Suricata Intrusion Detection: Part Four

Suricata

Configuring app parser settings in Suricata.

In the previous articles on Suricata, we covered installation, configuring global settings and pass lists, and began looking at setting up an interface. In this article, we will continue setting up our first Suricata interface. In this example, we are configuring the WAN interface.

Configuring App Parsing

The next tab after “WAN Flow/Stream” is “WAN App Parsers“. This tab deals with parsers that operate on the application layer of the TCP/P model, the layer that specifies certain protocols that cover major aspects of functionality such as FTP, SMTP, and others.

The first setting is “Asn1 (Abstract Syntax One) Max Frames“. Abstract Syntax one is a standard and notation that describes rules and structures for representing, encoding, transmitting, and decoding data in telecommunications and computer networking. Application later protocols such as X.400 e-mail, X.500 and LDAP directory services, H.323 (for VoIP) and SNMP use ASN.1 to describe the protocol data units they exchange. “Asn Max Frames” sets a limit for the maximum number of ASN.1 frames to decode (the default is 256).

The next heading is “DNS App-Layer Parser Settings“. Here, you can set parameters relevant to DNS, UDP and TCP parsing. “Global Memcap” and “Flow/State Memcap” set the global memcap and flow/state memcap limits respectively. The default global memcap is 16 MB and the flow/state memcap is 512 KB. The “Request Flood Limit” determines how many unreplied DNS requests are considered a flood; if this limit is reached, an alert is set. The default is 500. Finally, “UDP Parser” and “TCP Parser” enables UDP detection and parsing and TCP detection and parsing. The default for both settings is “yes“.


Below that is “HTTP App-Layer Parser Settings“. “Memcap” sets the memcap limit for the HTTP parser; the default is 64 MB. The “HTTP Parser” dropdown box allows you to enable or disable detection and parsing; there is also a third setting, “detection-only“, which enables detection but disables the parser. The final setting in this section is “Server Configurations“. Pressing the “plus” button allows you to add a new HTTP server policy configuration. You can set the “Engine Name“, as well an alias for the IP list to which the engine will be bound (you can specify “all” to bind the engine to all HTTP servers). The “Target Web Server Personality” allows you to choose the web server personality appropriate for the protected hosts. The default value is “IDS“, but you can set it for Apache 2 and different versions of Microsoft’s Internet Information Services. Below that are parameters for the request body limit and the response body limit, specifying the maximum number of HTTP request body and response body bytes to inspect, respectively. The default in each case is 4096 bytes. Setting either parameter to 0 causes Suricata to inspect the entire client-body or server-body. Finally, there are “Decode Settings“, which if set, will allow Suricata to decode the path and query. Checking the “URI Include-All” check box will include username, password, hostname and port in the normalized URI. Press “Save” at the bottom of the page to save settings for the server configuration or “Cancel” to cancel.

The last heading is “Other App-Layer Parser Settings“. Here, you can set detection and parsing options for several application-layer protocols such as TLS and SMTP. Each protocol has the option of [1] enabling detection and parsing; [2] disabling both detection and parsing, or [3] enabling detection but disabling parsing (“detection-only”). You can press “Save” to save your settings before you exit or “Reset“. Pressing sabe will rebuild the rules file, which may take several seconds. Suricata must also be restarted to activate any changes made.

Finally, the “Variables” tab allows you to set variables which can be used in rules. This prevents you from having to set IP addresses rule by rule. For example, after HOME_NET you can enter your home-IP address. Press “Save” at the bottom when you are done setting these variables.

That covers interface setup. Now that we have at least one interface configured, we can look at the logs. We will cover log settings in the next article.


External Links:

The official Suricata web site

Suricata Intrusion Detection System: Part One

Suricata

The global settings tab in Suricata.

Suricata is an open source-based intrusion detection system (IDS). There are several advantages to running Suricata. [1] It is multi-threaded, so you can run one instance and it will balance the load processing across every processor. [2] The most common protocols are automatically recognized by Suricata as the stream starts, allowing rule writers to write a rule to the protocol, not to the port expected. [3] Suricata can identify thousands of file types on your network, and you can tag files for extraction so the file will be written to disk with a metadata file describing the capture situation and flow. Another advantage of Suricata is that it is compatible with Snort rules, so while it is an alternative to Snort, you can still use Snort updates. Suricata has been available as a pfSense package since March 2014; you must be running pfSense 2.1 or later to install the Suricata pfSense package.

Suricata Installation and Configuration

Suricata can easily be downloaded, compiled and installed under FreeBSD (the underlying OS for pfSense). The installation instructions can be found at the official Suricata website for FreeBSD 8 and later. Fortunately, if you are running pfSense 2.1 or later, you can just install Suricata from the package menu and configure it from the GUI. In this case, just navigate to System -> Packages, scroll down to Suricata in the package listing, and press the “plus” button on the right side of the row. On the next screen, press “Confirm” to confirm installation. It will take several minutes for the package installer to download, install and configure Suricata.


