Snort or Suricata. Part 2: Installation and initial setup of Suricata

According to statistics, the volume of network traffic grows by about 50% every year. This increases the load on network equipment and, in particular, raises the performance requirements for IDS/IPS. You can buy expensive specialized hardware, but there is a cheaper option: deploying one of the open source systems. Many novice administrators find it difficult to install and configure a free IPS. In the case of Suricata this is not entirely true: you can install it and start repelling typical attacks with a free rule set in a few minutes.

Snort or Suricata. Part 1: Choosing a Free IDS/IPS to Protect Your Corporate Network

Why do we need another open IPS?

Snort, long considered the standard, has been in development since the late nineties, so it was originally single-threaded. Over the years it has gained all the modern features, such as IPv6 support, application-layer protocol analysis and a universal data access module.

The Snort 2.x engine learned to run on multiple cores, but it remained single-threaded and therefore cannot take full advantage of modern hardware platforms.

The problem was solved in the third version, but it took so long to prepare that Suricata, written from scratch, managed to reach the market first. Its development began in 2009 precisely as a multi-threaded alternative to Snort with IPS functionality out of the box. The code is distributed under the GPLv2 license, but the project's financial partners have access to a closed version of the engine. The first versions had some scalability problems, but they were quickly resolved.

Why Suricata?

Suricata, like Snort, consists of several modules: capture, decoding, detection and output. By default, captured traffic is passed to decoding in a single thread, although this loads the system more heavily. If necessary, the threads can be split in the settings and distributed among processors; Suricata is very well optimized for specific hardware, although that goes beyond a beginner's HOWTO. It is also worth noting that Suricata has advanced HTTP inspection tools based on the HTP library, which can also be used to log traffic without detection. The system also supports IPv6 decoding, including IPv4-in-IPv6 tunnels, IPv6-in-IPv6 tunnels and others.

Different interfaces can be used to intercept traffic (NFQueue, IPFRing, LibPcap, IPFW, AF_PACKET, PF_RING), and in Unix socket mode you can automatically analyze PCAP files captured by another sniffer. In addition, Suricata's modular architecture makes it easy to plug in new elements for capturing, decoding, parsing and processing network packets. It is also important to note that in Suricata, traffic is blocked by means of the operating system's regular packet filter. On GNU/Linux there are two ways for the IPS to work: via the NFQUEUE queue (NFQ mode) and via zero copy (AF_PACKET mode). In the first case, a packet that enters iptables is sent to the NFQUEUE queue, where it can be processed in user space. Suricata checks it against its rules and issues one of three verdicts: NF_ACCEPT, NF_DROP or NF_REPEAT. The first two are self-explanatory, while the last one lets packets be marked and sent back to the top of the current iptables table. AF_PACKET mode is faster, but it imposes restrictions on the system: it must have two network interfaces and act as a gateway. A blocked packet is simply not forwarded to the second interface.

An important feature of Suricata is the ability to use rules developed for Snort. The administrator has access, in particular, to the Sourcefire VRT and open-source Emerging Threats rule sets, as well as the commercial Emerging Threats Pro. Unified output can be parsed by popular backends; PCAP and syslog output are also supported. System settings and rules are stored in YAML files, which are easy to read and can be processed automatically. The Suricata engine recognizes many protocols, so rules do not need to be tied to a port number. In addition, Suricata rules make heavy use of the concept of flowbits: session variables used to create and test counters and flags so that a trigger can be tracked. Many IDSs treat different TCP connections as separate entities and may not see the connection between them that indicates the start of an attack. Suricata tries to see the whole picture and in many cases recognizes malicious traffic spread over different connections. One could talk about its advantages for a long time, but let's move on to installation and configuration.

How to install?

We will install Suricata on a virtual server running Ubuntu 18.04 LTS. All commands must be run as the superuser (root). The safest option is to log in to the server via SSH as a normal user and then use sudo to elevate privileges. First, install the packages we need:

sudo apt -y install libpcre3 libpcre3-dev build-essential autoconf automake libtool libpcap-dev libnet1-dev libyaml-0-2 libyaml-dev zlib1g zlib1g-dev libmagic-dev libcap-ng-dev libjansson-dev pkg-config libnetfilter-queue-dev geoip-bin geoip-database geoipupdate apt-transport-https

Connecting an external repository:

sudo add-apt-repository ppa:oisf/suricata-stable
sudo apt-get update

Install the latest stable version of Suricata:

sudo apt-get install suricata

If necessary, edit the configuration files, replacing the default eth0 with the actual name of the server's external interface. Default settings are stored in /etc/default/suricata, and the main settings in /etc/suricata/suricata.yaml. Configuring the IDS mostly comes down to editing this configuration file. It has many parameters whose names and purposes coincide with their Snort counterparts. The syntax is quite different, but the file is much easier to read than Snort configs and is well commented.

sudo nano /etc/default/suricata

and

sudo nano /etc/suricata/suricata.yaml

Attention! Before starting, it is worth checking the values of the variables in the vars section.
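A small pre-flight check for the two files edited above, written for this article and not part of Suricata or its packaging: it reads the IFACE/LISTENMODE/NFQUEUE keys from /etc/default/suricata (key names as found in the Ubuntu package; an assumption, check your own file) and the address groups from the vars section of suricata.yaml, then reports an interface that does not exist on the host and a HOME_NET still left at "any". Both inputs are constructed samples embedded inline.

```python
import re

# Constructed sample of /etc/default/suricata; the LISTENMODE/IFACE/NFQUEUE
# keys are those of the Ubuntu package (assumption, check your own file)
DEFAULTS = "RUN=yes\nLISTENMODE=af-packet\nIFACE=eth0\nNFQUEUE=0\n"

# Constructed excerpt of the vars section of suricata.yaml, still holding the
# stock HOME_NET value the article says to review before the first start
YAML_VARS = """vars:
  address-groups:
    HOME_NET: "any"
    EXTERNAL_NET: "!$HOME_NET"
  port-groups:
    HTTP_PORTS: "80"
"""

def parse_defaults(text):
    """KEY=VALUE lines of /etc/default/suricata; comment lines are skipped."""
    out = {}
    for line in text.splitlines():
        m = re.match(r'^\s*([A-Z_]+)=["\']?([^"\'#]*)', line)
        if m:
            out[m.group(1)] = m.group(2).strip()
    return out

def parse_address_groups(text):
    """KEY: "value" pairs under vars.address-groups, without a YAML library."""
    groups, inside = {}, False
    for line in text.splitlines():
        if re.match(r'^\s*address-groups:', line):
            inside = True
            continue
        if re.match(r'^\s*[a-z-]+:', line):  # next lowercase key ends the block
            inside = False
        m = re.match(r'^\s*([A-Z_]+):\s*"?([^"#]*)"?', line)
        if inside and m:
            groups[m.group(1)] = m.group(2).strip()
    return groups

def check_config(defaults_text, yaml_text, present_ifaces):
    """Findings list; empty means the files agree with the host's interfaces."""
    d, g = parse_defaults(defaults_text), parse_address_groups(yaml_text)
    findings = []
    if d.get("IFACE") not in present_ifaces:
        findings.append("IFACE %r is not a present interface" % d.get("IFACE"))
    if d.get("LISTENMODE") == "nfqueue" and not d.get("NFQUEUE"):
        findings.append("LISTENMODE=nfqueue but NFQUEUE is unset")
    if g.get("HOME_NET", "any").lower() == "any":
        findings.append("HOME_NET is 'any': set it to your internal ranges")
    if g.get("EXTERNAL_NET") != "!$HOME_NET":
        findings.append("EXTERNAL_NET does not exclude HOME_NET")
    return findings
```

On a live host, read the two files from disk and pass os.listdir('/sys/class/net') as present_ifaces.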

To complete the setup, you will need to install suricata-update to update and load the rules. It's pretty easy to do this:

sudo apt install python-pip
sudo pip install pyyaml
sudo pip install https://github.com/OISF/suricata-update/archive/master.zip
sudo pip install --pre --upgrade suricata-update

Next, we need to run the suricata-update command to install the Emerging Threats Open rule set:

sudo suricata-update

To view the list of rule sources, run the following command:

sudo suricata-update list-sources

Update rule sources:

sudo suricata-update update-sources

List the updated sources again:

sudo suricata-update list-sources

If necessary, you can enable the available free sources:

sudo suricata-update enable-source ptresearch/attackdetection
sudo suricata-update enable-source oisf/trafficid
sudo suricata-update enable-source sslbl/ssl-fp-blacklist

After that, you need to update the rules again:

sudo suricata-update
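After the update it is worth looking at what actually landed in the merged rule file before Suricata loads it. The following script is an added example, not part of suricata-update or the article: it parses rule lines in the format suricata-update writes to /var/lib/suricata/rules/suricata.rules (the tool's default output path) and summarizes enabled versus disabled rules, rules per action and classtype, and duplicate SIDs. The sample rules are constructed for the example and are not real signatures.

```python
import re
from collections import Counter

# Constructed sample in the format suricata-update writes to
# /var/lib/suricata/rules/suricata.rules; the signatures are invented
SAMPLE_RULES = r'''
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"SAMPLE Outbound HTTP to sinkhole"; flow:established,to_server; http.host; content:"sinkhole.example"; classtype:trojan-activity; sid:9000001; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SAMPLE SSH scan"; flags:S; threshold: type both, track by_src, count 5, seconds 60; classtype:attempted-recon; sid:9000002; rev:1;)
drop tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"SAMPLE SMB exploit attempt"; flow:to_server; content:"|ff|SMB"; classtype:attempted-admin; sid:9000003; rev:4;)
alert dns any any -> any any (msg:"SAMPLE DNS query for test domain"; dns.query; content:"test.example"; classtype:policy-violation; sid:9000003; rev:1;)
'''

# Rule line: optional '#' (disabled by suricata-update), action, protocol, header, options in ()
RULE_RE = re.compile(r'^(?P<disabled>#\s*)?(?P<action>alert|drop|pass|reject)\s+'
                     r'(?P<proto>\S+)\s+.*?\((?P<opts>.*)\)\s*$')

def parse_rules(text):
    """One dict per rule line: action, proto, sid, classtype, msg, disabled."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue  # blank lines and ordinary comments
        opts = m.group("opts")
        sid = re.search(r'\bsid:\s*(\d+)', opts)
        cls = re.search(r'\bclasstype:\s*([\w-]+)', opts)
        msg = re.search(r'msg:"([^"]*)"', opts)
        rules.append({
            "action": m.group("action"), "proto": m.group("proto"),
            "sid": int(sid.group(1)) if sid else None,
            "classtype": cls.group(1) if cls else None,
            "msg": msg.group(1) if msg else "",
            "disabled": bool(m.group("disabled")),
        })
    return rules

def summarize(rules):
    """Counts worth eyeballing after suricata-update: enabled vs disabled,
    rules per action and classtype, and duplicate SIDs among enabled rules."""
    enabled = [r for r in rules if not r["disabled"]]
    sids = Counter(r["sid"] for r in enabled)
    return {
        "enabled": len(enabled),
        "disabled": len(rules) - len(enabled),
        "by_action": Counter(r["action"] for r in enabled),
        "by_classtype": Counter(r["classtype"] for r in enabled),
        "duplicate_sids": sorted(s for s, n in sids.items() if n > 1),
    }
```

On a real host, replace SAMPLE_RULES with the contents of the merged rule file; a drop count of zero in by_action confirms that the downloaded set is alert-only until you convert rules yourself.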

This completes the installation and initial configuration of Suricata on Ubuntu 18.04 LTS. Then the fun begins: in the next article we will connect the virtual server to the office network via VPN and start analyzing all incoming and outgoing traffic. We will pay special attention to blocking DDoS attacks, malware activity and attempts to exploit vulnerabilities in services accessible from public networks. For clarity, the most common types of attacks will be simulated.

Source: habr.com
