Ecosystem of Suricata

Suricata is an IDS/IPS engine. To build a complete solution, you will need to use other tools. The following schema represents a possible software setup where Suricata is used as an IDS or IPS on the network. It only uses open-source components: Suricata is used to sniff and analyse the traffic. To detect malicious traffic, it uses signatures (or rules). You can download a set of specialised rules from EmergingThreats. ...

13 February 2012 · 1 min · Regit

Acquisition systems and running modes evolution of Suricata

Some new features have recently reached Suricata's git tree and will be available in the next development release. I've worked on some of them and will describe them here.

Multi-interface support and new running modes

Configuration update

IDS live mode in Suricata (pcap, pf_ring, af_packet) now supports capture on multiple interfaces. The syntax of the YAML configuration file has evolved and it is now possible to set per-interface variables. For example, it is possible to define the pfring configuration with the following syntax: ...

6 October 2011 · 2 min · Regit

OISF brainstorming: planning phase 3 (take 3)

GEO IP

The idea is to add a keyword that would be used to interact with a GeoIP database (a free one at least) and be able to use it to detect things like control channels. For example, an IRC server in an uncommon country is certainly a control channel.

Live ruleset swap

A must have! This is vital for critical environments. This is very costly in memory and should be an option, to avoid blowing up low-memory boxes. ...

19 September 2011 · 2 min · Regit

OISF brainstorming: planning phase 3 (take 2)

DNS fast flux/anomaly detection

The idea is to detect malware and other things by collecting DNS requests and their answers and detecting anomalies. For example, a host making a lot of requests to a domain. The first part of the job on Suricata's side is to log all requests and their answers. Analysis can then occur in the database.

File extraction

This is work in progress linked to a third-party contract. It permits storing exchanged files on disk for some application-level protocols. It is possible to say: "store the file if the content type is different from the extension". File extraction currently works on HTTP. It focuses on POST requests to detect uploaded files. ...

19 September 2011 · 2 min · Regit

OISF brainstorming: planning phase 3 (take 1)

Performance improvement

As shown by Victor's latest work on performance counters, there is a lot of work that can be done to improve performance. Performance is currently good but there is room for improvement. A proposal to provide off-loading or clustering was made. This was heavily discussed but, as pointed out by Victor, it will be more interesting to do this in the next phase. Phase 3 should focus on improving the current code. This will make it possible to use the upcoming Suricata killer features like global flow variables. ...

19 September 2011 · 2 min · Regit

Matt Jonkman: development progress

Phase 2 development is almost over now. Among the completed major features: multithreading, protocol discovery, SMB logging, HTTP logging, flowvars. One of the advantages of Suricata over Snort is protocol discovery combined with HTTP parsing by libhtp. It provides a huge improvement over Snort, as a lot of bad flows use HTTP on non-standard ports.

19 September 2011 · 1 min · Regit

Victor Julien: Development status

Work started in September 2007. The work depends on some external libraries, like multithreading and input-handling libraries. The main external dependency is libhtp, which was initially developed by Ivan Ristic. The development is managed in a single git repository. Victor is the only one with commit rights. Reviews are done by Victor and cross reviews are made by developers. The work unit for developers is the task, written by Victor, which describes a specific thing to do. These tasks are mainly done by OISF-funded developers. Some simpler tasks are left to the community and everyone can help with them. ...

19 September 2011 · 2 min · Regit

Slides of my Suricata talk at Libre Software Meeting

I gave a talk about Suricata entitled "Suricata, rethinking IDS/IPS" at the Libre Software Meeting (RMLL in French). The slides can be downloaded from the RMLL website. Thanks a lot to Christophe Brocas and Mathieu Blanc for organising the security track of LSM.

13 July 2011 · 1 min · Regit

About Suricata performance boost between 1.0 and 1.1beta2

Discovering the performance boost

When doing some coding on both the 1.0 and 1.1 branches of Suricata, I noticed that there was a huge performance improvement of the 1.1 branch over the 1.0 branch. Parsing a given real-life pcap file was taking 200 seconds with 1.0 but only 30 seconds with 1.1. This performance boost was huge and I decided to double check and to study how such a boost was possible and how it was obtained: ...

