Suricata: What is it and how can we use it
What is Suricata?
Suricata is an open-source detection engine that can act as an intrusion detection system (IDS) and an intrusion prevention system (IPS). It was developed by the Open Information Security Foundation (OSIF) and is a free tool used by enterprises, small and large. The system uses a rule set and signature language to detect and prevent threats. Suricata can run on Windows, Mac, Unix and Linux.
As discussed in the previous articles, intrusion detection "detects" and "alerts" a threat. In contrast, an intrusion prevention system also takes action on the event and attempts to block the traffic. Suricata can do both and also does well with deep packet inspection. Making it perfect for pretty much any kind of standard security monitoring initiatives your company might have.
Why should we care?
Suricata is lightweight, low cost and can provide great insight into what is occurring on your network from a security perspective. An alternative to Suricata is Snort.
The main difference between these two tools is that Suricata is multi-threaded. Meaning that the tool can use multiple cores at once, allowing for greater load balancing. This allows us to process more data without dialing back on the number of rules we implement, giving Suricata a slight advantage over Snort.
The tool has a great developer and support community and is regularly updated with how-to guides and installation processes. Security information and event management (SIEM) systems can also leverage output from Suricata to enhance their detection rules and processes.
Suricata best practices
1. Always start by setting up Suricata (or any network monitoring/blocking tool) in IDS mode. This allows you to test the software and see what works or doesn't before you start blocking anything.
2. After the initial installation and setup, be sure to tune the system to account for your network's needs and requirements. Suricata and most IDS come with pre-built rules. However, many might not be relevant to your business.
3. Update the rules engine with your findings after an investigation. As you begin to work through alerts, continually update the engine with any false positives or whitelists artifacts.
Learn Network Security Fundamentals
Suricata installation and setup
Suricata can be installed on various Mac, Windows, Linux and Unix distributions. Depending on how you plan to use the tool and what type of server you use, you may need more or less CPU and RAM. Typically, you need between 4-8GB of RAM and at LEAST two CPUs for a production environment. Once you have the tool up and running, you can scale and allocate resources as needed depending on your needs.
There are multiple methods of deployment outlined in the "Suricata Docs." A popular installation process is using an Ubuntu system as the distribution to run the software.
Once you install the software from their website (or via the command line), you must configure the system. The standard configuration file that ships with each installation come with a wide range of use-cases that will be an excellent start for your network security monitoring needs. The default mode is IDS (passive, detection only). This mode allows you to fully understand the tool, how it works and the traffic occurring within your network before switching over to IPS mode (active blocking). One thing to note is that depending on which network interface you want to monitor. You might need to override the default configuration settings.
Use case for Suricata
Now that we've talked about what Suricata is, how to configure it and a few best practices, let's dive into a practical, real-world use case. Using the data produced by the tool for network traffic baselining.
Suricata is a great tool to have in your intrusion detection arsenal. I've used it many times as a lightweight IDS to enrich the detections coming from my SIEM platform. The data produced from Suricata can help create a geographic breakdown of the traffic entering and leaving your network. If you use a SIEM tool (such as ELK) you can take the parsed Suricata logs, ingest them and use a map widget to easily understand your traffic distribution. As a security professional, knowing what 'normal' looks like is crucial for you to spot bad, abnormal activity. This principle applies to every dataset in your environment. Whether you're working with network data, endpoint data, tool/system data, knowing what normal looks like will help you spot potential bad actors in your network.
Whether you plan to use Suricata logs/alerts independently or ship the data to a SIEM tool for additional analysis, there are numerous use-cases and benefits from having this tool in place.
Coming next: Using Zeek
The next article will walk through a popular open-source network monitoring tool called Zeek. Zeek has numerous uses but is commonly used for network monitoring and analysis of various protocols. We'll walk through what Zeek is, how to use it and overview some popular use-cases for the tool.
Want to learn more? Take my Advanced Intrusion Detection courses in Infosec Skills.
- Expert instruction
- Hands-on labs
- Unlimited access
In this Series
- Suricata: What is it and how can we use it
- What is zero trust architecture (ZTA)? Pillars of zero trust and trends for 2024
- A deep dive into network security protocols: Safeguarding digital infrastructure 2024
- Asset mapping and detection: How to implement the nuts and bolts
- The Pentagon goes all-in on Zero Trust
- How to configure a network firewall: Walkthrough
- 4 network utilities every security pro should know: Video walkthrough
- How to use Nmap and other network scanners
- Security engineers: The top 13 cybersecurity tools you should know
- Converting a PCAP into Zeek logs and investigating the data
- Using Zeek for network analysis and detections
- Intrusion detection software best practices
- What is intrusion detection?
- How to use Wireshark for protocol analysis: Video walkthrough
- 9 best practices for network security
- Securing voice communications
- Introduction to SIEM (security information and event management)
- VPNs and remote access technologies
- Cellular Networks and Mobile Security
- Secure network protocols
- Network security (101)
- IDS/IPS overview
- Exploiting built-in network protocols for DDoS attacks
- Firewall types and architecture
- Wireless attacks and mitigation
- Wireless network overview
- Open source IDS: Snort or Suricata? [updated 2021]
- PCAP analysis basics with Wireshark [updated 2021]
- What is a firewall: An overview
- NSA report: Indicators of compromise on personal networks
- Securing the home office: Printer security risks (and mitigations)
- Email security
- Data integrity and backups
- Cost of non-compliance: 8 largest data breach fines and penalties
- How to find weak passwords in your organization’s Active Directory
- Monitoring business communication tools like Slack for data infiltration risks
- Firewalls and IDS/IPS
- IPv4 and IPv6 overview
- The OSI model and TCP/IP model
- Endpoint hardening (best practices)
- Wireless Networks and Security
- Networking fundamentals (for network security professionals)
- How your home network can be hacked and how to prevent it
- Network design: Firewall, IDS/IPS
- Work-from-home network traffic spikes: Are your employees vulnerable?
- RTS threshold configuration for improved wireless network performance [updated 2020]
- Web server protection: Web server security monitoring
- Web server security: Active defense
- Web server security: Infrastructure components
- Web server protection: Web application firewalls for web server protection
- Web server security: Command line-fu for web server protection
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
