Suricata IPS

It has been a long time since my first installation of Snort-inline, my favourite intrusion prevention system (IPS for friends). Unfortunately the project was abandoned because its main developers started a new project, writing a new IPS from scratch: Suricata. Snort is probably the most famous intrusion detection system (IDS), but the ability to block attacks by resetting or dropping network connections, which turns an IDS into an IPS, has always been missing, hard to achieve, or done as a workaround.
Suricata is an ambitious project developed by the Open Information Security Foundation (OISF), a non-profit foundation organized to build, in their words, a next generation IDS/IPS engine. The engine supports multi-threading, automatic protocol detection (IP, TCP, UDP, ICMP, HTTP, TLS, FTP and SMB), gzip decompression, fast IP matching and hardware acceleration on CUDA and OpenCL GPU cards.
In inline mode Suricata accepts packets from iptables (via the NFQUEUE target), the stateful firewall integrated in Linux. Like Snort, it relies on rules that inspect packet content to detect a wide variety of attacks. It is fully compatible with Snort rules, so switching is really simple.
I have been using it for a while and I have to say I'm impressed by the good job done. If you use Debian squeeze 64-bit and want to try it, don't waste time on dated versions: pick up version 1.3.3 from my stuff page. You'll need an updated version of the HTP library too to get full functionality. HTP is an HTTP normalizer and parser written by Ivan Ristic of ModSecurity for the OISF; it integrates with Suricata and provides advanced processing of HTTP streams.
Suricata comes with no rules, so you have to subscribe (for free) to download the registered-user release of the VRT Snort rules. These rules are a month behind the subscriber release, which is of course a paid service.
Updating the rules, changing their action from alert to drop and disabling some of them can be automated with Oinkmaster.
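The inline hook-up from the NFQUEUE paragraph above and the alert-to-drop and disable steps the post delegates to Oinkmaster, as an added shell example (not code from the post, Suricata or Oinkmaster). The rule file paths and the SID 2000003 are placeholders chosen for illustration; the iptables and suricata options are the real ones.

```shell
#!/bin/sh
# Added example, not code from the post, Suricata or Oinkmaster: the rule
# preparation the post delegates to Oinkmaster, done in plain shell so the
# effect of each step is visible, plus the NFQUEUE hook-up for inline mode.

# Turn "alert" rules into "drop" rules so Suricata, fed by NFQUEUE, blocks
# instead of only logging. Only the action keyword at the start of an
# active rule is changed; commented-out rules and the word "alert" inside
# a rule body (e.g. in msg:"...") are left alone. Reads stdin, writes stdout.
alert_to_drop() {
    sed -E 's/^[[:space:]]*alert[[:space:]]+/drop /'
}

# Disable selected rules by SID (the effect of Oinkmaster's disablesid):
# matching rules are commented out rather than deleted, so the change is
# visible after the next rule update. Usage: disable_sids 2000003 < in > out
disable_sids() {
    awk -v sids="$*" '
        BEGIN { n = split(sids, list, " "); for (i = 1; i <= n; i++) want[list[i]] = 1 }
        /^[ \t]*(alert|drop|pass|reject)[ \t]/ {
            if (match($0, /sid:[ \t]*[0-9]+/)) {
                sid = substr($0, RSTART + 4, RLENGTH - 4)
                gsub(/[ \t]/, "", sid)
                if (sid in want) { print "# " $0; next }
            }
        }
        { print }
    '
}

# Hand forwarded traffic to NFQUEUE queue 0 and start Suricata on that
# queue (-q). File paths and the SID are placeholders for this example;
# run as root:  sh suricata-inline.sh apply
inline_setup() {
    alert_to_drop < /etc/suricata/rules/snort.rules | disable_sids 2000003 \
        > /etc/suricata/rules/local-drop.rules
    iptables -I FORWARD -j NFQUEUE --queue-num 0
    suricata -c /etc/suricata/suricata.yaml -q 0 -D
}

if [ "${1:-}" = "apply" ]; then
    inline_setup
fi
```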
In a production environment you will probably need a graphical interface to deal with the alerts: there's no way you can handle false positives by looking through a log file! One simple and practical interface is BASE (packaged as AcidBase in Debian), a web front-end written in PHP to query and analyze the alerts coming from an IDS/IPS. It uses MySQL or PostgreSQL as its database backend.
Writing alerts from Suricata directly to a database is considered a bad idea unless your network is really small. Another tool can help by picking up Suricata's unified2 output, formatting it and sending it to the database.
This tool is Barnyard2, originally developed as an output parser for Snort. You can use it with both Snort and Suricata by configuring them to write the unified2 binary output format. Barnyard2 reads this file and resends the data to a database backend. Unlike the database output plug-in used in Snort or Suricata, Barnyard2 notices when sending alerts to the database fails and stops sending them; it also notices when the database accepts connections again and resumes sending. So Barnyard2 lets the IDS/IPS write to disk efficiently, leaving the parsing of binary data to a separate process that will not cause the IDS/IPS to miss network traffic. You can use the latest version, 2-1.10, for Debian stable from my stuff page.
Comments are always welcome!


This entry was posted on Wednesday, November 14th, 2012 at 1:49 PM and is filed under security, software, stuff.
