Suricata IDS. What is it and how to enable it

Transcription

1 Complete. Simple. Affordable Copyright 2014 AlienVault. All rights reserved.

2 AlienVault, AlienVault Unified Security Management, AlienVault USM, AlienVault Open Threat Exchange, AlienVault OTX, Open Threat Exchange, AlienVault OTX Reputation Monitor, AlienVault OTX Reputation Monitor Alert, AlienVault OSSIM and OSSIM are trademarks or service marks of AlienVault.

3 CONTENTS 1. INTRODUCTION WHAT IS SURICATA AND HOW DOES IT DIFFER? KEY FEATURE SUMMARY HOW TO ENABLE SURICATA... 5 DC Edition 00 Copyright 2014 AlienVault. All rights reserved. Page 3 of 7

4 1. INTRODUCTION Suricata is an alternative IDS which is fully compatible with existing Snort rules. Suricata is interchangeable with Snort and can be used in place of Snort with minimal work. This document includes specifications comparison for Snort versus Suricata. Some of the key benefits of Suricata are the following: Increased performance (Suricata is Multi threaded versus Snort's Single thread processing). Better visibility of traffic (Suricata has visibility at the Application layer (OSI layer 7), increasing detection malicious content). Faster normalization and parsing for HTTP Streams. Automated protocol detection (Reduce false positives, Detect protocols running on non standard ports). 2. WHAT IS SURICATA AND HOW DOES IT DIFFER? After 4 years of development Suricata was opened up to the public as an IDS developed by the Open Information Security Foundation (OISF) to address next generation IDS requirements. Initially funded as a government project to protect national security interests, Suricata is now funded by both private and government resources. With advances in technology OISF identified key areas of improvement necessary to scale IDS performance across the enterprise while leveraging existing hardware capabilities. Largest performance hit with the current standard IDS (Snort) was the limitation of single threaded processing. Adding multi-thread support as well as additional performance optimizations to network and gpu offloading has enabled Suricata to define itself as a fast and extremely scalable IDS solution. The recognition of Suricata as the next generation IDS was affirmed by the advance of Emerging Threats (Standard and Pro) providing Suricata optimized feeds for reputation. Additionally, the increased visibility through the Application layer of the OSI model (Layer 7) has allowed for better detection of malicious data traversing networks. 3. KEY FEATURE SUMMARY Unique normalization and parsing up to the App layer of the OSI Model (Layer 7) HTTP normalizer and parser for HTTP streams (Better malware detection) Backwards compatible with Snort rules: DC Edition 00 Copyright 2014 AlienVault. All rights reserved. Page 4 of 7

5 Emerging threats and emerging threats pro feeds are designed to take advantage of Suricata specific features. GPU and Network card acceleration for performance gains Open plug-able library that supports calls from other applications. Automated Protocol Direction;; Processors identify protocols and apply appropriate rules automatically, regardless of port definition. Additional benefits include reduced false positives from user error. 4. HOW TO ENABLE SURICATA Suricata is the default IDS engine and it is activated by default. If you have deactivated it, you can activate again following these steps: 1. Choose Configuration > Deployment > Components > AlienVault Center. 2. Click on the name of your sensor. Figure 1. AlienVault Center 3. Click a node, then on Sensor Configuration link and finally on Collection. DC Edition 00 Copyright 2014 AlienVault. All rights reserved. Page 5 of 7

6 Figure 2. Sensor Configuration 4. There are 2 columns. The left column includes the enabled plugins and the right column includes the available plugins. To pass an item from one side to the other, drag and drop the item or use the links [+] or [-] which are next to each item. 5. Click on APPLY CHANGES button to update changes. It is not possible to use Suricata and Snort at the same time. Now go to the sensor CLI, and make sure that: 1. Snort is not running by writing the following command in a console terminal: ps axf grep snort 2. Suricata is running. DC Edition 00 Copyright 2014 AlienVault. All rights reserved. Page 6 of 7

7 ps axf grep suricata 3. If Suricata is not running, you can start it by writing: /etc/init.d/suricata restart DC Edition 00 Copyright 2014 AlienVault. All rights reserved. Page 7 of 7