
Suricata is an incredibly powerful layer of defense for any organization seeking to include IDS, IPS, or NSM detections and data in their cybersecurity strategies. However, if you are new to Suricata and are unfamiliar with how Suricata rules and signatures work, it can be difficult to see how this open-source tool can benefit your organization.

 

This guide will provide an overview of Suricata, introduce the concept of Suricata rules and how they work, and answer other questions commonly asked by Suricata beginners.



Suricata Rules

What is Suricata in Cyber Security?

Suricata is a free, open-source cybersecurity tool that acts as both an Intrusion Detection System (IDS) and an Intrusion Prevention System (IPS). It is used by organizations all around the world to detect cyber threats and monitor networks for suspicious activity.


Suricata’s strength lies in its versatility. When tuned correctly, it is a high-performance tool that can handle large volumes of network traffic and generate vast amounts of network traffic data. It is also extremely flexible, offering deep analysis of various protocols and the ability to customize rule sets to fit your organization’s specific needs. Because it’s an open-source IDS/IPS, Suricata benefits from a large, active community that constantly develops and refines its capabilities.


Suricata works by analyzing network traffic and checking it against a database of existing rules, also called signatures. When traffic matches a signature, an alert is issued, signaling the user to initiate a response action. Suricata rule lists can be custom-made or imported from third-party sources.


Put simply, Suricata is a powerful and adaptable tool that provides a robust layer of defense for any organization’s network security strategy.

 

How does Suricata work?

Simply put, Suricata works by monitoring traffic and issuing alerts whenever that traffic matches the signature of a known threat. Here is a more detailed breakdown:

 

  1. Network Traffic Acquisition: Suricata operates in a sniffing or promiscuous mode on a designated network interface. This allows it to capture all network traffic flowing through that interface, regardless of its intended recipient.
  2. Packet Parsing and Analysis: Suricata employs packet capture libraries to collect network traffic in the form of raw data packets. It then utilizes packet parsing libraries to dissect these packets into headers, payloads, and protocol-specific data structures.
  3. Signature Matching: Suricata is programmed with a rule set or signature database. These signatures define patterns that match specific network activity associated with known threats. Suricata employs pattern-matching techniques to compare the extracted data from the packets against the signatures in the rule set.
  4. Deep Packet Inspection (Optional): Suricata can be configured for deep packet inspection (DPI). During DPI, Suricata examines the payload portion of the packet beyond the headers. This enables the detection of threats that might hide malicious content within the data while also providing a robust set of network security monitoring (NSM) data.
  5. Action and Logging: Upon detecting a match or anomaly, Suricata triggers pre-defined actions based on its configuration. These actions can include logging the event for further investigation, generating alerts for security personnel, or even blocking the traffic flow if Suricata is deployed in Intrusion Prevention System (IPS) mode.

 

The effectiveness of Suricata depends on two main factors:

 

  • Maintained Rule Sets: The signature database requires regular updates to incorporate the latest threats. Fortunately, Suricata benefits from a community that actively contributes to maintaining and expanding the available signatures.
  • Configuration and Customization: Suricata offers a high degree of configurability. Security teams can tailor its operation to focus on specific network traffic types or ports. They can even develop custom rules to address unique threats specific to their network environment.

 

What is a rule in Suricata?

A rule in Suricata is essentially an instruction that defines what kind of network traffic to look for and what action to take if it's found. It's like a blueprint for Suricata to identify potential threats. Here's what the general Suricata rule format looks like:

 

  • Action: This specifies what Suricata should do when it encounters traffic matching the rule's criteria. Common actions include logging the event, generating alerts, or even blocking the traffic (if Suricata is in Intrusion Prevention System mode).

  • Header: This section defines the characteristics of the network traffic Suricata should focus on. It can specify elements like:
    • Protocol: (e.g., TCP, UDP, ICMP)
    • Source and Destination IP addresses/subnets
    • Source and Destination Ports
    • Direction of traffic (incoming, outgoing, or both)

  • Options (Optional): This section provides additional filters or conditions for Suricata to consider when evaluating traffic. It can include things like:
    • Payload content: Matching specific strings or patterns within the data portion of the packet.
    • TCP flags: Analysing specific flags set in the TCP header for certain behaviors.
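To make the action / header / options layout concrete, here is a small parser that splits a rule into those three parts. This is an added example, not code from the page or from Stamus Networks; the sample rule, its sid and the host name it matches are constructed for illustration, and the parser does not expand variables such as $HOME_NET or validate option keywords.

```python
import re
from dataclasses import dataclass, field

# Added example, not code from the page or from Stamus Networks: splits a Suricata
# rule into the action, header and options described above. It covers the common
# layout only and does not expand $HOME_NET-style variables or check every keyword.
ACTIONS = {"alert", "pass", "drop", "reject", "rejectsrc", "rejectdst", "rejectboth"}
HEADER_RE = re.compile(
    r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$", re.S)

@dataclass
class SuricataRule:
    action: str
    protocol: str
    src: str
    sport: str
    direction: str
    dst: str
    dport: str
    options: list = field(default_factory=list)  # [(keyword, value or None), ...]

    def option(self, keyword):  # first value for keyword; None if absent or flag-only
        return next((v for k, v in self.options if k == keyword), None)

def split_options(body):
    """Split the option body on ';' but keep an escaped '\\;' inside a value."""
    parts, buf, i = [], [], 0
    while i < len(body):
        if body[i] == "\\" and i + 1 < len(body):  # copy the escape pair unchanged
            buf.append(body[i:i + 2]); i += 2; continue
        if body[i] == ";":
            parts.append("".join(buf).strip()); buf = []
        else:
            buf.append(body[i])
        i += 1
    parts.append("".join(buf).strip())
    return [p for p in parts if p]

def parse_rule(text):
    """Parse one rule; raises ValueError on a bad layout or an unknown action."""
    m = HEADER_RE.match(text.strip())
    if not m or m.group(1) not in ACTIONS:
        raise ValueError("rule does not match 'action header (options)' or has unknown action")
    options = [(k.strip(), v.strip() or None) for k, _, v in
               (item.partition(":") for item in split_options(m.group(8)))]
    return SuricataRule(*m.groups()[:7], options)

# Constructed sample rule: alert on an outbound HTTP request for a test host name.
SAMPLE_RULE = ('alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE HTTP request to '
               'test host"; flow:established,to_server; http.host; content:"example.test"; '
               'classtype:policy-violation; sid:1000001; rev:1;)')
```

Changing the action from `alert` to `drop` is the only edit needed to turn this detection rule into an IPS rule, which is why the action is validated separately from the header.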

 

How do you write rules in Suricata?

Writing your own Suricata rules can be tricky. For beginners, we recommend reading “The Security Analyst’s Guide to Suricata” by Stamus Networks to get a better understanding of the process of writing custom Suricata rules.


When practicing, you could also use a Suricata rule generator. Some Suricata rule generators have been developed and released on GitHub, but we recommend using the Suricata Language Server.


The Suricata Language Server™ (SLS) adds rule (also known as signature) syntax checking, rule-writing hints, auto-completion, and performance guidance to your preferred editor. An open-source project developed and supported by Stamus Networks, SLS helps Suricata users write better, more effective, and more advanced rules.


You can learn more about SLS by reading this blog post.

 

What protocols are used in Suricata?

Suricata can handle a wide range of protocols to effectively monitor and analyze network traffic for suspicious activity, including but not limited to:

 

Basic Protocols:

  • TCP (Transmission Control Protocol)
  • UDP (User Datagram Protocol)
  • ICMP (Internet Control Message Protocol)
  • IP (Internet Protocol)

 

Application Layer Protocols (Layer 7):

  • HTTP (Hypertext Transfer Protocol)
  • HTTP/2
  • FTP (File Transfer Protocol)
  • TLS/SSL (Transport Layer Security/Secure Sockets Layer)
  • SMB (Server Message Block)
  • DNS (Domain Name System)

 

Other Supported Protocols:

  • DCERPC (Distributed Computing Environment Remote Procedure Call)
  • DHCP (Dynamic Host Configuration Protocol)
  • SSH (Secure Shell)
  • Many more

 

This is not an exhaustive list, but it highlights the most common protocols Suricata can work with. For a more complete list of which protocols are used in Suricata, please visit the Suricata user docs or the Suricata GitHub.

 

Is Suricata active or passive?

Suricata can operate in both active and passive modes, depending on its configuration. Here are more details on the differences in the two modes:

 

Passive Mode (IDS Mode):

 

In passive mode, Suricata acts as an Intrusion Detection System (IDS). It monitors, in promiscuous mode, the network traffic flowing through a specific, designated network interface, but does not directly interfere with the traffic itself. This allows it to capture all traffic flowing through that interface, regardless of its intended recipient. It then analyzes the captured packets for suspicious activity based on pre-defined Suricata rules and signatures.


Passive mode offers several advantages:

 

  • Less Network Impact: Since it doesn't modify or block traffic, it has minimal impact on network performance.
  • Wider Visibility: It can capture all traffic on the monitored interface, providing a broader view of network activity.
  • Compliance Considerations: In some regulations or security policies, actively interfering with network traffic might be restricted. Passive mode can be a good option in such scenarios.

 

Active Mode (IPS Mode):


In active mode, Suricata becomes an Intrusion Prevention System (IPS). Here, it not only detects suspicious activity but can also take actions to prevent it. Similar to passive mode, Suricata captures traffic in promiscuous mode and matches that traffic to Suricata rules. However, in IPS mode, it can be configured to take actions like:

 

  • Blocking malicious traffic: Suricata can drop packets identified as threats, preventing them from reaching their intended destination.
  • Rate limiting: It can limit the rate of traffic from specific sources to prevent denial-of-service attacks.
  • Resetting connections: Suricata can reset connections associated with suspicious activity.

 

Active mode offers a more proactive approach to security, directly stopping potential attacks before they cause harm and reacting to threats faster than relying solely on alerts generated in passive mode. One distinct challenge of using Suricata in IPS mode is the risk of legitimate traffic being mistaken for a threat and being blocked.

 

The ideal mode for Suricata depends on your network environment and security needs:

 

  • For comprehensive traffic monitoring with minimal network impact, passive mode (IDS) is a good choice.
  • For a more proactive approach with the ability to directly block threats, active mode (IPS) might be preferable.

 

Some network configurations might even leverage both modes simultaneously on different interfaces for a layered security approach.

 

Is Suricata host-based or network-based?

Suricata can be configured as a host-based IDS, but it is primarily a network-based intrusion detection system. This means that it is designed to monitor traffic across the entire network environment, rather than focusing on individual devices.


There are three main reasons Suricata excels as a network-based IDS:

 

  • Network Traffic Visibility: Suricata sits at a strategic point on your network, typically deployed on a network tap or mirrored port. This allows it to capture and analyze all traffic flowing through that point, providing a comprehensive view of network activity.
  • Threat Detection Capabilities: By analyzing network traffic patterns and comparing them against threat signatures, Suricata can identify malicious activity like malware downloads, intrusions, and network attacks.
  • Scalability and Efficiency: Suricata is designed to handle large volumes of network traffic efficiently. This makes it suitable for protecting even the most high-volume networks.

 

It is important to note that Suricata can technically be configured for a limited host-based IDS role in some scenarios. However, this is not its typical or recommended use for several reasons:

 

  • Limited Visibility: When deployed on a single host, Suricata can only monitor traffic to and from that specific device, offering a much narrower view of potential threats compared to network-wide monitoring.
  • Resource Consumption: Running Suricata on individual devices can consume significant system resources, potentially impacting device performance. This might not be ideal for resource-constrained systems.
  • Security Focus: Network-based IDS offers a more strategic approach to security. By monitoring the entire network, you can identify threats targeting any device on your network, not just the host running Suricata.

 

There are other host-based IDS options available that are specifically designed for this purpose and might be a better fit for individual device protection.

 

Is Suricata free?

Because of its open-source nature, Suricata is free to use. It is important to note that, although the software itself is free, other costs can result from a Suricata installation:

 

  • Hardware: Suricata can be resource-intensive, especially when dealing with high volumes of network traffic. You might need to invest in additional hardware with sufficient processing power and memory to run Suricata effectively. This could involve upgrading existing servers or purchasing new ones entirely.
  • Setup and Configuration: While Suricata offers a user-friendly interface, proper configuration requires a good understanding of network security concepts and IDS/IPS functionalities. If your IT team lacks this expertise, you might need to hire consultants to help with the initial setup and configuration.
  • Maintenance and Updates: Open-source thrives on community contributions, but keeping Suricata up-to-date with the latest rule sets and bug fixes might require some effort from your security team. If you don't have the internal resources, you might consider paid subscription services that offer automated updates and rule management for Suricata.
  • Training: Using Suricata effectively often requires training for your IT security personnel. They'll need to understand how to interpret Suricata's alerts, investigate potential threats, and fine-tune the rule sets for optimal performance. Training can be done internally or through external providers.
  • Integration with other security tools: Suricata can be a powerful tool, but it might not be the only one in your security arsenal. Integrating Suricata with other security tools like firewalls, SIEM (Security Information and Event Management) systems, and threat intelligence feeds can enhance its effectiveness. Depending on the chosen tools, there might be additional licensing or integration costs involved.

 

Overall, while Suricata itself is free, there can be some indirect costs associated with its implementation and ongoing use. The extent of these costs will depend on your specific needs, existing infrastructure, and internal IT expertise.

 

Learn More About Suricata

Suricata stands out as a powerful and cost-effective foundation for any organization's network security strategy. While some technical expertise is required for setup and maintenance, Suricata's potential return on investment makes it a serious contender for organizations seeking to actively monitor and protect their networks.


For those interested in learning more about Suricata, there are various resources available. One free option is "The Security Analyst’s Guide to Suricata" published by Stamus Networks. This book offers a practical approach to threat detection and hunting using Suricata, focusing on key Suricata features and providing valuable network security insights for security operations center (SOC) analysts and threat hunters.


Another great way to learn more about Suricata is to practice using it. For a hands-on introduction to Suricata-based network security, download SELKS by Stamus Networks.


SELKS is a turn-key Suricata-based IDS/NSM and threat hunting system. It is available either as a live and installable Debian-based ISO or via Docker Compose on any Linux operating system. SELKS is an incredibly powerful and effective way to begin learning Suricata, and for many small-to-medium-sized organizations, hobbyists, and educational settings SELKS functions as a production-grade NSM and IDS solution.

Explore additional key functionalities of Suricata

If you're considering learning more about Suricata, we recommend looking at the following resources.

  • SELKS™ by Stamus Networks
  • Kibana Dashboards for Suri
  • Open NRD Threat Intel Feeds