml
. This YAML file controls various aspects of Suricata behavior, including logging, detection engine settings, and network interfaces.
Main configuration sections
Global settings: General settings for the engine, including default directories and performance parameters.
Capture settings: Specifies which network interfaces Suricata should run on.
Detection Engine: Settings for the rules engine, including path to rules files and configuration options.
Logging: Configuration for various output logs including
eve.json
,fast.log
and others.HTTP settings: Specific settings for parsing and logging the HTTP protocol.
Output Settings: Defines Suricata output formats and destinations, such as alerts and statistics.
Important commands
Launching Suricata:
sudo suricata -c /etc/suricata/suricata.yaml -i eth0
Starts Suricata using the specified configuration file and listens on the network interface.
eth0
.Running Suricata in test mode:
sudo suricata -T -c /etc/suricata/suricata.yaml
Test mode checks the configuration file for errors without starting the engine.
Ruleset Updates: Suricata relies on rulesets to detect threats. Emerging Threats (ET) rulesets are very popular.
Analysis of Suricata logs
Suricata generates various logs that can be found along the path
/var/log/suricata/
. The main log files include:eve.json: A JSON log containing all events detected by Suricata. This file is very useful for integration with SIEM systems.
fast.log: A simpler, text-based log file for quickly accessing alerts.
stats.log: Contains performance statistics about Suricata performance.
Checking Suricata Status:
sudo systemctl status suricata
Checks if Suricata is running and provides status information.
Stop Suricata:
systemctl stop suricata
Restarting Suricata:
systemctl restart suricata
IDS and IPS modes in Suricata and use of NFQ
Suricata can operate in two main modes: IDS and IPS. In addition, for IPS mode it is possible to use netfilter queue (NFQ) for more flexible traffic management. Let's look at each of these modes in more detail, including specific commands and configuration file settings.
IDS (Intrusion Detection System) mode
IDS mode is designed for passive monitoring and analysis of network traffic. In this mode, Suricata works as a sensor that detects suspicious activity and generates alerts without interfering with the traffic itself.
Running Suricata in IDS mode:
sudo suricata -c /etc/suricata/suricata.yaml -i eth0
This command starts Suricata using the specified configuration file and listens on the network interface eth0
.
Basic configuration parameters for IDS mode:
In the configuration file /etc/suricata/suricata.yaml
Make sure the following sections are configured correctly:
Setting up interfaces:
af-packet: - interface: eth0 threads: auto cluster-id: 99 cluster-type: cluster_flow defrag: yes
Setting output formats:
outputs: - eve-log: enabled: yes filetype: regular filename: eve.json types: - alert: payload: yes payload-printable: yes packet: yes http-body: yes http-body-printable: yes metadata: yes - http: extended: yes - dns: query: yes answer: yes - tls: extended: yes
IPS (Intrusion Prevention System) mode
IPS mode is designed for active intrusion prevention. In this mode, Suricata not only detects suspicious activity, but also takes action to block it in real time.
Running Suricata in IPS mode:
sudo suricata -c /etc/suricata/suricata.yaml --af-packet -D
This command starts Suricata using the specified configuration file in IPS mode, using the mechanism af-packet
for working with network packets.
Basic configuration parameters for IPS mode:
In the configuration file /etc/suricata/suricata.yaml
Make sure the following sections are configured correctly:
Configuring interfaces with IPS mode:
af-packet: - interface: eth0 threads: auto cluster-id: 99 cluster-type: cluster_flow defrag: yes use-mmap: yes ring-size: 200000 buffer-size: 64535 checksum-checks: auto
Setting up output formats:
outputs: - eve-log: enabled: yes filetype: regular filename: eve.json types: - alert: payload: yes payload-printable: yes packet: yes http-body: yes http-body-printable: yes metadata: yes - http: extended: yes - dns: query: yes answer: yes - tls: extended: yes
Using NFQ (Netfilter Queue)
NFQ (Netfilter Queue) allows Suricata to interact with iptables for more flexible network traffic management. This is especially useful for integrating Suricata in IPS mode.
Configuring iptables to use NFQ:
sudo iptables -I FORWARD -j NFQUEUE --queue-num 0
This command adds a rule to the iptables table that directs all forwarded traffic to NFQUEUE queue number 0.
Running Suricata using NFQ:
sudo suricata -c /etc/suricata/suricata.yaml --nfqueue --nfqueue-mode=repeat --nfqueue-id=0
This command starts Suricata using the specified configuration file and enables NFQ mode, processing traffic from NFQUEUE queue number 0.
Basic configuration parameters for NFQ:
In the configuration file /etc/suricata/suricata.yaml
Make sure the following sections are configured correctly:
NFQ setup:
nfqueue: mode: repeat fail-open: yes qids: [ 0 ] batchcount: 20 max-pending-packets: 1024 defrag: yes
Setting up output formats:
outputs: - eve-log: enabled: yes filetype: regular filename: eve.json types: - alert: payload: yes payload-printable: yes packet: yes http-body: yes http-body-printable: yes metadata: yes - http: extended: yes - dns: query: yes answer: yes - tls: extended: yes
Suricata Log Analysis
Suricata generates various logs that can be found along the way /var/log/suricata/
. Main log files include:
eve.json: A JSON log containing all events detected by Suricata. This file is very useful for integration with SIEM systems.
fast.log: A simpler, text-based log file for quickly accessing alerts.
stats.log: Contains performance statistics about Suricata's operation.
