As we celebrate the first week after launching our new book “The Security Analyst’s Guide to Suricata” – with a strong positive response at Suricon 2022 in Athens and hundreds of electronic copies downloaded so far – we have received a number of inquiries asking why we decided to write a book about Suricata in the first place.
The answer is actually pretty simple. We train hundreds of Suricata users in workshops and webinars every year on behalf of both the Open Information Security Foundation (OISF) and NATO. In facilitating these training sessions, we realized that a large number of security professionals were familiar with Suricata but did not know the extent of its capabilities. In our experience, even veteran Suricata users were not equipped to get the most out of their deployments, and many of the users we met were unaware of features that we know to be incredibly valuable.
Stamus Networks is a proud and loyal Suricata user; in fact, it is the foundation of our commercial next-gen network detection and response (NDR) solution — Stamus Security Platform — as well as our free, turn-key, and open-source Suricata offering, SELKS. Our company and our team have been firmly rooted in the Suricata community since its inception 12 years ago.
To us, writing a book about Suricata to help the security practitioner get the most out of Suricata seemed like an excellent way to give back to the community that has been so kind to us. And developing that book as an open-source project was a natural decision so that it can evolve and change as Suricata does.
In the spirit of open source, we wanted to share our knowledge to help cybersecurity professionals better defend their individual organizations and create a more secure cyberspace for all.
For example, many users are unaware that the Suricata engine can produce protocol transaction logs and flow records – either independent of IDS alerts or fully correlated with them. Every EVE JSON record written for a connection carries the same flow_id, so an alert can be tied back to the HTTP, DNS, TLS, file and flow records of the session that triggered it, and the same records can be queried on their own when no signature fired. These can be incredibly powerful for security analysts during an incident investigation or a threat hunt.
Modern attackers are using advanced techniques to bypass legacy detection systems. Security professionals should be using every advantage they can get to defend their organizations.
In this book we have included information that we feel is vital for beginners who have just started their Suricata journey and for Suricata veterans who wish to do more with the engine than they ever thought possible. Here are just a few examples of the insights we believe readers will take away from “The Security Analyst’s Guide to Suricata”:
- Suricata can provide deep insights into Windows host activities from network traffic alone, without endpoint agents or access to the host logs
- Modern Suricata does much more than signature-based threat detection: it can simultaneously produce protocol and file transaction logs and flow records, and extract PCAPs and files – either independent of IDS alerts or fully correlated with them
- Suricata can provide significant visibility into network activity even when the traffic is mostly TLS-encrypted
- Suricata signatures can be written more effectively to provide predictable performance
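To make the "independent of alerts or fully correlated with them" point concrete, here is an added Python example; it is not code from the book, from Suricata or from Stamus Networks. It assumes only the standard EVE JSON layout (newline-delimited records, each with event_type, flow_id and the 5-tuple). The six records below are hand-written to mimic eve.json and are not real captured data; the signature ID, hostnames and addresses are placeholders. The script joins records on flow_id to attach the HTTP, file and flow records of a session to the alert raised on it, lists the flows that logged protocol activity without any alert, and runs a signature-free hunt for executables downloaded over HTTP.

```python
"""Join Suricata EVE JSON records on flow_id.

Added illustration; not code from the book, Suricata or Stamus Networks.
Assumes only the documented EVE JSON shape: every record carries
"event_type", "flow_id", "timestamp" and the 5-tuple. SAMPLE_EVE is a
constructed stand-in for eve.json, not real traffic.
"""
import json
from collections import defaultdict

# Constructed sample records (hand-written to look like eve.json output).
# Signature ID 9000001, the hostnames and the addresses are placeholders.
SAMPLE_EVE = r'''
{"timestamp":"2022-11-10T09:12:01.000000+0000","flow_id":1001,"event_type":"dns","src_ip":"10.0.0.5","src_port":51234,"dest_ip":"10.0.0.53","dest_port":53,"proto":"UDP","dns":{"type":"query","rrname":"update.example.test","rrtype":"A"}}
{"timestamp":"2022-11-10T09:12:02.000000+0000","flow_id":2002,"event_type":"http","src_ip":"10.0.0.5","src_port":51235,"dest_ip":"203.0.113.7","dest_port":80,"proto":"TCP","http":{"hostname":"update.example.test","url":"/agent.exe","http_method":"GET","status":200}}
{"timestamp":"2022-11-10T09:12:02.100000+0000","flow_id":2002,"event_type":"fileinfo","src_ip":"10.0.0.5","src_port":51235,"dest_ip":"203.0.113.7","dest_port":80,"proto":"TCP","fileinfo":{"filename":"/agent.exe","magic":"PE32 executable (GUI) Intel 80386, for MS Windows","size":48640}}
{"timestamp":"2022-11-10T09:12:02.200000+0000","flow_id":2002,"event_type":"alert","src_ip":"10.0.0.5","src_port":51235,"dest_ip":"203.0.113.7","dest_port":80,"proto":"TCP","alert":{"signature_id":9000001,"signature":"EXAMPLE Executable download over HTTP","severity":2}}
{"timestamp":"2022-11-10T09:12:05.000000+0000","flow_id":2002,"event_type":"flow","src_ip":"10.0.0.5","src_port":51235,"dest_ip":"203.0.113.7","dest_port":80,"proto":"TCP","flow":{"pkts_toserver":12,"pkts_toclient":40,"bytes_toserver":1400,"bytes_toclient":52000,"state":"closed"}}
{"timestamp":"2022-11-10T09:12:06.000000+0000","flow_id":3003,"event_type":"tls","src_ip":"10.0.0.5","src_port":51236,"dest_ip":"198.51.100.9","dest_port":443,"proto":"TCP","tls":{"sni":"cdn.example.test","version":"TLS 1.3"}}
'''


def parse_eve(text):
    """Parse newline-delimited EVE JSON, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def index_by_flow(records):
    """Group records by flow_id, the key every EVE record of one connection shares."""
    flows = defaultdict(list)
    for rec in records:
        flows[rec["flow_id"]].append(rec)
    return flows


def correlate_alerts(records):
    """The 'fully correlated' view: each alert plus the non-alert records
    (protocol transactions, fileinfo, flow summary) of the same connection."""
    flows = index_by_flow(records)
    correlated = []
    for rec in records:
        if rec["event_type"] != "alert":
            continue
        context = [r for r in flows[rec["flow_id"]] if r["event_type"] != "alert"]
        correlated.append({"alert": rec, "context": context})
    return correlated


def flows_without_alerts(records):
    """The 'independent of alerts' view: flows that logged protocol activity
    but never matched a signature. A hunt starts from these, not from alerts."""
    flows = index_by_flow(records)
    return {fid: recs for fid, recs in flows.items()
            if not any(r["event_type"] == "alert" for r in recs)}


def hunt_pe_downloads(records):
    """Signature-free hunt: fileinfo records whose libmagic type says PE,
    enriched with the HTTP hostname seen on the same flow, if any.
    The "magic" field is only present when Suricata was built with libmagic
    and magic lookups are enabled for file logging."""
    flows = index_by_flow(records)
    hits = []
    for rec in records:
        if rec["event_type"] != "fileinfo":
            continue
        if not rec["fileinfo"].get("magic", "").startswith("PE32"):
            continue
        hostname = next((r["http"].get("hostname")
                         for r in flows[rec["flow_id"]] if r["event_type"] == "http"), None)
        hits.append({"flow_id": rec["flow_id"],
                     "filename": rec["fileinfo"]["filename"],
                     "hostname": hostname,
                     "dest_ip": rec["dest_ip"]})
    return hits


if __name__ == "__main__":
    recs = parse_eve(SAMPLE_EVE)
    for item in correlate_alerts(recs):
        a = item["alert"]["alert"]
        print(f"alert {a['signature_id']} '{a['signature']}' on flow {item['alert']['flow_id']}")
        for ctx in item["context"]:
            print(f"  {ctx['event_type']}: {json.dumps(ctx[ctx['event_type']])}")
    print("flows with protocol logs but no alert:", sorted(flows_without_alerts(recs)))
    print("PE downloads over HTTP (no signature needed):", hunt_pe_downloads(recs))
```

On a live sensor the same functions apply to eve.json read line by line; the only requirement is that the eve-log output has the relevant record types (alert, http, dns, tls, fileinfo, flow) enabled in suricata.yaml.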
This book, which we hope will be an evolving collection of practical guidance on maximizing the potential of Suricata, is a tool that we believe every security analyst using Suricata should have access to.
While we do not seek to replace the Suricata manual, we are hopeful that this book will become known for the value it brings to SOC analysts and threat hunters in their daily use of Suricata.
We wrote the initial collection based on our own experiences, but we are excited to see contributions in the future from other Suricata experts around the world. To view the “source code” and make comments or contributions, visit the book’s GitHub repository.
To download a PDF or eReader version of “The Security Analyst’s Guide to Suricata”, visit this page from Stamus Networks.
Interested in leveling up your Suricata? Learn more about simplifying Suricata with Stamus Security Platform.