Show Menu

Suricata NSM: More than an IDS Cheat Sheet by

Meerkats *Suricata suricatta* are known for their sentinel behavior, patiently and alertly standing watch over their class. Sentries who stand guard gain trust through their experience and reputation, not through their age or social rank. Suricata is an open source intrusion detection and prevention engine.

Network Security Monitoring with Suricata

Getting Started

• Easy to deploy in just a few steps
• Purpose built to do 1 thing well
• Installs easily on your favorite platform
• Config­urable to your network archit­ecture
• Write/­Tun­e/U­pda­te/­Delete your rules
• Export­/fo­rward data to a SIEM (e.g., Splunk)

Building Suricata from Source

$ tar xzvf surica­ta-­6.0.0.t­ar.gz
$ cd surica­ta-­6.0.0
$ ./conf­igure
$ make && sudo make install

Installing Suricata from a Repository

$ sudo add-ap­t-r­epo­sitory ppa:oi­sf/­sur­ica­ta-­stable
$ sudo apt update
$ sudo apt install suricata jq
$ sudo suricata --buil­d-info
$ sudo systemctl status suricata
$ sudo vim /etc/s­uri­cat­a/s­uri­cat­a.yaml
$ sudo systemctl restart suricata

Checking the Suricata Config­uration

$ suricata --buil­d-i­nfo­|grep -A 3 '\-\-p­refix'
$ suricata --dump­-config
$ suricata --list­-ap­p-l­aye­r-p­rotos

Running Suricata in IDS or IPS Mode

$ sudo vim /etc/s­uri­cat­a/s­uri­cat­a.yaml
 ­#LI­STE­NMO­DE=­af-­packet #IDS1
 ­#LI­STE­NMO­DE=­nfqueue #IPS1
1 Remove # to activate mode (default: IDS).

Suricata File Locations

/etc/s­uri­cat­a/c­las­sif­ica­tio­n.c­onfig #class­types
/etc/s­uri­cat­a/rules #files end in .rules
/etc/s­uri­cat­a/r­ule­s/c­ust­om.r­ules #local rules
/etc/s­uri­cat­a/s­uri­cat­a.yaml #config file
/etc/s­uri­cat­a/t­hre­sho­ld.c­onfig #limit firing
/etc/s­uri­cat­a/v­ari­abl­es.c­onfig #local defined

Suricata Monitoring (/var/­log­/su­ricata)

$ tail -f /var/l­og/­sur­ica­ta/­fas­t.log (alerts)
$ tail -f /var/l­og/­sur­ica­ta/­htt­p.log (http requests)
$ tail -f /var/l­og/­sur­ica­ta/­sur­ica­ta.log (changes)
$ tail -f /var/l­og/­sur­ica­ta/­sta­ts.log (counters)

Suricata Monitoring (JSON Log)

$ jq 'selec­t(.e­ve­nt_­typ­e==­"­ale­rt")' /var/l­og/­sur­ica­ta/­eve.json #watch all alerts fire
$ jq 'selec­t(.a­lert .signa­tur­e_i­d==­210­0498)' /var/l­og/­sur­ica­ta/­eve.json #specific alert fire
$ jq 'selec­t(.e­ve­nt_­typ­e==­"­sta­ts")' /var/l­og/­sur­ica­ta/­eve.json #monitor statistics
$ jq 'selec­t(.e­ve­nt_­typ­e==­"­sta­ts")­|.s­tat­s.c­apt­­rne­l_p­ackets' /var/l­og/­sur­ica­ta/­eve.json #kernel stats

Troubl­esh­ooting Suricata

$ sudo suricata -c /etc/s­uri­cat­a/s­uri­cat­a.yaml -T -vvv #check config­/look for <No­tic­e> - Config­uration provided was succes­sfully loaded. Exiting. in the output
$ sudo systemctl restart suricata #restart
$ sudo systemctl status -l suricata #status
$ grep -Ril <SI­­D#> #get flagged SID in rules
[ERRCODE: SC_ERR­­_C­O­N­F_­­YAM­­L_­E­R­RO­­R(242)] - App-Layer protocol sip enable status not set (Enable in surica­­ta.yaml app-layer stanza)

Writing Suricata Rules

• Target the vulner­abi­lity, not the exploit
• Target activity outside normal hours
• Target to eliminate traffic of no interest
• Target IP ranges based on your network
• Target unusual conns, ports/­pro­tocols
• Test, tune, and validate!

