Introduction to Suricata: A Best of Breed Open Source IDS and IPS


“ESG research indicates network security monitoring is most often the center of gravity for threat detection. In other words, SOC analysts detect suspicious activity on the network first and then pivot elsewhere for further investigation.” So wrote Jon Oltsik, a security analyst for ESG, in a piece for CSO Online summarizing his observations from the RSA Conference.

In his assessment, network security monitoring can provide security leaders and CISOs with the most value for their investment. Among the technologies he cited were open source tools including Snort, Suricata and Zeek (formerly known as the Bro framework).

Since our founding in 2014, Bricata has been a staunch advocate of open source technologies. To that end, it’s encouraging to see a prominent analyst highlighting open source security tools and the unique value they offer security teams in the never-ending battle that is cybersecurity. We’ve previously explored Zeek in depth and thought this was a good opportunity to do the same with Suricata.

What is Suricata?

Suricata is an open source network threat detection engine that provides intrusion detection (IDS), intrusion prevention (IPS) and network security monitoring capabilities. It excels at deep packet inspection and pattern matching, which makes it extremely useful for threat and attack detection.

While many of its features and functions are similar to Snort’s, Suricata differs in several important ways:

- It is multi-threaded, so a single instance can handle much higher traffic volumes;

- It has broader support for application layer protocols;

- It supports file hashing and file extraction; and

- It has hooks for the Lua scripting language, which can be used to modify outputs and even to build complex, detailed signature detection logic.

In summary, Suricata is a best-of-breed signature-based intrusion detection platform – and it’s one of three important detection engines on the Bricata platform.

What is the advantage of a multi-threaded signature detection platform?

Enterprise networks today handle more and more traffic, and many typically carry 10 gigabytes per second on a backbone. The multi-threaded design of Suricata allows its users to scale horizontally on a single appliance by adding packet processing threads as traffic volume requires.

In the Bricata platform, we’ve done this in an automated fashion under the hood. There are no special configurations or anything an administrator needs to do – and that’s a unique capability that Bricata provides.

There are a lot of signature detection engines out there, so why should a cybersecurity team consider making Suricata part of its toolkit?

One of the distinguishing traits of Suricata, especially in comparison to Snort, is its dynamic, port-agnostic application layer protocol detection. This means it can identify the more common application layer protocols, such as HTTP, DNS and TLS, even when they are carried over non-standard ports. The rule language also allows you to construct matching conditions on application layer protocol fields to a much greater extent than comparable IDS tools.

For example, you can match HTTP header fields and values, or write rules that inspect the HTTP POST body. This gives you awareness of the context of the network transaction, which can inform the matching logic you use. By comparison, with other IDS tools you would write a rule that looks for a content match – a certain string inside a packet payload – without that context.

To be clear, it is possible to capture this context without the additional application layer protocol support; it just requires a deeper understanding of the packet and protocol structure. In those cases, context is applied to content by matching byte values at predefined offsets – distances from one another – that mark demarcations in the packet structure. This is complicated and easy to get wrong.

The application layer support Suricata provides simplifies this dramatically. Instead of having to know specific byte values and field lengths, to match a value in the HTTP Host header you simply use the rule option keyword http_host. This is much easier to get right.
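A rule-file illustration of the content-versus-context point above, added here as an example; these rules are not from the post or from Bricata. The sids, the host name evil.example and the form field name are constructed placeholders, and the sticky-buffer spellings (http.host, http.method, http.request_body) assume Suricata 5 or later.

```suricata
# Added example, not from the original post. sids 1000001-1000004 are
# placeholders in the local-rules range; evil.example is a constructed name.

# 1. Context-free content match, the approach the post describes for tools
#    without application layer parsing: the string is sought anywhere in any
#    TCP payload to port 80, so the same bytes in a response body, a cookie
#    or an unrelated field also fire, and HTTP on other ports is never seen.
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"RAW content match for evil.example"; \
  flow:established,to_server; content:"evil.example"; nocase; \
  classtype:bad-unknown; sid:1000001; rev:1;)

# 2. Byte-offset matching: pin the match to a fixed position in the payload.
#    Here the request must start with "POST " in its first 5 bytes. This is
#    correct only while the assumed packet layout holds (one request per
#    segment, no pipelining), which is exactly the fragility the post notes.
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"RAW POST method at offset 0"; \
  flow:established,to_server; content:"POST "; offset:0; depth:5; \
  classtype:bad-unknown; sid:1000002; rev:1;)

# 3. Application layer match on the Host header. Protocol "http" engages
#    Suricata's port-agnostic detection, so HTTP on 8080 or 8443 is inspected
#    too. http.host is the sticky-buffer form of the legacy http_host modifier
#    the post names; the buffer is normalized to lowercase, so write the
#    pattern in lowercase rather than adding nocase.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"HTTP Host header evil.example"; \
  flow:established,to_server; http.host; content:"evil.example"; \
  classtype:bad-unknown; sid:1000003; rev:1;)

# 4. Matching on the POST body, as the post mentions. Method and body are
#    separate parsed buffers, so a "password=" string in a GET query string or
#    in a header cannot satisfy this rule; only a parsed request body can.
#    Useful as a detection for credentials submitted over cleartext HTTP.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"HTTP POST body carries password field over cleartext HTTP"; \
  flow:established,to_server; http.method; content:"POST"; \
  http.request_body; content:"password="; nocase; \
  classtype:policy-violation; sid:1000004; rev:1;)
```

Load the file with the rule-files list in suricata.yaml (or via -S for a quick test) and check the startup log for parse errors before relying on any of them.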

There’s a lot more to this post! Read the rest here: What is Suricata? Intro to a Best of Breed Open Source IDS and IPS

About Bricata
Bricata is a cybersecurity solutions provider that combines a powerful network threat hunting platform with a comprehensive threat detection and prevention solution to help determine the true scope and severity of threats. Bricata simplifies network threat hunting by identifying hidden threats through purpose-built hunting workflows that present detailed metadata clearly and ease your transition from known to unknown malicious activity, in conjunction with an advanced threat detection and prevention platform that delivers zero-day malware conviction.
