Suricata IPS: A Deep Inspection of Your Traffic

December 27, 2016

Hi Cybrarians,

I recently integrated the Suricata tool into our application to block malicious traffic. Here are my 2 cents on why Suricata is a great engine to install to mark your traffic prior to communicating with the world.

About Suricata  

Suricata is a signature-based system built to perform intrusion detection, intrusion prevention, and network monitoring, along with offline pcap captures.

Installing Suricata on Ubuntu: http://linuxpitstop.com/install-suricata-ids-on-ubuntu-16-04/Suricata.

To configure the Suricata engine, we need to tweak the suricata.yaml file. Once the engine is configured, it is just a matter of launching it and inspecting traffic.

Suricata Rule Set 

Suricata has been integrated with the VRT ruleset and the Emerging Threats Suricata ruleset. We can also write our own custom rules to block traffic based on malicious behavior, threats, or policy violations.

Below is a sample rule which I have written to block all ICMP traffic.

drop icmp any any -> any any (msg:"DROP test ICMP ping from any network"; icode:0; itype:8; classtype:trojan-activity; sid:99999999; rev:1;)

Suricata is capable of deep inspection: when the above rule is triggered, it inspects each ICMP packet for itype 8 (Echo) and blocks the ICMP traffic. We can block traffic based on inspection of protocol parameters, contents, and ports, regardless of the type of traffic.

How is Suricata better than other IPS engines?

  1. It provides multithreading, which is not available in traditional Snort-based IPS.
  2. Its outputs can be integrated with dashboards and log pipelines such as Kibana and Logstash.
  3. We can even monitor TLS keys to check whether there is any communication with less reputable CAs.

How to make Suricata work as an IPS Engine

For Suricata to work in IPS mode, below was my workflow:

  1. Set up an IPsec tunnel between the client computer and the server using strongSwan.
  2. Using a strongSwan plugin, I was able to capture the source IP address.
  3. Python script: it fetches the source IP address and creates custom rules.
  4. Python script: the custom rules are loaded into Suricata with a live reload.
  5. The customer sends traffic to strongSwan.
  6. The Python script creates an NFQUEUE and forwards all the traffic to Suricata.
  7. Based on the custom rules, Suricata blocks the traffic that matches them.
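
Steps 3 and 4 of the workflow, sketched as an added example (this is not the author's script). The function names, the sid range and the file handling are assumptions; the reload uses Suricata's suricatasc client, and the generated rule mirrors the sample ICMP rule above.

```python
import ipaddress
import os
import tempfile

SID_BASE = 9000000  # assumption: local sid range reserved for generated rules

def build_rule(src_ip, sid):
    # Parsing rejects anything that is not a plain IPv4 address, so text that
    # arrives from the tunnel plugin can never inject extra rule syntax.
    addr = ipaddress.IPv4Address(src_ip.strip())
    return (f'drop icmp {addr} any -> any any '
            f'(msg:"DROP ICMP echo request from {addr}"; itype:8; icode:0; '
            f'classtype:trojan-activity; sid:{sid}; rev:1;)')

def build_ruleset(src_ips):
    """Return (rules, rejected): one rule per unique valid IP, unique sid each."""
    rules, rejected, seen = [], [], set()
    for raw in src_ips:
        try:
            addr = ipaddress.IPv4Address(raw.strip())
        except ValueError:
            rejected.append(raw)  # keep for logging, never write to the rules file
            continue
        if addr not in seen:
            seen.add(addr)
            rules.append(build_rule(str(addr), SID_BASE + len(rules)))
    return rules, rejected

def write_rules(rules, path):
    # Write to a temp file and rename, so a reload never reads a partial file.
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory, suffix=".tmp")
    with os.fdopen(fd, "w") as fh:
        fh.write("\n".join(rules) + "\n")
    os.replace(tmp, path)

def reload_command():
    # Run with subprocess after write_rules(); asks the running engine to reload.
    return ["suricatasc", "-c", "reload-rules"]

if __name__ == "__main__":
    # Constructed sample input: a duplicate and an injection attempt included.
    sample = ["192.0.2.10", "192.0.2.10", "198.51.100.7",
              "192.0.2.1 any -> any any (sid:1;)"]
    rules, rejected = build_ruleset(sample)
    print("\n".join(rules))
    print("rejected:", rejected)
```

Suricata only drops packets when it runs inline, for example started with -q on the NFQUEUE number that the firewall forwards traffic to.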