Suricata Intrusion Detection: Part Five


Logs management in Suricata.

In the previous articles on Suricata, we covered basic installation and configuration of this intrusion detection system, including deciding which rules to download and use, and setting up an interface. In this article, we take a look at log management.

Log Management in Suricata

The top level of tabs has 11 different tabs; click the “Logs Mgmt” tab (in the current version of Suricata, it is the 9th tab). Under “General Settings”, there are two options. The first is the “Remove Suricata Log Files During Package Uninstall” check box, which causes the Suricata log files to be removed when the package is uninstalled. The “Auto Log Management” check box enables automatic unattended management of the Suricata logs using the parameters set in the rest of the page.

The next section is “Log Directory Size Limit”. The radio buttons in this section allow you to enable or disable the directory size limit. Enabling a limit imposes a hard limit on the combined log directory size of all Suricata interfaces. When the size limit is reached, rotated logs for all interfaces will be removed, and any active logs will be pruned to zero length. The edit box in this section allows you to set the log directory size; the default value is 20% of available space.

The next section is “Log Size and Retention Limits”. Here, you can configure different size and retention limits for different logs. These options are only enabled if you checked the “Auto Log Management” check box. The logs which can be configured here are: alerts (Suricata alerts and event details), block (Suricata blocked IPs and event details), dns (DNS request and reply details), eve-json (JavaScript Object Notation data), files-json (captured HTTP events and session information), sid_changes (log of security ID [SID] changes made by SID Management config files), stats (Suricata performance stats), and tls (SMTP TLS handshake details). Settings are ignored for any log in this list that is not enabled on the Interface Settings tab. When a log reaches its maximum size limit, it is rotated and tagged with a time stamp.

The next setting is the “Unified2 Log Limit”, which sets the maximum size for a unified2 log file before it is rotated and a new one created. Below that is the “Unified2 Archived Log Retention Period”. Here you can choose the retention period for the archived Barnyard2 binary log files. When Barnyard2 output is enabled, Suricata writes event data in binary format that Barnyard2 reads and processes. When finished processing a file, Barnyard2 moves it to an archive folder. The setting determines how long files remain in the archive folder before they are automatically deleted. Finally, there’s the “Captured Files Retention Period” dropdown box. Here you can choose the retention period for captured files. When file capture and storage is enabled, Suricata captures downloaded files from HTTP sessions and stores them, along with metadata, for later analysis. This setting determines how long files remain in the File Store folder before they are automatically deleted. Press the “Save” button at the bottom of the page to save settings.
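To make the policy described in this article concrete, here is an added example (not the pfSense Suricata package's own code) that applies the same three controls to a directory of log files: a per-log size limit with time-stamped rotation, a retention period for rotated files, and the directory hard limit that removes rotated logs and truncates active ones to zero length. The file names, byte limits and time stamps are constructed, and the directory limit is taken as a byte count rather than the percentage of available space the package uses.

```python
"""Added example (not the pfSense Suricata package's own code): the
automatic log-management policy described above, applied to a directory.
File names, the 500-byte and 400-byte limits and the time stamps below are
constructed for the demonstration."""
import re
import tempfile
from pathlib import Path

# Rotated logs are tagged with a Unix time stamp, e.g. alerts.log.1700000000
ROTATED_RE = re.compile(r"\.(\d{10})$")


def rotate_if_oversize(log, max_bytes, now):
    """Per-log size limit: rename an over-limit active log with a time stamp
    and start a fresh empty one. Returns the rotated path or None."""
    if not log.exists() or log.stat().st_size <= max_bytes:
        return None
    rotated = log.with_name(f"{log.name}.{now}")
    log.rename(rotated)
    log.touch()
    return rotated


def prune_by_age(logdir, max_age_sec, now):
    """Retention period: delete rotated files older than max_age_sec."""
    removed = []
    for p in logdir.iterdir():
        m = ROTATED_RE.search(p.name)
        if m and now - int(m.group(1)) > max_age_sec:
            p.unlink()
            removed.append(p)
    return removed


def enforce_dir_limit(logdir, max_bytes):
    """Directory hard limit: once the combined size exceeds max_bytes, remove
    every rotated log and truncate every active log to zero length."""
    files = [p for p in logdir.rglob("*") if p.is_file()]
    if sum(p.stat().st_size for p in files) <= max_bytes:
        return False
    for p in files:
        if ROTATED_RE.search(p.name):
            p.unlink()
        else:
            p.write_bytes(b"")
    return True


def run_demo(now=1_700_000_000):
    """Constructed scenario in a temporary directory; returns what happened."""
    with tempfile.TemporaryDirectory() as tmp:
        logdir = Path(tmp)
        alerts = logdir / "alerts.log"
        alerts.write_bytes(b"x" * 600)                  # over the 500-byte limit
        old = logdir / f"stats.log.{now - 10 * 86400}"  # 10-day-old rotated log
        old.write_bytes(b"y" * 100)
        rotated = rotate_if_oversize(alerts, 500, now)
        pruned = prune_by_age(logdir, 7 * 86400, now)   # 7-day retention
        hit = enforce_dir_limit(logdir, 400)
        return {
            "rotated": rotated.name if rotated else None,
            "pruned": [p.name for p in pruned],
            "dir_limit_hit": hit,
            "remaining": sorted(p.name for p in logdir.iterdir()),
            "alerts_size": alerts.stat().st_size,
        }


if __name__ == "__main__":
    print(run_demo())
```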

External Links:

The official Suricata web site

Suricata Intrusion Detection: Part Four


Configuring app parser settings in Suricata.

In the previous articles on Suricata, we covered installation, configuring global settings and pass lists, and began looking at setting up an interface. In this article, we will continue setting up our first Suricata interface. In this example, we are configuring the WAN interface.

Configuring App Parsing

The next tab after “WAN Flow/Stream” is “WAN App Parsers”. This tab deals with parsers that operate on the application layer of the TCP/IP model, the layer that specifies the protocols covering major aspects of functionality, such as FTP, SMTP, and others.

The first setting is “Asn1 (Abstract Syntax One) Max Frames”. Abstract Syntax Notation One (ASN.1) is a standard and notation that describes rules and structures for representing, encoding, transmitting, and decoding data in telecommunications and computer networking. Application layer protocols such as X.400 e-mail, X.500 and LDAP directory services, H.323 (for VoIP) and SNMP use ASN.1 to describe the protocol data units they exchange. “Asn1 Max Frames” sets the maximum number of ASN.1 frames to decode (the default is 256).

The next heading is “DNS App-Layer Parser Settings”. Here, you can set parameters relevant to DNS parsing over UDP and TCP. “Global Memcap” and “Flow/State Memcap” set the global memcap and the per-flow/state memcap limits respectively; the default global memcap is 16 MB and the default flow/state memcap is 512 KB. “Request Flood Limit” determines how many unreplied DNS requests are considered a flood; when this limit is reached, an alert is raised. The default is 500. Finally, “UDP Parser” and “TCP Parser” enable UDP detection and parsing and TCP detection and parsing respectively. The default for both settings is “yes”.

Below that is “HTTP App-Layer Parser Settings”. “Memcap” sets the memcap limit for the HTTP parser; the default is 64 MB. The “HTTP Parser” dropdown box allows you to enable or disable detection and parsing; there is also a third setting, “detection-only”, which enables detection but disables the parser. The final setting in this section is “Server Configurations”. Pressing the “plus” button allows you to add a new HTTP server policy configuration. You can set the “Engine Name”, as well as an alias for the IP list to which the engine will be bound (you can specify “all” to bind the engine to all HTTP servers). The “Target Web Server Personality” allows you to choose the web server personality appropriate for the protected hosts. The default value is “IDS”, but you can set it for Apache 2 and different versions of Microsoft’s Internet Information Services. Below that are parameters for the request body limit and the response body limit, specifying the maximum number of HTTP request body and response body bytes to inspect, respectively. The default in each case is 4096 bytes. Setting either parameter to 0 causes Suricata to inspect the entire client body or server body. Finally, there are the “Decode Settings”, which, if set, cause Suricata to decode the path and query. Checking the “URI Include-All” check box includes the username, password, hostname and port in the normalized URI. Press “Save” at the bottom of the page to save settings for the server configuration or “Cancel” to cancel.

The last heading is “Other App-Layer Parser Settings”. Here, you can set detection and parsing options for several application-layer protocols such as TLS and SMTP. Each protocol has three options: [1] enable detection and parsing; [2] disable both detection and parsing; or [3] enable detection but disable parsing (“detection-only”). You can press “Save” to save your settings before you exit, or “Reset”. Pressing “Save” will rebuild the rules file, which may take several seconds. Suricata must also be restarted to activate any changes made.

Finally, the “Variables” tab allows you to set variables which can be used in rules. This saves you from having to set IP addresses rule by rule. For example, next to HOME_NET you can enter your home IP address. Press “Save” at the bottom when you are done setting these variables.

That covers interface setup. Now that we have at least one interface configured, we can look at the logs. We will cover log settings in the next article.

External Links:

The official Suricata web site

Suricata Intrusion Detection System: Part Three


Interface settings in Suricata.

In the previous article, we covered some additional Suricata configuration details, including downloading rules and setting up your first Suricata interface. In this article, we will continue to configure that interface.

Since we already covered the “WAN Settings” tab, we’ll move on to the “WAN Categories” tab. The first heading covers automatic flowbit resolution. Flowbits are a powerful tool that were first implemented in Snort. Many times, you need to look at more than just one packet to know whether an event is occurring. Flowbits give you the ability to do this. With flowbits, you can set a flag that another rule can check and take into consideration. In other words, if condition 1 is met, we can set a flag. If the flag is set and condition 2 is met, then we can take further action (for example, generate an alert).

The first option is the “Resolve Flowbits” check box. If this is checked, Suricata will examine the enabled rules in your chosen rule categories for checked flowbits. Any other rules that set these dependent flowbits will be automatically enabled (even if they were not otherwise enabled) and added to the list of the files in the interface rules directory. By pressing the “View” button, you can view the auto-enabled rules required to satisfy the flowbit dependencies.
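As an added example (not the pfSense package's or Suricata's own code), the following Python script models what the “Resolve Flowbits” option does on a small constructed rules file: it collects the flowbits that the enabled rules check, then reports the disabled rules that set those bits so they can be enabled alongside them. The rule text and SIDs are constructed for this example; a leading “#” marks a disabled rule, as in a Suricata rules file.

```python
"""Added example (not the pfSense package's or Suricata's own code): what the
"Resolve Flowbits" option does, modelled over a small rules file. The rules
below are constructed for this example; '#' marks a disabled rule."""
import re

SAMPLE_RULES = """\
#alert tcp any any -> any 21 (msg:"FTP USER seen"; content:"USER "; flowbits:set,ftp.login; flowbits:noalert; sid:1000001; rev:1;)
alert tcp any 21 -> any any (msg:"FTP login accepted"; flowbits:isset,ftp.login; content:"230 "; sid:1000002; rev:1;)
#alert tcp any any -> any 25 (msg:"SMTP EHLO seen"; content:"EHLO"; flowbits:set,smtp.ehlo; flowbits:noalert; sid:1000003; rev:1;)
#alert tcp any any -> any 25 (msg:"SMTP DATA after EHLO"; flowbits:isset,smtp.ehlo; content:"DATA"; sid:1000004; rev:1;)
alert tcp any any -> any 80 (msg:"HTTP request"; content:"GET "; sid:1000005; rev:1;)
"""

# flowbits:<op>,<name>;  (flowbits:noalert has no name and is ignored here)
FLOWBITS_RE = re.compile(
    r"flowbits\s*:\s*(set|setx|isset|isnotset|toggle|unset)\s*,\s*([^;]+);")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")


def parse_rules(text):
    """One dict per rule: sid, enabled flag, bits it checks and bits it sets."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        body = line.lstrip("#").strip()
        m = SID_RE.search(body)
        if not m:
            continue  # blank line or plain comment, not a rule
        checks, sets = set(), set()
        for op, names in FLOWBITS_RE.findall(body):
            # a flowbits option may name several bits joined by '|' or '&'
            bits = {b.strip() for b in re.split(r"[|&]", names)}
            if op in ("isset", "isnotset"):
                checks |= bits
            elif op in ("set", "setx", "toggle"):
                sets |= bits
        rules.append({"sid": int(m.group(1)), "enabled": not line.startswith("#"),
                      "checks": checks, "sets": sets, "text": body})
    return rules


def resolve_flowbits(rules):
    """SIDs of disabled rules that must be auto-enabled because an enabled rule
    checks a flowbit they set. Loops until stable, since an auto-enabled setter
    may itself check a bit set by yet another disabled rule."""
    needed = set()
    for r in rules:
        if r["enabled"]:
            needed |= r["checks"]
    auto = set()
    changed = True
    while changed:
        changed = False
        for r in rules:
            if not r["enabled"] and r["sid"] not in auto and r["sets"] & needed:
                auto.add(r["sid"])
                needed |= r["checks"]
                changed = True
    return sorted(auto)


if __name__ == "__main__":
    print("auto-enabled SIDs:", resolve_flowbits(parse_rules(SAMPLE_RULES)))
```

Only SID 1000001 is reported: it sets ftp.login, which the enabled rule 1000002 checks, whereas smtp.ehlo is checked only by a rule that is itself disabled.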

The next heading is “Selecting the rulesets Suricata will load at startup”. Here you can select individual rulesets from the rules you have already downloaded. For example, the ET Open Rules have individual rulesets for ActiveX, protecting against DNS hacks, protecting against denial of service (DoS) attacks, and other threats. There are check boxes next to each individual ruleset, and at the top there are buttons to “Select All”, “Unselect All” and “Save” (to save changes and auto-resolve flowbit rules). There is also a “Save” button at the bottom of the page.

Enabling and Disabling Rules

The next tab is “WAN Rules”. Here you can see things on a more granular level, as you can actually view, enable and disable individual rules, as well as enable and disable all rules in an individual category. At the top of the page, there is an “Available Rule Categories” dropdown box that allows you to select rule categories to view. Next to each individual rule, there is a red check mark on the left side of the row; you can click on this to enable/disable the rule. At the top of the list, there are buttons to disable and enable all rules in the current category, as well as buttons to remove all enable/disable changes in the current category or all categories. There is also an option to view the full file contents for the current category. Finally, above the list of rules is an “Apply” button to apply any changes made.

The next tab is “WAN Flow/Stream”. The first heading is “Host-Specific Defrag and Stream Settings”. Here, you can set different defrag and stream settings for different hosts. By pressing the “plus” button on the right side, you can add new settings; you can also press the “edit” button (the lowercase e) to edit existing settings. The “Policy Name” and “Bind-To IP Address” alias can be edited for everything except the default engine (the “Bind-To IP Address” defines the IP list for this configuration). The “Target Policy” dropdown box allows you to choose an OS target policy appropriate for the protected hosts. The default is BSD, but there are many choices, including IRIX, Linux, MacOS, and variants of Windows. The “Save” button at the bottom allows you to save a configuration, while the “Cancel” button discards the changes.

The next section deals with IP fragmentation. The Internet Protocol (IP) implements datagram fragmentation, breaking a datagram into smaller pieces so that packets can be formed that pass through a link with a smaller maximum transmission unit (MTU) than the original datagram size. These settings allow you to control how such fragments are handled, with settings such as the maximum memory to be used for defragmentation and the maximum number of fragments. Below this are the “Flow Manager” settings, which allow you to control parameters for the flow engine. “Flow Timeout Settings” covers timeouts for TCP connections, UDP connections, and ICMP connections. Finally, “Stream Engine Settings” covers parameters for the stream engine, such as the maximum memory to be used by the stream engine and the maximum number of concurrent stream engine sessions.

In the next article, we will continue our look at Suricata interface settings.

External Links:

The official Suricata web site

Suricata Intrusion Detection System: Part Two


Defining a pass list in Suricata.

In the first article about Suricata, we covered basic installation as well as global settings. In this article, we will continue our look at configuration.

In Global Settings, you must choose a set of rules to download, as well as update settings for those rules. Once you do that and save the settings, you can move on to the “Update Rules” tab. I chose the ETOpen rules and Snort VRT rules, set my update interval to 12 hours and my update start time to 04:00, and saved the settings.

By clicking on the “Update Rules” tab, you can download the enabled rule sets. Under “Update Your Rule Set”, you can press “Check”, which downloads an update if one is available, or “Force” to force an update. A separate screen loads once downloading begins; press the “Return” button to return to the “Update Rules” tab. The “Installed Rule Set MD5 Signature” section should now be updated with both the MD5 signature hash and the MD5 signature date of the downloaded rules. You can also view the log by clicking on the “View” button.

If you are running Suricata for the first time, you can skip past the “Alerts” and “Blocked” tabs for now, and go straight to “Pass Lists”. Here you can create pass lists, which are lists of hosts which will never be blocked by Suricata. Click on the “plus” button on the right side to add a pass list. You can specify a “Name” and “Description” for the file in the top two edit boxes. In the “Add auto-generated IP Addresses” section, there are six check boxes covering categories such as local networks, WAN IPs, and VPNs. Check whichever categories of IPs you don’t want to be blocked. Beneath that is the “Assigned Aliases” edit box, which allows you to add a custom IP address from a configured alias. If you have any aliases that you do not want to be blocked, you can add them here. Press the “Save” button at the bottom of the page to save these settings.

Adding an Interface with Suricata

You should be ready to add your first Suricata interface now. Click on the “Suricata Interfaces” tab and press the “plus” button on the right side of the page to add an interface. Once you do, there will be seven additional tabs covering all the settings for that interface. On the first tab, there are several sections. In “General Settings”, the “Enable” check box enables Suricata inspection on the interface. The “Interface” dropdown box allows you to select the interface. In this case, we will leave it set to WAN. In the “Description” field, we can enter a meaningful description for this interface; we’ll leave it as “WAN”. In “Logging Settings”, you can set a number of preferences related to logging, but we should take note of a few of these settings. First there are the “Send Alerts to System Log” check box (to send alerts to the firewall’s system log) and “Enable Stats Log” (to log statistics for the interface). Next is the “Stats Update Interval” (in seconds); the default is 10 seconds. If you’re concerned about the size of the log file, you may want to alter “Max Packet Log File Size” (the maximum size in megabytes of the packet log file) and “Max Packet Log Files” (the maximum number of packet log files to maintain).

The next section is “Alert Settings”. The “Block Offenders” check box will automatically block hosts that generate a Suricata alert. Once a host is blocked, it may still have entries in the firewall’s state table and persistent connections; checking the “Kill States” check box will kill firewall states for the blocked IP so the host no longer has access through your firewall. The “Which IP to Block” dropdown list allows you to select which IP from the packet you wish to block: the source IP, destination IP, or both. Choosing both is the recommended option and is the default value.

Scrolling further down the page, we reach the “Networks Suricata Should Inspect and Protect” section. The “Home Net” dropdown box allows you to define the home net you want this interface to use; the default is local networks, WAN IPs, gateways, VPNs and virtual IPs, but you can create an alias to define friendly IPs. The “External Net” dropdown box defines networks not in the home net. The “Pass List” allows you to choose the pass list you want this interface to use; if you defined one or more pass lists earlier, you can specify them here. Clicking on the “Save” button at the bottom of the page allows you to save these settings.

This is a good start, but we have only scratched the surface of interface settings. In the next article, we will continue our look at these settings.

External Links:

The official Suricata web site

Suricata Intrusion Detection System: Part One


The global settings tab in Suricata.

Suricata is an open-source intrusion detection system (IDS). There are several advantages to running Suricata. [1] It is multi-threaded, so you can run one instance and it will balance the processing load across every processor. [2] The most common protocols are automatically recognized by Suricata as the stream starts, allowing rule writers to write a rule against the protocol rather than the expected port. [3] Suricata can identify thousands of file types on your network, and you can tag files for extraction so that the file is written to disk with a metadata file describing the capture situation and flow. Another advantage of Suricata is that it is compatible with Snort rules, so while it is an alternative to Snort, you can still use Snort updates. Suricata has been available as a pfSense package since March 2014; you must be running pfSense 2.1 or later to install the Suricata pfSense package.

Suricata Installation and Configuration

Suricata can easily be downloaded, compiled and installed under FreeBSD (the underlying OS for pfSense). The installation instructions can be found at the official Suricata website for FreeBSD 8 and later. Fortunately, if you are running pfSense 2.1 or later, you can just install Suricata from the package menu and configure it from the GUI. In this case, just navigate to System -> Packages, scroll down to Suricata in the package listing, and press the “plus” button on the right side of the row. On the next screen, press “Confirm” to confirm installation. It will take several minutes for the package installer to download, install and configure Suricata.

Once the package installer is done, there will be a new option on the “Services” menu called “Suricata”. You can now navigate to Services -> Suricata and begin configuration. The first step is to configure global settings, which you can do by clicking on the “Global Settings” tab. The first part of the page configures which rules you want to download. The first setting is “Install Emerging Threats rules”, which allows you to install ETOpen and ETPro. ETOpen is an open source set of Snort rules, while ETPro for Snort offers daily updates and extensive coverage of current malware threats. ETPro offers more extensive coverage of threats, but costs $500 a year. The “Install Snort VRT rules” check box allows you to install either Snort VRT free registered user or paid subscriber rules. The next option is “Install Snort Community rules”. Checking this check box will install the Snort Community Ruleset, a GPLv2 VRT-certified ruleset that is distributed free of charge without any VRT License restrictions. [If you are a Snort VRT paid subscriber, the community ruleset is already built into the Snort VRT rules, so you don’t need to install this.]

Next is the “Rules Update Settings” section. In the “Update Interval” dropdown box, you can select the interval for rule updates; the options range from 6 hours to 28 days, and choosing NEVER disables auto-updates. Below that is the “Update Start Time” edit box, where you can enter the rule update start time in 24-hour format (the default is 00:30). Finally, the “Live Rule Swap on Update” check box, if checked, enables a “live swap” reload of the rules after downloading an update instead of a hard restart. [If you encounter problems with live reloads, you should probably uncheck this option.]

The final section on the “Global Settings” tab is “General Settings”. The “Remove Blocked Hosts Interval” dropdown box allows you to select the amount of time you would like hosts to be blocked (values run from 15 minutes to 28 days; never is also an option). The “Log to System Log” check box enables copying of Suricata messages to the firewall system log. The “Keep Suricata Settings After Disinstall” check box, if checked, will not remove any changed settings during package deinstallation. Press the “Save” button at the bottom of the page to save settings.

In the next article, we will continue our look at Suricata settings.

External Links:

The official Suricata web site

© 2013 David Zientara. All rights reserved.