Creating Custom Rules in Suricata
Creating custom rules in Suricata allows you to tailor the intrusion detection system (IDS) to the specific needs of your network and detect specific threats and suspicious activities. Custom rules are written in a format similar to Snort rules, making the transition easier for users familiar with the tool. Let's look at the structure of Suricata rules, their main components, and examples of how to write different rules.
Suricata Rule Structure
A Suricata rule consists of two parts: a header and a body. The header defines the basic parameters of the packets that the rule will respond to, and the body contains detailed conditions and actions.
Header Format:
<действие> <протокол> <IP-источник> <порт-источник> -> <IP-назначение> <порт-назначение>
Body Format:
(<ключевое слово>:<значение>; ...)
Example of a rule:
alert http any any -> any any (msg:"Example rule"; content:"example"; sid:1000001; rev:1;)
This rule generates an alert for any HTTP traffic containing the word “example”.
Basic components of the rule
Action: Defines what Suricata should do when a rule is matched. Possible actions:
alert
— create an alert.log
– write down information.pass
— skip the package.drop
— drop the packet (for IPS only).
Protocol: Indicates the protocol to which the rule applies (for example,
http
,tcp
,udp
,icmp
).Source IP and Port: Defines the IP address and port of the traffic source. Usage
any
means any IP or port.Destination IP and Port: Specifies the IP address and port of the traffic destination. Usage
any
means any IP or port.Rule Body: Contains keywords and values that define the conditions for the rule and action to fire.
Main keywords of the rule body
msg: A message describing the rule. It appears in the logs.
content: Template for searching in traffic.
sid: Unique identifier of the rule.
rev: Version of the rule.
classtype: Classification of attack type.
priority: Rule priority.
flow: Defines the direction of data flow, e.g.
to_client
orto_server
.pcr: Uses regular expressions to search traffic.
threshold: Sets thresholds to prevent the rule from firing excessively.
Examples of custom rules
Alert when a specific HTTP request is detected:
alert http any any -> any any (msg:"Detected specific HTTP request"; content:"/admin"; http_uri; sid:1000002; rev:1;)
This rule generates an alert when it encounters the string “/admin” in the URI.
Alert when usage of a specific user agent is detected:
alert http any any -> any any (msg:"Detected suspicious user-agent"; content:"SuspiciousAgent"; http_header; sid:1000003; rev:1;)
This rule generates an alert when the string “SuspiciousAgent” is found in the HTTP request header.
Alert when a specific DNS query is detected:
alert dns any any -> any any (msg:"Detected DNS request for example.com"; content:"example.com"; sid:1000004; rev:1;)
This rule generates an alert when a request for the domain “example.com” is detected.
Alert when a command is detected in FTP:
alert ftp any any -> any any (msg:"Detected FTP command"; content:"USER admin"; sid:1000005; rev:1;)
This rule generates an alert when the “USER admin” command is detected in FTP traffic.
Using regular expressions to find patterns in traffic:
alert http any any -> any any (msg:"Detected SQL Injection attempt"; pcre:"/select.+from.+users/i"; sid:1000006; rev:1;)
This rule uses a regular expression to detect SQL injection attempts.
Testing custom rules
After creating the rules, it is important to test them to ensure that they work correctly and that there are no errors. This can be done using the test mode command:
sudo suricata -T -c /etc/suricata/suricata.yaml -S /path/to/custom.rules
This command checks the configuration file and specified rules for errors without running Suricata in production mode.
Advanced Features and Usage
Protocol detection and analysis: Suricata automatically detects and analyzes various protocols, providing detailed logs and information. The configuration of these protocols can be fine-tuned in the file
suricata.yaml
.Extracting and analyzing files: Suricata can extract files from network traffic, allowing further analysis for malware or sensitive data. This function is configured in the section
file-store
in the configuration file.Performance optimization: Performance optimization involves adjusting threading, binding, and other settings to optimize Suricata performance based on your specific network environment. Key parameters include
detect-thread-ratio
,stream.memcap
Andflow.memcap
.Integration with other tools: Suricata can be integrated with various tools to expand functionality. For example:
Elasticsearch and Kibana: For log visualization and analysis.
Zeek (formerly Bro): For additional network monitoring and analysis.
Scirius: Web interface for managing Suricata rules and alerts.
Troubleshooting and general problems
High CPU usage: High CPU usage can occur if Suricata is overloaded with traffic. Solutions include optimizing rulesets, enabling multithreading, and tweaking performance-related settings.
Packet Loss: Packet loss may be caused by insufficient hardware resources or incorrect configuration. Monitoring file
stats.log
and setting parameters such asmax-pending-packets
can help solve this problem.Configuration errors: Running Suricata in test mode (
-T
) helps identify configuration errors before changes are implemented.
Conclusion
Suricata is a powerful and flexible network security monitoring tool capable of performing a wide range of tasks from intrusion detection to protocol analysis and file extraction. By mastering its configuration and essential commands, security professionals can effectively deploy and manage Suricata to protect their networks from emerging threats. This comprehensive guide provides the necessary foundation to start using Suricata and explore its advanced features to improve network security.
Resources
For further reading and advanced configurations, please refer to the official Suricata documentation and community forums. These resources provide in-depth information on optimizing Suricata for various network environments and use cases.
By following this guide, you will have a solid foundation to start using Suricata in your network security practice, ensuring a more secure and resilient infrastructure.