Intrusion Detection With Suricata
An IDS operates by looking for signatures of known threats, much like antivirus software, or by
detecting anomalies in traffic patterns.
Types of IDS:
A network-based IDS (NIDS) can detect malicious packets that are designed to be overlooked by a
firewall's simplistic filtering rules.
A host-based IDS (HIDS) monitors only the inbound and outbound packets of the device it runs on
and alerts the user or administrator to suspicious activity.
SIEM
Introduction to Intrusion Detection Systems (IDS)
Importance in Cybersecurity:
1. Detection of Known Threats: IDS systems can recognize the signatures of known threats
and trigger alerts
2. Anomaly Detection: By monitoring network traffic, IDS can identify unusual patterns that
may indicate a security incident
3. Policy Enforcement: IDS can help enforce security policies by detecting violations and
taking appropriate actions
4. Documentation and Reporting: IDS provide logs and records of detected threats, which
are crucial for forensic analysis and compliance reporting
5. Prevention of Future Attacks: By analyzing the attacks that have been detected,
organizations can adjust their security measures to prevent similar incidents in the future
Examples:
1. Signature Detection: If an IDS detects traffic that matches the signature of a known
network worm, it can alert the administrators to take action
3. Policy Violation: An employee using a file-sharing service that is not approved by the
company’s policy could be flagged by the IDS
Overview of Suricata
Suricata is an open-source network threat detection engine that functions as both an
Intrusion Detection System (IDS) and an Intrusion Prevention System (IPS)
Developed by the Open Information Security Foundation (OISF), Suricata is designed as a
comprehensive solution for monitoring network traffic and for identifying and preventing threats.
2. Extensive Rule Set and Signature Language: It uses a vast array of community-created
and user-defined rules to detect threats
3. Automatic Protocol Detection: The system can automatically detect protocols like HTTP
on any port and apply the correct detection and logging logic
4. Lua Scripting Support: For more complex threats, Suricata supports Lua scripting,
enabling advanced analysis beyond the capabilities of the ruleset syntax
5. Network Security Monitoring (NSM): Suricata can log HTTP requests, TLS certificates,
and extract files from flows for detailed analysis
6. Industry Standard Outputs: It provides JSON event and alert outputs for easy
integration with tools like Logstash, Splunk, and Elasticsearch
Installing and Configuring Suricata IDS Rules:
2. Configuration: The main configuration file for Suricata is suricata.yaml, where you can
specify settings such as rule paths, logging directories, and network interfaces to monitor
3. Rule Management: Suricata’s rules are defined in files with a .rules extension. You can
write custom rules or download sets like the ET Open Ruleset
Rules define the patterns to match network traffic against known threats
4. Testing Configuration: After setting up Suricata and its rules, it’s important to test the
configuration using the suricata -T command to ensure that there are no errors and that all
rules are loaded correctly
5. Running in IDS/IPS Mode: By default, Suricata runs in IDS mode, generating alerts for
suspicious traffic
However, it can also be configured to run in IPS mode, actively dropping or rejecting
malicious traffic based on the rules’ actions
LAB: BFA
LAB: BFA, Installing & Configuring Suricata on Ubuntu
Step 1: Update packages index
sudo apt update && sudo apt upgrade
Step 2: Install required packages
sudo apt install gnupg2 software-properties-common curl wget git unzip -y
sudo add-apt-repository ppa:oisf/suricata-stable
Change HOME_NET
Change the rules path to /var/lib/suricata/rules with a custom rule file (suricata-local.rules)
Change the interface from the default (eth0) to the machine's interface (ens33):
Default:
Real Interface
Step 6: Suricata Startup Automation
I create a systemd service unit to have Suricata start automatically when your Ubuntu system
boots up. To make a new service file, I do the following:
• add a custom rule file suricata-local.rules and write a rule inside it:
LAB: BFA, Brute Force Attack on DVWA web application
alert http $HOME_NET any -> $HOME_NET any (msg:"Potential Brute Force Attack Detected"; sid:1000001; rev:1;)
• There is a built-in decoder called Snort that decodes all logs from Suricata, and a built-in rule (20101) for
these events:
• 04/27/2024-15:06:56.820005 [**] [1:1000001:1] Potential Brute Force Attack Detected [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.80.146:80 -> 192.168.80.154:55772
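The rule above fires once per HTTP request, so the brute-force verdict has to come from counting those alerts per client. As an added example (not part of the lab slides), a small Python parser for the fast.log line shape shown above, plus a sliding-window count that flags a client once it produces enough sid 1000001 hits in a short time; the same idea can be pushed into the rule itself with Suricata's threshold keyword (type threshold, track by_src, count, seconds). The sample lines are constructed from the lab output, and the server ports and the 5-in-60-seconds threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
# One fast.log line as printed in the lab; the date/time separator may be '-' or ' '.
FAST_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4}[- ]\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+\[Classification: (?P<cls>[^\]]*)\]\s+\[Priority: (?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)
HTTP_PORTS = {80, 8080}  # assumption: ports the DVWA web server listens on

def parse_fast_line(line):
    """Parse one fast.log line into a dict; return None for lines in another format."""
    m = FAST_RE.match(line.strip())
    if m is None:
        return None
    evt = m.groupdict()
    evt["time"] = datetime.strptime(evt["ts"].replace("-", " ", 1), "%m/%d/%Y %H:%M:%S.%f")
    for key in ("sid", "sport", "dport", "prio"):
        evt[key] = int(evt[key])
    return evt

def client_ip(evt):
    # Suricata may raise the alert on the response (first lab line: server:80 -> client), so pick the non-server side.
    return evt["dst"] if evt["sport"] in HTTP_PORTS else evt["src"]

def brute_force_sources(lines, sid=1000001, count=5, seconds=60):
    """Return {client_ip: total_hits} for clients with at least `count` hits of `sid`
    inside any sliding window of `seconds`; isolated single requests stay below the threshold."""
    by_client = defaultdict(list)
    for evt in filter(None, map(parse_fast_line, lines)):
        if evt["sid"] == sid:
            by_client[client_ip(evt)].append(evt["time"])
    flagged = {}
    for ip, times in by_client.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > seconds:
                start += 1  # slide the window forward past old hits
            if end - start + 1 >= count:
                flagged[ip] = len(times)
                break
    return flagged

# Constructed sample: the alert from the lab output plus six synthetic login POSTs from the same client, one second apart.
SAMPLE = ["04/27/2024-15:06:56.820005 [**] [1:1000001:1] Potential Brute Force Attack Detected [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.80.146:80 -> 192.168.80.154:55772"] + [
    f"04/27/2024-16:53:{i:02d}.203711 [**] [1:1000001:1] Potential Brute Force Attack Detected [**] [Classification: (null)] [Priority: 3] {{TCP}} 192.168.80.154:{45437 + i} -> 192.168.80.146:80"
    for i in range(1, 7)]
```

Running brute_force_sources(SAMPLE) returns {'192.168.80.154': 7}: the single afternoon request alone would not trigger, the six rapid requests do.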
LAB: BFA, Built-in Decoders & Rules
LAB: BFA, Custom Decoders & Rules
04/27/2024 16:53:01.203711 [**] [1:1000001:1] Potential Brute Force Attack Detected [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.80.154:45438 -> 192.168.80.146:80
Ali Ali