Suricata Explained - platiumsecnet/psnNIDS GitHub Wiki

Suricata Explained

1. What is Suricata?

Suricata is an open-source intrusion detection system and the result of more than four years of development led by the Open Information Security Foundation (OISF) together with a number of developers organized to help build the next-generation open-source IDS engine. The goal of OISF is to bring new security ideas and technology innovations to the intrusion detection industry. The non-profit organization accepts contributions from both government and the private sector; its initial funding came from government sources, as the foundation's main mission is to protect government records from foreign and domestic adversaries. With financial help from the U.S. Department of Homeland Security, a multi-threaded alternative to Snort was created to help secure networks against advanced intrusions. Suricata's multi-threaded architecture is unique in that it can take full advantage of high-performance multi-core and multi-processor systems. The major benefits of a multi-threaded design are increased speed and efficiency in network traffic analysis and the ability to divide the IDS/IPS workload according to where the processing load is. In addition to hardware acceleration (subject to hardware and network card limitations), the engine is built to use the increased processing power offered by the latest multi-core CPU chipsets.

Suricata has been developed for ease of deployment and is accompanied by step-by-step getting-started documentation and a user manual. The engine is written in C and designed to scale. Although Suricata is still a newer and less widespread product than Snort, the technology is gaining momentum among enterprises and IT users. Increased performance, native IPv6 support, multi-model statistical anomaly detection, GPU acceleration, IP reputation, scoring thresholds, very high-speed regex matching, and scalability are some of its major selling points.

Suricata is also a rule-based IDS/IPS engine that uses externally developed rule sets to monitor network traffic and alert the system administrator when suspicious events occur. Suricata also uses a "sniffer" engine to analyze traffic entering and leaving a network. Its multi-threading, however, allows the sniffer to match traffic against rules more quickly and to apply more computing power to the security process.

Designed to be compatible with existing network security components, Suricata offers Unified2 output and pluggable library options so that other applications can call into it. It is also designed to work with Snort rule sets. Furthermore, Suricata integrates revolutionary techniques: the engine embeds an HTTP normalizer and parser (the HTP library) that provides very advanced processing of HTTP streams, enabling it to understand traffic at layer 7 (the application layer) of the OSI model.

2. Suricata Benefits

  1. An Open Source Engine: The power of the community works well within IT security defenses, as a community is more effective than a single organization at capturing characteristics of emerging threats.
  2. Multi-threaded: A multi-threaded architecture allows the engine to take advantage of the multiple core and multiprocessor architectures of today’s systems.
  3. Supports IP Reputation: By incorporating reputation and signatures into its engine, Suricata can flag traffic from known bad sources.
  4. Automated Protocol Detection: Preprocessors automatically identify the protocol used in a network stream and apply the appropriate rules regardless of the port number. Automated protocol detection also prevents the user mistakes and configuration errors that are, in practice, quite common.

3. Features

  1. Built-in Hardware Acceleration - Did you know you can use graphics cards to inspect network traffic?
  2. File Extraction - Someone downloading malware? You can capture it right from Suricata and study it.
  3. LuaJIT - A lot of letters, yes, but it is also a scripting engine that can be used with information from the packets Suricata inspects. This makes complex matching easier, and you can even gain efficiency by combining multiple rules into one script.
  4. Logging more than packets - Suricata can capture and log things like TLS/SSL certificates, HTTP requests, and DNS requests.
  5. High performance - multi-threaded, scalable code base
  6. Multipurpose Engine - NIDS, NIPS, NSM, offline analysis, etc.
  7. Cross-platform support - Linux, Windows, macOS, OpenBSD, etc.
  8. Modern TCP/IP support including a scalable flow engine, full IPv4/IPv6, TCP streams, and IP packet defragmentation
  9. Protocol parsers - packet decoding, application layer decoding
  10. HTTP engine - HTTP parser, request logger, keyword match, etc.
  11. Autodetect services for portless configuration
  12. Lua scripting (LuaJIT)
  13. Application-layer logging and analysis, including TLS/SSL certs, HTTP requests, DNS requests, and more
  14. Built-in hardware acceleration (GPU for network sniffing)
  15. File extraction
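As an added example (not code from the psnNIDS wiki or from the Suricata project), the following Python script shows what "logging more than packets" and port-independent protocol detection (section 2, item 4) look like in practice once the engine is running: it reads newline-delimited EVE JSON records of the kind Suricata writes to eve.json, counts event types, flags an application protocol seen on an unexpected port, flags a self-signed TLS certificate, and joins an alert to the file Suricata extracted on the same connection. The record layout follows Suricata's EVE output, but every value below (IPs, hostnames, the signature id and text) is constructed for this example; the "expected port" table is an assumption of this script, not a Suricata setting.

```python
import json
from collections import Counter

# Constructed eve.json records (sample data made up for this example, not a real
# capture). Field names follow Suricata's EVE JSON layout; IPs are documentation
# ranges and the signature id/text are placeholders. The last line is deliberately
# malformed to show that the parser tolerates junk in a log file.
SAMPLE_EVE = r"""
{"timestamp":"2024-01-01T10:00:00.000000+0000","event_type":"dns","src_ip":"10.0.0.5","src_port":41000,"dest_ip":"10.0.0.1","dest_port":53,"proto":"UDP","dns":{"type":"query","rrname":"update.example.test","rrtype":"A"}}
{"timestamp":"2024-01-01T10:00:01.000000+0000","event_type":"http","src_ip":"10.0.0.5","src_port":52344,"dest_ip":"203.0.113.10","dest_port":8080,"proto":"TCP","app_proto":"http","http":{"hostname":"update.example.test","url":"/payload.exe","http_method":"GET","http_user_agent":"curl/7.88.1","status":200}}
{"timestamp":"2024-01-01T10:00:01.500000+0000","event_type":"fileinfo","src_ip":"203.0.113.10","src_port":8080,"dest_ip":"10.0.0.5","dest_port":52344,"proto":"TCP","app_proto":"http","fileinfo":{"filename":"/payload.exe","magic":"PE32 executable (GUI) Intel 80386","size":4096,"stored":true}}
{"timestamp":"2024-01-01T10:00:01.600000+0000","event_type":"alert","src_ip":"203.0.113.10","src_port":8080,"dest_ip":"10.0.0.5","dest_port":52344,"proto":"TCP","app_proto":"http","alert":{"action":"allowed","gid":1,"signature_id":9000001,"rev":1,"signature":"PLACEHOLDER executable download over non-standard port","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2024-01-01T10:00:05.000000+0000","event_type":"tls","src_ip":"10.0.0.7","src_port":51000,"dest_ip":"198.51.100.20","dest_port":443,"proto":"TCP","tls":{"subject":"CN=localhost","issuerdn":"CN=localhost","sni":"bank.example.test","version":"TLS 1.2"}}
this line is not JSON and should be skipped
"""

# Assumed conventional ports per application-layer log type (this script's own
# table). Suricata itself identifies the protocol from the stream content, which is
# exactly why an http record can carry dest_port 8080.
EXPECTED_PORTS = {"http": {80}, "tls": {443}, "dns": {53}}


def parse_eve(text):
    """Parse newline-delimited EVE JSON, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # tolerate truncated or foreign lines in the log
    return events


def count_event_types(events):
    """Tally of event_type values: shows how much more than alerts gets logged."""
    return Counter(e.get("event_type") for e in events)


def app_layer_on_unexpected_port(events):
    """Application-layer records whose server port is not the conventional one."""
    hits = []
    for e in events:
        proto = e.get("event_type")
        expected = EXPECTED_PORTS.get(proto)
        if expected and e.get("dest_port") not in expected:
            hits.append((e["src_ip"], e["dest_ip"], e["dest_port"], proto))
    return hits


def self_signed_tls(events):
    """TLS sessions whose certificate subject equals its issuer."""
    return [
        (e["dest_ip"], e["tls"].get("sni"), e["tls"]["subject"])
        for e in events
        if e.get("event_type") == "tls"
        and e["tls"].get("subject")
        and e["tls"].get("subject") == e["tls"].get("issuerdn")
    ]


def alerts_with_files(events):
    """Join alert records to fileinfo records on the same (src, dst, dst_port) tuple."""
    files = {}
    for e in events:
        if e.get("event_type") == "fileinfo":
            key = (e["src_ip"], e["dest_ip"], e["dest_port"])
            files.setdefault(key, []).append(e["fileinfo"]["filename"])
    joined = []
    for e in events:
        if e.get("event_type") == "alert":
            key = (e["src_ip"], e["dest_ip"], e["dest_port"])
            joined.append((e["alert"]["signature_id"], e["alert"]["signature"], files.get(key, [])))
    return joined


if __name__ == "__main__":
    evs = parse_eve(SAMPLE_EVE)
    print("event types:", dict(count_event_types(evs)))
    print("app-layer on unexpected port:", app_layer_on_unexpected_port(evs))
    print("self-signed TLS:", self_signed_tls(evs))
    print("alerts joined to extracted files:", alerts_with_files(evs))
```

Pointing `parse_eve` at the contents of a real eve.json gives the same four views over live data; the join in `alerts_with_files` is what lets an analyst go from an alert straight to the extracted file Suricata stored, which is the "File Extraction" feature above in use.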

4. Suitable environments

Refs

  1. https://cybersecurity.att.com/blogs/security-essentials/open-source-intrusion-detection-tools-a-quick-overview