Suricata Intrusion Detection System: Part One

Suricata

The global settings tab in Suricata.

Suricata is an open source-based intrusion detection system (IDS). There are several advantages to running Suricata. [1] It is multi-threaded, so you can run one instance and it will balance the load processing across every processor. [2] The most common protocols are automatically recognized by Suricata as the stream starts, allowing rule writers to write a rule to the protocol, not to the port expected. [3] Suricata can identify thousands of file types on your network, and you can tag files for extraction so the file will be written to disk with a metadata file describing the capture situation and flow. Another advantage of Suricata is that it is compatible with Snort rules, so while it is an alternative to Snort, you can still use Snort updates. Suricata has been available as a pfSense package since March 2014; you must be running pfSense 2.1 or later to install the Suricata pfSense package.

Suricata Installation and Configuration

Suricata can easily be downloaded, compiled and installed under FreeBSD (the underlying OS for pfSense). The installation instructions can be found at the official Suricata website for FreeBSD 8 and later. Fortunately, if you are running pfSense 2.1 or later, you can just install Suricata from the package menu and configure it from the GUI. In this case, just navigate to System -> Packages, scroll down to Suricata in the package listing, and press the “plus” button on the right side of the row. On the next screen, press “Confirm” to confirm installation. It will take several minutes for the package installer to download, install and configure Suricata.


Once the package installer is done, there will be a new option on the “Services” menu called “Suricata”. You can now navigate to Services -> Suricata and begin configuration. The first step is to configure global settings, which you can do by clicking on the “Global Settings” tab. The first part of the page configures which rules you want to download. The first setting is “Install Emerging Threats rules“, which allows you to install ETOpen and ETPro. ETOpen is an open source set of Snort rules, while ETPro for Snort offers daily updates and extensive coverage of current malware threats. ETPro offers more extensive coverage of threats, but costs $500 a year. The “Install Snort VRT rules” check box allows you to install either Snort VRT free registered user or paid subscriber rules. The next option is “Install Snort Community rules“. Checking this check box will install the Snort Community Ruleset – a GPLv2 VRT-certified ruleset that is distributed free of charge without any VRT License restrictions. [If you are a Snort VRT paid subscriber, the community ruleset is already built into the Snort VRT rules, so you don’t need to install this.]

Next is the “Rules Update Settings” section. In the “Update Interval” dropdown box, you can select the interval for rule updates. Choosing NEVER disables auto-updates. The options range from 6 hours to 28 days, as well as never for no updates. Below that is the “Update Start Time” edit box, where you can enter the rule update start time in 24-hour format (the default is 00:30). Finally, the “Live Rule Swap on Update” check box, if checked, enables a “live swap” reload of the rules after downloading an update instead of a hard restart. [If you encounter problems with live reloads, you should probably uncheck this option.]

The final section on the “Global Settings” tab is “General Settings“. The “Remove Blocked Hosts Interval” dropdown box allows you to select the amount of time you would like hosts to be blocked (values run from 15 minutes to 28 days; never is also an option). The “Log to System Log” check box enables copying of Suricata mesages to the firewall system log. The “Keep Suricata Settings After Disinstall” checkbox, if checked will not remove any changed settings during package deinstallation. Press the “Save” button at the bottom of the page to save settings.

In the next article, we will continue our look at Suricata settings.


External Links:

The official Suricata web site

Nessus Vulnerability Scanner: An Introduction

Nessus

Introducing the Nessus Vulnerability Scanner

Modern computer networks have multiple potential areas of insecurity. How do you protect all these avenues of attack? You might feel that protecting your network is an impossible situation. You could spend all day, every day, just checking for these security holes manually. Even if you tried to automate it with scripts, would would seem to take dozens of programs. Fortunately, there are packages out there called vulnerability scanners that will automatically check all these areas and more.

Nessus is an excellent program. It is a great example of how well open source projects can work, although the project has been since been changed to a proprietary (closed source) license. [The Nessus 3 engine is still free of charge, though Tenable Network Security, the company founded by Nessus creator Renaud Deraison, charges $100/month per scanner for the ability to perform configuration audits for PCI, CIS, FDCC and other configuration standards, technical support, SCADA vulnerability audits, the latest network checks and patch audits, the ability to audit anti-virus configurations and the ability for Nessus to perform sensitive data searches to look for credit card, social security number and many other types of corporate data.] It is robust, well documented, well maintained, and the premiere vulnerability scanner. Nessus has consistently rated at the top of all vulnerability scanners, commercial or noncommercial. This is amazing when you consider its competitors cost thousands of dollars and are created by large companies. It continues to impress and improve, and most importantly, to protect thousands of companies’ networks. There are some design features that make Nessus unique and superior to other vulnerability scanners.


