One of the most difficult parts of learning how to effectively use Suricata is understanding the anatomy of a Suricata rule. While this is a nuanced topic that can take considerable time to execute perfectly, having a basic understanding of what Suricata rules are and how to write one can help inform more detailed resources on the topic. Let’s look at the basics of Suricata rules and protocols.
What is a rule in Suricata?
A rule in Suricata is essentially an instruction that defines what kind of network traffic to look for and what action to take if it's found. It's like a blueprint for Suricata to identify potential threats. Here's what the general Suricata rule format looks like:
- Action: This specifies what Suricata should do when it encounters traffic matching the rule's criteria. Common actions include logging the event, generating alerts, or even blocking the traffic (if Suricata is in Intrusion Prevention System mode).
- Header: This section defines the characteristics of the network traffic Suricata should focus on. It can specify elements like:
  - Protocol (e.g., TCP, UDP, ICMP)
  - Source and destination IP addresses/subnets
  - Source and destination ports
  - Direction of traffic (incoming, outgoing, or both)
- Options (optional): This section provides additional filters or conditions for Suricata to consider when evaluating traffic. It can include things like:
  - Payload content: matching specific strings or patterns within the data portion of the packet.
  - TCP flags: analysing specific flags set in the TCP header for certain behaviors.
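To make the action / header / options split concrete, here is an added example (illustrative code written for this post, not Suricata's own parser) that breaks a rule line into those three parts and rejects the layout mistakes a rule linter would catch: an unknown action, an option not closed by a semicolon, or a missing sid. The sample rules are constructed for the example and are not taken from any real ruleset.

```python
# Added example, not Suricata's own parser: splits a rule into action, header and options.
import re
ACTIONS = {"alert", "pass", "drop", "reject", "rejectsrc", "rejectdst", "rejectboth"}
# Header: action proto src src_port direction dst dst_port, then "(" options ")".
HEADER_RE = re.compile(
    r"^\s*(?P<action>\S+)\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$")

def split_options(text):
    """Split 'k:v; k2; ...' on ';' only outside double quotes (a \\" does not close one)."""
    opts, buf, in_quote, prev = [], [], False, ""
    for ch in text:
        if ch == '"' and prev != "\\":
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            opts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
        prev = ch
    if "".join(buf).strip():
        raise ValueError("last option is not terminated by ';'")
    parsed = []
    for opt in filter(None, opts):
        key, _, value = opt.partition(":")
        parsed.append((key.strip(), value.strip() or None))  # 'nocase' has no value
    return parsed

def option(rule, keyword):
    """Value of the first option with this keyword, or None if the rule lacks it."""
    return next((v for k, v in rule["options"] if k == keyword), None)

def parse_rule(line):
    """Parse one rule line into header fields and options; ValueError on layout errors."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("line does not follow 'action header (options;)' layout")
    if m["action"] not in ACTIONS:
        raise ValueError(f"unknown action {m['action']!r}")
    rule = {"action": m["action"], "protocol": m["proto"], "src": m["src"],
            "src_port": m["sport"], "direction": m["dir"], "dst": m["dst"],
            "dst_port": m["dport"], "options": split_options(m["opts"])}
    if option(rule, "sid") is None:
        raise ValueError("rule has no sid, so its alerts could not be attributed")
    return rule

# Constructed sample rules (not from any real ruleset); the second keeps a ';' inside msg.
SAMPLE_RULES = [
    'alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"Demo HTTP GET"; flow:established,to_server; content:"GET"; nocase; sid:1000001; rev:1;)',
    'drop dns $HOME_NET any -> any 53 (msg:"Demo DNS; semicolon inside"; dns.query; content:"demo.invalid"; sid:1000002; rev:1;)',
]
```

Note that the protocol field accepts an application-layer protocol such as `dns` as well as `tcp`, and that keyword-only options like `nocase` or `dns.query` come back with a `None` value.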
How do you write rules in Suricata?
Writing your own Suricata rules can be tricky. For beginners, we recommend reading “The Security Analyst’s Guide to Suricata” by Stamus Networks to get a better understanding of the process of writing custom Suricata rules.
When practicing, you could also use a Suricata rule generator. Some Suricata rule generators have been developed and released on GitHub, but we recommend using the Suricata Language Server.
The Suricata Language Server™ (SLS) adds rule (also known as signature) syntax checking, rule-writing hints, auto-completion, and performance guidance to your preferred editor. An open-source project developed and supported by Stamus Networks, SLS helps Suricata users write better, more effective, and more advanced rules.
You can learn more about SLS by reading this blog post.
What protocols are used in Suricata?
Suricata can handle a wide range of protocols to effectively monitor and analyze network traffic for suspicious activity, including but not limited to:
Basic Protocols:
- TCP (Transmission Control Protocol)
- UDP (User Datagram Protocol)
- ICMP (Internet Control Message Protocol)
- IP (Internet Protocol)
Application Layer Protocols (Layer 7):
- HTTP (Hypertext Transfer Protocol)
- HTTP/2
- FTP (File Transfer Protocol)
- TLS/SSL (Transport Layer Security/Secure Sockets Layer)
- SMB (Server Message Block)
- DNS (Domain Name System)
Other Supported Protocols:
- DCERPC (Distributed Computing Environment Remote Procedure Call)
- DHCP (Dynamic Host Configuration Protocol)
- SSH (Secure Shell)
- Many More
This is not an exhaustive list, but it highlights the most common protocols Suricata can work with. For a more complete list of which protocols are used in Suricata, please visit the Suricata user docs or the Suricata GitHub.
Is there a GUI for Suricata?
No, like many other network security monitoring tools, Suricata itself does not have a graphical user interface (GUI). It's primarily a command-line tool with configuration files for customization. However, those desiring a web-based management experience with a dedicated user interface to see Suricata dashboards and create custom Suricata rules should consider downloading SELKS by Stamus Networks.
SELKS is a turn-key Suricata-based IDS/NSM and threat-hunting system. It is available as either a live and installable Debian-based ISO or via Docker Compose on any Linux operating system.
SELKS consists of the following major components:
- Suricata - Ready to use Suricata
- Elasticsearch - Search engine
- Logstash - Log ingestion
- Kibana - Custom dashboards and event exploration
- Stamus Community Edition (CE) - Suricata ruleset management and Suricata threat hunting interface
In addition, SELKS also includes Arkime, EveBox, and CyberChef.
SELKS is an incredibly powerful and effective way to begin learning Suricata, and for many small-to-medium sized organizations, hobbyists, and educational settings SELKS functions as a production-grade NSM and IDS solution.
To download SELKS or learn more, please visit www.stamus-networks.com/selks
Learn More About Suricata
To begin learning more about Suricata, we recommend downloading the open-source book published by Stamus Networks titled “The Security Analyst’s Guide to Suricata” — the first practical guide to threat detection and hunting using Suricata, the world’s most popular open-source network security engine.
Written for security operations center (SOC) analysts and threat hunters who use Suricata to gain insights into what is taking place on their networks, the book provides vital information on entry points and an in-depth analysis of the most important Suricata features.
To be notified of new blog posts and other news, make sure to subscribe to the Stamus Networks blog, follow us on Twitter, LinkedIn, and Facebook, or join our Discord.