Hey there, cyber warriors and digital defenders! 🕶️ Are you ready to transform your network into a fortress of unbreachable awesomeness? Buckle up and slap on those shades because we're diving headfirst into the electrifying world of Suricata! This bad boy is like the ultimate watchdog of network security, turning you into a packet-sniffing, threat-hunting cyber ninja in no time!

What's the Scoop on Suricata? 🦸‍♂️

Before we geek out over Suricata's superpowers, let's get a handle on what makes it the rockstar of network security. Imagine having a vigilant sentinel that tirelessly monitors every byte zooming across your network, 24/7. That's Suricata for you! It's like having a bouncer at the busiest club in town, but instead of checking IDs, it's scanning packets for any signs of trouble.

Born to tackle the toughest network security challenges, Suricata is open source (free as a bird! 🕊️), ridiculously flexible, and backed by a community larger than a Comic-Con crowd.

Why Suricata Rocks Your Socks Off 🧦

In this wild, wild web, where digital bandits are always cooking up new chaos, Suricata is your trusty sidekick. It can:

  • Spot sneaky intrusions quicker than you can say "firewall"
  • Guard against malware sliding into your DMs (or network)
  • Alert you to suspicious activities like unusual traffic patterns
  • Block the bad stuff if you're feeling extra vigilant (IPS mode activated! 🛡️)

Plus, it gels perfectly with other security tools, making it the social butterfly of the cybersecurity world.

Ready to unleash the beast? Let's get this Suricata party started and turn you into a network ninja!

Suricata Shopping Spree 🛒

Before diving into Suricata installation, we need to handle a couple of pre-game rituals. Some network cards come with features like “Large Receive Offload” (LRO) and “Generic Receive Offload” (GRO), which need to be disabled to keep Suricata running smoothly. 

Install ethtool to manage these settings:

sudo apt-get install -y ethtool

Disable LRO and GRO:

sudo ethtool -K <interface> gro off

sudo ethtool -K <interface> lro off

Now, let's move on to the main event: installing Suricata!

Installing Suricata on Ubuntu Server

Update and Upgrade Your System:

sudo apt update

sudo apt upgrade -y   #optional

Add the Suricata PPA and Install:

sudo apt-get install software-properties-common

sudo add-apt-repository ppa:oisf/suricata-stable

sudo apt-get update

sudo apt-get install suricata

Verify the Installation:

suricata --build-info

Tweaking Suricata's Brain (Configuration)

Edit the Configuration File:

sudo nano /etc/suricata/suricata.yaml

Set up your Home Network:
Set the Network Interface:
Find the af-packet section and configure your network interface:

af-packet:
  - interface: eth0

Enable EVE Logging:
Make sure EVE logging is enabled for JSON output:

outputs:
  - eve-log:
      enabled: yes
      filetype: regular
      filename: /var/log/suricata/eve.json

Crafting Custom Suricata Rules

The default rules directory for Suricata, where custom rules also go, is

/var/lib/suricata/rules

Create a file called local.rules here.

sudo nano /var/lib/suricata/rules/local.rules

Include Custom Rules in the Configuration:
Edit suricata.yaml to include the custom rules:

sudo nano /etc/suricata/suricata.yaml

rule-files:
  - local.rules

Adding Custom Rules

Rule 1. ICMP Flood Detection Rule

alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Flood Detected"; itype:8; threshold:type both, track by_src, count 20, seconds 1; classtype:attempted-dos; sid:1000001; rev:1;)

Components:
  • alert icmp $EXTERNAL_NET any -> $HOME_NET any:
    • alert: This indicates that an alert should be generated when the rule conditions are met.
    • icmp: Specifies that the rule applies to ICMP packets.
    • $EXTERNAL_NET any -> $HOME_NET any: Matches ICMP traffic coming from any external network to any internal network.
  • (msg:"ICMP Flood Detected";:
    • msg:"ICMP Flood Detected": The message that will be logged when this rule triggers. It helps in identifying what the alert is about.
  • itype:8;:
    • itype:8: ICMP Type 8 corresponds to an Echo Request (ping) packet. This ensures that the rule only applies to ICMP Echo Request packets, which are used for pinging.
  • threshold:type both, track by_src, count 20, seconds 1;:
    • threshold:type both: Combines the "threshold" and "limit" behaviours: an alert is generated once the count is reached within the time window, and further matches from the same source are suppressed until that window expires, so a flood produces one alert per window rather than one per packet.
    • track by_src: Track the number of matching packets per source IP address.
    • count 20, seconds 1: If 20 or more ICMP Echo Requests are detected from a single source IP within 1 second, trigger the alert. This helps in detecting an ICMP flood attack.
  • classtype:attempted-dos;:
    • classtype:attempted-dos: Categorizes the alert as an attempted denial-of-service attack. This classification helps in understanding the nature of the threat.
  • sid:1000001;:
    • sid:1000001: A unique signature ID for this rule. This ID is used to identify the rule in logs and configuration files.
  • rev:1;:
    • rev:1: The revision number of the rule. This helps in tracking changes to the rule over time.

Testing Rule:

Use any other machine to send ping flood requests.

Check the logs using

sudo tail -f /var/log/suricata/eve.json

Rule 2. Port Scan Detection Rule

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Port Scan Detected"; flags:S; threshold:type both, track by_src, count 20, seconds 10; classtype:network-scan; sid:1000003; rev:1;)

Components:

  • alert tcp $EXTERNAL_NET any -> $HOME_NET any:
    • alert: Indicates that an alert should be generated when the rule conditions are met.
    • tcp: Specifies that the rule applies to TCP packets.
    • $EXTERNAL_NET any -> $HOME_NET any: Matches TCP traffic coming from any external network to any internal network.
  • (msg:"Port Scan Detected";:
    • msg:"Port Scan Detected": The message that will be logged when this rule triggers. It indicates that a port scan has been detected.
  • flags:S;:
    • flags:S: This specifies that the rule is looking for TCP packets with the SYN flag set. SYN packets are used to initiate a TCP connection, and a large number of SYN packets can indicate a port scan.
  • threshold:type both, track by_src, count 20, seconds 10;:
    • threshold:type both: As in Rule 1, alert once the count is reached within the time window and suppress further alerts from that source until the window expires.
    • track by_src: Track the number of matching packets per source IP address.
    • count 20, seconds 10: If 20 or more SYN packets are detected from a single source IP within 10 seconds, trigger the alert. This helps in detecting a port scan, where an attacker scans multiple ports in a short period.
  • classtype:network-scan;:
    • classtype:network-scan: Categorizes the alert as a network scan. This classification helps in understanding the nature of the threat.
  • sid:1000003;:
    • sid:1000003: A unique signature ID for this rule.
  • rev:1;:
    • rev:1: The revision number of the rule.
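
Both rules rely on the same threshold option, and its effect is easier to see in code than in prose. The following is an added example, not part of the original post: a simplified Python model of Suricata's "threshold: type both, track by_src" logic, run over constructed packet timings for the ping-flood and port-scan cases (the IP addresses are made up).

```python
"""Model Suricata's `threshold: type both, track by_src, count N, seconds T`.

Added example, not part of the original post. Simplified model of the documented
behaviour: a per-source window opens on the first matching packet, one alert fires
when `count` packets have arrived inside `seconds`, later packets in that window
are suppressed, and the window resets once it has expired.
"""


def threshold_both(events, count, seconds):
    """events: iterable of (timestamp_seconds, src_ip) for packets that matched
    the rule body (ICMP echo requests or TCP SYNs). Returns the list of
    (timestamp, src_ip) at which an alert would be emitted."""
    state = {}        # src_ip -> (window_start, packets_seen_in_window)
    alerts = []
    for ts, src in sorted(events):
        start, seen = state.get(src, (None, 0))
        if start is None or ts - start >= seconds:
            start, seen = ts, 0          # open a fresh window for this source
        seen += 1
        state[src] = (start, seen)
        if seen == count:                # exactly the Nth packet alerts; the rest are suppressed
            alerts.append((ts, src))
    return alerts


def icmp_flood_alerts(events):
    """Rule 1 from the post: count 20, seconds 1."""
    return threshold_both(events, count=20, seconds=1)


def port_scan_alerts(events):
    """Rule 2 from the post: count 20, seconds 10."""
    return threshold_both(events, count=20, seconds=10)


# Constructed traffic (hypothetical hosts): a flooder sends 50 pings in 0.5 s,
# a normal host pings once per second, a scanner sends 5 SYNs/s for 25 s.
FLOOD = [(i / 100, "203.0.113.7") for i in range(50)]
NORMAL = [(float(i), "198.51.100.5") for i in range(60)]
SCAN = [(i / 5, "203.0.113.9") for i in range(125)]

if __name__ == "__main__":
    for ts, src in icmp_flood_alerts(FLOOD + NORMAL):
        print(f"t={ts:6.2f}s  ICMP Flood Detected from {src}")
    for ts, src in port_scan_alerts(SCAN):
        print(f"t={ts:6.2f}s  Port Scan Detected from {src}")
```

The flooder yields a single alert at its 20th ping, the once-per-second host never does, and the 25-second scan yields one alert per 10-second window rather than one per SYN.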

Testing Rule:

Use nmap to scan ports

nmap -sT -p 1-100 192.168.159.149   # replace with your target IP

Check the logs using

sudo tail -f /var/log/suricata/eve.json
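
Tailing eve.json works for a quick look, but a short script that counts alert records per signature and source confirms faster that rules 1000001 and 1000003 actually fired. This is an added example, not from the original post; the log lines in it are constructed to resemble EVE alert records, and the source address is made up.

```python
"""Summarise Suricata EVE alerts instead of eyeballing `tail -f eve.json`.

Added example, not from the original post. SAMPLE_EVE is constructed to resemble
records in /var/log/suricata/eve.json for the two custom rules; only event_type,
src_ip and the alert.signature_id / alert.signature fields are relied upon.
"""
import json
import sys
from collections import Counter

# Constructed sample (one JSON object per line, as EVE writes it).
SAMPLE_EVE = """\
{"timestamp":"2024-05-01T10:00:00.000000+0000","event_type":"alert","src_ip":"203.0.113.7","dest_ip":"192.168.159.149","proto":"ICMP","alert":{"signature_id":1000001,"rev":1,"signature":"ICMP Flood Detected","category":"Attempted Denial of Service","severity":2}}
{"timestamp":"2024-05-01T10:00:05.000000+0000","event_type":"flow","src_ip":"203.0.113.7","dest_ip":"192.168.159.149","proto":"TCP"}
{"timestamp":"2024-05-01T10:00:07.000000+0000","event_type":"alert","src_ip":"203.0.113.7","dest_ip":"192.168.159.149","proto":"TCP","alert":{"signature_id":1000003,"rev":1,"signature":"Port Scan Detected","category":"Detection of a Network Scan","severity":3}}
{"timestamp":"2024-05-01T10:00:17.000000+0000","event_type":"alert","src_ip":"203.0.113.7","dest_ip":"192.168.159.149","proto":"TCP","alert":{"signature_id":1000003,"rev":1,"signature":"Port Scan Detected","category":"Detection of a Network Scan","severity":3}}
"""


def summarise_alerts(lines):
    """Return Counter {(signature_id, signature, src_ip): hits} over alert events.
    Non-alert event types and lines that are not valid JSON are skipped (a
    partially written last line is normal when reading a live file)."""
    hits = Counter()
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if ev.get("event_type") != "alert":
            continue
        a = ev["alert"]
        hits[(a["signature_id"], a["signature"], ev["src_ip"])] += 1
    return hits


if __name__ == "__main__":
    # Pass the real log path as the first argument; otherwise use the sample.
    lines = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_EVE.splitlines()
    for (sid, sig, src), n in sorted(summarise_alerts(lines).items()):
        print(f"sid {sid} ({sig}): {n} alert(s) from {src}")
```

If the nmap test produces no alerts at all, check vars.address-groups in suricata.yaml: both rules only match $EXTERNAL_NET -> $HOME_NET, so a scanning host that falls inside HOME_NET (with the default EXTERNAL_NET of "!$HOME_NET") never triggers them.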
These are just a few examples of Suricata rules. You can also integrate Snort rules into Suricata, enhancing your network security with a broader range of threat detection capabilities. For instance, alongside custom rules for detecting ping floods and port scans, Snort rules can be imported to extend coverage and adapt to various attack scenarios. This flexibility allows you to tailor Suricata’s protections to meet your specific security needs effectively.

To add Snort rules, just add the path to your Snort rules file, like this:

sudo nano /etc/suricata/suricata.yaml

rule-files:
  - local.rules
  - /path/to/snort/rules

Performance Tuning Suricata 🏋️‍♂️

To ensure Suricata performs at its peak, consider these tips:
  • Rule Selection: Enable only necessary rules to avoid performance bottlenecks.
  • Hardware Optimization: Suricata benefits from ample CPU power and memory; allocate resources accordingly.
  • Multi-threading: Configure Suricata to utilize multiple threads for packet processing.
  • Network Segmentation: Divide your network into smaller segments, each with its Suricata instance for targeted monitoring.

Integrating Suricata with Other Tools

Suricata plays well with a variety of security tools to enhance your defense strategy:
  • Splunk: Use Splunk to analyze and visualize Suricata's logs for deeper insights.
  • ELK Stack (Elasticsearch, Logstash, Kibana): Leverage ELK Stack to create detailed dashboards and reports from Suricata logs.
  • OSSEC: Integrate OSSEC with Suricata to monitor host-based activities in tandem with network-based intrusion detection.

Bringing It All Together 🛡️

Congratulations! You've successfully enhanced your network security with Suricata, transforming it into a resilient digital fortress. With advanced threat detection capabilities at your disposal, you're now well-prepared to face any cyber threat that comes your way. Remember to keep your rules updated, stay alert, and continue your journey of learning and improvement. This is just the beginning of your network security adventure, and with Suricata, you're already on the cutting edge!

Stay vigilant, stay informed, and Happy Hacking! 🛡️🚀