
SIEM
Intrusion Detection with Suricata
With Ali Ali


Module 24 Recap

• Importance of Reports and Visualizations
• Accessing the Wazuh Dashboard
• Dashboard Components Overview
• Data Visualization in Wazuh
• Types of Visualizations
• Creating Custom Dashboards
• Adding Visualizations to Dashboards
• Visualization Techniques
• Selecting Visualization Types
• Using the Visualize Page
• Metric Aggregation in Visualizations
Intrusion Detection with Suricata

QUIZ
Intrusion detection with Suricata

• Introduction to Intrusion Detection Systems (IDS)
• Overview of Suricata
• Installing Suricata
• Basic Configuration
• Rule Management
• Writing Custom Rules
• Rule Optimization
• Testing Suricata Rules
• Updating Rules with Suricata-Update
• Integration of Suricata with Wazuh
• Configuring Wazuh to Receive Suricata Alerts
• Monitoring Network Traffic
• Alert Management in Wazuh
• Real-time Alerting
• Dashboard and Visualization
• The Importance of Log Correlation
• Collecting Logs from Different Sources
• Correlation Rules in Wazuh
• Case Study: Detecting Multi-Stage Attacks
• Advanced Correlation Techniques
• Reporting and Compliance
• LAB
Introduction to Intrusion Detection Systems (IDS)

• Definition of IDS: An IDS is a device or software application that monitors network
and/or system activities for malicious activities or policy violations

It operates by looking for signatures of known threats, much like antivirus software, or by
detecting anomalies in traffic patterns

• Types of IDS:

1. Network-based Intrusion Detection Systems (NIDS): These are placed at strategic
points within the network to monitor traffic to and from all devices on the network

They can detect malicious packets that are designed to be overlooked by a firewall’s
simplistic filtering rules

2. Host-based Intrusion Detection Systems (HIDS): These run on individual hosts or
devices on the network

A HIDS monitors the inbound and outbound packets from the device only and will alert the
user or administrator of suspicious activity

• Importance in Cybersecurity:

1. Detection of Known Threats: IDS systems can recognize the signatures of known threats
and trigger alerts

2. Anomaly Detection: By monitoring network traffic, IDS can identify unusual patterns that
may indicate a security incident

3. Policy Enforcement: IDS can help enforce security policies by detecting violations and
taking appropriate actions

4. Documentation and Reporting: IDS provide logs and records of detected threats, which
are crucial for forensic analysis and compliance reporting

5. Prevention of Future Attacks: By analyzing the attacks that have been detected,
organizations can adjust their security measures to prevent similar incidents in the future

Examples:

1. Signature Detection: If an IDS detects traffic that matches the signature of a known
network worm, it can alert the administrators to take action

2. Anomaly-Based Detection: An IDS might notice that a particular system is making an


unusually high number of requests to a database server, which could indicate a data
exfiltration attempt

3. Policy Violation: An employee using a file-sharing service that is not approved by the
company’s policy could be flagged by the IDS
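To make the three examples concrete, here is a small added illustration (not from the slides) of how each detection style is expressed as code: a signature check looks for a known byte pattern in a payload, an anomaly check compares a host's request count to a database server against a statistical baseline, and a policy check matches destinations against a list of unapproved services. All flow records, the signature pattern, the baseline numbers and the unapproved-service list are constructed for the example.

```python
from collections import Counter
from statistics import mean, pstdev

# Everything below is constructed for the illustration.
KNOWN_SIGNATURES = {"example-worm-probe": b"WORM-PROBE-TEST"}  # name -> byte pattern
DB_SERVER = "10.0.0.5"                                          # the database server
DB_PORT = 3306
# Historic per-host request counts to DB_SERVER for one interval (the baseline).
BASELINE_DB_REQUESTS = [40, 52, 47, 38, 55, 49, 43, 51]
UNAPPROVED_SERVICES = {"203.0.113.77": "unapproved file-sharing service"}

# Flow records: (src_ip, dst_ip, dst_port, payload)
FLOWS = (
    [("10.0.0.21", DB_SERVER, DB_PORT, b"SELECT 1")] * 45     # ordinary app server
    + [("10.0.0.22", DB_SERVER, DB_PORT, b"SELECT 1")] * 400  # sudden spike in requests
    + [("10.0.0.23", "10.0.0.9", 445, b"....WORM-PROBE-TEST....")]
    + [("10.0.0.24", "203.0.113.77", 443, b"\x16\x03\x01")]
)


def signature_alerts(flows, signatures=KNOWN_SIGNATURES):
    """Signature detection: any payload that contains a known pattern."""
    return [(src, name)
            for src, _dst, _port, payload in flows
            for name, pattern in signatures.items()
            if pattern in payload]


def anomaly_alerts(flows, baseline=BASELINE_DB_REQUESTS, z_threshold=3.0):
    """Anomaly detection: hosts whose request count to the DB server sits more
    than z_threshold standard deviations above the historic baseline."""
    mu, sigma = mean(baseline), pstdev(baseline)
    if sigma == 0:
        sigma = 1.0  # degenerate baseline: fall back to absolute deviation
    counts = Counter(src for src, dst, port, _ in flows
                     if dst == DB_SERVER and port == DB_PORT)
    return [(src, n) for src, n in counts.items() if (n - mu) / sigma > z_threshold]


def policy_alerts(flows, unapproved=UNAPPROVED_SERVICES):
    """Policy enforcement: traffic to services that are not approved."""
    return [(src, unapproved[dst])
            for src, dst, _port, _payload in flows
            if dst in unapproved]


if __name__ == "__main__":
    print("signature:", signature_alerts(FLOWS))
    print("anomaly:  ", anomaly_alerts(FLOWS))
    print("policy:   ", policy_alerts(FLOWS))
```

The anomaly check is the one that needs care in practice: the baseline must come from a period known to be clean, otherwise an attacker's activity becomes part of "normal" and is never flagged.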
Overview of Suricata
• Suricata is an open-source network threat detection engine that functions as both an
Intrusion Detection System (IDS) and an Intrusion Prevention System (IPS)
Developed by the Open Information Security Foundation (OISF), Suricata is designed to be a
comprehensive solution for monitoring network traffic, identifying, and preventing threats

Key Features of Suricata:


1. Multi-Threading: Suricata is capable of multi-threading, allowing it to process multiple
events simultaneously across multiple CPU cores

2. Extensive Rule Set and Signature Language: It uses a vast array of community-created
and user-defined rules to detect threats

3. Automatic Protocol Detection: The system can automatically detect protocols like HTTP
on any port and apply the correct detection and logging logic

4. Lua Scripting Support: For more complex threats, Suricata supports Lua scripting,
enabling advanced analysis beyond the capabilities of the ruleset syntax

5. Network Security Monitoring (NSM): Suricata can log HTTP requests, TLS certificates,
and extract files from flows for detailed analysis

6. Industry Standard Outputs: It provides JSON event and alert outputs for easy
integration with tools like Logstash, Splunk, and Elasticsearch
• Installing and Configuring Suricata IDS Rules:

1. Installation: Suricata can be installed from official repositories on various operating
systems
For example, on Ubuntu 20.04, you can use the apt command to install Suricata

2. Configuration: The main configuration file for Suricata is suricata.yaml, where you can
specify settings such as rule paths, logging directories, and network interfaces to monitor

3. Rule Management: Suricata’s rules are defined in files with a .rules extension. You can
write custom rules or download sets like the ET Open Ruleset
Rules define the patterns to match network traffic against known threats

4. Testing Configuration: After setting up Suricata and its rules, it’s important to test the
configuration using the suricata -T command to ensure that there are no errors and that all
rules are loaded correctly

5. Running in IDS/IPS Mode: By default, Suricata runs in IDS mode, generating alerts for
suspicious traffic

However, it can also be configured to run in IPS mode, actively dropping or rejecting
malicious traffic based on the rules’ actions
LAB: BFA
LAB: BFA, Installing & Configuring Suricata on Ubuntu
Step 1: Update packages index
sudo apt update && sudo apt upgrade
Step 2: Install required packages
sudo apt install gnupg2 software-properties-common curl wget git unzip -y
sudo add-apt-repository ppa:oisf/suricata-stable

Step 3: Install Suricata on Ubuntu


sudo apt install suricata
Step 4: fetch Suricata rulesets
sudo suricata-update
Step 5: Configure Suricata
sudo nano /etc/suricata/suricata.yaml

Change HOME_NET
Change the rules path to /var/lib/suricata/rules with the custom rule file (suricata-local.rules)

Change the interface from the default (eth0) to the machine’s interface (ens33):

Default: eth0
Real interface: ens33
Step 6: Suricata Startup Automation

I create a systemd service unit to have Suricata start automatically when your Ubuntu system
boots up. To make a new service file, I do the following:

sudo nano /etc/systemd/system/suricata.service


Step 7: Test Suricata Configuration

sudo suricata -T -c /etc/suricata/suricata.yaml -v
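Step 5 makes its three edits to suricata.yaml by hand in nano. The script below is an added example (not part of the lab) that applies the same edits non-interactively: it sets vars.address-groups.HOME_NET, the af-packet interface, default-rule-path and the rule-files list, and refuses to proceed if any of those keys is missing, so a file that silently kept its defaults is never mistaken for a configured one. The YAML excerpt is constructed and shows only the keys involved; it assumes the stock file keeps these key names and lists af-packet before any other interface section. Line-based edits are used on purpose so the comments in the real file survive. After writing the result back, validate it with the Step 7 command (sudo suricata -T -c /etc/suricata/suricata.yaml -v).

```python
import re

# Constructed excerpt of /etc/suricata/suricata.yaml (assumption: the real
# file, which is far longer, keeps these key names and this key order).
SAMPLE_YAML = """\
%YAML 1.1
---
vars:
  address-groups:
    HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
    EXTERNAL_NET: "!$HOME_NET"

af-packet:
  - interface: eth0
    cluster-id: 99
    cluster-type: cluster_flow

default-rule-path: /etc/suricata/rules

rule-files:
  - suricata.rules
"""


def configure_suricata_yaml(text, home_net, interface, rule_path, rule_files):
    """Return `text` with HOME_NET, the af-packet interface, the rule path and
    the rule-files list replaced. Raises ValueError when a key is not found."""
    edits = [
        (r"^(\s*HOME_NET:\s*).*$", lambda m: m.group(1) + '"' + home_net + '"'),
        (r"^(\s*-\s*interface:\s*)\S+.*$", lambda m: m.group(1) + interface),
        (r"^(default-rule-path:\s*)\S+.*$", lambda m: m.group(1) + rule_path),
    ]
    for pattern, repl in edits:
        text, n = re.subn(pattern, repl, text, count=1, flags=re.M)
        if n != 1:
            raise ValueError("key not found in suricata.yaml: " + pattern)
    # Replace the whole rule-files list so stale entries cannot linger.
    block = "rule-files:\n" + "".join("  - " + f + "\n" for f in rule_files)
    text, n = re.subn(r"^rule-files:\n(?:[ \t]+-[ \t]+\S+\n?)*", lambda m: block,
                      text, count=1, flags=re.M)
    if n != 1:
        raise ValueError("rule-files list not found in suricata.yaml")
    return text


def read_settings(text):
    """Read the four values back: the check to run before `suricata -T`."""
    def first(pattern):
        m = re.search(pattern, text, flags=re.M)
        return m.group(1) if m else None

    files_block = first(r"^rule-files:\n((?:[ \t]+-[ \t]+\S+\n?)*)") or ""
    return {
        "home_net": first(r'^\s*HOME_NET:\s*"?([^"\n]*?)"?\s*$'),
        "interface": first(r"^\s*-\s*interface:\s*(\S+)"),
        "rule_path": first(r"^default-rule-path:\s*(\S+)"),
        "rule_files": re.findall(r"-\s+(\S+)", files_block),
    }


if __name__ == "__main__":
    # Values from the lab: the lab network, interface ens33, the suricata-update
    # rule directory and the custom rule file. HOME_NET's subnet is assumed.
    new_text = configure_suricata_yaml(
        SAMPLE_YAML, "[192.168.80.0/24]", "ens33",
        "/var/lib/suricata/rules", ["suricata.rules", "suricata-local.rules"])
    print(read_settings(new_text))
```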


LAB: BFA, Running Suricata on Ubuntu
• Suricata
sudo systemctl enable suricata.service
sudo systemctl start suricata.service
LAB: BFA, Deploying Wazuh agent on Ubuntu
Configure the Wazuh agent to read Suricata logs by adding the following configuration to the
/var/ossec/etc/ossec.conf file of the Wazuh agent:

Restart the agent: systemctl restart wazuh-agent
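The configuration block itself is not reproduced on this slide. As an added example (not the lab's own file), the script below inserts a <localfile> entry into a constructed agent ossec.conf, checks the result is still well-formed XML before it is written (a malformed ossec.conf stops the agent from starting), and is safe to run twice. It assumes the lab collects Suricata's fast.log as plain text lines, which is what the Snort-style decoders on the following slides parse; the manager address in the sample is a constructed placeholder. Restart the agent afterwards with the command shown above.

```python
import xml.etree.ElementTree as ET

# Constructed minimal agent ossec.conf; the real file has many more sections.
# 192.168.80.1 is a placeholder for the Wazuh manager address.
SAMPLE_OSSEC_CONF = """<ossec_config>
  <client>
    <server>
      <address>192.168.80.1</address>
    </server>
  </client>
</ossec_config>
"""

# Assumption: fast.log is collected as plain text (one alert per line).
SURICATA_LOCALFILE = """  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/suricata/fast.log</location>
  </localfile>
"""


def suricata_locations(conf):
    """List every <localfile><location> already configured."""
    root = ET.fromstring(conf)
    return [lf.findtext("location") for lf in root.iter("localfile")]


def add_suricata_localfile(conf, block=SURICATA_LOCALFILE,
                           location="/var/log/suricata/fast.log"):
    """Insert the Suricata <localfile> block before </ossec_config>, idempotently."""
    if location in suricata_locations(conf):
        return conf  # already present: a second run must not duplicate it
    head, tag, tail = conf.rpartition("</ossec_config>")
    if not tag:
        raise ValueError("no closing </ossec_config> found")
    new_conf = head + block + tag + tail
    ET.fromstring(new_conf)  # raises ParseError if the result is not valid XML
    return new_conf


if __name__ == "__main__":
    print(add_suricata_localfile(SAMPLE_OSSEC_CONF))
```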


LAB: BFA, Brute Force Attack on DVWA web application

• Check the suricata log file: /var/log/suricata/fast.log

• Add the custom rule file suricata-local.rules and write a rule inside it:

• Add this rule:

alert http $HOME_NET any -> $HOME_NET any (msg:"Potential Brute Force Attack Detected"; sid:1000001; rev:1;)

• Restart the service:


systemctl restart suricata.service
LAB: BFA, Built-in Decoders & Rules

• There is a built-in decoder (Snort) that decodes all logs from Suricata, and a built-in rule (20101) for
these events:
• 04/27/2024-15:06:56.820005 [**] [1:1000001:1] Potential Brute Force Attack Detected [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.80.146:80 -> 192.168.80.154:55772
LAB: BFA, Custom Decoders & Rules

04/27/2024 16:53:01.203711 [**] [1:1000001:1] Potential Brute Force Attack Detected [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.80.154:45438 -> 192.168.80.146:80

• Suricata custom decoder:


• Suricata custom rules:
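The custom decoder and custom rules on these two slides are not shown as text, so here is an added example (not the lab's own decoder or rule XML) of the same two steps in Python. The regex plays the decoder's part, extracting one field per named group from fast.log lines, and the correlation function plays the custom rule's part, firing once a source IP produces five alerts for sid 1000001 inside a time window, which is what a Wazuh composite rule with frequency, timeframe and same_source_ip does. The first two log lines are the ones on the slides; the remaining lines are constructed. Note from the first slide line that the alert's source is the web server's port 80: the lab rule has no flow direction or content match, so it fires on every HTTP flow in both directions, and correlating on src_ip is only meaningful once the rule is tightened to the client-to-server request.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# One named group per field, mirroring what a Wazuh decoder would extract.
# The timestamp separator accepts "-" (Suricata's format) and " " (as one
# slide line appears), so an extraction quirk does not drop an alert.
FAST_LOG_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4}[- ]\d{2}:\d{2}:\d{2}\.\d{6})\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"\[Classification:\s+(?P<classification>[^\]]*)\]\s+"
    r"\[Priority:\s+(?P<priority>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src_ip>[\d.]+):(?P<src_port>\d+)\s+->\s+(?P<dst_ip>[\d.]+):(?P<dst_port>\d+)\s*$"
)


def decode_fast_log(line):
    """Decoder: return the alert's fields, or None for a line that is not an alert."""
    m = FAST_LOG_RE.match(line.strip())
    if m is None:
        return None
    f = m.groupdict()
    ts = datetime.strptime(f["ts"].replace(" ", "-"), "%m/%d/%Y-%H:%M:%S.%f")
    return {
        "timestamp": ts,
        "gid": int(f["gid"]), "sid": int(f["sid"]), "rev": int(f["rev"]),
        "msg": f["msg"], "classification": f["classification"],
        "priority": int(f["priority"]), "proto": f["proto"],
        "src_ip": f["src_ip"], "src_port": int(f["src_port"]),
        "dst_ip": f["dst_ip"], "dst_port": int(f["dst_port"]),
    }


def correlate_by_source(events, sid, count, seconds):
    """Rule: report a source IP once it produces `count` alerts for `sid`
    within `seconds` (Wazuh frequency / timeframe / same_source_ip semantics).
    Each burst is reported once; the window is then reset for that source."""
    window = defaultdict(deque)
    hits = []
    for ev in sorted(events, key=lambda e: e["timestamp"]):
        if ev["sid"] != sid:
            continue
        q = window[ev["src_ip"]]
        q.append(ev["timestamp"])
        while (q[-1] - q[0]).total_seconds() > seconds:
            q.popleft()
        if len(q) >= count:
            hits.append((ev["src_ip"], ev["timestamp"]))
            q.clear()
    return hits


# Lines 1 and 2 are from the slides; lines 3 to 6 are constructed to extend the
# burst from 192.168.80.154. The last line is a deliberate non-alert.
SAMPLE_FAST_LOG = """\
04/27/2024-15:06:56.820005  [**] [1:1000001:1] Potential Brute Force Attack Detected [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.80.146:80 -> 192.168.80.154:55772
04/27/2024 16:53:01.203711  [**] [1:1000001:1] Potential Brute Force Attack Detected [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.80.154:45438 -> 192.168.80.146:80
04/27/2024-16:53:01.611020  [**] [1:1000001:1] Potential Brute Force Attack Detected [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.80.154:45440 -> 192.168.80.146:80
04/27/2024-16:53:02.104477  [**] [1:1000001:1] Potential Brute Force Attack Detected [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.80.154:45442 -> 192.168.80.146:80
04/27/2024-16:53:02.790301  [**] [1:1000001:1] Potential Brute Force Attack Detected [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.80.154:45444 -> 192.168.80.146:80
04/27/2024-16:53:03.402118  [**] [1:1000001:1] Potential Brute Force Attack Detected [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.80.154:45446 -> 192.168.80.146:80
this line is not a Suricata alert and must be skipped
"""


def analyze(text=SAMPLE_FAST_LOG, sid=1000001, count=5, seconds=60):
    """Decode every line, drop non-alerts, and run the correlation rule."""
    events = [e for e in (decode_fast_log(l) for l in text.splitlines()) if e]
    return events, correlate_by_source(events, sid, count, seconds)


if __name__ == "__main__":
    decoded, alerts = analyze()
    print(len(decoded), "alerts decoded;", "correlated:", alerts)
```

The threshold (5 alerts in 60 seconds) is a constructed value; tune it to the login rate of the application being protected, and remember that the correlated alert only says "many matches from one source", so the underlying Suricata rule has to be specific enough that a match actually means a login attempt.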


It’s NOT BUSINESS, It’s Very PERSONAL
Questions

Ali Ali
