
Does Suricata Have a Web Interface?

by Dallon Robinette | Jan 29, 2024 | Back to Basics

Suricata is a powerful open-source network security tool. One of its disadvantages, however, is its lack of a built-in web interface. While this decision was intentional to allow Suricata users to configure their Suricata deployment however they like, it does create a barrier to entry for some less technical users. Thankfully, solutions are available.

In this blog post, we will explore how SELKS by Stamus Networks offers a user-friendly web-based management system with Suricata at its core. We will also address some common questions surrounding Suricata’s deployment: is it network-based or host-based? And what’s the difference between its roles as an Intrusion Detection System (IDS) and an Intrusion Prevention System (IPS)?

Does Suricata Have a Web Interface?

No, Suricata itself does not have a built-in web interface. It runs as a daemon configured through its YAML configuration file (suricata.yaml) and is controlled from the command line or, at runtime, through its Unix command socket; its output is log files such as EVE JSON rather than dashboards. Those who want a web-based management experience with Suricata dashboards should consider downloading SELKS by Stamus Networks.

SELKS is a turn-key Suricata-based IDS/NSM and threat-hunting system. It is available either as a live and installable Debian-based ISO or through Docker Compose on any Linux distribution.

SELKS is comprised of the following major components:

  • Suricata - the detection engine itself, preconfigured and ready to run
  • Elasticsearch - search engine and storage for Suricata's EVE JSON events
  • Logstash - log ingestion (ships Suricata's EVE output into Elasticsearch)
  • Kibana - custom dashboards and event exploration
  • Stamus Community Edition (CE) - Suricata ruleset management and Suricata threat-hunting interface

In addition, SELKS also includes Arkime, EveBox, and CyberChef.

SELKS is a powerful and effective way to begin learning Suricata, and for many small-to-medium sized organizations, hobbyists, and educational settings it functions as a production-grade NSM and IDS solution.

To download SELKS or learn more, please visit www.stamus-networks.com/selks

You can also download SELKS on GitHub at https://github.com/StamusNetworks/SELKS

What is Scirius?

Scirius, now known as Stamus Community Edition (Stamus CE), is a web interface developed by Stamus Networks for managing Suricata rulesets and for threat hunting. It is offered as an open-source application under the GNU GPLv3 license [1, 4].

Here's a breakdown of what Scirius (Stamus CE) can do:

  • Manage multiple Suricata rulesets and threat intelligence sources.
  • Upload and manage custom Suricata rules and Indicators of Compromise (IoC) data files.
  • Facilitate threat hunting through predefined filters and enhanced contextual views.
  • Apply thresholding and suppression to reduce overwhelming alerts from noisy sources.
  • View Suricata performance statistics and information about Suricata rule activity.
  • Integrate with other security tools for further analysis, such as Kibana, EveBox, and CyberChef.

Scirius (Stamus CE) acts as a central hub for managing Suricata's threat detection capabilities, allowing you to customize rules, hunt for threats, and gain insights into Suricata's performance.

It is included as the central GUI and Suricata manager in SELKS.
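The thresholding and suppression mentioned in the list above are Suricata features that Stamus CE exposes through its interface; what they actually do is easiest to see by running the logic over alert data. The following Python script is an added example, not code from Suricata, SELKS or Stamus CE: it parses a small fragment written in the syntax of Suricata's threshold.config and applies the documented semantics of `limit` (at most N alerts per window), `threshold` (one alert per N hits), `both` (one alert per window once N hits are reached) and `suppress ... ip` to constructed EVE JSON alert records. The SIDs, hosts, signature names and the EVE lines themselves are made up for the example; the script is a simulation of the semantics, not a reimplementation of Suricata's engine.

```python
"""Simulate Suricata threshold.config (limit / threshold / both / suppress)
over EVE JSON alert records.  Added example, not Suricata or Stamus code."""
import json
from collections import namedtuple
from datetime import datetime

def _eve_alert(ts, src, sid, msg):
    """Build a minimal EVE JSON alert line (constructed sample data)."""
    return json.dumps({"timestamp": ts, "event_type": "alert", "src_ip": src,
                       "dest_ip": "10.0.0.9",
                       "alert": {"gid": 1, "signature_id": sid, "signature": msg}})

# Constructed sample: ten hits of sid 2000001 from 10.0.0.5 within 45 s, then
# sid 2000002 from an authorized scanner (10.0.0.7) and an unknown host (10.0.0.8).
# SIDs, hosts and signature names are hypothetical.
SAMPLE_EVE_LINES = [
    _eve_alert(f"2024-01-29T10:00:{s:02d}.000000+0000", "10.0.0.5", 2000001,
               "HYPOTHETICAL noisy scan probe") for s in range(0, 50, 5)
] + [
    _eve_alert("2024-01-29T10:01:00.000000+0000", src, 2000002,
               "HYPOTHETICAL vuln scanner user-agent") for src in ("10.0.0.7", "10.0.0.8")
]

# Constructed threshold.config fragment in Suricata's own syntax.
THRESHOLD_CONFIG = """\
# at most one alert per source per 60 s for the noisy probe signature
threshold gen_id 1, sig_id 2000001, type limit, track by_src, count 1, seconds 60
# never alert on sid 2000002 when the source is the authorized scanner
suppress gen_id 1, sig_id 2000002, track by_src, ip 10.0.0.7
"""

Suppress = namedtuple("Suppress", "gid sid track ip")                    # track: by_src | by_dst
Threshold = namedtuple("Threshold", "gid sid type track count seconds")  # type: limit | threshold | both

def parse_threshold_config(text):
    """Parse the 'threshold ...' and 'suppress ... ip' forms of threshold.config."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        kind, rest = line.split(None, 1)
        kv = dict(part.split() for part in rest.split(","))
        if kind == "suppress":
            rules.append(Suppress(int(kv["gen_id"]), int(kv["sig_id"]), kv["track"], kv["ip"]))
        elif kind == "threshold":
            rules.append(Threshold(int(kv["gen_id"]), int(kv["sig_id"]), kv["type"],
                                   kv["track"], int(kv["count"]), int(kv["seconds"])))
        else:
            raise ValueError(f"unsupported threshold.config line: {line}")
    return rules

class AlertFilter:
    """Stateful filter: accept(event) is True when the alert should be emitted."""

    def __init__(self, rules):
        self.suppress = [r for r in rules if isinstance(r, Suppress)]
        self.thresholds = {(r.gid, r.sid): r for r in rules if isinstance(r, Threshold)}
        self.windows = {}  # (gid, sid, tracked ip) -> [window start, hits in window]

    @staticmethod
    def _tracked_ip(event, track):
        return event["src_ip"] if track == "by_src" else event["dest_ip"]

    def accept(self, event):
        if event.get("event_type") != "alert":
            return True  # flow, http, dns ... records are never thresholded
        gid, sid = event["alert"]["gid"], event["alert"]["signature_id"]
        for s in self.suppress:
            if (s.gid, s.sid) == (gid, sid) and self._tracked_ip(event, s.track) == s.ip:
                return False
        rule = self.thresholds.get((gid, sid))
        if rule is None:
            return True
        ts = datetime.strptime(event["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")
        key = (gid, sid, self._tracked_ip(event, rule.track))
        win = self.windows.get(key)
        if win is None or (ts - win[0]).total_seconds() >= rule.seconds:
            win = self.windows[key] = [ts, 0]  # no window yet, or it expired: start over
        win[1] += 1
        if rule.type == "limit":      # the first `count` hits per window are emitted
            return win[1] <= rule.count
        if rule.type == "threshold":  # every `count`-th hit per window is emitted
            return win[1] % rule.count == 0
        if rule.type == "both":       # one alert per window, on the `count`-th hit
            return win[1] == rule.count
        raise ValueError(f"unknown threshold type {rule.type}")

def filter_eve(lines, config_text):
    """Apply a threshold.config fragment to EVE JSON lines; return the kept events."""
    flt = AlertFilter(parse_threshold_config(config_text))
    return [ev for ev in map(json.loads, lines) if flt.accept(ev)]

if __name__ == "__main__":
    for ev in filter_eve(SAMPLE_EVE_LINES, THRESHOLD_CONFIG):
        print(ev["timestamp"], ev["src_ip"], ev["alert"]["signature_id"], ev["alert"]["signature"])
```

With the sample configuration, the ten probe alerts from 10.0.0.5 collapse to the single first alert of the 60-second window, the scanner alert from the authorized host is dropped entirely, and the same signature from the unknown host still comes through. Swapping `type limit, count 1` for `type both, count 3, seconds 20` changes the behaviour to one alert per 20-second window only once three hits have accumulated, which is the form usually chosen for scan and brute-force signatures.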

Is Suricata network-based or host-based?

Suricata is primarily a network-based intrusion detection system, although it can also be run on a single host. This means it is designed to monitor the traffic crossing a network, rather than focusing on individual devices. SELKS by Stamus Networks uses Suricata in a network-based configuration.

There are three main reasons Suricata excels as a network-based IDS:

  • Network Traffic Visibility: Suricata sits at a strategic point on your network, typically fed by a network tap or a SPAN (mirror) port. It captures and analyzes all traffic flowing through that point, which gives a comprehensive view of network activity; note that the placement of that tap also decides what it can see, since traffic that never crosses it (for example, traffic between hosts on a switch segment that is not mirrored) stays invisible.
  • Threat Detection Capabilities: By analyzing network traffic patterns and comparing them against threat signatures, Suricata can identify malicious activity like malware downloads, intrusions, and network attacks.
  • Scalability and Efficiency: Suricata is designed to handle large volumes of network traffic efficiently. This makes it suitable for protecting even the most high-volume networks.

It is important to note that Suricata can technically be configured for a limited host-based IDS role in some scenarios. However, this is not its typical or recommended use for several reasons:

  • Limited Visibility: When deployed on a single host, Suricata can only monitor traffic to and from that specific device, offering a much narrower view of potential threats compared to network-wide monitoring.
  • Resource Consumption: Running Suricata on individual devices can consume significant system resources, potentially impacting device performance. This might not be ideal for resource-constrained systems.
  • Security Focus: Network-based IDS offers a more strategic approach to security. By monitoring the entire network, you can identify threats targeting any device on your network, not just the host running Suricata.

There are other host-based IDS options available that are specifically designed for this purpose and might be a better fit for individual device protection.

Is Suricata an IDS or IPS?

Depending on how it is deployed, Suricata can function as either an IDS or an IPS.

In IDS mode, Suricata continuously monitors your network traffic for suspicious activity, comparing it against its loaded ruleset: signatures from public or commercial rule sources (for example, the Emerging Threats Open ruleset, which suricata-update can install and keep current) plus any custom rules you write. If a packet or flow matches a rule, Suricata issues an alert, allowing you to investigate and take action.

IDS monitoring is passive compared to IPS: Suricata observes a copy of the traffic but never intervenes. This offers a valuable first line of defense, but some organizations might feel overwhelmed by the number of alerts and by false positives, since a human still has to sort through the alerts to find the serious and imminent threats.

You can also configure Suricata as an IPS. In IPS mode it does not just detect threats but actively blocks them. Suricata must then sit inline in the traffic path (on Linux, typically fed by NFQUEUE from the firewall or by AF_PACKET in IPS copy mode), and only rules whose action is drop (or reject) stop traffic; rules left as alert keep behaving exactly as they did in IDS mode. By analyzing traffic and comparing it against the rule set, Suricata can stop malicious attempts before they reach your systems. This is a more active strategy than IDS, but a false positive now blocks legitimate traffic, and if the Suricata process stops, an inline sensor can interrupt traffic on that path as well. Configuring Suricata as an IPS without unintended consequences therefore requires careful rule selection (normally starting from a tuned IDS deployment) and a deep understanding of the network it protects.
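The rule side of that transition, turning a tuned IDS ruleset into a cautious IPS ruleset, is small enough to show. The following Python script is an added example and is not the code of suricata-update (whose modify.conf is the usual production route for rewriting rule actions) or of Stamus CE. It parses a constructed sample ruleset, rewrites `alert` to `drop` only for SIDs on an explicit allow-list, refuses to convert rules whose header is `any any -> any any` (a heuristic of this example, on the grounds that such rules are too broad to block on), and reports allow-listed SIDs that were not found so that a typo does not silently leave a rule alerting. The SIDs, rule contents and messages are hypothetical, and the inline deployment itself (NFQUEUE or AF_PACKET copy mode) is outside what this script does.

```python
"""Turn an IDS ruleset into a cautious IPS ruleset: only explicitly listed SIDs
become 'drop'; everything else keeps alerting.  Added example, not the code of
suricata-update or Stamus CE."""
import re

ACTIONS = ("alert", "drop", "pass", "reject", "rejectsrc", "rejectdst", "rejectboth")
RULE_RE = re.compile(
    r"^(?P<action>" + "|".join(ACTIONS) + r")\s+(?P<proto>\S+)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s+"
    r"\((?P<opts>.*)\)\s*$")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")

# Constructed sample ruleset: syntax-valid Suricata rules with hypothetical
# SIDs, content and messages (not from ET Open or any other real ruleset).
SAMPLE_RULES = """\
# hypothetical ruleset
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"HYPOTHETICAL malware download"; flow:established,to_server; http.uri; content:"/payload.exe"; sid:2000010; rev:1;)
alert dns $HOME_NET any -> any 53 (msg:"HYPOTHETICAL suspicious TLD query"; dns.query; content:".xyz"; endswith; sid:2000011; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"HYPOTHETICAL SSH scan"; flags:S; threshold:type both,track by_src,count 20,seconds 60; sid:2000012; rev:1;)
alert tls any any -> any any (msg:"HYPOTHETICAL self-signed certificate"; tls.cert_subject; content:"CN=localhost"; sid:2000013; rev:1;)
#alert tcp any any -> any any (msg:"HYPOTHETICAL disabled rule"; sid:2000014; rev:1;)
"""

def parse_rule(line):
    """Return (action, proto, src, dst, sid) for a rule line, None for comments/blank lines."""
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    sid = SID_RE.search(m["opts"])
    if not sid:
        raise ValueError(f"rule without sid: {line.strip()}")
    return m["action"], m["proto"], m["src"], m["dst"], int(sid.group(1))

def convert_for_ips(rules_text, drop_sids):
    """Rewrite 'alert' to 'drop' for the SIDs in drop_sids.

    Returns (new_rules_text, report).  Rules whose header is 'any any -> any any'
    are left alerting even if listed (too broad to block safely; a heuristic of
    this example), and SIDs that were requested but not found are reported so a
    typo in the allow-list does not silently leave a rule in alert mode."""
    wanted, seen = set(drop_sids), set()
    out, converted, skipped_broad = [], [], []
    for line in rules_text.splitlines():
        parsed = parse_rule(line)
        if parsed is None:  # comment, blank, or a disabled '#alert ...' rule: keep verbatim
            out.append(line)
            continue
        action, _proto, src, dst, sid = parsed
        seen.add(sid)
        if sid in wanted and action == "alert":
            if src == "any" and dst == "any":
                skipped_broad.append(sid)
                out.append(line)
            else:
                out.append("drop " + line.strip()[len("alert"):].lstrip())
                converted.append(sid)
        else:
            out.append(line)  # not allow-listed, or already drop/pass/reject: unchanged
    report = {"converted": converted, "skipped_broad": skipped_broad,
              "missing": sorted(wanted - seen)}
    return "\n".join(out) + "\n", report

if __name__ == "__main__":
    text, report = convert_for_ips(SAMPLE_RULES, {2000010, 2000013, 2000099})
    print(text)
    print(report)
```

Run against the sample with the allow-list {2000010, 2000013, 2000099}, only the malware-download rule becomes `drop`; the self-signed-certificate rule is reported under `skipped_broad` and stays an alert, and 2000099 is reported as missing. The disabled rule and the comment survive untouched, which matters because a disabled rule that is accidentally re-enabled as `drop` is exactly the kind of surprise an inline deployment cannot afford.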

Learn More About Suricata

To begin learning more about Suricata, we recommend downloading the open-source book published by Stamus Networks titled “The Security Analyst’s Guide to Suricata” — the first practical guide to threat detection and hunting using Suricata, the world’s most popular open-source network security engine.

Written for security operations center (SOC) analysts and threat hunters who use Suricata to gain insights into what is taking place on their networks, the book provides vital information on entry points and an in-depth analysis of the most important Suricata features.

