Install/Setup
- https://suricata.readthedocs.io/en/suricata-6.0.0/quickstart.html
- This quickstart guide uses an ubuntu repo. Can also be installed from source. Documentation also contains a curl command for easy testing.
Host Bridged Network
- This quickstart guide uses an ubuntu repo. Can also be installed from source. Documentation also contains a curl command for easy testing.
- https://medium.com/nycdev/how-to-ssh-from-a-host-to-a-guest-vm-on-your-local-machine-6cb4c91acc2e
Client-Router-Server
- https://sandilands.info/sgordon/building-internal-network-virtualbox
- Netplan is the manager for recent versions of LTS Ubuntu
- VirtualBox can use NatNetwork with promiscuous mode to share packet traffic between virtual machines - Much simpler to set-up method, but also more VM dependent.
Testing Environment
For installation testing purposes, a simple setup of 2 virtualbox machines running linux server works well. One machine will act as a client, while the other machine can have Suricata installed. Once setup is complete, test the environment by using the command curl http://testmyids.com/
. A sucessful setup should trigger an alert that will be visible using sudo tail -f /var/log/suricata/fast.log
.
Be sure to create a nat network and enable promiscious mode for the virtual machines. This will enable traffic to be shared on the nic that is monitored by Suricata.
Suricata Rules
Format
Rules for Suricata are defined using a basic signature of action/header/options
- Action
- Determines what occurs when the signature matches
- alert (generates an alert)
- pass (stops inspection)
- reject (send unreachable error to sender)
- Header
- Protocol (tcp, udp, icmp, http, ssh)
- Source and destination of traffic
- ($HOME_NET, $EXTENRAL_NET) IP or Ports
- Direction ->, <>
- Options
- Enclosed by parenthesis, seperated by semicolons
drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:”ET TROJAN Likely Bot Nick in IRC (USA +..)”; flow:established,to_server; flowbits:isset,is_proto_irc; content:”NICK “; pcre:”/NICK .USA.[0-9]{3,}/i”; reference:url,doc.emergingthreats.net/2008124; classtype:trojan-activity; sid:2008124; rev:2;)
More Information: https://suricata.readthedocs.io/en/suricata-6.0.0/rules/intro.html
Custom
- Create a file to store rules
sudo nano local.rules
- Update the Suricata configuration file to include rule file
sudo nano /etc/suricata/suricata.yaml
~ default-rule-path: /usr/local/etc/suricata/rules
rule-files: - suricata.rules - /path/to/local.rulesMore information: https://suricata.readthedocs.io/en/suricata-6.0.0/rule-management/adding-your-own-rules.html
Management Tool
This is the method reccomended for adding rules for Suricata.
- Check available rulesets
- fetch index with
sudo suricata-update update-sources
- List available sources with
sudo suricata-update list-sources
- enable example
sudo suricata-update enable-source oisf/trafficid
sudo suricata-update