Creating a Custom Framework

To customize Suricata, edit the /etc/suricata/suricata.yaml file. Once you are editing the file, it is possible to use a fairly simple syntax:

alert icmp any any -> \
      any any (msg:"PING detected"; \
      sid:2; rev:1;)

The preceding syntax defines an alert for ICMP traffic, similar to iptables. This line tells Suricata to look for any ICMP traffic from any interface. Once Suricata discovers this traffic, it will issue an alert to the log files saying PING detected.

When learning about the traffic gaps, it's important to first understand the nature of your organization. Focus on the goal of your business. If you are working for a retail business, you will need to make sure your e-commerce servers and databases are properly protected.

Assume you are working for a company that has a web server that processes credit card information. Suppose you wish to create some rules in Suricata that detect unencrypted credit card transactions. You would want to do this to make sure that your developers are properly encrypting information. You would also want to see if a long-lurking hacker has somehow obtained access to your e-commerce server and is sending unencrypted data to a server outside of your network. To create such a rule, you could insert the following into the /etc/suricata/suricata.yaml file. Use any text editor and enter a rule such as:

alert tcp any any <> \
      any any (pcre:"/5\d{3}(\s|-)?\
      \d{4}(\s|-)?\d{4}(\s|-)?\d{4}/"; \
            msg:"MasterCard number \
               detected in clear text";content:\
               "mastercard";nocase;sid:9000001;rev:1;)

The preceding rule has Suricata look for MasterCard information. You can also enter information for American Express cards:

alert tcp any any <> \
      any any (pcre:"/3\d{3}\
      (\s|-)?\d{6}(\s|-)?\d{5}/";\
      msg:"American Express card number \
      detected in clear text";content: \
      "amex";nocase;sid: 9000003;rev:1;)

You might have noticed that the preceding rules are Snort rulesets. You've already begun to create an intrusion detection system based on a flexible, custom framework. But, you don't have to stop here.

Using Suricata

Once Suricata is up and running, you can log in and view traffic alerts. Figure 4 shows Suricata in traditional IDS mode.

Figure 4: Suricata in traditional IDS mode.

In Figure 4, Suricata is showing the results of its activities, which include identifying issues with web and DNS traffic. The useful part of this report is that it lets you identify traffic types and where they originated. Yes, attackers are capable of spoofing IP addresses, but it is still useful to try and find the origin of the traffic.

Figure 5 shows another view that is particularly useful. The panel in Figure 5 shows security events over time. Viewing events makes it possible to use Suricata to identify when an attacker has been stealthily mapping your network or a particular network resource.

Figure 5: Events over time in Suricata.

The view in Figure 5 is particularly useful in helping reduce dwell time, because it tracks scanning attacks and other activities over time. If stealth is the key to long-term, persistent hacking, long-term, diligent recording of network activity is one of the ways to stop persistent attacks.

Finally, Figure 6 provides a report of the types of web services available on the network. I have found reports such as the report in Figure 6 useful for identifying older web servers, which are often targets for attack. Attackers often use off-the-shelf software, such as IIS and Apache Server, to exfiltrate information. The ability to detect web servers makes it easy to identify this type of traffic.

Figure 6: Detecting web servers with Suricata.

Conclusion

Suricata is a useful alternative to Snort and other intrusion detection and prevention systems. If you're looking for a highly scalable intrusion detection alternative that is easily customizable and automatically recognizes many protocols and file types, you might want to consider Suricata for your own network.