E
Eric Hansen
Guest
In part 1, we covered what Suricata is, why we are using it, and how to install it to our system. It wasn’t hard, and the following won’t be much worse, either. Now we are going to do some basic configuration of the program and get it working!
Specify Hosts on Network
Suricata analyzes packets differently based on the OS, mostly due to how the OS deals with fragmented packets. So how do we specify what OSes are on the network? By editing the config files, of course! I prefer to use nano but you can use whichever text editor you like.
You’re going to want to edit /etc/suricata/suricata.yaml and look for the line that starts with host-os-policy:, it’ll have a block of code like so:
What this block does is tell Suricata what IP address(es) belong to which OS. So in this example by default the OS will be Windows (0.0.0.0/0 matches everything on every subnet) if no IP can be matched elsewhere. Every IP in the 10.0.0.0/8 block, 192.168.1.100 and 8762... (IPv6) is Linux and the loalhost is a Solaris machine. Pretty simple, right? Once you set that up to match your network, we still need to make some changes to this.
Which Machine Is Home?
Just like in Snort, Suricata has a HOME_NET and EXTERNAL_NET, and it resides in the same file as above, but in the vars block, and looks like this:
For those who aren’t familiar with this, HOME_NET specifies which machine(s) are on the home network (LAN). This can either just be a single IP or a list of IPs, and should only match the local network’s IP. Personally I like to make things easier on the program so I’ll only specify my LAN’s IP range of 192.168.1.0/16. EXTERNAL_NET specifies which IPs aren’t on the local network, which by default is everything we assume is unknown to our LAN. Shorthand for that is to specify “!$HOME_NET” (“not home network”).
Handle the Servers
After that you’ll see a bunch of *_SERVERS lines that basically lets Suricata know which network handles the server group. If you want to get fancy you can specify different networks similar to HOME_NET and EXTERNAL_NET (i.e.: WEB_NET: “[10.0.1.0/8]”) then specify it for the server group (i.e.: HTTP_SERVERS: “$WEB_NET”), but we’ll keep it simple and assume every server we which to care about is on our LAN ($HOME_NET). If you don’t use a server (i.e.: don’t run a telnet server), you can comment it out by putting a “# “ (including the space) in front of it.
Ports, Ports Everywhere!
Doing great so far, aren’t we? Well now lets specify which ports we know for services to be running on. This is still in the vars group but is now port-groups, which looks like this:
What is this, exactly? Easy, this specifies which ports run what (this is to help with rules which we’ll get into later). Lets say you have a web server that listens on port 80 and you create a rule for it. Later on, you decide that port 8080 will also be used. Instead of having to edit numerous rules to replace “80” with “80,8080”, you can simply edit this one line (HTTP_PORTS) to look like HTTP_PORTS: “80,8080” and then just use $HTTP_PORTS in your rule. You can specify your own ports here too if you like, or even remove ones you don’t use (most people don’t use Oracle for their home networks, afterall ).
Suricata My Network For A Dollar
Now we get to the fun part, testing it out! You might have to change the HOME_NET to exclude an IP or something to get this to work, but we’ll do a simple ping test (an easier way of doing this in part 3).
For right now though we’ll create our own basic rule that will notify us once alerts are received. To do so, open up your favorite editor again and put this in:
Save it to /etc/suricata/rules/test.rules and close. Now we need to open up suricata.yaml again and look for this block:
Yours won’t have the “#” in front of the dashes, I did that to cut down on loading times (advisable but not mandatory). At the end of that list add “ - test.rules” to that (including the space), save and exit. This will tell Suricata to load our new rule we created above.
Now that we got that done we’ll start up Suricata on eth0 (where it will monitor the packet flow on eth0, change if your adapter is different) and test some incoming pings. What I did to make this easier is in the suricata.yaml file, change “HOME_NET” to the IP of the machine Suricata is installed on only. This way I could send pings from any computer on the network and it’d work. To run, just enter the following command as root:
Don’t do anything until you see a line similar to this:
That means that Suricata is roaring to go now. From a different machine than the one Suricata is running on send a ping command to it now:
Assuming you’re sending a ping to the IP that is assigned to the adapter Suricata is sniffing on (in this case eth0), you should receive something like this in /var/log/suricata/fast.log:
That’s it! Suricata is up and running, and even more so you can make magic happen! In the next part we’ll cover the rules aspect, as that’s a topic all in itself anyways.
Specify Hosts on Network
Suricata analyzes packets differently based on the OS, mostly due to how the OS deals with fragmented packets. So how do we specify what OSes are on the network? By editing the config files, of course! I prefer to use nano but you can use whichever text editor you like.
