What is Suricata?
Suricata is an open-source intrusion detection and prevention system (IDPS) developed by the Open Information Security Foundation (OISF). It monitors network traffic and detects malicious activity or security breaches in real time. Suricata analyzes network packets using signature-based detection, protocol analysis, and anomaly detection, and it is commonly used to protect networks from threats such as malware, intrusion attempts, denial-of-service (DoS) attacks, and more.
Suricata's adaptability is its greatest asset. It is a high-performance engine that can handle high traffic volumes and, when properly tuned, log large amounts of detailed traffic data. It is also highly flexible: you can tailor rule sets to your organization's requirements and perform in-depth analysis of a wide range of protocols. As an open-source IDS/IPS, Suricata benefits from a large, active community that continuously improves and extends its features.
In summary, Suricata is a powerful and flexible tool that adds a robust layer of protection to any organization's network security plan.
Installation
Before installing Suricata, add the Open Information Security Foundation (OISF) software repository to your Ubuntu system using the add-apt-repository command.
To add the repository and refresh the list of available packages, run:
$ sudo add-apt-repository ppa:oisf/suricata-stable
When asked to confirm that you wish to add the repository, press ENTER. Once the new repository has been added, the command will update the list of packages that are available to you.
With the apt command, you can now install the suricata package:
$ sudo apt install suricata
After installing the package, enable suricata.service so that it starts automatically at boot. To enable it, use the systemctl command:
$ sudo systemctl enable suricata.service
You should receive output like the following indicating the service is enabled:
Output
suricata.service is not a native service, redirecting to systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable suricata
We can start the service using systemctl:
$ sudo systemctl start suricata.service
To follow the alert log as new alerts are written:
$ sudo tail -f /var/log/suricata/fast.log
To stop the service:
$ sudo systemctl stop suricata.service
Stop Suricata before editing and testing its configuration file; your changes are then validated and loaded when Suricata is started again.
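The fast.log tailed above is a one-line-per-alert text format. As an added example (not part of the original post or of Suricata itself), the following Python script parses such lines and produces the counts a responder looks at first. The log lines embedded in SAMPLE_FAST_LOG are constructed: sid 123 corresponds to the example rule later in this post, while sid 1000001 and all addresses are made-up values.

```python
"""Parse and summarise Suricata fast.log alert lines.

Added example for this post; not part of Suricata. The log lines in
SAMPLE_FAST_LOG are constructed: sid 123 is the example rule from the
post, sid 1000001 and every address are made-up values.
"""
import re
from collections import Counter

SAMPLE_FAST_LOG = """\
05/10/2023-14:22:31.123456  [**] [1:123:1] HTTP GET Request Containing Rule in URI [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.5:51234 -> 203.0.113.10:80
05/10/2023-14:22:32.654321  [**] [1:123:1] HTTP GET Request Containing Rule in URI [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.7:40022 -> 203.0.113.10:80
05/10/2023-14:23:05.000001  [**] [1:1000001:2] CONSTRUCTED ICMP echo to documentation range [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.5 -> 203.0.113.99
05/10/2023-14:23:05.000002  not an alert line, left here to show it is skipped
"""

# One fast.log alert: timestamp, [**], [gid:sid:rev], msg, [**], classification,
# priority, {proto}, then src -> dst (with :port for TCP/UDP).
FAST_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d/\d{4}-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"\[Classification:\s*(?P<classification>[^\]]*)\]\s+\[Priority:\s*(?P<priority>\d+)\]\s+"
    r"\{(?P<proto>[^}]+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)

PORTED_PROTOCOLS = {"TCP", "UDP", "SCTP"}


def split_endpoint(endpoint, proto):
    """'10.0.0.5:51234' -> ('10.0.0.5', 51234) for TCP/UDP; no split otherwise."""
    if proto in PORTED_PROTOCOLS:
        host, sep, port = endpoint.rpartition(":")
        if sep and port.isdigit():
            return host, int(port)
    return endpoint, None


def parse_fast_line(line):
    """Return a dict for an alert line, or None if the line is not one."""
    m = FAST_RE.match(line)
    if not m:
        return None
    proto = m["proto"]
    src_ip, src_port = split_endpoint(m["src"], proto)
    dst_ip, dst_port = split_endpoint(m["dst"], proto)
    return {
        "ts": m["ts"], "gid": int(m["gid"]), "sid": int(m["sid"]), "rev": int(m["rev"]),
        "msg": m["msg"], "classification": m["classification"],
        "priority": int(m["priority"]), "proto": proto,
        "src_ip": src_ip, "src_port": src_port, "dst_ip": dst_ip, "dst_port": dst_port,
    }


def parse_fast_log(text):
    """Parse every alert line in text, silently skipping anything else."""
    return [a for a in (parse_fast_line(l) for l in text.splitlines()) if a]


def summarize(alerts):
    """Counts a responder wants first: alerts per rule, per endpoint, and the urgent ones."""
    return {
        "by_sid": Counter(a["sid"] for a in alerts),
        "by_src": Counter(a["src_ip"] for a in alerts),
        "by_dst": Counter(a["dst_ip"] for a in alerts),
        # Priority 1 is the most urgent; 2 is what classtype bad-unknown (the example rule) maps to.
        "urgent": [a for a in alerts if a["priority"] <= 2],
    }


if __name__ == "__main__":
    alerts = parse_fast_log(SAMPLE_FAST_LOG)
    report = summarize(alerts)
    for sid, n in report["by_sid"].most_common():
        print(f"sid {sid}: {n} alert(s)")
    for a in report["urgent"]:
        print(f"{a['ts']} {a['src_ip']} -> {a['dst_ip']}:{a['dst_port']} {a['msg']}")
```

To run it against a real sensor, read /var/log/suricata/fast.log into parse_fast_log instead of the constructed sample. Two further points a practitioner will want: fast.log is the compact human-readable log, while eve.json in the same directory carries the full JSON record for each alert; and before restarting Suricata after a configuration edit, running suricata -T -c /etc/suricata/suricata.yaml validates the configuration and rules without starting the engine.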
Rules
Signatures (rules) are central to Suricata. Most deployments rely on existing, published rulesets rather than writing every rule themselves.
Several free rulesets can be installed through suricata-update. The Emerging Threats Open ruleset is a free resource that offers a wide variety of signatures, which also makes it a good reference when learning to write rules.
The following makes up a rule or signature:
1. The action, which decides what takes place when the rule is matched.
2. The header, which includes information about the protocol, IP addresses, ports, and rule direction.
3. Rule options that specify the details of the rule.
Here is an example of a rule:
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"HTTP GET Request Containing Rule in URI"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"rule"; fast_pattern; classtype:bad-unknown; sid:123; rev:1;)
Reading the rule above: the action is the first word, the header is everything from the protocol up to the destination port (http $HOME_NET any -> $EXTERNAL_NET any), and the options are the semicolon-separated keywords inside the parentheses.
Action (the first word of the rule):
alert
Some actions are:
* alert - will generate an alert.
* pass - stop further inspection of the packet.
* drop - drop the packet and produce an alert.
Protocol (the first word of the header):
http
This keyword tells Suricata which protocol the rule applies to. There are four basic protocols to choose from:
* tcp (for tcp-traffic)
* udp
* icmp
* ip (ip stands for 'all' or 'any')
The example rule uses http instead of one of these four: Suricata also accepts application-layer protocol keywords such as http, tls and dns, which restrict the rule to traffic the corresponding protocol parser has recognized.
Source and Destination (the address fields on either side of the direction arrow):
$HOME_NET -> $EXTERNAL_NET
The source and destination fields designate where the traffic comes from and where it goes. They accept IP addresses and IP ranges (both IPv4 and IPv6), which can be combined and negated with operators such as / and !. Typically, variables such as $HOME_NET and $EXTERNAL_NET are used instead of literal addresses. The addresses these variables stand for are defined in the suricata.yaml configuration file, and when rules are loaded each variable is replaced by the corresponding $HOME_NET or $EXTERNAL_NET setting.
Ports (source and destination, the field following each address):
any -> any
Ports identify the endpoints of the traffic. Port numbers vary between protocols: for example, port 443 is normally used for HTTPS, while port 80 is the default for HTTP. The port alone does not decide which protocol is spoken in the communication; it identifies which service on the host receives the data.
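To make the three parts of a rule concrete, here is an added example (not part of the original post and not Suricata's own parser) that splits a rule line into its action, header fields and ordered options, and expands the $HOME_NET / $EXTERNAL_NET variables the way the vars section of suricata.yaml would. The rule is the one shown above; the ADDRESS_GROUPS values are constructed stand-ins for a real configuration.

```python
"""Split a Suricata rule into action, header and options.

Added example for this post; not Suricata's own parser. The rule is the
one shown in the post; the address-group values are constructed stand-ins
for the vars: section of suricata.yaml.
"""
import re
from dataclasses import dataclass

RULE = ('alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"HTTP GET Request '
        'Containing Rule in URI"; flow:established,to_server; http.method; '
        'content:"GET"; http.uri; content:"rule"; fast_pattern; '
        'classtype:bad-unknown; sid:123; rev:1;)')

# Constructed values standing in for suricata.yaml's vars/address-groups.
ADDRESS_GROUPS = {
    "$HOME_NET": "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]",
    "$EXTERNAL_NET": "!$HOME_NET",
}

# Actions Suricata accepts at the start of a rule.
ACTIONS = {"alert", "pass", "drop", "reject", "rejectsrc", "rejectdst", "rejectboth"}

# Header: action proto src src_port direction dst dst_port, then "(options)".
# Assumes no whitespace inside address/port groups such as [a,b] or ![a,b].
HEADER_RE = re.compile(
    r"^(?P<action>\S+)\s+(?P<protocol>\S+)\s+(?P<src>\S+)\s+(?P<src_port>\S+)\s+"
    r"(?P<direction>->|<>)\s+(?P<dst>\S+)\s+(?P<dst_port>\S+)\s*\((?P<options>.*)\)\s*$",
    re.S,
)


@dataclass
class Rule:
    action: str
    protocol: str
    src: str
    src_port: str
    direction: str
    dst: str
    dst_port: str
    options: list  # ordered (keyword, value-or-None); order matters for sticky buffers

    def option(self, keyword):
        """First value of a keyword, e.g. rule.option("sid") -> "123"."""
        return next((v for k, v in self.options if k == keyword), None)

    def header(self):
        return " ".join([self.protocol, self.src, self.src_port,
                         self.direction, self.dst, self.dst_port])


def split_options(text):
    """Split 'k:v; k; ...' on the ';' characters that are outside double quotes."""
    opts, buf, in_quote, i = [], "", False, 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):       # escaped \; \" \\ stay as written
            buf += text[i:i + 2]
            i += 2
            continue
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            item = buf.strip()
            if item:
                key, sep, value = item.partition(":")
                opts.append((key.strip(), value.strip() if sep else None))
            buf = ""
        else:
            buf += ch
        i += 1
    if in_quote or buf.strip():
        raise ValueError("unterminated option near: %r" % buf)
    return opts


def expand_vars(value, groups=ADDRESS_GROUPS):
    """Substitute $VARS with their address-group values, following nested vars."""
    for _ in range(8):                      # bounded so a self-referencing var cannot loop forever
        new = re.sub(r"\$\w+", lambda m: groups.get(m.group(0), m.group(0)), value)
        if new == value:
            return value
        value = new
    raise ValueError("variable expansion did not converge: %r" % value)


def parse_rule(line):
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("not a rule: %r" % line)
    if m["action"] not in ACTIONS:
        raise ValueError("unknown action %r" % m["action"])
    rule = Rule(m["action"], m["protocol"], m["src"], m["src_port"], m["direction"],
                m["dst"], m["dst_port"], split_options(m["options"]))
    if rule.option("sid") is None:          # Suricata refuses to load a rule without a sid
        raise ValueError("rule has no sid")
    return rule


def is_valid_rule(line):
    """Quick lint: True if the line parses as a rule with a known action and a sid."""
    try:
        parse_rule(line)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    r = parse_rule(RULE)
    print("action :", r.action)
    print("header :", r.header())
    print("src/dst:", expand_vars(r.src), "->", expand_vars(r.dst))
    for key, value in r.options:
        print("option :", key, "=", value)
```

The parser keeps the options in order because order is significant in Suricata: http.method and http.uri are sticky buffers, so the content keyword that follows each one is matched against that buffer. is_valid_rule is the kind of pre-check worth running over a custom .rules file before a restart, since a rule with a missing sid or an unknown action will otherwise fail to load.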
In this way, we can set up the basic Suricata on the server.