Intrusion Detection System (IDS) with Suricata

Intrusion Detection System (IDS) with Suricata

What and Why an IDS

An intrusion detection system is a technology used to monitor and analyze network and data traffic over a network and upon detection of unwanted traffic, an alert is activated which alarms security professionals on a potential breach so they can remedy to it.

The first officially recognized IDS having features based on the patterns of an intruder. As time passed by, this technology had been refined and upgraded to meet growing security issues.

Suricata

Suricata is one of the most popular and recent open-source intrusion detection systems which is mainly but not only signature-based. Signature-based means that it analyzes the traffic pattern based on already known malicious traits and if they match, an alert is sounded.

One big drawback of signature-based IDS is that if there is just a slight change in the behaviour of a malicious activity, detection will be impossible, and this clearly shows that knowledge is static when working with these kinds of IDS

To remedy to this, anomaly-based IDS have come to fruition in order to overcome the limitations of signature-based. As said in the first paragraph, suricata is not limited to signature-based detection although it is well its baseline is found. With the increasing creativity and innovation of engineers and scientists, suricata is able to act as an anomaly-based detector by integration of artificial intelligence. This feature is a game changer and a leverage that makes suricata one of the best IDS in existence.

Setting up suricata in Linux

Assuming you already have knowledge on how linux basic commands functions, to install suricata, these are the steps to be followed:

  • Setup the latest release and install

      sudo apt-get install software-properties-common
      sudo add-apt-repository ppa:oisf/suricata-stable
      sudo apt-get update
      sudo apt-get install suricata
    
  • Configure the suricata.yaml to suit your network

    To configure suricata, you have to go to its yaml file directory and open the file:

  • Make appropriate changes like setting your IP address, network mask:

  • Add the right network interface

Activate rules or create custom rules

Adding rules to suricata

There generally exist two ways to add rules in suricata; which are the:

Using the suricata.rules file or creating a custom rule file like seen on the image above

Suricata.rule file

Using the suricata.rules file, you need to enter the following command to see the sources of available rules

sudo suricata-update list-sources

A list of different sources ofr rules which can be activated in the suricata.rule file

After selecting the rule to add, for instance the malsilo/win-malware, it can be added to the rule file and verified as follows:

sudo suricata-update enable-source malsilo-malware
sudo suricata-update list-enabled-sources

Custom.rule file

In order to to create and add your own custom file for rules in suricata, you need to have some knowledge on the format of a rule in suricata:

# action protocol source_ip source_port -> dest_ip dest_port (rule_options)
alert tcp any any -> any 80 (msg:"HTTP traffic detected"; sid:1000001;)

Like seen above, the basic format of a rule is made of:

  • action: Specifies the action to take when the rule is triggered.

  • protocol: Defines the protocol to monitor (e.g., tcp, udp, icmp, http).

  • Source IP and Port: The source IP address and the port associated in the data traffic

  • ->: Indicates the direction of the traffic flow; From source to destination.

  • Destination IP and Port : Destination IP address and its associated port

  • Rule Options (inside parentheses):
    A list of conditions or options that specify how the rule works. Common options include:

    • msg:"HTTP traffic detected": Describes the rule, included in alerts.

    • sid:1000001: Unique identifier for the rule (used to manage rules).

    • content:"POST": Searches for specific content in the payload (e.g., HTTP POST request).

    • rev:1: Revision number of the rule.

In order to execute a suricata command to inita=iate traffic analysis for potential alert, you can use the following command

sudo suricata -c /etc/suricata/suricata.yaml -i enps33 --set rule-files=/etc/suricata/rules/custom.rules
OR 
sudo suricata -c /etc/suricata/suricata.yaml -i enps33 --set rule-files=/etc/suricata/rules/suricata.rules

Note that, when entering the command above, you need to specify which rule fule to use for detection.

After launching the command , you need to be able to see whether suricata had detected any unwanted traffic. Open another tab of the terminal and enter:

sudo tail -f /var/log/suricata/fast.log
OR
sudo tail -f /var/log/suricata/alerts.json

Conclusion

From the above article depicting how to setup and use IDS suricata, you can realize that learning how to use this tool is a leverage in strengthening your understandings of networks, servers, protocols and many other concepts in networking and security; as well as sharpening your skills in linux configuration and management.