0xnhl


Suricata

Created: 1/12/2026 Updated: 1/12/2026

Suricata is an open-source intrusion detection system (IDS), intrusion prevention system (IPS) and network security monitoring tool. It is developed by the Open Information Security Foundation (OISF).

Signature Rules #

Rules, or signatures, describe patterns, behaviour and conditions in network traffic that may indicate malicious activity. The terms rule and signature are used interchangeably in Suricata.

Suricata uses signature analysis, a detection method that matches traffic against these rules to find events of interest. A signature consists of three components: the action, the header and the rule options.

Action:#

  • The first component of a signature. It states what Suricata does when traffic matches the signature: alert, pass, drop or reject.
    • alert: Suricata inspects the traffic and generates an alert when it matches; the traffic itself is not interfered with.
    • drop: also generates an alert, but discards the matching packet. Dropping only happens when Suricata runs inline in IPS mode; in IDS mode a drop rule only alerts.
    • pass: lets the matching traffic through without further inspection. Pass rules can override other rules: with the default action order (pass, drop, reject, alert) a pass rule is evaluated first, so it is the way to make an exception to a drop rule, for example for a trusted scanner host.
    • reject: does not allow the traffic to pass. For TCP traffic a TCP reset (RST) is sent, which tells the endpoints to tear the connection down; for other protocols an ICMP unreachable error is sent. An alert is generated as well, and in IPS mode the matching packet is also dropped.
Header:#

  • The second component. The header carries the network traffic information: protocol, source and destination IP addresses, source and destination ports, and traffic direction.
    • In the example rule these notes follow, the header is http $HOME_NET any -> $EXTERNAL_NET any: protocol http, source $HOME_NET on any port, destination $EXTERNAL_NET on any port. The arrow gives the direction, from $HOME_NET to $EXTERNAL_NET; <> would match both directions.
    • $HOME_NET is a Suricata variable defined under vars: address-groups in /etc/suricata/suricata.yaml. It is a placeholder for your local or home network, used in rule definitions to identify traffic to or from systems within your organisation. $EXTERNAL_NET is defined in the same place and defaults to !$HOME_NET (everything that is not $HOME_NET).

Rule options:#

  • The rule options customise the signature: they narrow down the matched traffic so the rule finds exactly what you are looking for.
    • The options are enclosed in a pair of parentheses after the header, and each option ends with a semicolon. In the example rule these notes follow, the options are:
    • msg:"GET on wire" provides the alert text. The alert will carry the text "GET on wire", which tells the analyst why the alert fired.
    • flow:established,to_server restricts the match to packets of an established session that travel from the client to the server. (The server is the side that answered the initial SYN packet with a SYN-ACK.)
    • http.method selects the HTTP request method buffer, and content:"GET" looks for the string GET in it, so only GET requests match rather than any packet whose payload happens to contain GET.
    • sid:12345 (signature ID) is the numeric identifier of the rule. It must be unique; Suricata reports a duplicate sid as an error when it loads the rule set.
    • rev:3 is the signature's revision number, which tracks the version of the rule. Here the revision is 3; increment it each time you change the rule.

eg:

Access Suricata rules:

    cd /etc/suricata/rules
    less custom.rules
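The three components above, parsed by a small Python script. This is an added example, not code from these notes or from the Suricata project. The custom.rules contents are constructed: the first rule is reconstructed from the "GET on wire" rule described above (the http.method sticky-buffer form is an assumption), and the pass rule is invented to show a quoted ";" inside a content value. The script also applies the duplicate-sid check Suricata performs when loading a rule set.

```python
"""Parse Suricata signatures into action, header and rule options and apply
the loading checks Suricata makes. Added example: the rules below are
constructed, not taken from the page or from the Suricata project."""
import re
from dataclasses import dataclass, field

# Actions a rule may start with (the reject variants included).
ACTIONS = {"alert", "pass", "drop", "reject", "rejectsrc", "rejectdst", "rejectboth"}

# action proto src sport direction dst dport (options)
HEADER_RE = re.compile(
    r"^(?P<action>\S+)\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)

# Constructed custom.rules: the first rule is reconstructed from the "GET on
# wire" rule these notes describe (http.method sticky-buffer form assumed); the
# pass rule is invented and carries a ';' inside content to exercise quoting.
RULES_TEXT = """
# custom.rules (constructed sample)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"GET on wire"; flow:established,to_server; http.method; content:"GET"; sid:12345; rev:3;)
pass http 192.168.1.20 any -> $EXTERNAL_NET any (msg:"scanner exempt"; http.user_agent; content:"corp-scanner/1.0; internal"; sid:12346; rev:1;)
"""


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    src_port: str
    direction: str
    dst: str
    dst_port: str
    options: list = field(default_factory=list)  # [(keyword, value or None)]

    def has(self, keyword):
        return any(k == keyword for k, _ in self.options)

    def get(self, keyword):
        """Value of the first option with this keyword; None if absent or valueless."""
        return next((v for k, v in self.options if k == keyword), None)


def split_options(text):
    """Split on ';' outside double quotes, honouring backslash escapes, so a
    value such as content:"a;b" survives as one option."""
    parts, buf, in_quote, escaped = [], [], False, False
    for ch in text:
        if escaped:
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == '"':
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            parts.append("".join(buf).strip())
            buf = []
            continue
        buf.append(ch)
    if in_quote:
        raise ValueError("unterminated quoted value in rule options")
    parts.append("".join(buf).strip())
    return [p for p in parts if p]


def parse_rule(line):
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a rule: {line!r}")
    if m["action"] not in ACTIONS:
        raise ValueError(f"unknown action {m['action']!r}")
    options = []
    for opt in split_options(m["opts"]):
        key, sep, value = opt.partition(":")
        value = value.strip() if sep else None  # sticky buffers (http.method) carry no value
        if value and len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]  # drop the surrounding quotes of msg/content values
        options.append((key.strip(), value))
    rule = Rule(m["action"], m["proto"], m["src"], m["sport"], m["dir"],
                m["dst"], m["dport"], options)
    if not (rule.get("sid") or "").isdigit():
        raise ValueError(f"rule lacks a numeric sid: {line!r}")
    return rule


def load_rules(text):
    """Parse a rules file, skipping blanks and comments. A duplicate sid is an
    error here, as it is when Suricata loads a rule set."""
    rules = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        rule = parse_rule(line)
        sid = int(rule.get("sid"))
        if sid in rules:
            raise ValueError(f"line {lineno}: duplicate sid {sid}")
        rules[sid] = rule
    return rules
```

load_rules(RULES_TEXT) returns the two rules keyed by sid; the pass rule's content value comes back intact with its embedded semicolon, and appending a third rule that reuses sid 12345 makes the loader raise, which is the same failure Suricata reports on start-up.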

Suricata's main configuration file is suricata.yaml (by default /etc/suricata/suricata.yaml). It is written in YAML, and it is where variables such as $HOME_NET, the rule files to load and the log outputs are set.

Suricata log files#

Suricata writes two log files that record alerts, both in /var/log/suricata:

  • eve.json: the Extensible Event Format (EVE) log, Suricata's main output. It records alerts together with protocol and flow metadata (http, dns, tls, flow, fileinfo and other event types) as one JSON object per line. Every event carries a flow_id, so an alert can be joined to the http or flow records of the same connection, which makes analysing the traffic around an alert much easier. Because it is structured, eve.json is the file to use for detailed analysis, log parsing and SIEM ingestion.
    • eve.json is written while Suricata runs and is found in the /var/log/suricata directory.
  • fast.log: one line per alert with the timestamp, signature id, message, priority, protocol, and the IP addresses and ports involved. It is a lightweight, human-readable format for basic logging and alerting, older than EVE, and it lacks the context needed for incident response or threat hunting.
    • fast.log is also found in the /var/log/suricata directory after Suricata runs.

The main difference between the two is the level of detail: fast.log records one summary line per alert, whereas eve.json carries the full event with its metadata.

When you create a new rule, test it to confirm it behaves as expected. fast.log is a convenient way to compare the number of alerts each time you run Suricata with the signature against the sample.pcap file, for example by counting the lines that carry the rule's sid.

Usage#

    sudo suricata -r sample.pcap -S custom.rules -k none

  • -r sample.pcap reads packets from a pcap file instead of a live interface, so the rules are tested offline against the recorded traffic in sample.pcap.
  • -S custom.rules loads only the rules in custom.rules, ignoring the rule-files listed in suricata.yaml (lowercase -s would load custom.rules in addition to them). Running Suricata with -T first checks that the configuration and the rule file load without errors before any packets are processed.
  • -k none disables checksum verification. Pcaps captured on a host that offloads checksums to the NIC often contain bad checksums; without this option Suricata would flag those packets as invalid and the stream engine would ignore them, so the rule would never match.
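Counting alerts in fast.log and joining eve.json records on flow_id, as the log-file section and the testing step above describe. This is an added example, not code from these notes or from the Suricata project; both log samples are constructed to resemble the output of the run above (the signature ids, hosts, timestamps and flow_id values are assumed). The last function cross-checks the two outputs, since every alert Suricata raises appears in both.

```python
"""Summarise Suricata alerts from fast.log and eve.json and correlate events
by flow_id. Added example; both log samples are constructed, not real output."""
import json
import re
from collections import Counter

# fast.log: one line per alert. IPv4 only here; ICMP lines carry no ports.
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?::(?P<dport>\d+))?\s*$"
)

# Constructed fast.log: two "GET on wire" hits on separate flows, one ICMP alert.
FAST_LOG = """\
01/12/2026-10:15:32.123456  [**] [1:12345:3] GET on wire [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.1.10:51234 -> 93.184.216.34:80
01/12/2026-10:15:40.000001  [**] [1:12345:3] GET on wire [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.1.11:49152 -> 93.184.216.34:80
01/12/2026-10:16:02.500000  [**] [1:1000001:1] ICMP echo request [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.10 -> 8.8.8.8
"""

# Constructed eve.json for the same run: three alert events plus the http and
# flow records that share flow_id 1234567890123456 with the first alert.
EVE_JSON = "\n".join([
    '{"timestamp":"2026-01-12T10:15:32.123456+0000","flow_id":1234567890123456,"event_type":"alert","src_ip":"192.168.1.10","src_port":51234,"dest_ip":"93.184.216.34","dest_port":80,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":12345,"rev":3,"signature":"GET on wire","category":"","severity":3}}',
    '{"timestamp":"2026-01-12T10:15:32.130000+0000","flow_id":1234567890123456,"event_type":"http","src_ip":"192.168.1.10","src_port":51234,"dest_ip":"93.184.216.34","dest_port":80,"proto":"TCP","http":{"hostname":"example.com","url":"/","http_method":"GET","status":200}}',
    '{"timestamp":"2026-01-12T10:15:40.000001+0000","flow_id":2234567890123456,"event_type":"alert","src_ip":"192.168.1.11","src_port":49152,"dest_ip":"93.184.216.34","dest_port":80,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":12345,"rev":3,"signature":"GET on wire","category":"","severity":3}}',
    '{"timestamp":"2026-01-12T10:16:02.500000+0000","flow_id":3234567890123456,"event_type":"alert","src_ip":"192.168.1.10","dest_ip":"8.8.8.8","proto":"ICMP","icmp_type":8,"icmp_code":0,"alert":{"action":"allowed","gid":1,"signature_id":1000001,"rev":1,"signature":"ICMP echo request","category":"Misc activity","severity":3}}',
    '{"timestamp":"2026-01-12T10:16:05.000000+0000","flow_id":1234567890123456,"event_type":"flow","src_ip":"192.168.1.10","src_port":51234,"dest_ip":"93.184.216.34","dest_port":80,"proto":"TCP","flow":{"pkts_toserver":6,"pkts_toclient":5,"bytes_toserver":812,"bytes_toclient":1640,"state":"closed"}}',
])


def parse_fast_line(line):
    """Fields of one fast.log line as a dict, or None if the line is not an alert."""
    m = FAST_RE.match(line)
    return m.groupdict() if m else None


def count_fast_alerts(text):
    """Alert count per (sid, rev): the quick check used when testing a new rule."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_fast_line(line)
        if rec:
            counts[(int(rec["sid"]), int(rec["rev"]))] += 1
    return counts


def load_eve(text):
    """One JSON object per line; a malformed line is skipped, not fatal."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def count_eve_alerts(events):
    """Same (sid, rev) counter as count_fast_alerts, from eve alert events only."""
    return Counter((e["alert"]["signature_id"], e["alert"]["rev"])
                   for e in events if e.get("event_type") == "alert")


def events_for_flow(events, flow_id):
    """Everything Suricata logged for one flow: alert, protocol and flow records."""
    return [e for e in events if e.get("flow_id") == flow_id]


def compare_counts(fast_text, eve_text):
    """Both outputs log every alert, so per-signature counts should agree;
    returns {(sid, rev): (fast_count, eve_count)} for any that do not."""
    fast = count_fast_alerts(fast_text)
    eve = count_eve_alerts(load_eve(eve_text))
    return {k: (fast[k], eve[k]) for k in set(fast) | set(eve) if fast[k] != eve[k]}
```

count_fast_alerts(FAST_LOG) gives two hits for sid 12345 rev 3 and one for the ICMP rule; events_for_flow on the first alert's flow_id returns the alert, the http record that shows the GET to example.com, and the closing flow record, which is the context fast.log cannot give. compare_counts returns an empty dict when the two outputs agree and names the signature when they drift, for instance when eve.json was truncated or one output was disabled in suricata.yaml.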

Resources#