Once the package installer is done, there will be a new option on the “Services” menu called “Suricata”. You can now navigate to Services -> Suricata and begin configuration. The first step is to configure global settings, which you can do by clicking on the “Global Settings” tab. The first part of the page configures which rules you want to download. The first setting is “Install Emerging Threats rules“, which allows you to install ETOpen and ETPro. ETOpen is an open source set of Snort rules, while ETPro for Snort offers daily updates and extensive coverage of current malware threats. ETPro offers more extensive coverage of threats, but costs $500 a year. The “Install Snort VRT rules” check box allows you to install either Snort VRT free registered user or paid subscriber rules. The next option is “Install Snort Community rules“. Checking this check box will install the Snort Community Ruleset – a GPLv2 VRT-certified ruleset that is distributed free of charge without any VRT License restrictions. [If you are a Snort VRT paid subscriber, the community ruleset is already built into the Snort VRT rules, so you don’t need to install this.]

Next is the “Rules Update Settings” section. In the “Update Interval” dropdown box, you can select the interval for rule updates. Choosing NEVER disables auto-updates. The options range from 6 hours to 28 days, as well as never for no updates. Below that is the “Update Start Time” edit box, where you can enter the rule update start time in 24-hour format (the default is 00:30). Finally, the “Live Rule Swap on Update” check box, if checked, enables a “live swap” reload of the rules after downloading an update instead of a hard restart. [If you encounter problems with live reloads, you should probably uncheck this option.]

The final section on the “Global Settings” tab is “General Settings“. The “Remove Blocked Hosts Interval” dropdown box allows you to select the amount of time you would like hosts to be blocked (values run from 15 minutes to 28 days; never is also an option). The “Log to System Log” check box enables copying of Suricata mesages to the firewall system log. The “Keep Suricata Settings After Disinstall” checkbox, if checked will not remove any changed settings during package deinstallation. Press the “Save” button at the bottom of the page to save settings.

In the next article, we will continue our look at Suricata settings.


External Links:

The official Suricata web site

Intrusion Detection Systems: An Introduction

intrusion detection systemAn intrusion detection system (IDS) is the high-tech equivalent of a burglar alarm. It is a device or software application that is configured to monitor information gateways, hostile activities, and known intruders, and produces reports to a management station. An IDS is a specialized tool that knows how to parse and interpret network traffic and/or host activities. This data can range from network packet analysis to the contents of log files from routers, firewalls, and servers, local system logs and access calls, network flow data, and more. Furthermore, an IDS often stores a database of known attack signatures and can compare patterns of activity, traffic, or behavior it sees in the data it’s monitoring against those signatures to recognize when a close match between a signature and current or recent behavior occurs. At that point, the IDS can issue alarms or alerts, take various kinds of automated actions ranging from shutting down Internet links or specific servers to launching back-traces, and make other active attempts to identify attackers and collect evidence of their nefarious activities.

By analogy, an IDS does for a network what an antivirus software package does for files that enter a computer system: it inspects the contents of network traffic to look for and deflect possible attacks just as an antivirus software package inspects the contents of incoming files, e-mail attachments, active Web content, and so forth to look for virus signatures or for possible malicious actions.


Intrusion detection means detecting unauthorized use of or attacks upon a system or network. An IDS is designed and used to detect such attacks or unauthorized use of systems, networks, and related resources, and then in many cases to deflect or deter them if possible. Like firewalls, IDSes can be software-based or can combine hardware and software in the form of pre-installed and preconfigured stand-alone IDS devices. IDS software may run on the same device or server where the firewall or other services are installed will monitor those devices with particular closeness and care. Although such devices tend to be deployed at network peripheries, IDSes can detect and deal with insider attacks as well as external attacks, and are often very useful in detecting violations of corporate security policy and other internal threats.

Types of Intrusion Detection Systems

There are several types of IDSes. It is possible to distinguish IDSes by the kinds of activities, traffic, transactions, or systems they monitor. IDSes that monitor network links and backbones looking for attack signatures are called network-based IDSes, whereas those that operate on hosts and defend and monitor the operating and file systems for signs of intrusion are called host-based IDSes. Groups of IDSes functioning as remote sensors and reporting to a central management station are know as distributed IDSes (DIDSes). A gateway IDS is a network IDS deployed at the gateway between your network and another network, monioriting the traffic passing in and out of your network at the transit point. IDSes that focus on understanding and parsing application-specific traffic with regard to the flow of application logic well as the underlying protocols are often called application IDSes.

Most commercial environments use a combination of network, host and/or application-based IDSes to observe what is happening on their networks while also monitoring key hosts and applications more closely. In addition, some IDSes use signature detection, using a database of traffic or activity patterns known as attack signatures. Another approach is called anomaly detection, whereby rules or predefined concepts about normal and abnormal system activity, called heuristics, to distinguish anomalies from normal system behavior and to monitor, report or block anomalies as they occur.


To summarize, intrusion detection systems have many different characteristics:

  • They can be software-based, or a combination of software and hardware.
  • They can be network-based, host-based, or distributed
  • The primary job of the intrusion detection system is to detect attacks and inform the administrator, not to block attacks; however, many intrusion detection systems will go a step further and take measures to block attacks.

External Links:

Intrusion detection system on Wikipedia

© 2013 David Zientara. All rights reserved. Privacy Policy