Suricata Configuration and Custom Rule Creation
This guide covers the practical side of installing, configuring, and using Suricata, an open-source network intrusion detection and prevention system (IDS/IPS), on Ubuntu. It is written for readers who already know the basics of Suricata and want to get custom rules and EVE logging working on a sensor of their own.
To begin, we install Suricata on an Ubuntu virtual machine. The installation is straightforward because the OISF maintains an official Ubuntu repository (the ppa:oisf/suricata-stable PPA) with current binary packages. After adding that repository we refresh the package index and install the suricata package with apt.
Once Suricata is installed, it is managed as a systemd service. Enabling the service makes Suricata start automatically at boot; leaving it disabled keeps it from consuming resources in the background until you start it by hand. Enabling does not start it immediately, which is what we want, since the configuration still has to be adjusted and tested first. For this article, I choose to enable the service.
Next, we look at the configuration files and rules under the /etc/suricata directory. The main configuration file, suricata.yaml, is plain YAML and easy to read and edit. We change several settings: the HOME_NET address group is set to our local subnet (EXTERNAL_NET keeps its default of !$HOME_NET, i.e. everything else), and in the af-packet capture section we set the network interface Suricata should monitor.
We also enable the Community ID feature (the community-id option of the eve-log output), which adds a community_id field to every EVE record. The value is a hash of the flow's 5-tuple that Zeek and other tools compute identically, so records for the same flow can be joined across tools once the JSON logs are imported into a SIEM or search engine. The community-id-seed must be the same on every sensor, or the hashes will not match.
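The relevant parts of suricata.yaml, as an added illustration rather than the page's own configuration: the home subnet, interface name, and the local.rules path are assumptions for this example, and cluster-id/cluster-type/defrag are left at the values the stock file ships with.

```yaml
# suricata.yaml excerpt (example values; adjust subnet, interface and paths)
vars:
  address-groups:
    HOME_NET: "[192.168.1.0/24]"   # the network we are protecting (assumed)
    EXTERNAL_NET: "!$HOME_NET"     # everything that is not HOME_NET

af-packet:
  - interface: enp0s3              # interface to sniff (assumed name)
    cluster-id: 99
    cluster-type: cluster_flow
    defrag: yes

outputs:
  - eve-log:
      enabled: yes
      filetype: regular
      filename: eve.json           # written under default-log-dir
      community-id: true           # same flow hash Zeek emits
      community-id-seed: 0         # must match the seed on other sensors
      types:
        - alert
        - flow

default-rule-path: /var/lib/suricata/rules
rule-files:
  - suricata.rules                 # merged ruleset written by suricata-update
  - /etc/suricata/rules/local.rules   # our custom rules (assumed path)
```

Only the keys shown are touched; the rest of the file is left as installed. The absolute path for local.rules matters because relative entries in rule-files resolve against default-rule-path, which suricata-update manages.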
After configuring Suricata, we fetch rules with the ‘suricata-update’ command. By default it downloads the Emerging Threats Open ruleset from emergingthreats.net, merges it with any other enabled sources into a single suricata.rules file under /var/lib/suricata/rules, and that is the file Suricata loads. Additional rule sources can be listed with ‘suricata-update list-sources’ and switched on with ‘suricata-update enable-source’. A rule update does not take effect in a running Suricata until the ruleset is reloaded (via suricatasc) or the service is restarted.
To test the configuration, we run ‘suricata -T’, pointed at suricata.yaml with -c. Test mode loads the configuration and every rule file, reports any YAML or rule syntax error, and exits without capturing traffic. Once it reports no problems, we start the service using systemd.
We then create a custom rule that alerts on ICMP echo requests (pings) arriving from outside our home network, that is from $EXTERNAL_NET to $HOME_NET. The rule lives in a local.rules file, which we add to the rule-files list in suricata.yaml. Custom rules should use signature IDs in the local range (1000000 and above) so they never collide with rules from downloaded rulesets. After adding the rule, we run the configuration test again to make sure it parses.
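The custom rule file, written out as an added example rather than the page's own text; the message string and sid 1000001 are choices made for this illustration:

```text
# /etc/suricata/rules/local.rules (example; sid chosen from the local range)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"LOCAL ICMP echo request from external net"; itype:8; classtype:misc-activity; sid:1000001; rev:1;)
```

itype:8 restricts the match to echo requests, so replies sent by our own hosts do not trigger it; dropping the itype keyword would alert on every ICMP packet crossing the boundary. Bump rev whenever the rule is edited so the change is visible in the logs.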
To verify the rule, we ping the sensor from another device and check the Suricata logs (fast.log gives a one-line summary per alert, eve.json the full record). One caveat: because EXTERNAL_NET is defined as !$HOME_NET, a rule with $EXTERNAL_NET as its source will not fire for a ping that originates inside HOME_NET, so the test host must be outside that subnet (or use any as the source while testing). In our test the ping is detected and logged as expected.
Finally, we look at the JSON logs Suricata writes in EVE format to eve.json under /var/log/suricata, one JSON object per line. They are convenient to inspect with the ‘jq’ command-line JSON processor, for instance by filtering on event_type to show only alert records. Each record carries the timestamp, the full flow tuple, the matching signature and its sid, and the community_id, which is what makes the EVE output so useful for event correlation and analysis.
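To show what the correlation actually rests on, here is an added Python example (not code from the page or the Suricata project) that parses newline-delimited EVE records, pulls out the alerts for our custom sid, recomputes each record's Community ID from its flow tuple to confirm the seed matches, and groups records of the same flow. The EVE lines are constructed samples, not captured output; the IP addresses, timestamps and field values are assumptions, except the TCP record, whose community_id is the reference value from the Community ID specification.

```python
"""Correlate Suricata EVE JSON records via Community ID (added example)."""
import base64
import hashlib
import json
import socket
import struct
from collections import defaultdict

# ICMPv4 request/reply type pairs that the Community ID spec treats as one
# bidirectional flow; any other type is one-way and hashes (type, code).
ICMP4_PAIRS = {8: 0, 0: 8, 13: 14, 14: 13, 15: 16, 16: 15,
               10: 9, 9: 10, 17: 18, 18: 17}
PROTO_NUM = {"ICMP": 1, "TCP": 6, "UDP": 17}


def community_id(src_ip, dst_ip, proto, sport, dport, seed=0):
    """Community ID v1: '1:' + base64(sha1(seed, saddr, daddr, proto, 0, sport, dport))
    over the flow tuple in canonical order (smaller endpoint first)."""
    one_way = False
    if proto == 1:  # ICMPv4: sport carries the type, dport the code
        if sport in ICMP4_PAIRS:
            dport = ICMP4_PAIRS[sport]
        else:
            one_way = True
    family = socket.AF_INET6 if ":" in src_ip else socket.AF_INET
    saddr = socket.inet_pton(family, src_ip)
    daddr = socket.inet_pton(family, dst_ip)
    if not one_way and not (saddr < daddr or (saddr == daddr and sport < dport)):
        saddr, daddr, sport, dport = daddr, saddr, dport, sport
    data = struct.pack("!H", seed) + saddr + daddr + struct.pack("!BBHH", proto, 0, sport, dport)
    return "1:" + base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")


def community_id_for_record(rec, seed=0):
    """Recompute the Community ID from an EVE record's own tuple fields."""
    proto = PROTO_NUM[rec["proto"]]
    if proto == 1:
        sport, dport = rec["icmp_type"], rec["icmp_code"]
    else:
        sport, dport = rec["src_port"], rec["dest_port"]
    return community_id(rec["src_ip"], rec["dest_ip"], proto, sport, dport, seed)


def parse_eve(text):
    """Parse newline-delimited EVE JSON, skipping blank or half-written lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a line Suricata was still writing when the file was read
    return records


def alerts_for_sid(records, sid):
    """Alert records produced by one signature id."""
    return [r for r in records
            if r.get("event_type") == "alert" and r["alert"]["signature_id"] == sid]


def correlate(records, seed=0):
    """Group event types by community_id; also return records whose stored id
    does not recompute, which is what a seed mismatch between sensors looks like."""
    by_id, mismatched = defaultdict(list), []
    for rec in records:
        cid = rec.get("community_id")
        if cid is None:
            continue
        if community_id_for_record(rec, seed) != cid:
            mismatched.append(rec)
        by_id[cid].append(rec["event_type"])
    return dict(by_id), mismatched


def _eve_line(**fields):
    """Build one constructed EVE line, filling community_id from the tuple."""
    fields["community_id"] = community_id_for_record(fields)
    return json.dumps(fields)


# Constructed sample log (not real Suricata output): the alert from the ICMP
# rule, the flow record for the same ping, an unrelated TCP flow carrying the
# spec's reference Community ID, and a truncated line as seen on a live file.
SAMPLE_EVE = "\n".join([
    _eve_line(timestamp="2024-01-01T12:00:00.000000+0000", event_type="alert",
              src_ip="203.0.113.7", dest_ip="192.168.1.10", proto="ICMP",
              icmp_type=8, icmp_code=0,
              alert={"action": "allowed", "signature_id": 1000001, "rev": 1,
                     "signature": "LOCAL ICMP echo request from external net"}),
    _eve_line(timestamp="2024-01-01T12:00:05.000000+0000", event_type="flow",
              src_ip="203.0.113.7", dest_ip="192.168.1.10", proto="ICMP",
              icmp_type=8, icmp_code=0),
    json.dumps({"timestamp": "2024-01-01T12:01:00.000000+0000", "event_type": "flow",
                "src_ip": "128.232.110.120", "src_port": 34855,
                "dest_ip": "66.35.250.204", "dest_port": 80, "proto": "TCP",
                "community_id": "1:LQU9qZlK+B5F3KDmev6m5PMibrg="}),
    '{"timestamp": "2024-01-01T12:02:00.0',
])

if __name__ == "__main__":
    recs = parse_eve(SAMPLE_EVE)
    for a in alerts_for_sid(recs, 1000001):
        print(a["timestamp"], a["src_ip"], "->", a["dest_ip"], a["alert"]["signature"])
    groups, bad = correlate(recs)
    for cid, kinds in groups.items():
        print(cid, kinds)
    print("records whose community_id does not recompute:", len(bad))
```

Run against a real file with parse_eve(open("/var/log/suricata/eve.json").read()); the mismatch list is the quick way to spot a sensor whose community-id-seed differs from the rest of the fleet. The echo request and its reply hash to the same ID because the spec maps type 8 to type 0 before ordering the tuple, which is exactly why the alert and the flow record land in the same group.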
Conclusion
Suricata is a powerful tool for network intrusion detection. Its flexible configuration, simple rule language, and structured EVE output make it a valuable asset for any cybersecurity professional. By understanding how to configure Suricata and write custom rules, you can tailor it to your own network and detection needs.