Network Intrusion Detection Plugin with Suricata

Suricata NIDS Plugin

Suricata was developed for the United States Department of Homeland Security (DHS) by the Open Information Security Foundation (OISF). It was chosen due to simplicity of configuration and high performance. Suricata is deployed using VNS3’s plugin system.

Please be familiar with the VNS3 Plug-In Configuration Guide.

VNS3 NIDS Plugin Overview

The VNS3 NIDS plugin is preconfigured to utilise the built in rule management feature Suricata-Update. This will download and manage the ET Open Ruleset provided by Emerging Threats on a free of charge basis.

Working with the NIDS Plugin

Accessing the NIDS Container

Accessing your container from the Internet or your internal network will require additional rules in your cloud security groups, as well as VNS3 firewall rules to access the running container.

To access your Suricata plugin via SSH listening on port 22 you will need to do the following:

  1. Add a port to your VNS3 security group from your source IP or internal network (e.g. "44"). This will be used to port forward to the SSH server running on your container.
  2. Add these rules to your VNS3 firewall:
#Let the Container Subnet Access the Internet via the VNS3 Controller’s Outer or Public IP
MACRO_CUST -o eth0 -s <NIDS Container Network IP> -j MASQUERADE
#Port forward incoming traffic on port 44 to the NIDS Container port 22
PREROUTING_CUST -i eth0 -p tcp -s 0.0.0.0/0 --dport 44 -j DNAT --to <NIDS Container Network IP>:22

You can now access your running Suricata container via the Internet, using this command:

ssh container_admin@<Public IP of VNS3> -p 44

To access via your local network substitute with the appropriate IP address.


Configuring Suricata

The plugin is partially configured, which allows you to start using it immediately. However, Suricata has a comprehensive feature set, so familiarisation with the suricata.yaml file is highly recommended.

Detailed information can be found here: https://suricata.readthedocs.io/en/latest/configuration/suricata-yaml.html

Lines 15 - 47 determine the IP address ranges that will be considered internal or external traffic.

It is preconfigured to use the following:

# more specific is better for alert accuracy and performance

  address-groups:
    HOME_NET: "[198.51.100.0/28,192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"

    EXTERNAL_NET: "!$HOME_NET"

    HTTP_SERVERS: "$HOME_NET"
    SMTP_SERVERS: "$HOME_NET"
    SQL_SERVERS: "$HOME_NET"
    DNS_SERVERS: "$HOME_NET"
    TELNET_SERVERS: "$HOME_NET"
    AIM_SERVERS: "$EXTERNAL_NET"
    DC_SERVERS: "$HOME_NET"
    DNP3_SERVER: "$HOME_NET"
    DNP3_CLIENT: "$HOME_NET"
    MODBUS_CLIENT: "$HOME_NET"
    MODBUS_SERVER: "$HOME_NET"
    ENIP_CLIENT: "$HOME_NET"
    ENIP_SERVER: "$HOME_NET"

  port-groups:
    HTTP_PORTS: "80"
    SHELLCODE_PORTS: "!80"
    ORACLE_PORTS: 1521
    SSH_PORTS: 22
    DNP3_PORTS: 20000
    MODBUS_PORTS: 502
    FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]"
    FTP_PORTS: 21
    VXLAN_PORTS: 4789

Lines 73 - 529 should be reviewed, as they determine what is output and in which format. The defaults can be used but may produce unnecessary amounts of data for your use case.

It is preconfigured to use the following:

/var/log/suricata/suricata.log - Logs general information about Suricata.

/var/log/suricata/stats.log - Logs IP packets that have been processed.

/var/log/suricata/fast.log - Logs all alert activity in text format.

/var/log/suricata/eve.json - Logs all alerts and stats activity in JSON format.

Lines 529 - 1806 are considered advanced settings for performance tuning. Advanced users may find these useful, but the defaults can be used.

Lines 1809 - 1819 relate to the rulesets being employed. Suricata now has an embedded rule management option, which is preconfigured.

Rule Management

Suricata Rule Management

Suricata comes with its own rule management utility, suricata-update, which you can use to update and maintain your rulesets. By default Suricata uses the Emerging Threats Open Ruleset. Detailed information can be found here: https://suricata-update.readthedocs.io/en/latest/quickstart.html

The Emerging Threats Open ruleset was installed at the time this plugin was created; by default suricata-update saves the rules in /var/lib/suricata/rules.

You should update to the latest ruleset by running:

sudo suricata-update

Suricata will download, merge, clean and install the latest version of the ET Open ruleset.

Suricata-Update can also manage other rulesets. To list the available sources, run:

sudo suricata-update update-sources
sudo suricata-update list-sources

To enable an additional ruleset, run:

sudo suricata-update enable-source <name>
sudo suricata-update

For example, to enable the OISF’s traffic id ruleset ‘oisf/trafficid’ you would run:

sudo suricata-update enable-source oisf/trafficid

Rule Selection

Suricata-Update merges all rules into a single file, which can be found in /var/lib/suricata/rules.

Two separate files control which rules are active or inactive:

  /etc/suricata/enable.conf  - enables rules that are inactive by default
  /etc/suricata/disable.conf - disables rules that are active by default

You can enable/disable rules based on sid, rule group and string match.

2019401                   # enable/disable this sid
group:emerging-icmp.rules # enable/disable this rulefile
re:trojan                 # enable/disable all rules with this string
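As an added illustration (not part of the plugin or of suricata-update itself), the following Python applies the three selector forms above to a small merged ruleset. The sample rules and rulefile names are constructed, and the matching is deliberately simplified: group: is an exact rulefile name and re: is a case-insensitive regular expression searched over the rule text.

```python
import re

# Constructed sample: (rulefile the rule came from, rule text); suricata-update
# tracks each merged rule's source file, which is what group: selectors match.
SAMPLE_RULES = [
    ("emerging-icmp.rules", 'alert icmp any any -> any any (msg:"ET ICMP sample"; sid:2019401; rev:1;)'),
    ("emerging-icmp.rules", 'alert icmp any any -> any any (msg:"ET ICMP other"; sid:2019402; rev:1;)'),
    ("emerging-trojan.rules", 'alert tcp any any -> any any (msg:"ET TROJAN sample beacon"; sid:2020001; rev:2;)'),
    ("emerging-web.rules", 'alert http any any -> any any (msg:"ET WEB sample"; sid:2030001; rev:1;)'),
]
SID_RE = re.compile(r"\bsid:\s*(\d+);")

def parse_selectors(conf_text):
    """Turn enable.conf/disable.conf text into (kind, value) selectors; blank
    lines are skipped and '#' comments (full-line or trailing) are stripped."""
    selectors = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("group:"):
            selectors.append(("group", line[len("group:"):].strip()))
        elif line.startswith("re:"):
            # simplification: case-insensitive regex searched over the whole rule text
            selectors.append(("re", re.compile(line[len("re:"):].strip(), re.IGNORECASE)))
        else:
            selectors.append(("sid", int(line)))  # a bare number selects one sid
    return selectors

def matches(selector, rulefile, rule):
    kind, value = selector
    if kind == "sid":
        found = SID_RE.search(rule)
        return found is not None and int(found.group(1)) == value
    if kind == "group":
        return rulefile == value  # simplification: exact rulefile name only
    return value.search(rule) is not None

def select_sids(conf_text, rules=SAMPLE_RULES):
    """Return the sorted sids that the given conf text would enable or disable."""
    selectors = parse_selectors(conf_text)
    hit = {int(SID_RE.search(rule).group(1)) for rulefile, rule in rules
           if any(matches(s, rulefile, rule) for s in selectors)}
    return sorted(hit)

# The three selector forms from this page, written as a disable.conf
DISABLE_CONF = """2019401                   # disable this sid
group:emerging-icmp.rules # disable this rulefile
re:trojan                 # disable all rules with this string
"""
```

Running select_sids(DISABLE_CONF) shows the overlap between selectors: sid 2019401 is matched both directly and through its rulefile, and re:trojan only catches the rule whose text contains the string.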

Outputs

Suricata has four main output files:

/var/log/suricata/suricata.log - Logs general information about Suricata.

/var/log/suricata/stats.log - Logs IP packets that have been processed.

/var/log/suricata/fast.log - Logs all alert activity in text format.

/var/log/suricata/eve.json - Logs all alerts and stats activity in JSON format.

Testing Suricata

To test Suricata IDS you can use the ET Open ruleset signature 2100498 which has been written for this purpose.

alert ip any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:2100498; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

This rule is triggered by any packet whose payload contains "uid=0|28|root|29|" (the |28| and |29| are the hex-encoded parentheses of "uid=0(root)").

There are two ways to see the output: fast.log, and eve.json filtered with jq. We will start with fast.log.

First tail fast.log in a separate terminal window.

sudo tail -f /var/log/suricata/fast.log

Then trigger the rule using curl.

curl http://testmynids.org/uid/index.html

If successful, a line like this will appear in the fast.log output:

[1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 217.160.0.187:80 -> 10.0.0.23:41618

To test using eve.json and jq run:

tail -f /var/log/suricata/eve.json | jq 'select(.event_type=="alert")'

Re-trigger the rule using curl.

curl http://testmynids.org/uid/index.html

The output will be a formatted JSON object.

Detailed steps can be found here: https://suricata.readthedocs.io/en/latest/quickstart.html
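Where tail piped into jq only prints events, the following added Python (not from the plugin or the Suricata project) shows how to consume eve.json alert events programmatically: it skips non-alert and half-written lines, renders an alert in the fast.log shape shown above from the same data, and counts alerts per sid and per destination host. The eve.json lines are constructed samples modelled on Suricata's EVE fields, not real captured output.

```python
import json
from collections import Counter

# Constructed eve.json excerpt (one JSON event per line), modelled on the fields
# Suricata writes for stats, http and alert events; the first alert mirrors the
# fast.log line shown above, the timestamps and the other events are made up.
SAMPLE_EVE = """\
{"timestamp":"2024-01-01T12:00:00.000001+0000","event_type":"stats","stats":{"uptime":60}}
{"timestamp":"2024-01-01T12:00:01.000001+0000","event_type":"alert","src_ip":"217.160.0.187","src_port":80,"dest_ip":"10.0.0.23","dest_port":41618,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2100498,"rev":7,"signature":"GPL ATTACK_RESPONSE id check returned root","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2024-01-01T12:00:02.000001+0000","event_type":"http","src_ip":"10.0.0.23","dest_ip":"217.160.0.187","http":{"hostname":"testmynids.org","url":"/uid/index.html"}}
{"timestamp":"2024-01-01T12:00:03.000001+0000","event_type":"alert","src_ip":"217.160.0.187","src_port":80,"dest_ip":"10.0.0.23","dest_port":41620,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2100498,"rev":7,"signature":"GPL ATTACK_RESPONSE id check returned root","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2024-01-01T12:00:04.000001+0000","event_type":"alert","src_ip":"10.0.0.2
"""

def iter_alerts(lines):
    """Yield only alert events; other event types and malformed lines are skipped
    (a tail -f reader can be handed a line Suricata has not finished writing)."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if event.get("event_type") == "alert":
            yield event

def to_fast_log(event):
    """Render an alert event in the shape of the fast.log line shown above."""
    a = event["alert"]
    return ("[{gid}:{sid}:{rev}] {sig} [**] [Classification: {cat}] [Priority: {sev}] "
            "{{{proto}}} {src}:{sport} -> {dst}:{dport}").format(
        gid=a["gid"], sid=a["signature_id"], rev=a["rev"], sig=a["signature"],
        cat=a["category"], sev=a["severity"], proto=event["proto"],
        src=event["src_ip"], sport=event["src_port"],
        dst=event["dest_ip"], dport=event["dest_port"])

def summarize(lines):
    """Count alerts per signature_id and per destination host, the two views
    you most often want when deciding which sids to keep in disable.conf."""
    by_sid, by_dest = Counter(), Counter()
    for ev in iter_alerts(lines):
        by_sid[ev["alert"]["signature_id"]] += 1
        by_dest[ev["dest_ip"]] += 1
    return by_sid, by_dest
```

To run it against the live log, pass open("/var/log/suricata/eve.json") to summarize() instead of SAMPLE_EVE.splitlines().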

Getting traffic to your web servers via the VNS3 NIDS Plugin

NIDS Container Flow

User or interior traffic arrives at the VNS3 Controller. Firewall rules can filter and send a subset of traffic to the Suricata plugin for analysis.

Forwarding Web Traffic to the NIDS Container

Forwarding traffic to the container uses the same technique as was shown for accessing the container via Remote Shell.

VNS3 Firewall

Enter rules to send a copy of either incoming traffic (arriving on eth0 or tun0) or outgoing traffic (leaving eth0 or tun0).

#EXAMPLE: Copy incoming eth0 HTTP (port 80) traffic to the NIDS plugin.
PREROUTING -i eth0 -p tcp --dport 80 -j TEE --gateway 198.51.100.x
#EXAMPLE: Copy outgoing eth0 HTTP (port 80) traffic to the NIDS plugin.
POSTROUTING -o eth0 -p tcp --dport 80 -j TEE --gateway 198.51.100.x
#EXAMPLE: Allow plugin network traffic out
POSTROUTING -o eth0 -s 198.51.100.0/28 -j MASQUERADE-ONCE


For Developers / DevOps

The Docker image source is distributed as a Dockerfile along with accompanying config files.

To get the source:

git clone https://github.com/cohesive/vns3-container-suricata.git

The plugin can also be installed via the API using the following URL: Suricata Image Download

Please see our developers guide for more information: VNS3 Plug-In Configuration Guide.

Contact support@cohesive.net for assistance or more information regarding the DevOps approach to deploying plugins.