Suricata: The Snort Replacer (Part 2: Configure & Test)

E

Eric Hansen

Guest
In part 1, we covered what Suricata is, why we are using it, and how to install it to our system. It wasn’t hard, and the following won’t be much worse, either. Now we are going to do some basic configuration of the program and get it working!
Specify Hosts on Network

Suricata analyzes packets differently based on the OS, mostly due to how the OS deals with fragmented packets. So how do we specify what OSes are on the network? By editing the config files, of course! I prefer to use nano but you can use whichever text editor you like.

You’re going to want to edit /etc/suricata/suricata.yaml and look for the line that starts with host-os-policy:, it’ll have a block of code like so:
Code:
# Host specific policies for defragmentation and TCP stream
# reassembly.  The host OS lookup is done using a radix tree, just
# like a routing table so the most specific entry matches.
host-os-policy:
# Make the default policy windows.
windows: [0.0.0.0/0]
bsd: []
bsd-right: []
old-linux: []
linux: [10.0.0.0/8, 192.168.1.100, "8762:2352:6241:7245:E000:0000:0000:0000"]
old-solaris: []
solaris: ["::1"]
hpux10: []
hpux11: []
irix: []
macos: []
vista: []
windows2k3: []

What this block does is tell Suricata what IP address(es) belong to which OS. So in this example by default the OS will be Windows (0.0.0.0/0 matches everything on every subnet) if no IP can be matched elsewhere. Every IP in the 10.0.0.0/8 block, 192.168.1.100 and 8762... (IPv6) is Linux and the loalhost is a Solaris machine. Pretty simple, right? Once you set that up to match your network, we still need to make some changes to this.
Which Machine Is Home?

Just like in Snort, Suricata has a HOME_NET and EXTERNAL_NET, and it resides in the same file as above, but in the vars block, and looks like this:
Code:
  address-groups:
    HOME_NET: "[192.168.1.0/16]"
    EXTERNAL_NET: "!$HOME_NET"

For those who aren’t familiar with this, HOME_NET specifies which machine(s) are on the home network (LAN). This can either just be a single IP or a list of IPs, and should only match the local network’s IP. Personally I like to make things easier on the program so I’ll only specify my LAN’s IP range of 192.168.1.0/16. EXTERNAL_NET specifies which IPs aren’t on the local network, which by default is everything we assume is unknown to our LAN. Shorthand for that is to specify “!$HOME_NET” (“not home network”).
Handle the Servers

After that you’ll see a bunch of *_SERVERS lines that basically lets Suricata know which network handles the server group. If you want to get fancy you can specify different networks similar to HOME_NET and EXTERNAL_NET (i.e.: WEB_NET: “[10.0.1.0/8]”) then specify it for the server group (i.e.: HTTP_SERVERS: “$WEB_NET”), but we’ll keep it simple and assume every server we which to care about is on our LAN ($HOME_NET). If you don’t use a server (i.e.: don’t run a telnet server), you can comment it out by putting a “# “ (including the space) in front of it.

Ports, Ports Everywhere!

Doing great so far, aren’t we? Well now lets specify which ports we know for services to be running on. This is still in the vars group but is now port-groups, which looks like this:
Code:
# Holds the port group vars that would be passed in a Signature.
# These would be retrieved during the Signature port parsing stage.
port-groups:
    HTTP_PORTS: "80"
    SHELLCODE_PORTS: "!80"
    ORACLE_PORTS: 1521
    SSH_PORTS: 22
    DNP3_PORTS: 20000

What is this, exactly? Easy, this specifies which ports run what (this is to help with rules which we’ll get into later). Lets say you have a web server that listens on port 80 and you create a rule for it. Later on, you decide that port 8080 will also be used. Instead of having to edit numerous rules to replace “80” with “80,8080”, you can simply edit this one line (HTTP_PORTS) to look like HTTP_PORTS: “80,8080” and then just use $HTTP_PORTS in your rule. You can specify your own ports here too if you like, or even remove ones you don’t use (most people don’t use Oracle for their home networks, afterall ;) ).

Suricata My Network For A Dollar

Now we get to the fun part, testing it out! You might have to change the HOME_NET to exclude an IP or something to get this to work, but we’ll do a simple ping test (an easier way of doing this in part 3).

