Learning Suricata takes time and patience, and one of the more daunting tasks for beginners is learning how to write Suricata rules and signatures. In this blog post, we will provide a cursory overview of this process, though we recommend viewing additional resources for a more technical explanation. First, let’s review how Suricata works.
How does Suricata work?
Simply put, Suricata works by monitoring traffic and issuing alerts whenever that traffic matches the Suricata signatures of a known threat. Here is a more detailed breakdown:
- 1. Network Traffic Acquisition: Suricata captures packets from a designated network interface in promiscuous mode, so it sees every packet on that segment regardless of its intended recipient. It can also read packets from a pcap file, or take them from an inline hook such as NFQUEUE when deployed as an IPS.
- 2. Packet Parsing and Analysis: A capture method (AF_PACKET, PF_RING, DPDK, Netmap or libpcap) hands Suricata raw packets, which it decodes into headers, payloads, and protocol-specific data structures.
- 3. Signature Matching: Suricata loads a rule set, or signature database, whose Suricata signatures describe patterns of network activity associated with known threats. A fast multi-pattern matcher first selects the candidate rules for each packet, and only those are fully evaluated against the decoded data.
- 4. Deep Packet Inspection: Beyond the headers, Suricata's application-layer parsers (enabled by default for protocols such as HTTP, TLS, DNS and SMB) decode the payload, so rules can match on protocol fields such as an HTTP host or a TLS server name. This detects threats hidden in the data and also yields a rich set of network security monitoring (NSM) records (flow, protocol transaction and file logs) even when no rule fires.
- 5. Action and Logging: When a rule matches, Suricata takes the action that rule specifies: writing an alert to its EVE JSON log (eve.json) for security personnel to investigate, passing the traffic, or dropping or rejecting it if Suricata is deployed in Intrusion Prevention System (IPS) mode.
The effectiveness of Suricata depends on two main factors:
- Maintained Rule Sets: The signature database requires regular updates to incorporate the latest threats. Fortunately, Suricata benefits from a community that actively contributes to maintaining and expanding the available signatures.
- Configuration and Customization: Suricata offers a high degree of configurability. Security teams can tailor its operation to focus on specific network traffic types or ports. They can even develop custom rules to address unique threats specific to their network environment.
What protocols are used in Suricata?
Suricata can handle a wide range of protocols to effectively monitor and analyze network traffic for suspicious activity, including but not limited to:
Basic Protocols:
- TCP (Transmission Control Protocol)
- UDP (User Datagram Protocol)
- ICMP (Internet Control Message Protocol)
- IP (Internet Protocol)
Application Layer Protocols (Layer 7):
- HTTP (Hypertext Transfer Protocol)
- HTTP/2
- FTP (File Transfer Protocol)
- TLS/SSL (Transport Layer Security/Secure Sockets Layer)
- SMB (Server Message Block)
- DNS (Domain Name System)
Other Supported Protocols:
- DCERPC (Distributed Computing Environment Remote Procedure Call)
- DHCP (Dynamic Host Configuration Protocol)
- SSH (Secure Shell)
- and many more
This is not an exhaustive list, but it highlights the most common protocols Suricata can work with. For a more complete list of which protocols are used in Suricata, please visit the Suricata user docs or the Suricata GitHub.
How do you write rules in Suricata?
A Suricata rule is essentially an instruction that defines what kind of network traffic to look for and what action to take if it is found: a blueprint for Suricata to identify potential threats. Every rule is a single line of the form action protocol source_ip source_port direction destination_ip destination_port (options), and its parts are:
- Action: This specifies what Suricata should do when it encounters traffic matching the rule's criteria. The actions are alert (log the event and raise an alert), pass (stop inspecting the packet), drop (silently discard it, which only takes effect when Suricata runs in Intrusion Prevention System mode) and reject (discard it and send a TCP RST or ICMP unreachable to the sender), plus the rejectsrc, rejectdst and rejectboth variants that choose which side is notified.
- Header: This section defines the characteristics of the network traffic Suricata should focus on. It can specify elements like:
- Protocol: (e.g., TCP, UDP, ICMP)
- Source and Destination IP addresses/subnets
- Source and Destination Ports
- Direction of traffic: -> matches only traffic flowing from the source side to the destination side, while <> matches either direction
- Options: This section, enclosed in parentheses with each keyword terminated by a semicolon, adds the conditions Suricata evaluates once the header matches. Every rule should carry msg (the alert text), sid (a unique signature id; by convention 1000000 and above is reserved for local rules) and rev (the rule revision). Typical further keywords include:
- Payload content: content and pcre match specific strings or patterns within the data portion of the packet or reassembled stream, and sticky buffers such as http.host or dns.query restrict the match to one decoded protocol field.
- TCP flags: the flags keyword tests which flags are set in the TCP header (flags:S for a bare SYN), and flow keywords such as flow:established,to_server tie the match to the state and direction of the session.
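To make the anatomy above concrete, here is an added example, written for this post rather than taken from Suricata or Stamus Networks, that parses rule lines into their action, header and options and validates the parts every rule needs. The three rules in SAMPLE_RULES are constructed for illustration (the sids sit in the local range, the hostnames are placeholders): the first matches an HTTP Host header through the http.host sticky buffer, the second drops SYNs to a bracketed port list once a source exceeds a threshold, and the third matches a DNS query whose msg contains a quoted semicolon, to show that quoting protects it from being read as an option separator.

```python
"""Parse Suricata rules into action, header and options.

Added example for this post, not Suricata's own parser; it covers the common
layout shown above. SAMPLE_RULES is constructed: the sids are in the local
range, not real signature ids, and the hosts are placeholders.
"""
import re
from dataclasses import dataclass, field

ACTIONS = {"alert", "pass", "drop", "reject", "rejectsrc", "rejectdst", "rejectboth"}
DIRECTIONS = {"->", "<>"}          # one-way, or either direction
REQUIRED = ("msg", "sid", "rev")   # every rule should carry these

SAMPLE_RULES = """
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"LOCAL HTTP request to suspicious host"; flow:established,to_server; http.host; content:"bad.example"; nocase; sid:1000001; rev:1;)
drop tcp $EXTERNAL_NET any -> $HOME_NET [22, 2222] (msg:"LOCAL SSH scan"; flags:S; flow:to_server; threshold:type threshold, track by_src, count 5, seconds 60; sid:1000002; rev:2;)
alert dns any any -> any any (msg:"LOCAL DNS query for evil.example; sinkholed"; dns.query; content:"evil.example"; nocase; sid:1000003; rev:1;)
"""


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    direction: str
    dst: str
    dport: str
    options: list = field(default_factory=list)  # ordered (keyword, value or None)

    def option(self, key):  # value of the first option named key; None for flags like nocase
        return next((v for k, v in self.options if k == key), None)


def _split_header(header):
    """Split on whitespace, except inside [...] address/port lists (spaces there are dropped)."""
    tokens, depth = [""], 0
    for ch in header:
        depth += (ch == "[") - (ch == "]")
        if not ch.isspace():
            tokens[-1] += ch
        elif depth == 0 and tokens[-1]:
            tokens.append("")
    return [t for t in tokens if t]


def _split_options(body):
    """Split on ';' outside double quotes, honouring backslash escapes."""
    opts, cur, quoted, escaped = [], "", False, False
    for ch in body:
        if escaped:
            cur, escaped = cur + ch, False
        elif ch == "\\":
            cur, escaped = cur + ch, True
        elif ch == ";" and not quoted:
            opts.append(cur.strip())
            cur = ""
        else:
            quoted ^= ch == '"'
            cur += ch
    if cur.strip():
        raise ValueError("option not terminated by ';': " + cur.strip())
    return [o for o in opts if o]


def parse_rule(text):
    """Parse one rule line; raise ValueError with the reason if it is malformed."""
    m = re.match(r"^(.*?)\s*\((.*)\)\s*$", text.strip(), re.S)
    if not m:
        raise ValueError("options must be enclosed in parentheses")
    tokens = _split_header(m.group(1))
    if len(tokens) != 7:
        raise ValueError(f"header needs 7 fields, got {len(tokens)}")
    action, proto, src, sport, direction, dst, dport = tokens
    if action not in ACTIONS:
        raise ValueError(f"unknown action '{action}'")
    if direction not in DIRECTIONS:
        raise ValueError(f"bad direction '{direction}' (use -> or <>)")
    options = []
    for opt in _split_options(m.group(2)):
        key, sep, value = opt.partition(":")
        key, value = key.strip(), value.strip()
        if sep and len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]           # unquote msg/content style values
        options.append((key, value if sep else None))
    missing = [k for k in REQUIRED if k not in dict(options)]
    if missing:
        raise ValueError("missing required option(s): " + ", ".join(missing))
    return Rule(action, proto, src, sport, direction, dst, dport, options)


def rule_error(text):
    """Return why a rule line fails to parse, or None if it is valid."""
    try:
        parse_rule(text)
    except ValueError as exc:
        return str(exc)
    return None


def load_rules(text):
    lines = (ln.strip() for ln in text.splitlines())
    return [parse_rule(ln) for ln in lines if ln and not ln.startswith("#")]
```

Run it over your own local rules with load_rules(open("local.rules").read()); rule_error() gives the reason a line is rejected, a rough stand-in for the syntax check the Suricata Language Server performs in your editor, and a missing trailing semicolon or a mistyped direction operator are exactly the mistakes it catches.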
Writing your own Suricata rules can be tricky. For beginners, we recommend reading “The Security Analyst’s Guide to Suricata” by Stamus Networks to get a better understanding of the process of writing custom Suricata rules.
When practicing, you could also use a Suricata rule generator. Some Suricata rule generators have been developed and released on GitHub, but we recommend using the Suricata Language Server.
The Suricata Language Server™ (SLS) adds rule (also known as signature) syntax checking, rule-writing hints, auto-completion, and performance guidance to your preferred editor. An open-source project developed and supported by Stamus Networks, SLS helps Suricata users write better, more effective, and more advanced rules.
You can learn more about SLS by reading this blog post.
Can Suricata block traffic?
Yes, you can block traffic when using Suricata IPS mode, meaning Suricata can be configured upon setup to actively block unwanted traffic. When in IPS mode, Suricata can perform actions such as:
- Dropping packets: a rule with the drop action discards the matching packet and flags the flow so that its remaining packets are dropped as well, so the malicious traffic never reaches its intended destination on your network.
- Resetting connections: a reject rule discards the packet and also sends a TCP RST (or an ICMP unreachable message for UDP) so the endpoints tear the connection down.
- Rate limiting: a rate_filter entry in threshold.config can switch a rule's action, for example from alert to drop, once a source exceeds a given count within a time window, which throttles scanning or flood traffic from that source.
For Suricata to block traffic in IPS mode it must be deployed "inline" on your network, so that traffic flows through Suricata and it can analyze and drop malicious packets before they reach your internal systems. Suricata supports several inline capture methods: AF_PACKET in IPS (copy) mode bridging two interfaces, NFQUEUE fed by iptables or nftables rules, Netmap and IPFW. Suricata's ability to handle high-volume traffic efficiently is a big advantage. Its native multi-threading architecture allows it to process traffic faster compared to some other open-source tools like Zeek. This makes Suricata a good choice for networks with heavy traffic loads.
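The quickest way to confirm that an inline sensor is really blocking is the alert.action field in its EVE JSON output, which reads "blocked" when the packet was dropped and "allowed" when it was forwarded. The following is an added example for this post, not Suricata or Stamus Networks code: it reads eve.json-style lines, summarises alerts per signature and action, and lists drop rules whose packets were still allowed through. The records in SAMPLE_EVE are constructed to mimic EVE alert entries (field names follow Suricata's EVE alert schema); the addresses, sids and timestamps are placeholders, and the last record is built to show a drop rule reported as allowed, which in practice points at a sensor running in IDS mode or a match made on reassembled stream data after the packets had already been forwarded.

```python
"""Triage Suricata EVE JSON alerts and verify that drop rules really blocked.

Added example for this post, not Suricata or Stamus Networks code. SAMPLE_EVE
is constructed to mimic eve.json records (field names follow the EVE alert
schema); the addresses, sids and timestamps are placeholders.
"""
import json
from collections import Counter

# sids of rules whose action is 'drop' in the loaded rule set (made up here).
DROP_SIDS = {1000002}

SAMPLE_EVE = """\
{"timestamp":"2024-05-01T10:00:00.000000+0000","event_type":"alert","src_ip":"203.0.113.5","src_port":51515,"dest_ip":"10.0.0.12","dest_port":22,"proto":"TCP","alert":{"action":"blocked","gid":1,"signature_id":1000002,"rev":2,"signature":"LOCAL SSH scan","category":"Attempted Information Leak","severity":2}}
{"timestamp":"2024-05-01T10:00:00.200000+0000","event_type":"alert","src_ip":"203.0.113.5","src_port":51516,"dest_ip":"10.0.0.12","dest_port":2222,"proto":"TCP","alert":{"action":"blocked","gid":1,"signature_id":1000002,"rev":2,"signature":"LOCAL SSH scan","category":"Attempted Information Leak","severity":2}}
{"timestamp":"2024-05-01T10:00:01.000000+0000","event_type":"alert","src_ip":"10.0.0.7","src_port":44321,"dest_ip":"198.51.100.9","dest_port":80,"proto":"TCP","app_proto":"http","alert":{"action":"allowed","gid":1,"signature_id":1000001,"rev":1,"signature":"LOCAL HTTP request to suspicious host","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2024-05-01T10:00:02.000000+0000","event_type":"flow","src_ip":"10.0.0.7","src_port":44321,"dest_ip":"198.51.100.9","dest_port":80,"proto":"TCP","app_proto":"http"}
{"timestamp":"2024-05-01T10:00:03.000000+0000","event_type":"alert","src_ip":"203.0.113.77","src_port":40000,"dest_ip":"10.0.0.12","dest_port":22,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":1000002,"rev":2,"signature":"LOCAL SSH scan","category":"Attempted Information Leak","severity":2}}
"""


def parse_alerts(text):
    """Return the event_type == 'alert' records from EVE JSON lines, skipping the rest."""
    alerts = []
    for line in text.splitlines():
        if line.strip():
            rec = json.loads(line)
            if rec.get("event_type") == "alert":
                alerts.append(rec)
    return alerts


def summarise(alerts):
    """Count alerts per (sid, signature, action): the first thing to check after adding a rule."""
    return Counter((a["alert"]["signature_id"], a["alert"]["signature"], a["alert"]["action"])
                   for a in alerts)


def unblocked_drops(alerts, drop_sids=DROP_SIDS):
    """Alerts from drop rules that Suricata reports as 'allowed'.

    On an inline sensor these should not occur; if they do, the sensor is
    probably not inline (IDS mode), or the match came from reassembled
    stream data after the packets had already been forwarded.
    """
    return [a for a in alerts
            if a["alert"]["signature_id"] in drop_sids and a["alert"]["action"] != "blocked"]


def top_sources(alerts, sid, n=3):
    """Most frequent source IPs for one signature, a quick scan/abuse check."""
    return Counter(a["src_ip"] for a in alerts
                   if a["alert"]["signature_id"] == sid).most_common(n)


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_EVE)
    for (sid, sig, action), n in sorted(summarise(alerts).items()):
        print(f"{sid} {action:8} {n:3} {sig}")
    for a in unblocked_drops(alerts):
        print("NOT BLOCKED:", a["src_ip"], "->", a["dest_ip"], a["alert"]["signature"])
```

On a real sensor, feed it the contents of eve.json and fill DROP_SIDS from the sids of your drop rules; an empty result from unblocked_drops() is the evidence you want before trusting a drop rule in production.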
Learn More About Suricata
To begin learning more about Suricata, we recommend downloading the open-source book published by Stamus Networks titled “The Security Analyst’s Guide to Suricata” — the first practical guide to threat detection and hunting using Suricata, the world’s most popular open-source network security engine.
Written for security operations center (SOC) analysts and threat hunters who use Suricata to gain insights into what is taking place on their networks, the book provides vital information on entry points and an in-depth analysis of the most important Suricata features.
To be notified of new blog posts and other news, make sure to subscribe to the Stamus Networks blog, follow us on Twitter, LinkedIn, and Facebook, or join our Discord.