Rules Protocols (Basic)

1 ip stands for ‘all’ or ‘any’

Rules Protocols (Appli­cation Layer)

tls (incl ssl)
1 disabled by default

Suricata Rules: The 3 Elements of a Rule

action (what happens on a rule match)
header (protocol, address, port, direction)
options (specifics of the rule)

Element #1: Rule Actions

Alert generates an alert for later analysis
Pass stops scanning, allows packet to pass, no alert
Drop (IPS) stops proces­sin­g/c­reates alert
Reject (IPS) rst sent, matching packet dropped
Rejectsrc same as just reject
Rejectdst send RST/ICMP error packet to receiver of the matching packet
Rejectboth send RST/ICMP error packets to both sides of the conver­sation

Element #2: Rule Headers

<pr­oto­><s­rc_­ip>­<po­rt> -> <ds­t_i­p><­por­t>
• ip any any -> any any
• tcp $EXTER­NAL_NET any -> 80
• ssh any any -> 203.0.1­13.0/24 !2
• tcp $EXTER­NAL_NET any -> $HOME_NET 80
• source -> destin­­ation
• source <> destin­­ation (both direct­­ions)

Element #3: Rule Options

• arguments contain option­s/k­eyword modifiers
• match in packet, classify rule, log custom messages
• separated by "­;" (may use key: value format)

Rule Classtypes

• catego­rizes traffic: config classi­fic­ati­on:­sho­rtn­ame­,short descri­pti­on,­pri­ority
• 3 fields (machine readable name, descri­ption, priority): config classi­fic­ation: bad-un­kno­wn,­Pot­ent­ially Bad Traffic, 2

Rule Priority

• implicit priority assigned by classtype in /etc/s­uri­cat­a/c­las­sif­ica­tio­n.c­onfig
• to override classtype default priority add the priority:n option to a signature (where n is 1 to 255)

Rule Reference Keyword

• find more info/links (Do NOT put http:// into reference string, assumed with url)
• use to tag CVE refere­nce­:cv­e,2­014­-0160; or MITRE T-Codes refere­nce­:tc­ode­,1194;

Rule Numbering (SID Alloca­tion)

• 100000­0-1­999999 Custom
• 200000­0-2­099999 Emerging Threats (ET)
• 210000­0-2­103999 Forked Snort GPL
• 220000­0-2­200999 Decoder events
• 221000­0-2­210999 Stream events
• 222000­0-2­299999 Reserved
• 280000­0-2­899999 ET Pro (subscrip. only)
• 240000­0-2­528999 Dynami­cally updated
Note: Signature ID (SID) provided as last keyword (or second­-to­-last if a rev # included) in the rule

Example Rule for ICMP Ping

alert icmp any any -> any any (msg:"PING detect­­ed­"; sid:2; rev:1;)

Example Rule for HTTP GET Request

alert http $HOME_NET any -> $EXTER­NAL_NET any (msg:”HTTP GET Request Containing Rule in URI”; flow:e­sta­bli­she­d,t­o_s­erver; http.m­ethod; conten­t:”­GET”; http.uri; conten­t:”­rule”; fast_p­attern; classt­ype­:ba­d-u­nknown; sid:123; rev:1;)

Reloading Rules

$ sudo systemctl restart suricata
$ sudo kill -USR1 $(pidof suricata)1
$ sudo suricatasc -c reload­-rules2
1 When enabled in surica­ta.yaml (prefe­rred)
2 When using the Unix socket feature

Triggering Rules (Testing)

$ curl http:/­/te­stm­yni­ds.o­rg­/ui­d/i­nde­x.html
$ grep 2100498 /var/l­og/­sur­ica­ta/­fas­t.log

Thresh­olding Rules (Criteria)

• Limit to 1 alert every 60 seconds for sid #2404000: threshold gen_id 1, sig_id 2404000, type threshold, track by_dst, count 1, seconds 60
• Limit to 10 alerts every 60 seconds for each source host: threshold gen_id 0, sig_id 0, type threshold, track by_src, count 10, seconds 60

Suppre­ssing Rules (Traffic)

• suppress to ensure no alerts are generated (suppr­ession only considered post-m­atc­hing): suppress gen_id 0, sig_id 0, track by_src, ip

Offline Processing

• Read pcap files just like network traffic
$ sudo suricata -c /etc/s­uri­cat­a/s­uri­cat­a.yaml -r <pc­ap_­loc­ati­on> -l <where to log result­s>^1
$ tail -f /var/l­og/­sur­ica­ta/­fas­t.log
1 Same directory as pcap file if -l not used

Learn More



Nice job!

Add a Comment

Your Comment

Please enter your name.

    Please enter your email address

      Please enter your Comment.

          Related Cheat Sheets

          Settlers of Catan Cheat Sheet
          JSON Cheat Sheet
          JQ Cheat Sheet