You’re going to want to edit /etc/suricata/suricata.yaml and look for the line that starts with host-os-policy:, it’ll have a block of code like so:
Code:
# Host specific policies for defragmentation and TCP stream
# reassembly. The host OS lookup is done using a radix tree, just
# like a routing table so the most specific entry matches.
host-os-policy:
# Make the default policy windows.
windows: [0.0.0.0/0]
bsd: []
bsd-right: []
old-linux: []
linux: [10.0.0.0/8, 192.168.1.100, "8762:2352:6241:7245:E000:0000:0000:0000"]
old-solaris: []
solaris: ["::1"]
hpux10: []
hpux11: []
irix: []
macos: []
vista: []
windows2k3: []
What this block does is tell Suricata what IP address(es) belong to which OS. So in this example by default the OS will be Windows (0.0.0.0/0 matches everything on every subnet) if no IP can be matched elsewhere. Every IP in the 10.0.0.0/8 block, 192.168.1.100 and 8762... (IPv6) is Linux and the loalhost is a Solaris machine. Pretty simple, right? Once you set that up to match your network, we still need to make some changes to this.
Which Machine Is Home?
Just like in Snort, Suricata has a HOME_NET and EXTERNAL_NET, and it resides in the same file as above, but in the vars block, and looks like this:
Code:
address-groups:
HOME_NET: "[192.168.1.0/16]"
EXTERNAL_NET: "!$HOME_NET"
For those who aren’t familiar with this, HOME_NET specifies which machine(s) are on the home network (LAN). This can either just be a single IP or a list of IPs, and should only match the local network’s IP. Personally I like to make things easier on the program so I’ll only specify my LAN’s IP range of 192.168.1.0/16. EXTERNAL_NET specifies which IPs aren’t on the local network, which by default is everything we assume is unknown to our LAN. Shorthand for that is to specify “!$HOME_NET” (“not home network”).
Handle the Servers
After that you’ll see a bunch of *_SERVERS lines that basically lets Suricata know which network handles the server group. If you want to get fancy you can specify different networks similar to HOME_NET and EXTERNAL_NET (i.e.: WEB_NET: “[10.0.1.0/8]”) then specify it for the server group (i.e.: HTTP_SERVERS: “$WEB_NET”), but we’ll keep it simple and assume every server we which to care about is on our LAN ($HOME_NET). If you don’t use a server (i.e.: don’t run a telnet server), you can comment it out by putting a “# “ (including the space) in front of it.
Ports, Ports Everywhere!
Doing great so far, aren’t we? Well now lets specify which ports we know for services to be running on. This is still in the vars group but is now port-groups, which looks like this:
Code:
# Holds the port group vars that would be passed in a Signature.
# These would be retrieved during the Signature port parsing stage.
port-groups:
HTTP_PORTS: "80"
SHELLCODE_PORTS: "!80"
ORACLE_PORTS: 1521
SSH_PORTS: 22
DNP3_PORTS: 20000
What is this, exactly? Easy, this specifies which ports run what (this is to help with rules which we’ll get into later). Lets say you have a web server that listens on port 80 and you create a rule for it. Later on, you decide that port 8080 will also be used. Instead of having to edit numerous rules to replace “80” with “80,8080”, you can simply edit this one line (HTTP_PORTS) to look like HTTP_PORTS: “80,8080” and then just use $HTTP_PORTS in your rule. You can specify your own ports here too if you like, or even remove ones you don’t use (most people don’t use Oracle for their home networks, afterall ).
Suricata My Network For A Dollar
Now we get to the fun part, testing it out! You might have to change the HOME_NET to exclude an IP or something to get this to work, but we’ll do a simple ping test (an easier way of doing this in part 3).
For right now though we’ll create our own basic rule that will notify us once alerts are received. To do so, open up your favorite editor again and put this in:
Code:
alert ip any any -> any any (msg:"ICMP detected"; sid:2; rev:1;)
Code:
default-rule-path: /etc/suricata/rules
rule-files:
# - botcc.rules
# - ciarmy.rules
# - compromised.rules
# - drop.rules
# - dshield.rules
# - emerging-activex.rules
# - emerging-attack_response.rules
# - emerging-chat.rules
…
Now that we got that done we’ll start up Suricata on eth0 (where it will monitor the packet flow on eth0, change if your adapter is different) and test some incoming pings. What I did to make this easier is in the suricata.yaml file, change “HOME_NET” to the IP of the machine Suricata is installed on only. This way I could send pings from any computer on the network and it’d work. To run, just enter the following command as root:
Code:
suricata -c /etc/suricata/suricata.yaml -i eth0
Code:
24/7/2013 -- 21:37:20 - <Info> - all 2 packet processing threads, 3 management threads initialized, engine started.
Code:
ping -c 1 suricata.machine
Code:
07/24/2013-21:38:17.547119 [**] [1:2:1] ICMP detected [**] [Classification: (null)] [Priority: 3] {ICMP} 10.0.3.1:8 -> 10.0.3.10:0
07/24/2013-21:38:17.547173 [**] [1:2:1] ICMP detected [**] [Classification: (null)] [Priority: 3] {ICMP} 10.0.3.10:0 -> 10.0.3.1:0
07/24/2013-21:38:18.546050 [**] [1:2:1] ICMP detected [**] [Classification: (null)] [Priority: 3] {ICMP} 10.0.3.1:8 -> 10.0.3.10:0
07/24/2013-21:38:18.546085 [**] [1:2:1] ICMP detected [**] [Classification: (null)] [Priority: 3] {ICMP} 10.0.3.10:0 -> 10.0.3.1:0