Suricata is a free and open source, mature, fast and robust network threat detection engine.
The Suricata engine is capable of real time intrusion detection (IDS), inline intrusion prevention (IPS), network security monitoring (NSM) and offline pcap processing.
Documentation
Once Suricata is installed and running, the best way to check all the available options is the official documentation site: http://suricata.readthedocs.io/en/latest/
Configuration files
/etc/suricata/suricata.yaml
Remember to set your $HOME_NET variable in /etc/suricata/suricata.yaml; any traffic outside the value set in this variable will be ignored. Also make sure you are logging to /var/log/suricata, and that the directory exists.
Configuring Suricata to log to disk: configure the logging outputs for Suricata in the suricata.yaml configuration file, and enable “file” logging by changing the value of its “enabled” key from “no” to “yes”. The config file should look like the following:
# Define your logging outputs. If none are defined, or they are all
# disabled you will get the default - console output.
outputs:
  - console:
      enabled: yes
  - file:
      enabled: yes
      filename: /var/log/suricata/suricata.log
  - syslog:
      enabled: no
      facility: local5
      format: "[%i] <%d> -- "
Configuring Suricata to enable DNS and TLS logging: in the suricata.yaml configuration file, ensure that http-log, tls-log and dns-log have the “enabled” key set to “yes”. When you have completed this step, the config file should look like the following:
  - http-log:
      enabled: yes
      filename: http.log
      append: yes
      #extended: yes     # enable this for extended logging information
      #custom: yes       # enabled the custom logging format (defined by customformat)
      #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
  # a line based log of TLS handshake parameters (no alerts)
  - tls-log:
      enabled: yes  # Log TLS connections.
      filename: tls.log # File to store TLS logs.
      append: yes
      #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
      #extended: yes # Log extended information like fingerprint
      certs-log-dir: certs # directory to store the certificates files
  # a line based log of DNS requests and/or replies (no alerts)
  - dns-log:
      enabled: yes
      filename: dns.log
      append: yes
Log files
/var/log/suricata/suricata-start.log
/var/log/suricata/suricata.log
/var/log/suricata/stats.log
/var/log/suricata/core/
The folder /var/log/suricata/core/ will contain any core dumps in case of a segfault. Further reading on what to do and how to report Suricata bugs.
Check drops in stats.log file:
tail -f /var/log/suricata/stats.log | grep -i capture.kernel_drops
tail -f /var/log/suricata/stats.log | grep -i drop
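The grep above shows raw counter values; the added example below (not part of the original page) turns them into a drop percentage by summing the per-thread capture.kernel_packets and capture.kernel_drops rows of each stats.log dump. The sample text and the thread names in it are constructed, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the stats.log layout (counter | thread name | value);
# the dashed separator lines of the real file are left out for brevity.
SAMPLE_STATS = """\
Date: 9/5/2016 -- 10:28:01 (uptime: 0d, 00h 00m 08s)
Counter                   | TM Name                   | Value
capture.kernel_packets    | AFPacketeth01             | 1200
capture.kernel_drops      | AFPacketeth01             | 0
capture.kernel_packets    | AFPacketeth02             | 800
capture.kernel_drops      | AFPacketeth02             | 0
Date: 9/5/2016 -- 10:28:09 (uptime: 0d, 00h 00m 16s)
Counter                   | TM Name                   | Value
capture.kernel_packets    | AFPacketeth01             | 6000
capture.kernel_drops      | AFPacketeth01             | 150
capture.kernel_packets    | AFPacketeth02             | 4000
capture.kernel_drops      | AFPacketeth02             | 50
"""

ROW = re.compile(r"^(\S+)\s*\|\s*([^|]*?)\s*\|\s*(\d+)\s*$")
PKTS, DROPS = "capture.kernel_packets", "capture.kernel_drops"

def parse_snapshots(text):
    """Return one {counter: value summed over threads} dict per 'Date:' block."""
    snapshots = []
    for line in text.splitlines():
        if line.startswith("Date:"):
            snapshots.append(defaultdict(int))
        elif snapshots:
            m = ROW.match(line)
            if m:
                snapshots[-1][m.group(1)] += int(m.group(3))
    return snapshots

def pct(drops, packets):
    return round(100.0 * drops / packets, 2) if packets > 0 else 0.0

def drop_rates(text):
    """Return (percent dropped since start, percent dropped in the last interval)."""
    snaps = parse_snapshots(text)
    if not snaps:
        return None
    last = snaps[-1]
    prev = snaps[-2] if len(snaps) > 1 else {}
    if prev.get(PKTS, 0) > last.get(PKTS, 0):  # counters reset by a restart
        prev = {}
    return (pct(last.get(DROPS, 0), last.get(PKTS, 0)),
            pct(last.get(DROPS, 0) - prev.get(DROPS, 0),
                last.get(PKTS, 0) - prev.get(PKTS, 0)))

if __name__ == "__main__":
    print("since start: %.2f%%, last interval: %.2f%%" % drop_rates(SAMPLE_STATS))
```

The counters are cumulative, so the interval figure is the one to watch: a low overall percentage can hide a recent burst of drops.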
Manual start
Run the command with the --init-errors-fatal option at first to see if there are any issues.
/usr/bin/suricata -c /etc/suricata/suricata.yaml -i eth0 --init-errors-fatal
Use the -D option to run in daemon mode and the --pfring option to capture with PF_RING. PF_RING is a new type of network socket that dramatically improves the packet capture speed, and is available for Linux kernels 2.6.32 and newer.
/usr/bin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid -D --pfring=eth0
Manually start in debug mode:
/usr/bin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid -D --pfring=eth0 --enable-debug
Run in pcap offline mode
Reading files from pcap file:
suricata -r <PCAP>
Threads used by Suricata
Use top to see the individual af_packet threads:
- Enter top -H to view threads in top
- Press o to add a filter
- Enter COMMAND=AFPacket, then press the Enter key
Testing Suricata
1- Check that you have enabled the following rule in /etc/suricata/rules/emerging-user_agents.rules
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User Agent (BlackSun)"; flow:to_server,established; content:"User-Agent|3a| BlackSun"; nocase; http_header; reference:url,www.bitdefender.com/VIRUS-1000328-en--Trojan.Pws.Wow.NCY.html; reference:url,doc.emergingthreats.net/bin/view/Main/2008983; classtype:trojan-activity; sid:2008983; rev:6;)
2- Issue traffic to google.com using the user-agent string “BlackSun”
# apt-get install curl
# curl -A "BlackSun" www.google.com
3- Generate fake malware traffic
# wget testmyids.com
4- Create a fake scan to generate port scan traffic
nmap -sS <NETWORK INTERNAL HOST IP> -D 118.186.71.134
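To confirm the test from steps 1 and 2, the added example below (not part of the original page) checks whether the rule with sid 2008983 is enabled or commented out in a rules file and lists the matching alerts. It assumes Suricata's fast output (fast.log) is enabled, which the page does not show; the rule excerpt, the sid 9000001 rule, the log lines and the function names are constructed for illustration.

```python
import re

SID = 2008983  # the BlackSun user-agent rule from step 1

# Constructed inputs: a rules-file excerpt (options shortened; sid 9000001 is
# made up and disabled) and fast.log lines using documentation IP addresses.
RULES = '''\
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User Agent (BlackSun)"; content:"User-Agent|3a| BlackSun"; http_header; sid:2008983; rev:6;)
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"constructed example rule"; sid:9000001; rev:1;)
'''
FAST_LOG = '''\
09/05/2016-10:28:03.654321  [**] [1:2008983:6] ET USER_AGENTS Suspicious User Agent (BlackSun) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.0.2.10:40112 -> 203.0.113.5:80
'''

ACTIONS = ("alert", "drop", "pass", "reject")
ALERT = re.compile(
    r"^(\S+)\s+\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\].*\{(\w+)\} (\S+) -> (\S+)$")

def rule_state(rules_text, sid):
    """Return 'enabled', 'disabled' (commented out) or 'missing' for a sid."""
    state = "missing"
    for line in rules_text.splitlines():
        body = line.lstrip("# \t")
        if not body.startswith(ACTIONS):
            continue
        if not re.search(r"\bsid:\s*%d\s*;" % sid, body):
            continue
        if not line.lstrip().startswith("#"):
            return "enabled"
        state = "disabled"
    return state

def alerts_for(fast_text, sid):
    """Return (timestamp, proto, src, dst) for each fast.log alert with this sid."""
    hits = []
    for line in fast_text.splitlines():
        m = ALERT.match(line.strip())
        if m and int(m.group(3)) == sid:
            hits.append((m.group(1), m.group(6), m.group(7), m.group(8)))
    return hits

if __name__ == "__main__":
    print("rule %d is %s, %d alert(s) logged"
          % (SID, rule_state(RULES, SID), len(alerts_for(FAST_LOG, SID))))
```

If the rule is enabled but no alert appears after the curl request, check that the sending host falls inside HOME_NET, since the rule only matches traffic from $HOME_NET to $EXTERNAL_NET.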
Tools
py-idstools: Snort and Suricata Rule and Event Utilities in Python (Including an easy to use Unified2 File Reader)
Check the documentation for further analysis: https://idstools.readthedocs.io
With u2json you can read the generated alerts and convert them to JSON, for example:
idstools-u2json /var/log/suricata/unified2.alert.1473071280
idstools-u2json --snort-conf /etc/suricata/suricata.yaml --directory /var/log/suricata --prefix unified2.alert --follow --delete --output /tmp/alerts.json
idstools-u2json --snort-conf /etc/suricata/suricata.yaml --directory /var/log/suricata --prefix unified2.alert --follow --output /tmp/alerts.json
The next example will read the unified2.alert files generated by Suricata and will print the output of every alert/event:
#!/usr/bin/env python
# -*- coding: UTF-8 -*-
from idstools import unified2

# Event Reader
reader = unified2.SpoolEventReader("/var/log/suricata", "unified2.alert", follow=True)

# Output
for event in reader:
    print(event)