Explore OISF’s Suricata: Comprehensive Guide to Intrusion Detection, Prevention, and Rule Management

1. Introduction to OISF Suricata

Suricata is a powerful, versatile open-source threat detection engine that provides intrusion detection (IDS), intrusion prevention (IPS) and network security monitoring (NSM). It performs deep packet inspection and pattern matching on network traffic, which makes it highly effective at detecting threats. Key features:

  • IDS/IPS – Suricata is a rule-based intrusion detection and prevention engine that uses externally developed rule sets (such as Talos rule sets and Emerging Threats Suricata rule sets) to monitor network traffic for any malicious activity, policy violations, and threats.
  • Automatic Protocol Detection – The Suricata engine automatically detects protocols such as HTTP, HTTPS, FTP and SMB on any port and applies the appropriate detection and logging logic. This is useful for detecting malware and command-and-control (CnC) channels.
  • Lua Scripting – Suricata can invoke Lua scripts to provide advanced malware detection, enabling the detection and decoding of otherwise hard-to-detect malicious traffic.
  • Multithreading – Suricata is built for high throughput when processing network traffic. The engine is designed to leverage the processing capabilities of modern multi-core hardware.

2. Installing and Using Suricata (OISF)

2.1 OISF Installation

The official PPA can be used for installation; see the Quickstart guide (section 2) in the Suricata 7.0.2-dev documentation. To install the latest stable version of Suricata, run:

$ sudo add-apt-repository ppa:oisf/suricata-stable
$ sudo apt-get update
$ sudo apt-get install suricata jq

After adding the dedicated PPA repository and updating the package index, you can install Suricata. We recommend installing the jq tool at this point, as it helps display information from Suricata's EVE JSON output. After installation, you can check the version, build options and service status of the running Suricata:

$ sudo suricata --build-info
$ sudo systemctl status suricata

Executable file: /usr/bin/suricata

Configuration and rule sets: /etc/suricata/. The key files to focus on are suricata.yaml and the rules folder:

  • The suricata.yaml file is for the configuration of the Suricata software.
  • The rules folder contains related detection rules. If packet analysis during Suricata’s operation triggers a detection rule, it will be output as a log.

Log files: /var/log/suricata/, which can be changed with the default-log-dir setting in suricata.yaml:

  • eve.json: Detailed information on alerts and events
  • fast.log: Simple summary of alerts, one line per alert, not detailed information
  • stats.log: Engine statistics, such as memory usage counts and packet counts
  • suricata.log: Logs related to the Suricata startup process

Basic command operations:

Upgrade Suricata:
$ sudo apt-get update
$ sudo apt-get upgrade suricata

Remove Suricata:
$ sudo apt-get remove suricata

Install the debug symbols package for Suricata:
$ sudo apt-get install suricata-dbg

2.2 Configuring Suricata

First, configure the internal and external network parameters by modifying the configuration file /etc/suricata/suricata.yaml (under vars: address-groups:):

HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"   # the internal network; set this to the system's own internal network segments
EXTERNAL_NET: "!$HOME_NET"                                # the external network: everything that is not HOME_NET

Specify the network interface that Suricata will inspect for network traffic (check with ip addr):

Ensure that the default-rule-path attribute is set to /etc/suricata/rules:

Save the changes and close the configuration file. Then restart Suricata to apply the changes:

$ sudo systemctl restart suricata

2.3 Updating Suricata Rule Sets

By default, Suricata comes with a limited set of detection rules located in the /etc/suricata/rules/ directory. However, these rules have limited capabilities in detecting threats and intrusions. You can update to well-known third-party rule sets in the industry to improve detection effectiveness.

Suricata provides a tool called suricata-update that fetches rules from rule set providers. Some are free, such as the ET Open set, while others require a paid subscription. It is a Python-based tool that can be installed system-wide for all users with pip:

$ sudo pip3 install --upgrade suricata-update

To fetch the latest rule sets for your server, run the following commands:

$ sudo suricata-update update-sources          # update the rule set index
$ sudo suricata-update list-sources            # list the available rule providers
$ sudo suricata-update enable-source et/open   # enable the et/open rule set
$ sudo suricata-update -o /etc/suricata/rules  # fetch the rules and write them to /etc/suricata/rules

From the output, you can see that suricata-update fetches the free Emerging Threats ET Open rules and saves them to Suricata's /etc/suricata/rules/suricata.rules file. It also reports the number of rules processed. In this example, a total of 45,266 rules were added. Of these, 35,359 were enabled, 6 were removed, and 131 were modified.

2.4 Testing Suricata Rules

Before testing the rules, it is recommended to first check that the configuration is valid:

$ sudo suricata -T -c /etc/suricata/suricata.yaml -v

Here, as suggested by Suricata's quick start guide, we test the ET Open rule set by simulating an intrusion. By sending an HTTP request to the testmynids.org website, a framework for testing a NIDS (Network Intrusion Detection System), the IDS functionality is exercised using signature ID 2100498.

Signature 2100498 exists in /etc/suricata/rules/suricata.rules (the content keyword matches the string uid=0(root), with the parentheses written as the hex bytes |28| and |29|):

alert ip any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:2100498; rev:7; metadata:created_at 2010_09_23, …
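Confirming that the test signature fired means reading eve.json, which is what the jq tool installed earlier is for. The script below is an added example written for this guide (not code from the page or from the Suricata project): it reads EVE JSON line by line, keeps only alert events, counts them per signature ID and lists the hits for one sid such as 2100498. The record layout follows Suricata's EVE alert format; every value in the embedded sample (IPs, flow ids, timestamps) is constructed, and the sample deliberately contains a non-alert flow event and a truncated line so that the parser's handling of both is visible.

```python
"""Triage Suricata EVE JSON output (added example written for this guide; it is
not code from the page or from the Suricata project).  eve.json holds one JSON
object per line; only event_type "alert" records are kept and summarised by
signature ID, so a test signature such as 2100498 can be confirmed without
eyeballing the file.  All values in SAMPLE_EVE are constructed."""
import json
from collections import Counter

# Constructed eve.json sample: a flow event, three alerts and one truncated line
# (as left behind when Suricata is stopped mid-write).
SAMPLE_EVE = """\
{"timestamp":"2024-01-01T12:00:00.000000+0000","flow_id":1,"event_type":"flow","src_ip":"10.0.0.5","dest_ip":"203.0.113.10","proto":"TCP"}
{"timestamp":"2024-01-01T12:00:01.000000+0000","flow_id":2,"event_type":"alert","src_ip":"203.0.113.10","src_port":80,"dest_ip":"10.0.0.5","dest_port":51234,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2100498,"rev":7,"signature":"GPL ATTACK_RESPONSE id check returned root","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2024-01-01T12:00:02.000000+0000","flow_id":3,"event_type":"alert","src_ip":"10.0.0.7","src_port":44321,"dest_ip":"192.168.11.45","dest_port":80,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":8880,"rev":1,"signature":"dvwa url","category":"","severity":3}}
{"timestamp":"2024-01-01T12:00:03.000000+0000","flow_id":4,"event_type":"ale
{"timestamp":"2024-01-01T12:00:04.000000+0000","flow_id":5,"event_type":"alert","src_ip":"203.0.113.10","src_port":80,"dest_ip":"10.0.0.6","dest_port":51235,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2100498,"rev":7,"signature":"GPL ATTACK_RESPONSE id check returned root","category":"Potentially Bad Traffic","severity":2}}
"""


def iter_alerts(lines):
    """Yield parsed alert events, skipping other event types and unparsable lines."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated or corrupt line: skip it rather than abort the whole triage
        if event.get("event_type") == "alert" and isinstance(event.get("alert"), dict):
            yield event


def alerts_by_sid(lines):
    """Alert count per signature ID; the jq equivalent is
    jq 'select(.event_type=="alert") | .alert.signature_id' eve.json | sort | uniq -c"""
    return Counter(ev["alert"]["signature_id"] for ev in iter_alerts(lines))


def alerts_for_sid(lines, sid):
    """(timestamp, src_ip, dest_ip, signature) for every alert raised by one sid."""
    return [
        (ev["timestamp"], ev["src_ip"], ev["dest_ip"], ev["alert"]["signature"])
        for ev in iter_alerts(lines)
        if ev["alert"]["signature_id"] == sid
    ]


def check_test_signature(lines, sid=2100498):
    """True when the quick-start test signature fired at least once."""
    return alerts_by_sid(lines)[sid] > 0


if __name__ == "__main__":
    lines = SAMPLE_EVE.splitlines()  # on a live host: list(open("/var/log/suricata/eve.json"))
    for sid, count in alerts_by_sid(lines).most_common():
        print(f"sid {sid}: {count} alert(s)")
    for hit in alerts_for_sid(lines, 2100498):
        print("  ", *hit)
    print("test signature fired:", check_test_signature(lines))
```

The functions take any iterable of lines, so the same code works on a file object for the real /var/log/suricata/eve.json; the truncated line is skipped instead of raising, which matters when the file is read while Suricata is still writing to it.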
3. suricata-update Command-Line Options

The options below are the output of suricata-update --help:

  --data-dir              Set alternate data directory (default: /var/lib/suricata)
  -c, --config            Path to suricata-update configuration file (default: /etc/suricata/update.yaml)
  --suricata-conf         Path to suricata configuration file (default: /etc/suricata/suricata.yaml)
  --suricata              Path to Suricata program
  --suricata-version      Set Suricata version to a specific version instead of checking for Suricata version on path.
  --user-agent            Set custom user agent string for HTTP requests
  --no-check-certificate  Disable server SSL/TLS certificate verification
  -V, --version           Show version of suricata-update
  -o, --output            Directory to output rules to
  -f, --force             Force remote rule file download if they were not just downloaded, or if remote checksum matches cached copy
  --yaml-fragment         Output YAML fragment for rule inclusion
  --url                   URL to download rules from. This option can be used multiple times
  --local                 Filename or path to directory of local rule files to include
  --sid-msg-map           Generate a sid-msg.map file
  --sid-msg-map-2         Generate a v2 sid-msg.map file
  --disable-conf          Filename of rule disable filters
  --enable-conf           Filename of rule enable filters
  --modify-conf           Filename of rule modification filters
  --drop-conf             Filename of drop rule filters
  --ignore                Filenames to ignore (can be specified multiple times; default: *deleted.rules)
  --no-ignore             Disables the ignore option.
  --threshold-in          Filename of rule thresholding configuration
  --threshold-out         Output of processed threshold configuration
  --dump-sample-configs   Dump sample config files to current directory
  --etopen                Download ET/Open ruleset by default
  --reload-command        Command to run after update if modified
  --no-reload             Disable Suricata rule reloading
  -T, --test-command      Specify a custom test command to test the rules before reloading Suricata
  --no-test               Disable the test command and proceed as if it had passed
  --no-merge              Do not merge the rules into a single rule file. WARNING: If 2 input rule files have the same name, no attempt will be made to resolve the conflict.
  --offline               Run offline using most recent cached rules
  --fail                  Strictly fail and exit in case of an error

Other commands:
  update-sources          Update the source index
  list-sources            List available sources
  enable-source           Enable a source from the index
  disable-source          Disable an enabled source
  remove-source           Remove an enabled or disabled source
  add-source              Add a new source by URL
  check-versions          Check version of suricata-update

4. Suricata Rules

Suricata rules consist of three parts:

  • Action: The action taken when a rule matches;
  • Header: Defines the protocol, source and destination IP addresses, ports, and traffic direction of the rule;
  • Options: Specifies options such as signature ID (sid), log information, regular expressions to match packet content, classification types, and other modifiers that help distinguish between legitimate and suspicious traffic.

A custom rule example:

alert http any any <> $HOME_NET 80 (msg:"Web server returned 404 status code"; content:"404"; http_stat_code; sid:561001;)

Action values are as follows:

  • pass: If the rule matches, Suricata stops scanning and allows the packet through.
  • drop: If the rule matches, the packet is blocked and not sent to the destination. Drop is only available in IPS/inline mode. Drawback: The receiver is unaware of the event, leading to a timeout (TCP), and Suricata generates an alert for the packet.
  • reject: Unlike Drop, which silently discards the packet, Reject actively denies the packet when the rule matches. Two types of rejection packets are automatically chosen. For TCP-related packets, a Reset-Packet is sent. For all other protocols, an ICMP-error packet is sent. Suricata also generates an alert. In Inline/IPS mode, the offending packet is also dropped, similar to the Drop action.
  • alert: When the rule matches, Suricata does not take any action on the packet and allows it through as normal, except it logs an alert that only administrators can see.

These four actions also have a priority order, with the default being: Pass > Drop > Reject > Alert. This means that when a rule matches, Suricata will prioritize rules with Pass, followed by Drop, then Reject, and finally Alert.

Header includes the following elements:

  • Protocol: This field tells Suricata which protocol the rule applies to. Values can be: tcp, udp, icmp, ip, http, ftp, tls (including ssl), smb, dns, etc. The availability of these protocols depends on the configuration in the suricata.yaml file.
  • Source/Destination Address: The source/destination address can be set to an IP address or a variable defined in the Suricata.yaml configuration file;
  • Ports: Different protocols use different port numbers, for example, HTTP uses port 80, while HTTPS uses port 443. Typically, the port number is set to any, affecting all protocols;
  • Direction: Direction tells the rule which traffic to match, whether it’s one-way traffic from source IP to destination IP, or bidirectional traffic between two IPs. Each rule must have an arrow such as -> or <>.

The options part is a series of options in the form key:value or key, each terminated by a semicolon: <keyword>:<settings>; <keyword>; Common options are listed in the Suricata documentation (6. Suricata Rules, Suricata 6.0.3).
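To make the three-part structure concrete, the following is an added example written for this guide (not Suricata's own parser, and not code from the page): it splits a rule into action, header and options, honouring semicolons inside quoted strings, applies the default action priority described above when several matching rules disagree, and flags one frequent authoring mistake, a legacy content modifier such as http_stat_code that has no content keyword in front of it. The sample rules are the page's own 404 rule, the ET Open test signature (its truncated metadata option omitted) and the rule the page later marks "Syntax Parsing Error"; the list of modifier keywords is this example's assumption about which legacy keywords modify a preceding content.

```python
"""Minimal Suricata rule parser (added example written for this guide; it is
not Suricata's own parser and covers only the action/header/options layout
described above).  Also applies the default action priority and flags a
legacy content modifier that has no content keyword in front of it."""
import re

ACTION_PRIORITY = ("pass", "drop", "reject", "alert")  # default order, highest first

# Legacy keywords that modify the *preceding* content keyword (assumption of
# this example).  Sticky buffers such as http_referer, http_protocol and
# file_data are deliberately absent: they legitimately come before content.
CONTENT_MODIFIERS = {
    "nocase", "http_uri", "http_header", "http_cookie", "http_user_agent",
    "http_client_body", "http_server_body", "http_stat_code", "http_stat_msg",
    "http_method", "http_host",
}

HEADER_RE = re.compile(
    r"^(?P<action>\S+)\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<src_port>\S+)\s+"
    r"(?P<direction>->|<>)\s+(?P<dst>\S+)\s+(?P<dst_port>\S+)\s*\((?P<options>.*)\)\s*$",
    re.S,
)

# Rules taken from this page; the metadata option of 2100498 is left out.
RULE_404 = ('alert http any any <> $HOME_NET 80 (msg:"Web server returned 404 status code"; '
            'content:"404"; http_stat_code; sid:561001;)')
RULE_2100498 = ('alert ip any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; '
                'content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:2100498; rev:7;)')
RULE_BAD = ('alert http any any -> any any (msg:"SQL Injection Attack response_1."; http_server_body; '
            'content:"Your Login name"; content:"Your Password"; nocase; classtype:web-sql-injection; '
            'sid:562005; rev:1;)')


def split_options(body):
    """Split the option body on ';' outside double quotes, keeping backslash escapes intact."""
    options, buf, in_quote, i = [], [], False, 0
    while i < len(body):
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):  # escaped char such as \; or \" stays verbatim
            buf.append(body[i:i + 2])
            i += 2
            continue
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            option = "".join(buf).strip()
            if option:
                options.append(option)
            buf = []
        else:
            buf.append(ch)
        i += 1
    if in_quote:
        raise ValueError("unterminated quoted string in options")
    if "".join(buf).strip():
        raise ValueError("last option is not terminated by ';'")
    return options


def parse_option(option):
    """'msg:"text"' -> ('msg', 'text');  'http_uri' -> ('http_uri', None)."""
    keyword, sep, value = option.partition(":")
    if not sep:
        return keyword.strip(), None
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]
    return keyword.strip(), value


def parse_rule(text):
    """Return header fields plus an ordered list of (keyword, value) options."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("rule does not match 'action proto src sport dir dst dport (options)'")
    rule = m.groupdict()
    if rule["action"] not in ACTION_PRIORITY:
        raise ValueError(f"unknown action {rule['action']!r}")
    rule["options"] = [parse_option(o) for o in split_options(rule.pop("options"))]
    return rule


def lint_modifiers(options):
    """Report legacy content modifiers that appear before any content keyword."""
    problems, seen_content = [], False
    for keyword, _ in options:
        if keyword == "content":
            seen_content = True
        elif keyword in CONTENT_MODIFIERS and not seen_content:
            problems.append(f"{keyword} has no preceding content keyword")
    return problems


def resolve_action(actions):
    """Action applied when several matching rules disagree (pass > drop > reject > alert)."""
    return min(actions, key=ACTION_PRIORITY.index)


if __name__ == "__main__":
    for text in (RULE_404, RULE_2100498, RULE_BAD):
        r = parse_rule(text)
        print(r["action"], r["proto"], r["direction"], "sid", dict(r["options"])["sid"],
              lint_modifiers(r["options"]) or "ok")
    print(resolve_action(["alert", "reject", "drop"]))
```

Running a rules file through parse_rule and lint_modifiers before restarting Suricata catches the ordering mistake the page demonstrates with sid 562005, while Suricata's own -T configuration test remains the authoritative check.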

5. Adding Your Own Suricata Rules

References: 6.13 HTTP Keywords (Suricata 7.0.0-dev documentation, osgeo.cn) and Suricata HTTP Keywords (23 Cloud Love 49 Maple, Blog Park, cnblogs.com).

1. Create a my.rules file under /etc/suricata/rules/

2. Write your own rules into my.rules

# Baidu search
alert tcp any any -> any any (msg:"hit baidu.com..."; content:"baidu"; reference:url,www.baidu.com; sid:888888890;)
alert tcp any any -> any any (msg:"hit baidu.com"; content:"baidu"; sid:888888891;)

# Login to DVWA
alert http any any <> any any (msg:"dvwa url"; content:"/login.php"; http_uri; nocase; sid:8880; rev:1;)
alert http any any -> any any (msg:"dvwa protocol"; flow:to_server; http_protocol; content:"HTTP/1.1"; sid:8881; rev:1;)
alert http any any -> any any (msg:"dvwa request header"; content:"application/x-www-form-urlencoded"; http_header; sid:8882; rev:1;)
alert http any any -> any any (msg:"dvwa request referer"; http_referer; content:"http://192.168.11.45/login.php"; sid:8883; rev:1;)
alert http any any -> any any (msg:"dvwa request user agent"; content:"Mozilla/5.0"; http_user_agent; nocase; sid:8884; rev:1;)
alert http any any -> any any (msg:"dvwa request cookie"; content:"security=impossible"; http_cookie; nocase; sid:8885; rev:1;)
alert http any any -> any any (msg:"dvwa request body"; content:"username=admin"; http_client_body; nocase; sid:8886; rev:1;)
alert http any any -> any any (msg:"dvwa request body"; file_data; content:"username=admin"; content:"password=password"; nocase; sid:88861; rev:1;)
alert http any any <> any any (msg:"dvwa"; content:"200"; http_stat_code; sid:8887; rev:1;)
alert http any any <> any any (msg:"dvwa"; content:"302"; http_stat_code; sid:8888; rev:1;)
alert http any any <> any any (msg:"dvwa code"; content:"impossible"; nocase; sid:8889; rev:1;)

# sqli-labs
alert http any any -> any any (msg:"SQL Injection Attack"; content:"/Less-1"; http_uri; nocase; sid:562001; rev:1;)
alert http any any -> any any (msg:"SQL Injection Attack-union."; content:"select"; http_uri; nocase; classtype:web-sql-injection; sid:562002; rev:1;)
alert http any any -> any any (msg:"SQL Injection Attack---."; content:"--"; http_uri; nocase; classtype:web-sql-injection; sid:562003; rev:1;)
alert http any any -> any any (msg:"SQL Injection Attack response."; content:"Your Login name"; http_server_body; nocase; classtype:web-sql-injection; sid:562004; rev:1;)
# Syntax parsing error: http_server_body is a content modifier and applies to the preceding content keyword; here there is none, so the rule fails to load (the next rule uses the file_data sticky buffer instead)
alert http any any -> any any (msg:"SQL Injection Attack response_1."; http_server_body; content:"Your Login name"; content:"Your Password"; nocase; classtype:web-sql-injection; sid:562005; rev:1;)
alert http any any -> any any (msg:"SQL Injection Attack response_2."; file_data; content:"Your Login name"; content:"Your Password"; nocase; classtype:web-sql-injection; sid:562006; rev:1;)

3. Update the Suricata configuration file `/etc/suricata/suricata.yaml` so that your local rules file is added to the rule-files list:
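The relevant part of suricata.yaml, shown here as an added example for this step (not the page's own snippet): default-rule-path is the directory the rule file names are resolved against, suricata.rules is the merged file written by suricata-update, and my.rules is the file created in step 1.

```yaml
# Added example of the rule-loading section of /etc/suricata/suricata.yaml.
# Paths and file names follow the steps above; adjust them if your layout differs.
default-rule-path: /etc/suricata/rules

rule-files:
  - suricata.rules   # written by: sudo suricata-update -o /etc/suricata/rules
  - my.rules         # the custom rules file from step 1
```

After editing, `sudo suricata -T -c /etc/suricata/suricata.yaml -v` reports whether both files load before you restart the service.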

4. If you need to correct your rules and/or modify the Suricata YAML configuration file, you must restart Suricata. Use the command: `systemctl restart suricata`

5. Run Suricata and check that the rules are loaded, using the command `suricata -c /etc/suricata/suricata.yaml -i ens160`. If there are errors in the rules, they are detected at this point: when a rule fails to load, Suricata displays as much information as it can about why it thinks the rule is not loadable. Pay special attention to details such as special characters, spaces and capitalization.

6. On the virtual machine, access the webpage `baidu.com` or use `curl http://baidu.com`

7. On the laptop, access the webpage `http://192.168.11.45/login.php`, enter the username and password, and log in

8. Access the webpage `http://192.168.11.45:8080/Less-1/?id=-1' UNION SELECT 1,2,3 --+`