Network security

How to configure & use Suricata for threat detection

March 8, 2018 by

Suricata is an excellent, low-cost tool that gives you greater insight into a network. Despite this, it needs to be viewed as a single layer in a comprehensive security plan, rather than a complete solution for security issues.

The engine is designed to take advantage of the newest multi-core CPU chip sets, as well as utilize hardware acceleration for greater processing power. The high efficiency of Suricata, its IP reputation support and automated protocol detection make it an effective tool for giving greater visibility into a network.

Learn Network Security Fundamentals

Learn Network Security Fundamentals

Build your skills with seven hands-on courses covering network models and protocols, wireless and mobile security, network security best practices and more.

What Is Suricata?

In 2010, Open Information Security Foundation (OISF) released an open source threat detection engine known as Suricata. Suricata can act as an intrusion detection system (IDS), and intrusion prevention system (IPS), or be used for network security monitoring. It was developed alongside the community to help simplify security processes.

What is Suricata used for?

You can set up Suricata in three main ways:

  1. The simplest way is to set it up as a host-based IDS, which monitors the traffic of an individual computer.
  2. As a passive IDS, Suricata can monitor all of the traffic through a network and notify the administrator when it comes across anything malicious.
  3. When Suricata is set up as an active, inline IDS and IPS, it can monitor inbound and outbound traffic. It can stop malicious traffic before it enters the network, as well as alert the administrator.

How can I configure Suricata?

Begin by creating a virtual machine for the IDS. Ubuntu 32 bit with default options will be fine.

Once the machine is created, the adapter 2 interface can be added for the internal network.

Once the adaptor is added, try installing the operating system (Ubuntu 32 bit for this tutorial).

Once the operating system is installed, configure a static address for the internal interface.

Once the interfaces are configured, try adding an OISF Suricata stable repository and installing Suricata using following command:

sudo add-apt-repository ppa:oisf/suricata-stable

sudo apt-get update

sudo apt-get install suricata

This tutorial demonstrates Suricata running as a NAT gateway device. The following steps require elevated privileges. Setup the NAT by editing /etc/sysctl.conf as follows:

net.ipv4.ip_forward = 1

Once this is done, try loading sysctl settings manually by using following command:

sysctl -p

Once this is done, we can finally try configuring iptables to forward packets between the internal and external interfaces.

iptables -t nat -A POSTROUTING -o enp0s3 -j MASQUERADE

iptables -A FORWARD -i enp0s3 -o enp0s8 -m state --state RELATED,ESTABLISHED -j ACCEPT

iptables -A FORWARD -i enp0s8 -o enp0s3 -j ACCEPT

iptables-save >> fw_rules

Once the Suricata is installed, we can create a virtual machine for the test workstation.

Once the machine is created, we can attach the primary interface to the internal network used above.

Once the interface is configured, try installing the operation system. We need to configure an IP address manually when prompted.

We can use the Suricata address as the gateway, so traffic should pass through the IDS.

Once installed, we need to verify the network connectivity by pinging the test environment and Suricata.

Return to the IDS and configure Suricata. Edit /etc/suricata/suricata.yaml by changing the af-packet interface to the internal interface.

Configure the file-store and file-log outputs.

Configure the stream and libhtp settings using the following commands:

stream.checksum_validation                 no

libhtp.default-config.request-body-limit    0

libhtp.default-config.response-body-limit    0

Add a local rule file to the top of the rule list. Add a test rule to /etc/suricata/rules/local.rules. Using following command.

alert http any any -> any any (msg:"FILE store all"; filestore; sid:1; rev:1;)

Once this is done, we can put into effect all the configuration by restarting both the systems.

How can I test my Suricata lab environment?

We can test this lab setup by downloading a test site on the test workstation. Wget is the command we will use for this purpose.

As you can see, Suricata will now save files it detects in the traffic stream to disk. Setup a directory watch on the IDS and download some files from the test workstation.

The detected files are renamed to file.x and their metadata is stored in the corresponding file.x.met

Learn Network Security Fundamentals

Learn Network Security Fundamentals

Build your skills with seven hands-on courses covering network models and protocols, wireless and mobile security, network security best practices and more.

This type of visibility provides immediate, actionable threat intelligence -- hashes to blacklist, URLs to block, machines to quarantine, etc. Whether it is traditional malware executables, weaponized macros, malicious PDFs or anything else, this type of visibility can be the difference between watching a breach in progress and stopping a breach in progress.



SecRat works at a start-up. He's interested in Windows Driver Programming.