Suricata as an IPS


Suricata is a real-time threat detection engine that helps protect your network against threats by actively monitoring network traffic and detecting malicious behavior based on written rules. It can operate in a network security monitoring (NSM) mode and can also be configured as an intrusion detection system (IDS) or intrusion prevention system (IPS).

An IDS is only able to identify malicious behavior, as opposed to an IPS which can both identify and block malicious behavior – eliminating network threats.

Intrusion Prevention System

An IDS instance must be strategically placed at a network security boundary, so all network activity originating from inside and outside the network is visible to Suricata. However, when it comes to setting up an IPS, apart from ensuring that Suricata is running in inline IPS mode, it is also crucial to make sure that the IPS is the entry point to the network for other hosts – otherwise, Suricata will not be able to handle all packets.

NFQUEUE

NFQUEUE is an iptables and ip6tables target which delegates the decision on packets to a userspace software. Depending on the task, you can use NFQUEUE for traffic filtering or traffic shaping. NFQUEUE targets are widely used by both open source and commercial IPS, Suricata in our case.

If Suricata is running on a gateway and is meant to protect the computers behind that gateway, the easiest rule for sending traffic to Suricata is:

sudo iptables -I FORWARD -j NFQUEUE

If Suricata has to protect the computer it is running on, these are the two most simple iptables rules:

sudo iptables -I INPUT -j NFQUEUE
sudo iptables -I OUTPUT -j NFQUEUE

It is possible to set a queue number. If you do not, the queue number will be 0 by default.

Suricata Setup

In suricata.yaml configuration file:

nfq:
  mode: accept/repeat/route
  repeat_mark: 1             # repeat mode option
  repeat_mask: 1             # repeat mode option
  route_queue: 2             # route mode option

Suricata can be set up in different modes. If the mode is set to accept, the packet will, by default, not be inspected by the rest of the iptables rules after being processed by Suricata.

If the mode is set to repeat, the packets will be marked by Suricata and re-injected to the first rule of iptables. To mitigate the packet from going round in circles, the rule using NFQ will be skipped because of the mark. Example:

iptables -I FORWARD -m mark ! --mark $MARK/$MASK -j NFQUEUE

If the mode is set to route, you can make sure the packet will be sent to another tool after being processed by Suricata. Every engine/tool is linked to a queue-number. You can add this number to the NFQ rule and to the route_queue option.

IPS Rules

The rule action is what draws the line between an IDS and an IPS. Suricata has four types of action. The property of action determines what will happen when a signature matches. Rules will be loaded in the order of which they appear in files. But they will be processed in a different order. Signatures have different priorities. The most important signatures will be scanned first. There is a possibility to change the order of priority. The default order is: pass, drop, reject, alert.

Pass - if a signature matches and contains pass, Suricata stops scanning the packet and skips to the end of all rules for the current packet.

Drop - this only concerns the IPS/inline mode. If the program finds a signature that matches, containing drop, it stops immediately. The packet will not be sent any further. The receiver does not receive a message of what is going on, resulting in a time-out (certainly with TCP). Suricata generates an alert for this packet.

Reject - this is an active rejection of the packet. Both the receiver and the sender receive a reject packet. There are two types of reject packets that will be automatically selected. If the offending packet concerns TCP, it will be a Reset-packet. For all other protocols, it will be an ICMP-error packet. Suricata also generates an alert. When in Inline/IPS mode, the offending packet will also be dropped (like with the ‘drop’ action).

Alert - if a signature matches and contains alert, the packet will be treated like any other non-threatening packet, except an alert will be generated by Suricata. Only the system administrator can notice this alert.

Conclusion

Suricata can be used as an intrusion detection system or an intrusion prevention system. IDS is only able to identify malicious behavior, while an IPS can both identify and handle malicious packets.

Setting up Suricata in IPS/inline mode requires additional configuration:

  1. Iptables has to forward packets to NFQUEUE and mark them (optionally).
  2. Suricata has to listen to NFQUEUE in the correct mode.

Suricata rules have to match malicious packets and rule actions have to treat packets properly.

Mykyta Zaitsev