2 June 2011 · 3 min · Regit

Suricata conference at Solutions Linux 2011

I gave a presentation about Suricata today at the Solutions Linux event. It was part of the security track chaired by Hervé Schauer. The slides are in French and are available here: 2011_sollinux_suricata

11 May 2011 · 1 min · Regit

Joining the OISF coding staff

My collaboration with OISF was announced today. It is an honor for me to join this excellent team on this wonderful project. I've taken a lot of pleasure in the past months contributing to the project and I'm sure the start of an official collaboration will lead to good things. The challenge is high and I will do my best to deserve the trust. A big thanks to all the people who congratulated me on this nomination.

20 April 2011 · 1 min · Regit

Building Suricata under OpenBSD

Suricata 1.1beta2 has brought OpenBSD to the list of supported operating systems. I'm a total newbie to OpenBSD, so excuse the lack of respect for OpenBSD standards and usages in this documentation. Here are the different steps I used to finalize the port, starting from a fresh install of OpenBSD. If you want to use source taken from git, you will need to install the build tools: pkg_add git. libtool, automake and autoconf need to be installed too. For OpenBSD 4.8, one can run: ...

17 April 2011 · 1 min · Regit

Some new features of IPS mode in Suricata 1.1beta2

The IDS/IPS Suricata has native support for Netfilter queue. This brings IPS functionality to users running Suricata on Linux. Suricata 1.1beta2 introduces a lot of new features related to the NFQ mode.

New stream inline mode

One of the main improvements of Suricata's IPS mode is related to the new stream engine dedicated to inline operation. Victor Julien has a great blog post about it.

Multiqueue support

Suricata can now be started on multiple queues by using a comma-separated list of queue identifiers on the command line. The following syntax: ...

13 April 2011 · 4 min · Regit

More about Suricata multithread performance

Following my preceding post on Suricata multithread performance, I've decided to continue working on the subject. By using perf-tool, I found out that as the number of detect threads increased, more and more time was spent in a spin lock. One possible explanation is that the default running mode for pcap files (RunModeFilePcapAuto) is not optimal. The single decode thread takes some time to process the packets and is not fast enough to feed data to the multiple detect threads. This triggers a lot of waiting and an increase in CPU usage. Following a discussion with Victor Julien, I decided to give an alternate run mode for working on pcap files a try: RunModeFilePcapAutoFp. ...

15 February 2011 · 2 min · Regit

Optimizing Suricata on multicore CPUs

The Suricata IDS/IPS architecture makes heavy use of multithreading. In almost every runmode (PCAP, PCAP file, NFQ, …) it is possible to set the number of threads used for detection. Detection is the most CPU-intensive task, as it checks each packet against the signatures to produce alerts. The number of threads is configured by setting a ratio that decides the number of threads to run per available CPU (the detect_thread_ratio variable). ...

26 January 2011 · 4 min · Regit

Building a suricata compliant ruleset

Introduction

During the Netfilter Workshop 2008, we had an interesting discussion about the fact that NFQUEUE is a terminal decision. This has strong implications, in particular when working with an IPS like Suricata (or snort-inline at the time of the discussion): the IPS must receive all packets routed by the gateway and can only issue a terminal DROP or ACCEPT verdict. It thus takes precedence over all subsequent rules in the ruleset: any ACCEPT rule before the IPS rules will remove packets from IPS analysis and, conversely, any decision after the IPS rules will be ignored. ...

16 January 2011 · 5 min · Regit

Using Suricata with CUDA

Suricata is a next-generation IDS/IPS engine developed by the Open Information Security Foundation. This article describes the installation, setup and usage of Suricata with CUDA support on Ubuntu 10.04 64-bit. For 32-bit users, simply remove the 64 occurrences where you find them.

Preparation

You need to download both the developer driver and the CUDA driver from the nvidia website. I really mean both, because the Ubuntu nvidia drivers do not work with CUDA. I first downloaded and installed the CUDA toolkit for Ubuntu 9.04. It was straightforward: ...

23 May 2010 · 3 min · Regit