One of the most difficult parts of learning how to use Suricata effectively is understanding the anatomy of a Suricata rule. While this is a nuanced topic that can take considerable time to master, having a basic understanding of what Suricata rules are and how to write one makes the more detailed resources on the topic much easier to follow. Let’s look at the basics of Suricata rules and protocols.
A rule in Suricata is essentially an instruction that defines what kind of network traffic to look for and what action to take if it's found. It's like a blueprint for Suricata to identify potential threats. Here's what the general Suricata rule format looks like:
- Protocol (e.g., TCP, UDP, ICMP)
- Source and Destination IP addresses/subnets
- Source and Destination Ports
- Direction of traffic (incoming, outgoing, or both)
- Payload content: Matching specific strings or patterns within the data portion of the packet.
- TCP flags: Analyzing specific flags set in the TCP header for certain behaviors.
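To make the anatomy above concrete, here is a small added example (not code from the original post or from Stamus Networks) that parses a constructed Suricata rule into the header fields listed above (action, protocol, source and destination addresses and ports, direction) and its option keywords, including the payload `content` matches and the TCP `flags` option. The sample rule, its sid, and the helper names are assumptions made for illustration.

```python
import re

# Constructed sample rule for illustration (not from the original post):
# alert on an HTTP GET for a given path from the internal network outbound.
SAMPLE_RULE = (
    'alert tcp $HOME_NET any -> $EXTERNAL_NET 80 '
    '(msg:"EXAMPLE Suspicious path request"; flow:established,to_server; '
    'flags:PA; content:"GET"; http_method; content:"/suspicious.php"; '
    'http_uri; classtype:bad-unknown; sid:1000001; rev:1;)'
)

# Rule header: action proto src src_port direction dst dst_port (options)
HEADER_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<src_port>\S+)\s+'
    r'(?P<direction>->|<>)\s+(?P<dst>\S+)\s+(?P<dst_port>\S+)\s*\((?P<options>.*)\)\s*$'
)

def split_options(body):
    """Split the option body on ';', honouring quotes and backslash escapes
    so a ';' or '"' inside a content match does not break the parse."""
    opts, cur, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:                      # char after a backslash is literal
            cur.append(ch); escaped = False; continue
        if ch == '\\':
            cur.append(ch); escaped = True; continue
        if ch == '"':
            in_quote = not in_quote
        if ch == ';' and not in_quote:   # option terminator
            opts.append(''.join(cur).strip()); cur = []
        else:
            cur.append(ch)
    if ''.join(cur).strip():
        opts.append(''.join(cur).strip())
    # keyword:value pairs; bare keywords (e.g. http_uri) get value None
    return [(k.strip(), v.strip() or None) for k, _, v in
            (o.partition(':') for o in opts)]

def parse_rule(rule):
    """Return a dict of header fields plus a list of (keyword, value) options."""
    m = HEADER_RE.match(rule.strip())
    if not m:
        raise ValueError("not a valid Suricata rule header")
    parsed = m.groupdict()
    parsed['options'] = split_options(parsed['options'])
    return parsed

def content_matches(parsed):
    """Payload strings the rule looks for, with the surrounding quotes removed."""
    return [v.strip('"') for k, v in parsed['options'] if k == 'content']
```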
Writing your own Suricata rules can be tricky. For beginners, we recommend reading “The Security Analyst’s Guide to Suricata” by Stamus Networks to get a better understanding of the process of writing custom Suricata rules.
When practicing, you could also use a Suricata rule generator. Some Suricata rule generators have been developed and released on GitHub, but we recommend using the Suricata Language Server.
The Suricata Language Server™ (SLS) adds rule (also known as signature) syntax checking, rule-writing hints, auto-completion, and performance guidance to your preferred editor. An open-source project developed and supported by Stamus Networks, SLS helps Suricata users write better, more effective, and more advanced rules.
You can learn more about SLS by reading this blog post.
Suricata can handle a wide range of protocols to effectively monitor and analyze network traffic for suspicious activity, including but not limited to:
Basic Protocols:
Application Layer Protocols (Layer 7):
Other Supported Protocols:
This is not an exhaustive list, but it highlights the most common protocols Suricata can work with. For a more complete list of the protocols Suricata supports, please visit the Suricata user docs or the Suricata GitHub.
No, like many other network security monitoring tools, Suricata itself does not have a graphical user interface (GUI). It's primarily a command-line tool with configuration files for customization. However, those desiring a web-based management experience with a dedicated user interface to see Suricata dashboards and create custom Suricata rules should consider downloading SELKS by Stamus Networks.
SELKS is a turn-key Suricata-based IDS/NSM and threat-hunting system. It is available either as a live and installable Debian-based ISO or via Docker Compose on any Linux operating system.
SELKS is made up of the following major components:
In addition, SELKS also includes Arkime, EveBox, and CyberChef.
SELKS is an incredibly powerful and effective way to begin learning Suricata, and for many small-to-medium-sized organizations, hobbyists, and educational settings, SELKS functions as a production-grade NSM and IDS solution.
To download SELKS or learn more, please visit www.stamus-networks.com/selks
To begin learning more about Suricata, we recommend downloading the open-source book published by Stamus Networks titled “The Security Analyst’s Guide to Suricata” — the first practical guide to threat detection and hunting using Suricata, the world’s most popular open-source network security engine.
Written for security operations center (SOC) analysts and threat hunters who use Suricata to gain insights into what is taking place on their networks, the book provides vital information on entry points and an in-depth analysis of the most important Suricata features.
To be notified of new blog posts and other news, make sure to subscribe to the Stamus Networks blog, follow us on Twitter, LinkedIn, and Facebook, or join our Discord.