Hi Cybrarians,

I recently integrated Suricata into our application to block malicious traffic. Here are my two cents on why Suricata is a great engine to install so that your traffic is inspected before it goes out to the world.

About Suricata
Suricata is a signature-based engine built for intrusion detection (IDS), intrusion prevention (IPS) and network security monitoring, and it can also process offline pcap captures.

Installing Suricata on Ubuntu: https://linuxpitstop.com/install-suricata-ids-on-ubuntu-16-04/

To configure the Suricata engine, tweak the suricata.yaml file. Once the engine is configured, it is all about launching it and inspecting traffic.

Suricata Rule Set
Suricata works with the VRT ruleset and the Emerging Threats Suricata ruleset. However, we can also write custom rules to block traffic based on malicious behaviour, threats or policy violations. Below is a sample rule I wrote to block ICMP echo requests (pings) from any network:

drop icmp any any -> any any (msg:"DROP test ICMP ping from any network "; icode:0; itype:8; classtype:trojan-activity; sid:99999999; rev:1;)
When this rule is loaded, Suricata inspects every ICMP packet and drops those with itype 8 (Echo Request) and icode 0, i.e. pings; the rest of the ICMP traffic (replies, unreachables, and so on) is not matched. Because Suricata decodes the protocol before matching, we can block traffic based on protocol fields, payload content and ports, regardless of the type of traffic.

How is Suricata better than other IPS engines?

- It is multithreaded, which traditional Snort-based IPS engines (Snort 2) are not.
- Its outputs (EVE JSON) integrate with dashboards such as Kibana, via Logstash.
- It logs TLS handshake metadata (certificate subject, issuer and fingerprint), so we can check whether anything is talking to a less reputable CA.

How to make Suricata work as an IPS engine

For Suricata to work in IPS mode, below was my workflow:
- Set up an IPsec tunnel between the client computer and the server using strongSwan.
- Using a strongSwan plugin, capture the source IP address of the connecting client.
- Python script: fetch that source IP address and create custom rules for it.
- Python script: load the custom rules into Suricata with a live rule reload.
- The client sends traffic through the strongSwan tunnel.
- Python script: create an iptables NFQUEUE rule so that all the tunnelled traffic is queued to Suricata (running in NFQUEUE mode with -q).
- Suricata drops the traffic that matches the custom rules.
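The script below is an added example of the rule-generation, validation and live-reload steps of this workflow, and it also parses the ICMP rule from the section above to show what a sanity check on a rule looks like. It is not the post's own script. The rules file path, the client numbering scheme, the NFQUEUE number and the decision to block a client's tcp/udp/icmp traffic outright are all assumptions; the unix-socket command and the iptables/suricata command lines are the standard ones, but adapt them to your suricata.yaml.

```python
"""Added example (not the post's script): generate per-client Suricata drop
rules for a tunnel client's source IP, validate them, and trigger a live
rule reload.  Paths, queue number and numbering scheme are assumptions."""
import ipaddress
import json
import re
import socket

RULES_FILE = "/etc/suricata/rules/custom.rules"            # assumed path
SOCKET_PATH = "/var/run/suricata/suricata-command.socket"  # Suricata's default
NFQUEUE_NUM = 0                                            # assumed queue id
LOCAL_SID_BASE = 1_000_000   # sids 1000000-1999999 are reserved for local rules

# The ICMP rule from the post, used to exercise the parser below.
PAGE_RULE = ('drop icmp any any -> any any (msg:"DROP test ICMP ping from any network ";'
             'icode:0; itype:8; classtype:trojan-activity; sid:99999999; rev:1;)')

RULE_RE = re.compile(
    r"^(?P<action>alert|drop|pass|reject)\s+(?P<proto>\S+)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+->\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s+"
    r"\((?P<opts>.*)\)\s*$"
)


def parse_rule(rule):
    """Split a single-line rule into header fields and an options dict.
    Enough to sanity-check generated rules; not a full Suricata grammar
    (no escaped ';' inside content/pcre, no multi-line rules)."""
    m = RULE_RE.match(rule.strip())
    if not m:
        raise ValueError(f"not a rule: {rule!r}")
    fields = m.groupdict()
    opts = {}
    for item in fields.pop("opts").split(";"):
        item = item.strip()
        if item:
            key, _, value = item.partition(":")
            opts[key.strip()] = value.strip().strip('"').strip()
    fields["options"] = opts
    return fields


def drop_rules_for_client(src_ip, client_index, protocols=("tcp", "udp", "icmp")):
    """One drop rule per protocol for traffic originating at src_ip.
    The sid is derived from the client index so re-provisioning the same
    client yields the same sids (Suricata rejects duplicate sids)."""
    ip = ipaddress.ip_address(src_ip)        # ValueError on garbage input
    if not 0 <= client_index < 100_000:      # keep sids inside the local range
        raise ValueError("client_index out of range")
    rules = []
    for n, proto in enumerate(protocols):
        sid = LOCAL_SID_BASE + client_index * 10 + n
        rules.append(f'drop {proto} {ip} any -> any any '
                     f'(msg:"DROP {proto} from tunnel client {ip}"; '
                     f'classtype:policy-violation; sid:{sid}; rev:1;)')
    return rules


def validate_rules(rules):
    """Parse every rule and reject missing or duplicate sids; returns the parses."""
    parsed = [parse_rule(r) for r in rules]
    sids = [p["options"].get("sid") for p in parsed]
    if None in sids:
        raise ValueError("every rule needs a sid")
    dups = sorted({s for s in sids if sids.count(s) > 1})
    if dups:
        raise ValueError(f"duplicate sids: {dups}")
    return parsed


def write_rules(rules, path=RULES_FILE):
    validate_rules(rules)
    with open(path, "w") as fh:
        fh.write("\n".join(rules) + "\n")


def reload_rules(socket_path=SOCKET_PATH):
    """Ask the running Suricata to re-read its rule files over the unix socket
    (same exchange as the bundled suricatasc client: a version handshake, then
    a JSON command; each reply carries a "return" of OK/NOK).  Needs
    unix-command: enabled: yes in suricata.yaml."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(socket_path)
        for payload in ({"version": "0.2"}, {"command": "ruleset-reload-rules"}):
            s.sendall(json.dumps(payload).encode())
            reply = json.loads(s.recv(65536).decode())
            if reply.get("return") != "OK":
                raise RuntimeError(f"suricata answered {reply} to {payload}")
    return True


def nfqueue_commands(queue=NFQUEUE_NUM):
    """Commands that hand routed (tunnel) traffic to Suricata.  No --queue-bypass:
    if Suricata is not bound to the queue, packets are dropped (fail closed)
    rather than silently skipping inspection."""
    return [f"iptables -I FORWARD -j NFQUEUE --queue-num {queue}",
            f"suricata -c /etc/suricata/suricata.yaml -q {queue} -D"]


def provision_client(src_ip, client_index, apply=False):
    """Generate and validate a client's rules; with apply=True also write and reload."""
    rules = drop_rules_for_client(src_ip, client_index)
    validate_rules(rules)
    if apply:
        write_rules(rules)
        reload_rules()
    return rules


if __name__ == "__main__":
    print(parse_rule(PAGE_RULE)["options"])
    for r in provision_client("10.8.0.5", 1):   # constructed sample client
        print(r)
```

Before the first live reload, run `suricata -T -c /etc/suricata/suricata.yaml` once so that a malformed custom rule is caught in test mode rather than at reload time; if the unix socket is disabled, `kill -USR2 $(pidof suricata)` triggers the same rule reload.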