Suricata

Information about Suricata

Published on January 28, 2016

Author: tex_morgan

Source: slideshare.net

1. An Introduction to Suricata
By Tex Morgan

2. What is Suricata?
Open Source IDS / IPS / NSM engine
● IDS – Intrusion Detection System
● IPS – Intrusion Prevention System
● NSM – Network Security Monitoring

3. But Wait, There's More
● Offline analysis of PCAP files
● Traffic recording using the PCAP logger
● Unix socket mode for automated processing
● Automatic protocol detection
● JSON event and alert outputs – Logstash, etc.
http://suricata-ids.org/features/all-features/

4. Command Line (Weeee!)
● suricata
  • -c <yaml configuration file location>
  • -i <interface to sniff>
  • -s <signatures file> (loaded in addition to the rules named in -c)
  • -r <pcap recording file location>
  • -l <default log directory location>
  • -D (run as a daemon)
Example:
  suricata -c suricata.yaml -s signatures.rules -i eth0

5. Default Files (/etc/suricata)
● suricata.yaml
● Signatures (aka Rules)
  – decoder-events.rules
  – dns-events.rules
  – files.rules
  – http-events.rules
  – smtp-events.rules
  – stream-events.rules
  – tls-events.rules

6. Staying on Top
● Edit /etc/oinkmaster.conf
  – Add: url = http://rules.emergingthreats.net/open/suricata/emerging.rules.tar.gz
  – Save
● $ sudo oinkmaster -C /etc/oinkmaster.conf -o /etc/suricata/rules
  – Run this from a cronjob to keep the rules up to date
● Update the classification and reference files
  – /etc/suricata/rules/classification.conf
  – /etc/suricata/rules/reference.conf

7. Configuring for Rules
● Not every rule file in /etc/suricata/rules is loaded by default
● You can add rule files easily in suricata.yaml:
  • - <rule name>.rules
  • prefix the line with # to comment the rule file out temporarily
● To change a specific rule, edit oinkmaster.conf
  – disablesid 2010495
  – modifysid 2010495 "alert" | "drop"

8. EVE Logging
  - eve-log:
      enabled: yes
      type: file           # file|syslog|unix_dgram|unix_stream
      filename: eve.json
      types:
        - alert
        - http:
            extended: yes    # enable this for extended logging information
            custom: [Accept-Encoding, Accept-Language, Authorization]
        - dns
        - tls:
            extended: yes    # enable this for extended logging information
        - files:
            force-magic: no  # force logging magic on all logged files
            force-md5: no    # force logging of md5 checksums
        - ssh

9. Multiple EVE Logs
  - eve-log:
      enabled: yes
      type: file
      filename: eve-ips.json
      types:
        - alert
        - drop
  - eve-log:
      enabled: yes
      type: file
      filename: eve-nsm.json
      types:
        - http
        - dns
        - tls

10. Custom HTTP Logging
  custom: yes
  customformat:
Format specifiers:
● %h - Host HTTP header (remote host name), e.g. google.com
● %H - Request protocol, e.g. HTTP/1.1
● %m - Request method, e.g. GET
● %u - URL including the query string, e.g. /search?q=suricata
● %{header_name}i - contents of the named HTTP request header, e.g. %{User-agent}i: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:11.0) Gecko/20100101 Firefox/11.0
● %{X-Forwarded-For}i - the IP address contained in the X-Forwarded-For request header (inserted by a reverse proxy)
● %s - response status code; for 301 and 302 the redirect URL is printed in brackets, e.g. 200
● %B - response size in bytes, e.g. 15789
● %{header_name}o - contents of the named HTTP response header
● %{strftime_format}t - timestamp of the HTTP transaction in the given strftime format, e.g. 08/28/12-22:14:30
● %z - precision time in microseconds, e.g. 693856
● %a - client IP address
● %p - client port number
● %A - server IP address
● %P - server port number

11. Saving to MySQL
  mysql> create database filejsondb;
  mysql> create user 'filejson'@'localhost' IDENTIFIED BY 'PASSWORD123';
  mysql> grant all privileges on filejsondb.* to 'filejson'@'localhost' with grant option;
  mysql> flush privileges;
  mysql> use filejsondb;
  mysql> CREATE TABLE filejson(
           time_received VARCHAR(64), ipver VARCHAR(4), srcip VARCHAR(40), dstip VARCHAR(40),
           protocol SMALLINT UNSIGNED, sp SMALLINT UNSIGNED, dp SMALLINT UNSIGNED,
           http_uri TEXT, http_host TEXT, http_referer TEXT, filename TEXT, magic TEXT,
           state VARCHAR(32), md5 VARCHAR(32), stored VARCHAR(32), size BIGINT UNSIGNED);
  mysql> show columns from filejson;

12. Follow JSON
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Script_FollowJSON

13. Common MySQL Queries
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Useful_queries_-_for_MySQL_and_PostgreSQL
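Slides 8, 9 and 11 all come down to consuming eve.json one JSON object per line. The following Python is an added example (not from the deck or the Suricata project) that reads constructed EVE lines, tolerates a corrupt line, splits events into the same IPS/NSM groups as the two eve-log blocks on slide 9, and summarises alerts; the field names follow Suricata's EVE schema, the sample records are made up.

```python
import json
from collections import defaultdict

# Constructed sample eve.json lines (not from the slides); the field names follow
# Suricata's EVE schema for alert, http, dns and drop events.
SAMPLE_EVE = """\
{"timestamp":"2016-01-28T10:00:01.000000+0000","event_type":"alert","src_ip":"203.0.113.7","src_port":44512,"dest_ip":"192.168.1.128","dest_port":80,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":5,"rev":1,"signature":"LOCAL DOS Unusually fast SYN packets inbound, Potential DOS","category":"Misc activity","severity":3}}
{"timestamp":"2016-01-28T10:00:02.000000+0000","event_type":"http","src_ip":"192.168.1.128","src_port":50123,"dest_ip":"198.51.100.9","dest_port":80,"proto":"TCP","http":{"hostname":"example.test","url":"/search?q=suricata","http_user_agent":"Mozilla/5.0","http_method":"GET","protocol":"HTTP/1.1","status":200,"length":15789}}
{"timestamp":"2016-01-28T10:00:03.000000+0000","event_type":"dns","src_ip":"192.168.1.128","src_port":53211,"dest_ip":"192.168.1.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":4711,"rrname":"example.test","rrtype":"A"}}
{"timestamp":"2016-01-28T10:00:04.000000+0000","event_type":"drop","src_ip":"203.0.113.7","src_port":44513,"dest_ip":"192.168.1.128","dest_port":22,"proto":"TCP"}
not json at all
"""

# The same split as the two eve-log blocks on slide 9: IPS events vs NSM data.
STREAMS = {"ips": {"alert", "drop"}, "nsm": {"http", "dns", "tls"}}

def parse_eve(text):
    """Yield one dict per well-formed JSON line; skip blank or corrupt lines."""
    for line in text.splitlines():
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue  # one bad line must not abort processing of the whole file

def route_events(text):
    """Group events by stream name, as separate eve-log outputs would."""
    out = defaultdict(list)
    for ev in parse_eve(text):
        for stream, kinds in STREAMS.items():
            if ev.get("event_type") in kinds:
                out[stream].append(ev)
    return dict(out)

def alert_summaries(text):
    """One line per alert: sid/rev, protocol, flow tuple and signature text."""
    rows = []
    for ev in parse_eve(text):
        if ev.get("event_type") != "alert":
            continue
        a = ev["alert"]
        rows.append("sid=%d rev=%d %s %s:%s -> %s:%s %s" % (
            a["signature_id"], a["rev"], ev["proto"],
            ev["src_ip"], ev["src_port"], ev["dest_ip"], ev["dest_port"],
            a["signature"]))
    return rows
```

The same functions work on a real eve.json opened with `open(path).read()`, or line by line on a file being followed.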
14. Rule Format
● Action: drop, alert, pass, reject
● Header: protocol address port direction address port
  – Protocol: ip (all/any), tcp, udp, icmp
  – Address: IPv4, IPv6, $HOME_NET, $EXTERNAL_NET
  – Direction: -> (from, to) or <> (bidirectional)
● Rule Options

15. Address
● suricata.yaml config
  – HOME_NET: "[127.0.0.1, 192.168.1.128]"
  – EXTERNAL_NET: "!$HOME_NET"   # very good idea
● ![127.0.0.1, 192.168.1.128]
● 1.1.1.1/24

16. Ports
● !88
● [80:85]
● [80:85, !84]
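The address and port notation on slides 15 and 16 (variables, negation, nested lists, CIDR, port ranges) is easy to misread; the Python below is an added example, not from the deck or from Suricata, that evaluates such a spec against one IP or port using the slide 15 variable definitions, so the effect of e.g. [80:85, !84] or !$HOME_NET can be checked before a rule goes live.

```python
import ipaddress

# Address-group variables as defined in suricata.yaml on slide 15.
VARS = {"$HOME_NET": "[127.0.0.1, 192.168.1.128]", "$EXTERNAL_NET": "!$HOME_NET"}

def _split_list(spec):
    """Split '[a, [b, c], d]' at top-level commas; lists may nest."""
    items, depth, cur = [], 0, ""
    for ch in spec.strip()[1:-1]:  # drop the outer brackets
        depth += (ch == "[") - (ch == "]")
        if ch == "," and depth == 0:
            items.append(cur)
            cur = ""
        else:
            cur += ch
    return [i.strip() for i in items + [cur] if i.strip()]

def _match(spec, value, leaf):
    """Evaluate a spec: 'any', '!x', a $VAR, a [list] or a leaf token.
    A list matches when some positive item matches (or there are none)
    and no negated item matches, which is how Suricata reads [80:85, !84]."""
    spec = spec.strip()
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not _match(spec[1:], value, leaf)
    if spec in VARS:
        return _match(VARS[spec], value, leaf)
    if spec.startswith("["):
        items = _split_list(spec)
        pos = [i for i in items if not i.startswith("!")]
        neg = [i for i in items if i.startswith("!")]
        return (not pos or any(_match(i, value, leaf) for i in pos)) and \
            all(_match(i, value, leaf) for i in neg)
    return leaf(spec, value)

def _ip_leaf(spec, ip):  # single host or CIDR such as 1.1.1.1/24
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def _port_leaf(spec, port):  # '88', '80:85', '1024:' or ':1023'
    lo, sep, hi = spec.partition(":")
    low = int(lo) if lo else 0
    high = (int(hi) if hi else 65535) if sep else low
    return low <= port <= high

def addr_matches(spec, ip):
    return _match(spec, ip, _ip_leaf)
def port_matches(spec, port):
    return _match(spec, port, _port_leaf)
```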
17. Rule Options
● Meta-settings  # no effect on inspection
● Payload Keywords
● HTTP Keywords
● DNS Keywords
● Flow Keywords
● File Keywords
● IP Reputation Keywords

18. Meta-Settings
● msg: "hello"
● sid: (signature id number)
● rev: (revision of the signature)
● gid: (group type id)
● classtype: trojan-activity
  – Use the values from classification.config
● reference: <type>, <value>
● priority: 1-255 (normally 1-4; smaller = higher priority)
● metadata: "faniofarnogirai" (free-form text)

19. Payload Keywords
● content: "abc"
● nocase
● distance: 3  # only with multiple content matches
● within: 3
● dsize
● replace: "def"

20. HTTP Keywords
● http_method
● http_uri / http_raw_uri
● uricontent / urilen
● http_header / http_raw_header
● http_cookie
● http_user_agent
● http_client_body / http_server_body
● file_data
● http_stat_msg / http_stat_code

21. DNS Keywords
● dns_query
  – Inspects the DNS response – all content matches following it are affected by it!!
● Example:
  alert dns any any -> any any (msg:"Test dns_query option"; dns_query; content:"google"; nocase; sid:1;)

22. Flow Keywords
● flowbits
● flow: [<direction>] [<state>] [<stream>]
  – Direction: to_client/from_client, to_server/from_server
  – State: established or stateless
  – Stream: only_stream, no_stream (packet only)
● flowint
● stream_size

23. File Keywords
● filename
● fileext
● filemagic
● filestore: <direction>, <scope>
● filemd5
● filesize: <value>

24. IP Reputation Keywords
● iprep: <side>,<cat>,<operator>,<value>
  – side to check: <any|src|dst|both>
  – cat: the category short name
  – operator: <, >, =
  – value: 1-127
● Disabled by default

25. Simple Example Rule
  alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"Probably not a good idea to accept these packets"; geoip:any,CN,RU,FR,A1,A2,O1,BR,IQ,IR,KP; sid:999999999; rev:1;)

26. Detect SYN Flood
  alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"LOCAL DOS Unusually fast SYN packets inbound, Potential DOS"; flags:S,12; threshold: type both, track by_dst, count 5000, seconds 5; classtype:misc-activity; sid:5;)
  alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"LOCAL DOS Unusually fast SYN packets outbound, Potential DOS"; flags:S,12; threshold: type both, track by_dst, count 5000, seconds 5; classtype:misc-activity; sid:6;)

27. Pass and Suppress
● Pass for safe traffic
  – pass ip 1.2.3.4 any <> any any (msg:"pass all traffic from/to 1.2.3.4"; sid:1;)
● Suppress is a bad idea
  – Stops alerts
  – Only considered post matching
  – suppress gen_id 0, sig_id 0, track by_src, ip 1.2.3.4
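Slides 14 through 27 describe the rule grammar: an action, a seven-field header and a semicolon-separated option list in parentheses. The Python below is an added example (not from the deck or from Suricata) that parses a rule line into those parts, rejects actions outside the four on slide 14 and rules without exactly one sid, and keeps a `;` inside a quoted msg or content value intact; it handles the SYN flood, dns_query and pass rules shown on the slides.

```python
import re
ACTIONS = {"alert", "drop", "pass", "reject"}  # the four actions on slide 14
ADDR = r"(?:\[[^\]]*\]|\S+)"  # a bracketed list (may contain spaces) or one token
HEADER_RE = re.compile(
    r"^\s*(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>{a})\s+(?P<sp>{a})\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>{a})\s+(?P<dp>{a})\s*\((?P<opts>.*)\)\s*$".format(a=ADDR), re.S)

def _split_options(text):
    """Split on ';' outside double quotes; a backslash-escaped ';' is kept."""
    out, cur, quoted, esc = [], "", False, False
    for ch in text:
        if esc:
            cur, esc = cur + ch, False
        elif ch == "\\":
            cur, esc = cur + ch, True
        elif ch == '"':
            cur, quoted = cur + ch, not quoted
        elif ch == ";" and not quoted:
            out.append(cur.strip())
            cur = ""
        else:
            cur += ch
    return [o for o in out + [cur.strip()] if o]

def parse_rule(rule):
    """Return header fields, (keyword, value) options and the sid; ValueError if malformed."""
    m = HEADER_RE.match(rule.replace("\u2192", "->"))  # the slides render -> as an arrow
    if not m:
        raise ValueError("cannot parse rule header: %r" % rule[:60])
    d = m.groupdict()
    if d["action"] not in ACTIONS:
        raise ValueError("unknown action %r" % d["action"])
    opts = []
    for o in _split_options(d.pop("opts")):
        key, _, val = o.partition(":")
        opts.append((key.strip(), val.strip().strip('"') if val else None))
    d["options"] = opts
    sids = [v for k, v in opts if k == "sid"]
    if len(sids) != 1:
        raise ValueError("a rule needs exactly one sid")
    d["sid"] = int(sids[0])
    return d

def is_valid_rule(rule):
    """True if parse_rule() accepts the rule."""
    try:
        parse_rule(rule)
    except ValueError:
        return False
    return True
```

Keyword values such as threshold are returned as raw strings; splitting them further is keyword-specific and left to the caller.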
28. Snort.conf -> Suricata.yaml
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Snortconf_to_Suricatayaml

29. Kibana/Logstash
JSON output: https://redmine.openinfosecfoundation.org/projects/suricata/wiki/_Logstash_Kibana_and_Suricata_JSON_output
Template: https://github.com/pevma/Suricata-Logstash-Templates