Even as Nessus 3 and subsequent versions went closed source, the Nessus 2 engine and a minority of the plugins are still GPL, leading to forked open source projects based on Nessus. Tenable Network Security has still maintained the Nessus 2 engine and has updated it several times since the release of Nessus 3. The current stable version of Nessus is 5.2.1 (released May 7, 2013).

Nessus currently offers over 2000 individual vulnerability tests that cover practically every area of potential weakness in systems. Very few scanners out there can compete with this level of testing, and new tests are being added daily by a worldwide network of developers. The speed of release of new tests for emerging vulnerabilities is usually measured in days if not hours. Its plug-in based architecture allows new tests to be added easily.

You can turn off whole categories of tests if they do not apply or if you are worried they could be dangerous to your systems, or you can deactivate individual tests if you have it concern about a specific one. For example, you may prefer to disable the untested category, which contains tests that haven’t been fully tested yet.

Nessus uses a client-server architecture to run its security checks. The server runs the tests and the client configures and controls the sessions. The fact that the client and server can be separated offers some unique advantages. This means that you can have your scanning server outside your network, yet access it from inside your network via the client. this also allows other operating systems to be supported via different clients. There are currently UNIX and Window clients available, with projects to create additional ones ongoing. These is also now a web client interface available, which makes Nessus truly platform independent (at least on the client end).

In the next article, we will continue our discussion of Nessus and its features.

External Links:

Nessus home page on www.tenable.com

Nessus on Wikipedia

Open Source Tools: Part Three (Even more nmap options)

nmap optionsWhen you specify your targets for scanning, nmap will accept specific IP addresses, address ranges in CIDR format, and octet format (i.e. x.x.x.x). If you have a host file, which may have been generated from your ping sweep earlier, you can specify it as well using the -iL flag. There are other, more formal nmap parsing programs out there, but awk can be used to create a quick and dirty hosts file from an nmap ping sweep. Scripting can be a very powerful addition to any tool, but remember to check all the available output options to avoid doing too much work.

nmap allows the user to specify the speed of the scan, or the amount of time from probe sent to replay received, and therefore how fast packets are sent. On a fast LAN, you can optimize your scanning by setting the -T option to 4, or Aggressive, usually without dropping any packets during send. If you find that a normal scan is taking very long due to ingress filtering or a firewall device, you may want to enable Aggressive scanning. If you know that an IDS sits between you and the target, and you want to be as stealthy as possible, the using -T0 or Paranoid should do what you want; however, it will take a long time to finish a scan, perhaps several hours, depending on your scan parameters.


By default, nmap 6.40 with Auditor scans 1000 ports for common services, which will catch most open TCP ports out there. However, sneaky sysadmins may run ports on uncommon ports, practicing security through obscurity. Without scanning those uncommon ports, you may be missing these services. If you have time, or suspect that a system may be running other services, run nmap with the -p1-65535 parameter, which will scan all 65k TCP ports. Even on a LAN with responsive systems, this will take anywhere from 30 minutes to a few hours. Performing a test like this over the Internet may take even longer, which will allow more time for the system owners, or watchers, to note the excessive traffic and shut you down.

Ping Sweeping with netenum

Finally, if you have a need for a very simple ICMP ping sweep program that you can use for scriptable applications, netenum might be useful. It performs a basic ICMP ping and then replies with only the reachable targets. One quirt about netenum is that it requires a timeout to be specified for the entire test. If no timeout is specified, it outputs a CR-delimited dump of the inputted addresses. If you have tools that will not accept a CIDR formatted range of addresses, you might use netenum to simply expand that into a listing of individual IP addresses. netenum is part of the Internetwork Routing Protocol Attack Suite, which also includes such utilities as cdp (for sending Cisco router Discovery protocol messages), and ass (Automated System Scanner).


External Links:

The official nmap site

Official site for the Internetwork Routing Protocol Attack Suite (IRPAS) – netenum is part of IRPAS

© 2013 David Zientara. All rights reserved. Privacy Policy