For right now though we’ll create our own basic rule that will notify us once alerts are received. To do so, open up your favorite editor again and put this in:
Code:
alert ip any any -> any any (msg:"ICMP detected"; sid:2; rev:1;)
Save it to /etc/suricata/rules/test.rules and close. Now we need to open up suricata.yaml again and look for this block:
Code:
default-rule-path: /etc/suricata/rules
rule-files:
# - botcc.rules
# - ciarmy.rules
# - compromised.rules
# - drop.rules
# - dshield.rules
# - emerging-activex.rules
# - emerging-attack_response.rules
# - emerging-chat.rules
…
Yours won’t have the “#” in front of the dashes, I did that to cut down on loading times (advisable but not mandatory). At the end of that list add “ - test.rules” to that (including the space), save and exit. This will tell Suricata to load our new rule we created above.

Now that we got that done we’ll start up Suricata on eth0 (where it will monitor the packet flow on eth0, change if your adapter is different) and test some incoming pings. What I did to make this easier is in the suricata.yaml file, change “HOME_NET” to the IP of the machine Suricata is installed on only. This way I could send pings from any computer on the network and it’d work. To run, just enter the following command as root:
Code:
suricata -c /etc/suricata/suricata.yaml -i eth0
Don’t do anything until you see a line similar to this:
Code:
24/7/2013 -- 21:37:20 - <Info> - all 2 packet processing threads, 3 management threads initialized, engine started.
That means that Suricata is roaring to go now. From a different machine than the one Suricata is running on send a ping command to it now:
Code:
ping -c 1 suricata.machine
Assuming you’re sending a ping to the IP that is assigned to the adapter Suricata is sniffing on (in this case eth0), you should receive something like this in /var/log/suricata/fast.log:
Code:
07/24/2013-21:38:17.547119  [**] [1:2:1] ICMP detected [**] [Classification: (null)] [Priority: 3] {ICMP} 10.0.3.1:8 -> 10.0.3.10:0
07/24/2013-21:38:17.547173  [**] [1:2:1] ICMP detected [**] [Classification: (null)] [Priority: 3] {ICMP} 10.0.3.10:0 -> 10.0.3.1:0
07/24/2013-21:38:18.546050  [**] [1:2:1] ICMP detected [**] [Classification: (null)] [Priority: 3] {ICMP} 10.0.3.1:8 -> 10.0.3.10:0
07/24/2013-21:38:18.546085  [**] [1:2:1] ICMP detected [**] [Classification: (null)] [Priority: 3] {ICMP} 10.0.3.10:0 -> 10.0.3.1:0
That’s it! Suricata is up and running, and even more so you can make magic happen! In the next part we’ll cover the rules aspect, as that’s a topic all in itself anyways.
 

Attachments

  • slide.jpg
    slide.jpg
    39.3 KB · Views: 179,010


when i run the the command "suricata -c /etc/suricata/suricata.yaml -i eth0" it just shows an error about not such a file or directory for the whole rules. you did not show hoe to install the rules in the first part. botcc.rules, ciarme.rules, drop.rules. dshield.rules. i dont have snort in this computer so. I though I can use Suricata instead of snort in here. I am using Centos 7 tho.
 
when i run the the command "suricata -c /etc/suricata/suricata.yaml -i eth0" it just shows an error about not such a file or directory for the whole rules. you did not show hoe to install the rules in the first part. botcc.rules, ciarme.rules, drop.rules. dshield.rules. i dont have snort in this computer so. I though I can use Suricata instead of snort in here. I am using Centos 7 tho.
When I wrote this I had all the rules in the package. But if you are missing them used Pull Pork (https://code.google.com/p/pulledpork/) to fetch and maintain them.
 
Where should i download the tar file into /etc/suricata/rules ?
? i could not find any rpm for it. just a tar file from snort website
 
Hi Eric - Thanks for the fantastic articles on Suricata! They've helped quite a bit. But wondering... did you write another article about the rules aspect of it (if so, I missed it!)?
I have it up and running and am able to see the ping tests but having troubles locating articles to help tweak it.

Thanks again!
 
Hello.
Thank you so much for guidance.
I changed IP address ranges in "suricata.yaml" and use below command :

suricata -c /etc/suricata/suricata.yaml -i eth0

Is it enough? It can be stop hackers?
 
Suricata by default isn't a IDS/IPS, its just a IDS. So its just going to detect when someone does unwanted on the server. If you enabled the IPS portion of it though then it should be good, but you shouldn't rely on a single point for anything when it comes to IT.
 
Suricata by default isn't a IDS/IPS, its just a IDS. So its just going to detect when someone does unwanted on the server. If you enabled the IPS portion of it though then it should be good, but you shouldn't rely on a single point for anything when it comes to IT.

Thank you. How can I enable IPS portion?
 

Staff online

Members online


Top