Suricata Intrusion Detection System: Part Three


Interface settings in Suricata.

In the previous article, we covered some additional Suricata configuration details, including downloading rules and setting up your first Suricata interface. In this article, we will continue to configure that interface.

Since we already covered the “WAN Settings” tab, we’ll move on to the “WAN Categories” tab. The first heading covers automatic flowbit resolution. Flowbits are a powerful tool that was first implemented in Snort. Often you need to look at more than one packet to know whether an event is occurring, and flowbits give you a way to do this: one rule sets a flag on the flow, and another rule can check that flag before deciding what to do. In other words, if condition 1 is met, we set a flag; if the flag is set and condition 2 is later met on the same flow, we take further action (for example, generate an alert).

The first option is the “Resolve Flowbits” check box. If this is checked, the package will examine the enabled rules in your chosen rule categories for flowbits that are checked (for example with flowbits:isset). Any other rules that set those flowbits will be automatically enabled (even if they were not otherwise enabled) and added to the rules files in the interface rules directory, so that the checking rules are actually able to fire. Setter rules in the ET rulesets usually carry flowbits:noalert, so they add no alerts of their own, but they are still extra rules the engine has to evaluate. By pressing the “View” button, you can view the auto-enabled rules required to satisfy the flowbit dependencies.
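To make the two ideas above concrete (a two-stage detection built on flowbits, and what “resolving” flowbits has to do), here is a small Python script added for this article; it is not code from the pfSense Suricata package or from the Suricata project. The rules, SIDs and flowbit names are constructed for the illustration. The resolver treats flowbits:set and flowbits:toggle as setters and flowbits:isset and flowbits:isnotset as checks (that pairing is this example's choice), follows dependencies transitively, and reports any flowbit that is checked but never set, which is a rule that can never fire.

```python
import re

# Constructed example rules (not from any real ruleset). SIDs and flowbit
# names are made up for this illustration.
RULES = """\
# Stage one: only sets a flowbit; flowbits:noalert means it never alerts itself.
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"EXAMPLE request for suspicious path"; flow:established,to_server; content:"GET /dl.php"; flowbits:set,ex.request; flowbits:noalert; sid:1000001; rev:1;)
# Stage two: alerts only if stage one already matched on this flow.
alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"EXAMPLE suspicious path returned an executable"; flow:established,to_client; content:"MZ"; flowbits:isset,ex.request; sid:1000002; rev:1;)
# A setter that itself depends on another flowbit (transitive dependency).
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"EXAMPLE SMTP after executable"; flow:established,to_server; flowbits:isset,ex.request; flowbits:set,ex.smtp; flowbits:noalert; sid:1000003; rev:1;)
alert tcp $EXTERNAL_NET 25 -> $HOME_NET any (msg:"EXAMPLE SMTP stage two"; flow:established,to_client; flowbits:isset,ex.smtp; sid:1000004; rev:1;)
# Checks a bit that no rule in this file sets: this rule can never fire.
alert tcp any any -> any any (msg:"EXAMPLE orphan check"; flowbits:isset,ex.orphan; sid:1000005; rev:1;)
"""

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
FLOWBITS_RE = re.compile(r"flowbits\s*:\s*(\w+)\s*(?:,\s*([^;]+))?\s*;")

SETTERS = {"set", "toggle"}
CHECKS = {"isset", "isnotset"}


def parse_rules(text):
    """Return {sid: {"text", "sets", "checks"}} for every active rule line."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = SID_RE.search(line)
        if not m:
            continue
        sets, checks = set(), set()
        for action, names in FLOWBITS_RE.findall(line):
            # isset/isnotset may combine bits with | or &; each named bit is a dependency.
            bits = {b.strip() for b in re.split(r"[|&]", names) if b.strip()}
            if action in SETTERS:
                sets |= bits
            elif action in CHECKS:
                checks |= bits
        rules[int(m.group(1))] = {"text": line, "sets": sets, "checks": checks}
    return rules


def resolve_flowbits(rules, enabled):
    """Return (auto_enabled_sids, unresolved_bits).

    auto_enabled_sids: rules not in `enabled` that must be switched on so every
    flowbit checked by an enabled rule has at least one enabled setter. Setters
    are followed transitively, since a setter may check other bits itself.
    unresolved_bits: bits checked by an active rule that no rule sets at all.
    """
    setters = {}
    for sid, rule in rules.items():
        for bit in rule["sets"]:
            setters.setdefault(bit, set()).add(sid)
    active = set(enabled)
    auto, unresolved = set(), set()
    queue = list(enabled)
    while queue:
        sid = queue.pop()
        for bit in rules[sid]["checks"]:
            deps = setters.get(bit)
            if not deps:
                unresolved.add(bit)
                continue
            for dep in deps:
                if dep not in active:
                    active.add(dep)
                    auto.add(dep)
                    queue.append(dep)
    return auto, unresolved


if __name__ == "__main__":
    rules = parse_rules(RULES)
    auto, orphans = resolve_flowbits(rules, {1000004})
    print("auto-enabled:", sorted(auto))      # stage two of SMTP pulls in 1000003, then 1000001
    print("never satisfiable:", sorted(orphans))
```

Enabling only SID 1000004 pulls in 1000003 (it sets ex.smtp) and then 1000001 (1000003 checks ex.request), which is exactly the kind of chain the “View” button lists; enabling 1000005 produces no auto-enabled rules but flags ex.orphan as a bit nothing sets.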

The next heading is “Selecting the rulesets Suricata will load at startup”. Here you can select individual rulesets from the rules you have already downloaded. For example, the ET Open Rules have individual rulesets covering ActiveX, DNS attacks, denial of service (DoS) attacks, and other threats. There are check boxes next to each individual ruleset, and at the top there are buttons to “Select All”, “Unselect All” and “Save” (to save changes and auto-resolve flowbit rules). There is also a “Save” button at the bottom of the page.


Enabling and Disabling Rules

The next tab is “WAN Rules”. Here you work at a more granular level: you can view, enable and disable individual rules, as well as enable and disable all rules in an individual category. At the top of the page, there is an “Available Rule Categories” dropdown box that allows you to select the rule category to view. Next to each individual rule, there is a red check mark on the left side of the row; you can click on this to enable or disable the rule. At the top of the list, there are buttons to disable and enable all rules in the current category, as well as buttons to remove all enable/disable changes in the current category or in all categories. There is also an option to view the full file contents for the current category. Finally, above the list of rules is an “Apply” button to apply any changes made.

The next tab is “WAN Flow/Stream”. The first heading is “Host-Specific Defrag and Stream Settings”. Here, you can set different defrag and stream settings for different hosts. By pressing the “plus” button on the right side, you can add new settings; you can also press the “edit” button (the lowercase e) to edit existing settings. The “Policy Name” and “Bind-To IP Address” alias can be edited for everything except the default engine (the “Bind-To IP Address” alias defines the IP list this configuration applies to). The “Target Policy” dropdown box allows you to choose an OS target policy appropriate for the protected hosts. This matters because operating systems differ in how they reassemble overlapping TCP segments and IP fragments; if Suricata reassembles traffic under a policy that does not match the real host, an attacker can craft overlapping data that the IDS sees one way and the target another, and the rules never match what the host actually receives. The default is BSD, but there are many choices, including IRIX, Linux, MacOS, and variants of Windows. The “Save” button at the bottom allows you to save a configuration, while the “Cancel” button discards the changes.

The next section deals with IP fragmentation. The Internet Protocol (IP) fragments a datagram into smaller pieces so that it can pass through a link whose maximum transmission unit (MTU) is smaller than the original datagram. Suricata has to reassemble those fragments before rules can be matched against the complete datagram, and these settings control that defragmentation, such as the maximum memory to be used for fragment tracking and the maximum number of fragments. Below this are the “Flow Manager” settings, which control parameters for the flow engine. “Flow Timeout Settings” covers timeouts for TCP, UDP and ICMP flows. Finally, “Stream Engine Settings” covers parameters for the stream engine, such as the maximum memory to be used by the stream engine and the maximum number of concurrent stream engine sessions.
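The Flow/Stream tab is a front end for sections of suricata.yaml, and it helps to see what the GUI's host policies, defrag, flow and stream values look like once written out. The script below is an added example for this article, not code from the pfSense package or from Suricata. The policy names it accepts are the ones suricata.yaml lists under host-os-policy; the key names (defrag, flow, flow-timeouts, stream) are the engine's. Two points are this example's own assumptions: the GUI entries are modelled as simple tuples and a plain dictionary, and an entry with an empty IP list stands for the default engine, which is rendered as 0.0.0.0/0 (Suricata picks the most specific matching policy for a host, so the specific lists take precedence). The stream max-sessions key belongs to the Suricata releases of this article's era and has since been removed from the engine.

```python
import re

# Target policies accepted under host-os-policy in suricata.yaml.
OS_POLICIES = {"bsd", "bsd-right", "old-linux", "linux", "old-solaris", "solaris",
               "hpux10", "hpux11", "irix", "macos", "vista", "windows", "windows2k3"}

# Memcap-style values: a number, optionally followed by kb/mb/gb.
MEMCAP_RE = re.compile(r"^\d+\s*(kb|mb|gb)?$", re.IGNORECASE)

# Constructed GUI input (assumption: tuples of policy name, target OS, IP list).
# The default engine has no IP list and binds to everything.
HOSTS = [
    ("default", "bsd", []),
    ("winclients", "windows", ["192.168.1.0/24"]),
    ("winservers", "windows", ["192.168.2.0/24"]),
    ("linuxdmz", "linux", ["10.0.10.0/24"]),
]

# Constructed Flow/Stream tab values (assumption: one flat dictionary).
GUI = {
    "defrag_memcap": "32mb", "max_frags": 65535,
    "flow_memcap": "128mb", "flow_hash_size": 65536,
    "tcp_new": 60, "tcp_established": 3600, "tcp_closed": 120,
    "udp_new": 30, "udp_established": 300,
    "icmp_new": 30, "icmp_established": 300,
    "stream_memcap": "64mb", "stream_max_sessions": 262144,
    "reassembly_memcap": "256mb", "reassembly_depth": "1mb",
}


def memcap(value):
    """Reject values the engine would not parse as a memory cap."""
    if not MEMCAP_RE.match(str(value)):
        raise ValueError(f"bad memcap {value!r}")
    return value


def host_os_policy(entries):
    """Map GUI host entries to {target_os: [cidr, ...]}.

    Entries that share a target OS are merged, because suricata.yaml keys the
    section by policy, not by the GUI's policy name. Unknown targets are refused.
    """
    section = {}
    for name, target, cidrs in entries:
        if target not in OS_POLICIES:
            raise ValueError(f"{name}: unknown target policy {target!r}")
        section.setdefault(target, []).extend(cidrs or ["0.0.0.0/0"])
    return section


def engine_settings(gui):
    """Translate the defrag, flow manager, flow timeout and stream values."""
    return {
        "defrag": {"memcap": memcap(gui["defrag_memcap"]),
                   "max-frags": gui["max_frags"]},
        "flow": {"memcap": memcap(gui["flow_memcap"]),
                 "hash-size": gui["flow_hash_size"]},
        "flow-timeouts": {
            "tcp": {"new": gui["tcp_new"], "established": gui["tcp_established"],
                    "closed": gui["tcp_closed"]},
            "udp": {"new": gui["udp_new"], "established": gui["udp_established"]},
            "icmp": {"new": gui["icmp_new"], "established": gui["icmp_established"]},
        },
        "stream": {"memcap": memcap(gui["stream_memcap"]),
                   "max-sessions": gui["stream_max_sessions"],
                   "reassembly": {"memcap": memcap(gui["reassembly_memcap"]),
                                  "depth": memcap(gui["reassembly_depth"])}},
    }


def to_yaml(obj, indent=0):
    """Minimal YAML renderer for nested dicts, lists of scalars and scalars."""
    pad = "  " * indent
    lines = []
    for key, value in obj.items():
        if isinstance(value, dict):
            lines.append(f"{pad}{key}:")
            lines.extend(to_yaml(value, indent + 1))
        elif isinstance(value, list):
            lines.append(f"{pad}{key}: [{', '.join(str(v) for v in value)}]")
        else:
            lines.append(f"{pad}{key}: {value}")
    return lines


def render(entries, gui):
    """Return the yaml fragment for the whole Flow/Stream tab."""
    doc = {"host-os-policy": host_os_policy(entries)}
    doc.update(engine_settings(gui))
    return "\n".join(to_yaml(doc))


if __name__ == "__main__":
    print(render(HOSTS, GUI))
```

The rendered host-os-policy section ends up as `bsd: [0.0.0.0/0]` plus one merged list per operating system, which is what decides how overlapping segments for each address range are reassembled; the validation in `memcap` and `host_os_policy` catches the two mistakes that otherwise only show up as Suricata refusing to start.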

In the next article, we will continue our look at Suricata interface settings.


External Links:

The official Suricata web site

© 2013 David Zientara. All rights reserved.