suricata

suricata

Suricata

Suricata is a free and open source, mature, fast and robust network threat detection engine.

The Suricata engine is capable of real time intrusion detection (IDS), inline intrusion prevention (IPS), network security monitoring (NSM) and offline pcap processing.

Documentation

Once we have Suricata installed and running the best way to check all the available options is to go to the official doc site: http://suricata.readthedocs.io/en/latest/

Configuration files

/etc/suricata/suricata.yaml

Remember to set your $HOMENET variable in /etc/suricata/suricata.yaml, any traffic out of the value set in this variable will be ignored also make sure you are logging to /var/log/suricata, and that the directory exists.

Configuring Suricata to log to disk: Configure the logging outputs for Suricata, in suricata.yaml configuration file, enable “file” logging by changing the value of the “enabled” key values set to “yes” from “no”. The config file should look like the following:

  # Define your logging outputs.  If none are defined, or they are all
  # disabled you will get the default - console output.
  outputs:
  - console:
      enabled: yes
  - file:
      enabled: yes
      filename: /var/log/suricata/suricata.log
  - syslog:
      enabled: no
      facility: local5
      format: "[%i] <%d> -- "

Configuring Suricata to enable DNS and TLS logging In suricata.yaml configuration file ensure that http-log, tls-log and dns-log have the “enabled” key values set to “yes”. When you have completed this step. The config file should look like the following:

  - http-log:
      enabled: yes
      filename: http.log
      append: yes
      #extended: yes     # enable this for extended logging information
      #custom: yes       # enabled the custom logging format (defined by customformat)
      #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'

  # a line based log of TLS handshake parameters (no alerts)
  - tls-log:
      enabled: yes  # Log TLS connections.
      filename: tls.log # File to store TLS logs.
      append: yes
      #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
      #extended: yes # Log extended information like fingerprint
      certs-log-dir: certs # directory to store the certificates files

  # a line based log of DNS requests and/or replies (no alerts)
  - dns-log:
      enabled: yes
      filename: dns.log
      append: yes

Log files

/var/log/suricata/suricata-start.log
/var/log/suricata/suricata.log
/var/log/suricata/stats.log
/var/log/suricata/core/

The folder /var/log/suricata/core/ will contain any core dumps in case of a segfault. Further reading on what to do and how to report Suricata bugs.

Check drops in stats.log file:

tail -f /var/log/suricata/stats.log | grep -i capture.kernel_drops
tail -f /var/log/suricata/stats.log | grep -i drop

Manual start

Run the command with the –init-errors-fatal option at first to see if there are any issues.

/usr/bin/suricata -c /etc/suricata/suricata.yaml -i eth0 --init-errors-fatal

-D option to run in daemon mode and –pfring option. PF_RING is a new type of network socket that dramatically improves the packet capture speed, and is available for Linux kernels 2.6.32 and newer.

/usr/bin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid -D --pfring=eth0

Manually start in debug mode:

/usr/bin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid -D --pfring=eth0 --enable-debug

Run in pcap offline mode

Reading files from pcap file:

suricata -r <PCAP>

Threads used by Suricata

Using top to see if the individual af_packet threads

  1. Enter top -H to view threads in top
  2. Press o to add a filter
  3. Enter COMMAND=AFPacket then press Enter key

Testing Suricata

1- Check that you have enable the next rule in /etc/suricata/rules/emerging-user_agents.rules

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User Agent (BlackSun)"; flow:to_server,established; content:"User-Agent|3a| BlackSun"; nocase; http_header; reference:url,www.bitdefender.com/VIRUS-1000328-en--Trojan.Pws.Wow.NCY.html; reference:url,doc.emergingthreats.net/bin/view/Main/2008983; classtype:trojan-activity; sid:2008983; rev:6;)

2- Issue traffic to google.com using the user-agent string “BlackSun”

# apt-get install curl
# curl -A "BlackSun" www.google.com

3- Generate fake malware traffic

# wget testmyids.com 

4- Create a fake scan to generate port scan traffic

nmap -sS <NETWORK INTERNAL HOST IP> -D 118.186.71.134

Tools

py-idstools: Snort and Suricata Rule and Event Utilities in Python (Including an easy to use Unified2 File Reader)

Check the documentation for further analysis: https://idstools.readthedocs.io

With u2json you can read the alerts generated and convert to JSON, for example:

idstools-u2json /var/log/suricata/unified2.alert.1473071280

idstools-u2json --snort-conf /etc/suricata/suricata.yaml --directory /var/log/suricata  --prefix unified2.alert  --follow  --delete --output /tmp/alerts.json 

idstools-u2json --snort-conf /etc/suricata/suricata.yaml --directory /var/log/suricata  --prefix unified2.alert  --follow  --output /tmp/alerts.json 

The next example will read the unified2.alert files generated by Suricata and will print the output of every alert/event:

#!/usr/bin/env python
# -*- coding: UTF-8 -*-
from idstools import unified2

# Event Reader
reader = unified2.SpoolEventReader("/var/log/suricata", "unified2.alert", follow=True)
# Output
for event in reader:
    print(event)