Introduction
I’ve been working for the past few days on a new Suricata feature. It is available in Suricata 1.4rc1.
Suricata can now listen to a unix socket and accept commands from the user. The exchange protocol is JSON-based and the format of the message has been done to be generic and it is described in this commit message. An example script called suricatasc is provided in the source and installed automatically when updating Suricata.
Unix socket command
By setting enabled to yes under unix-command in Suricata YAML configuration file, the creation of the socket is now activated:
unix-command:
enabled: yes
#filename: custom.socket # use this to specify an alternate file
This provides for now a set of really exciting commands like:
- shutdown: this shutdown suricata
- iface-list: list interfaces where Suricata is sniffing packets
- iface-stat: list statistic for an interface
For example, a typical session with suricatasc will looks like:
# suricatasc
>>> iface-list
Success: {'count': 2, 'ifaces': ['eth0', 'eth1']}
>>> iface-stat eth0
Success: {'pkts': 378, 'drop': 0, 'invalid-checksums': 0}
Useful but not really sexy for now. But the main part is the dedicated running mode.
Unix socket running mode
This mode is one of main motivation behind this code. The idea is to be able to ask to Suricata to treat different pcap files without having to restart Suricata between the files.
This provides you a huge gain in time as you don’t need to wait for the signature engine to initialize.
To use this mode, start suricata with your preferred YAML file and provide the option –unix-socket as argument:
suricata -c /etc/suricata-full-sigs.yaml --unix-socket
Then, you can use the provided script suricatasc to connect to the command socket and ask for pcap treatment:
root@tiger:~# suricatasc
>>> pcap-file /home/benches/file1.pcap /tmp/file1
Success: Successfully added file to list
>>> pcap-file /home/benches/file2.pcap /tmp/file2
Success: Successfully added file to list
Yes, you can add multiple files without waiting the result: they will be sequentially processed and the generated log/alert files will be put into the directory specified as second arguments of the pcap-file command. You need to provide absolute path to the files and directory as suricata don’t know from where the script has been run.
To know how much files are waiting to get processed, you can do:
>>> pcap-file-number
Success: 3
To get the list of queued files, do:
>>> pcap-file-list
Success: {'count': 2, 'files': ['/home/benches/file1.pcap', '/home/benches/file2.pcap']}
suritasc script is just intended to be a basic tool to send commands. The protocol has been choozen to be simple so people can easily build their own scripts.
Some words about the protocol
The client connect to the socket and sends its protocol version:
{ "version": "$VERSION_ID" }
The server sends an answer:
{ "return": "OK|NOK" }
If server returns OK, the client is now allowed to send command.
The format of command is the following:
{
"command": "$COMMAND_NAME",
"arguments": { $KEY1: $VAL1, ..., $KEYN: $VALN }
}
For example, to ask suricata to treat a pcap, the command is something like:
{
"command": "pcap-file",
"arguments": { "filename": "smtp-clean.pcap", "output-dir": "/tmp/out" }
}
The server will try to execute the “command” specified with the
(optional) provided “arguments”.
The answer by server is the following:
{
"return": "OK|NOK",
"message": JSON_OBJECT or information string
}
Building it
This new features use jansson the encoding/decoding JSON and it needs thus to be installed on your system before you can do the build. On Debian (testing or sid) or Ubuntu, you can install libjansson-dev
Now, you can proceed with your normal build. For example:
./autogen.sh
./configure
make
make install
You can check if the support will be build in the message at end of configure:
Suricata Configuration:
AF_PACKET support: yes
...
Unix socket enabled: yes
libnss support: no
libnspr support: no
libjansson support: yes
If this is your first install, you may want to run make install-full to get a working configuration of Suricata with Emerging Threats rules being downloaded and setup.
Now, you can just do:
suricata --unix-socket
Conclusion
This new features can be really interesting for people that are using Suricata to parse a large numbers of pcap. But the unix command may be really interesting when more commands will be available. Regarding this don’t hesitate to give me some feedbacks or ideas.