Check that Suricata alerts fire correctly by watching the alert log:
sudo tail -f /var/log/suricata/fast.log
I configured the alert file for the ICMP protocol in suricata.yaml, so when I ping from another computer, I can see the alert information in fast.log.
View alerts in a pretty JSON format
sudo tail -f /var/log/suricata/eve.json | jq 'select(.event_type=="alert")'
Setting up Suricata as an IPS (Intrusion Prevention System)
By default, Suricata runs as an Intrusion Detection System (IDS), not as an Intrusion Prevention System (IPS): it only raises alerts when it sees an attack and never blocks anything. To make it block, a few changes are needed.
Modify the parameter script
sudo vim /etc/default/suricata
This file (read by the Debian/Ubuntu service script) defines whether Suricata runs as an IDS (alerts only) or as an IPS (alerts plus blocking). Change this line:
LISTENMODE=af-packet
To:
LISTENMODE=nfqueue
This switches the service from IDS to IPS mode: instead of sniffing an interface with AF_PACKET, Suricata reads packets from an NFQUEUE and returns a verdict (accept or drop) for each one. Note that this setting is only applied when Suricata is started through the service script; when you launch it by hand, as in the steps below, the mode is chosen by the command-line options.
The role of NFQUEUE
What is NFQUEUE? It is a feature of the Linux kernel's netfilter framework that lets packets entering the system be inspected, modified and accepted or dropped by an ordinary user-space program. It is a target of iptables and ip6tables (-j NFQUEUE) that hands each matching packet to a user-space application, which returns a verdict for it. Essentially:
Network -> NFQUEUE (Suricata gives a verdict) -> Computer
Special note: if no program is attached to the queue, packets sent to NFQUEUE are dropped, because the kernel has nothing to ask for a verdict, and the network connection is lost. The order of the steps therefore matters: add the iptables rule only after Suricata is running and bound to the queue, or you will lock yourself out. (During my test, I messed up the steps and iptables blocked my SSH client, making it impossible to connect to the computer...) If you would rather have the rule fail open than closed, the iptables NFQUEUE target accepts the --queue-bypass option, which lets packets through while no listener is bound; the trade-off is that traffic passes uninspected whenever Suricata is down.
Setting Suricata as an IPS
Modify the parameter script
sudo vim /etc/default/suricata
Set LISTENMODE=nfqueue here as shown above; this defines how the Suricata service will operate.
Start Suricata in NFQUEUE mode
sudo suricata -c /etc/suricata/suricata.yaml -q 0 -D
The -q option makes Suricata read packets from an NFQUEUE instead of sniffing an interface; 0 is the queue number (queue 0 is the default, and is where an iptables NFQUEUE rule without --queue-num sends packets); -D runs Suricata in the background as a daemon. Confirm that the process is up (for example with ps aux | grep suricata) before touching iptables.
Switch the network to NFQUEUE
Make sure Suricata is running and bound to the queue first, then divert traffic into NFQUEUE. To inspect traffic arriving from the network at this computer, enter:
sudo iptables -I INPUT -j NFQUEUE
This rule has no match conditions: -I places it at the top of the INPUT chain, so every incoming packet, your SSH session included, now passes through Suricata. To inspect traffic leaving this computer as well, add the same rule to the OUTPUT chain. Be aware that a false positive on outbound traffic can block the host itself, so that it cannot send anything out:
sudo iptables -I OUTPUT -j NFQUEUE
Check the firewall configuration
Verify that iptables now holds the rules you just added:
sudo iptables -vnL
If the network connection fails, reset the firewall by flushing the rules (note that -F removes every rule in the filter table, not only the NFQUEUE ones):
sudo iptables -F
Properly shutting down the IPS
Because traffic is diverted into NFQUEUE, the IPS must be shut down in order: first detach the network from the queue, then stop Suricata. Stopping Suricata first leaves the queue without a consumer, and its packets are dropped. Clear the firewall rules:
sudo iptables -F
Shut down Suricata
# Find Suricata's PID (the [s] keeps grep from matching itself)
ps aux | grep '[s]uricata'
# Send SIGTERM to that PID so Suricata shuts down cleanly
sudo kill -15 <Suricata's PID>
We can turn the commands above into start and stop scripts for Suricata. Start script suricata-start.sh (be careful not to make mistakes, or you might lose access to the computer):
This is a reference method; please do not use it blindly without evaluating it, as I am not responsible for any losses (I am using it happily myself).
sudo suricata -c /etc/suricata/suricata.yaml -q 0 -D   # daemonize; backgrounding with & and adding the rule at once would divert traffic before Suricata has bound the queue
sleep 10 && sudo iptables -I INPUT -j NFQUEUE          # give Suricata time to attach to queue 0 before diverting traffic into it
Stop script suricata-stop.sh
# Detach the network from the queue first: delete the NFQUEUE rule as many times as it was inserted
while true
do
sudo iptables -D INPUT -j NFQUEUE > /dev/null 2>&1 || break
done
# Only then stop Suricata (killall takes process names; the original "killall sudo ..." would also have killed your own sudo session)
sudo killall -TERM suricata
After that, start and stop Suricata with the two scripts above.
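The following script is an added example written for this article, not the author's own scripts. It follows the procedure above but removes the race the post warns about: Suricata is started as a daemon with an explicit --pidfile, the script waits until queue 0 actually has a listener (it assumes /proc/net/netfilter/nfnetlink_queue lists bound queues with the queue number in the first column), and only then inserts the iptables rules; stopping runs in the order the post recommends, rules first, daemon second. It adds --queue-bypass so that a Suricata crash fails open instead of cutting the host off; that is a deliberate trade-off, and the option can be dropped for fail-closed behaviour. The pid-file path, the 60-second timeout and the use of iptables rather than nft are assumptions; run it as root.

```shell
#!/bin/sh
# suricata-ips.sh start|stop|status  (added example; not the post's own scripts)
# Assumes: iptables with the NFQUEUE target, Suricata supporting -q/-D/--pidfile,
# and /proc/net/netfilter/nfnetlink_queue listing bound queues (queue number in column 1).
set -eu

SURICATA_CONF=${SURICATA_CONF:-/etc/suricata/suricata.yaml}
PIDFILE=${PIDFILE:-/var/run/suricata-ips.pid}        # assumed path, passed via --pidfile
QUEUE=${QUEUE:-0}                                    # NFQUEUE number, same as `-q 0`
IPTABLES=${IPTABLES:-iptables}                       # overridable so the rule logic can be dry-run
NFQ_PROC=${NFQ_PROC:-/proc/net/netfilter/nfnetlink_queue}
BIND_TIMEOUT=${BIND_TIMEOUT:-60}                     # rule loading can take a while

# Return 0 if queue $1 has a user-space listener bound, 1 otherwise.
queue_bound() {
    [ -r "$NFQ_PROC" ] || return 1
    awk -v q="$1" '$1 == q { found = 1 } END { exit !found }' "$NFQ_PROC"
}

# Poll queue_bound for up to $BIND_TIMEOUT seconds.
wait_for_queue() {
    waited=0
    until queue_bound "$1"; do
        [ "$waited" -lt "$BIND_TIMEOUT" ] || return 1
        sleep 1; waited=$((waited + 1))
    done
}

# Count NFQUEUE jump rules in `iptables -S <chain>` output read from stdin.
count_nfqueue_rules() {
    grep -c -- '-j NFQUEUE' || true
}

# Divert the given chains into the queue. --queue-bypass makes the kernel ACCEPT
# (fail open) instead of DROP if Suricata later dies; remove it if you would rather
# lose connectivity than run unfiltered while the IPS is down.
add_rules() {
    for chain in "$@"; do
        $IPTABLES -I "$chain" -j NFQUEUE --queue-num "$QUEUE" --queue-bypass
    done
}

# Delete every NFQUEUE rule in the given chains, whatever options it was added with:
# `iptables -S` prints each rule as an -A command, so flip -A to -D and replay it.
remove_rules() {
    for chain in "$@"; do
        $IPTABLES -S "$chain" | { grep -- '-j NFQUEUE' || true; } | sed 's/^-A /-D /' |
        while read -r rule; do
            # shellcheck disable=SC2086  # splitting the rule spec into words is intended
            $IPTABLES $rule
        done
    done
}

start() {
    suricata -c "$SURICATA_CONF" -q "$QUEUE" -D --pidfile "$PIDFILE"
    if ! wait_for_queue "$QUEUE"; then
        echo "queue $QUEUE never got a listener; iptables left untouched" >&2
        return 1
    fi
    add_rules INPUT OUTPUT      # drop OUTPUT here if you only want inbound inspection
}

stop() {
    remove_rules INPUT OUTPUT   # detach the network from the queue first ...
    if [ -s "$PIDFILE" ]; then  # ... then stop the daemon
        kill -TERM "$(cat "$PIDFILE")"
        rm -f "$PIDFILE"
    fi
}

status() {
    if queue_bound "$QUEUE"; then echo "queue $QUEUE: listener bound"; else echo "queue $QUEUE: NO listener"; fi
    for chain in INPUT OUTPUT; do
        echo "$chain: $($IPTABLES -S "$chain" | count_nfqueue_rules) NFQUEUE rule(s)"
    done
}

case "${1:-}" in
    start)  start ;;
    stop)   stop ;;
    status) status ;;
    "")     : ;;   # sourced or run without arguments: define the functions only
    *)      echo "usage: $0 start|stop|status" >&2; exit 1 ;;
esac
```

Run `./suricata-ips.sh status` over SSH before and after `start` to see the queue come up and the rule counts change; if `start` reports that the queue never got a listener, check /var/log/suricata/suricata.log, since no iptables rule has been touched at that point and the host is still reachable.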
The next post will cover setting up ELK.