Suricata: What is it and how can we use it
What is Suricata?
Suricata is an open-source detection engine that can act as an intrusion detection system (IDS) and an intrusion prevention system (IPS). It was developed by the Open Information Security Foundation (OSIF) and is a free tool used by enterprises, small and large. The system uses a rule set and signature language to detect and prevent threats. Suricata can run on Windows, Mac, Unix and Linux.
As discussed in the previous articles, intrusion detection “detects” and “alerts” a threat. In contrast, an intrusion prevention system also takes action on the event and attempts to block the traffic. Suricata can do both and also does well with deep packet inspection. Making it perfect for pretty much any kind of standard security monitoring initiatives your company might have.
Why should we care?
Suricata is lightweight, low cost and can provide great insight into what is occurring on your network from a security perspective. An alternative to Suricata is Snort.
The main difference between these two tools is that Suricata is multi-threaded. Meaning that the tool can use multiple cores at once, allowing for greater load balancing. This allows us to process more data without dialing back on the number of rules we implement, giving Suricata a slight advantage over Snort.
The tool has a great developer and support community and is regularly updated with how-to guides and installation processes. Security information and event management (SIEM) systems can also leverage output from Suricata to enhance their detection rules and processes.
Suricata best practices
1. Always start by setting up Suricata (or any network monitoring/blocking tool) in IDS mode. This allows you to test the software and see what works or doesn’t before you start blocking anything.
2. After the initial installation and setup, be sure to tune the system to account for your network’s needs and requirements. Suricata and most IDS come with pre-built rules. However, many might not be relevant to your business.
3. Update the rules engine with your findings after an investigation. As you begin to work through alerts, continually update the engine with any false positives or whitelists artifacts.
Suricata installation and setup
Suricata can be installed on various Mac, Windows, Linux and Unix distributions. Depending on how you plan to use the tool and what type of server you use, you may need more or less CPU and RAM. Typically, you need between 4-8GB of RAM and at LEAST two CPUs for a production environment. Once you have the tool up and running, you can scale and allocate resources as needed depending on your needs.
There are multiple methods of deployment outlined in the “Suricata Docs.” A popular installation process is using an Ubuntu system as the distribution to run the software.
Once you install the software from their website (or via the command line), you must configure the system. The standard configuration file that ships with each installation come with a wide range of use-cases that will be an excellent start for your network security monitoring needs. The default mode is IDS (passive, detection only). This mode allows you to fully understand the tool, how it works and the traffic occurring within your network before switching over to IPS mode (active blocking). One thing to note is that depending on which network interface you want to monitor. You might need to override the default configuration settings.
Use case for Suricata
Now that we’ve talked about what Suricata is, how to configure it and a few best practices, let’s dive into a practical, real-world use case. Using the data produced by the tool for network traffic baselining.
Suricata is a great tool to have in your intrusion detection arsenal. I’ve used it many times as a lightweight IDS to enrich the detections coming from my SIEM platform. The data produced from Suricata can help create a geographic breakdown of the traffic entering and leaving your network. If you use a SIEM tool (such as ELK) you can take the parsed Suricata logs, ingest them and use a map widget to easily understand your traffic distribution. As a security professional, knowing what ‘normal’ looks like is crucial for you to spot bad, abnormal activity. This principle applies to every dataset in your environment. Whether you’re working with network data, endpoint data, tool/system data, knowing what normal looks like will help you spot potential bad actors in your network.
Whether you plan to use Suricata logs/alerts independently or ship the data to a SIEM tool for additional analysis, there are numerous use-cases and benefits from having this tool in place.
Coming next: Using Zeek
The next article will walk through a popular open-source network monitoring tool called Zeek. Zeek has numerous uses but is commonly used for network monitoring and analysis of various protocols. We’ll walk through what Zeek is, how to use it and overview some popular use-cases for the tool.
Want to learn more? Take my Advanced Intrusion Detection courses in Infosec Skills.