Suricata IDS. What is it and how to enable it
AlienVault Unified Security Management™ Solution. Complete. Simple. Affordable.

Copyright© 2014 AlienVault. All rights reserved. AlienVault™, AlienVault Unified Security Management™, AlienVault USM™, AlienVault Open Threat Exchange™, AlienVault OTX™, Open Threat Exchange™, AlienVault OTX Reputation Monitor™, AlienVault OTX Reputation Monitor Alert™, AlienVault OSSIM™ and OSSIM™ are trademarks or service marks of AlienVault.

DC-00134 Edition 00

CONTENTS

1. INTRODUCTION
2. WHAT IS SURICATA AND HOW DOES IT DIFFER?
3. KEY FEATURE SUMMARY
4. HOW TO ENABLE SURICATA

1. INTRODUCTION

Suricata is an alternative IDS which is fully compatible with existing Snort rules. Suricata is interchangeable with Snort and can be used in place of Snort with minimal work. This document includes a specifications comparison of Snort versus Suricata. Some of the key benefits of Suricata are the following:

- Increased performance (Suricata is multi-threaded, whereas Snort uses single-threaded processing).
- Better visibility of traffic (Suricata has visibility at the application layer, OSI layer 7, increasing detection of malicious content).
- Faster normalization and parsing of HTTP streams.
- Automated protocol detection (reduces false positives and detects protocols running on non-standard ports).

2. WHAT IS SURICATA AND HOW DOES IT DIFFER?

After 4 years of development, Suricata was opened up to the public as an IDS developed by the Open Information Security Foundation (OISF) to address next-generation IDS requirements. Initially funded as a government project to protect national security interests, Suricata is now funded by both private and government resources.

With advances in technology, OISF identified key areas of improvement necessary to scale IDS performance across the enterprise while leveraging existing hardware capabilities. The largest performance hit with the current standard IDS (Snort) was the limitation of single-threaded processing. Adding multi-thread support, as well as additional performance optimizations such as network and GPU offloading, has enabled Suricata to define itself as a fast and extremely scalable IDS solution.

The recognition of Suricata as the next-generation IDS was affirmed by Emerging Threats (Standard and Pro) providing Suricata-optimized feeds for reputation. Additionally, the increased visibility through the application layer of the OSI model (Layer 7) has allowed for better detection of malicious data traversing networks.

3. KEY FEATURE SUMMARY

- Unique normalization and parsing up to the application layer of the OSI model (Layer 7).
- HTTP normalizer and parser for HTTP streams (better malware detection).
- Backwards compatible with Snort rules: Emerging Threats and Emerging Threats Pro feeds are designed to take advantage of Suricata-specific features.
- GPU and network card acceleration for performance gains.
- Open pluggable library that supports calls from other applications.
- Automated protocol detection: processors identify protocols and apply the appropriate rules automatically, regardless of port definition. Additional benefits include reduced false positives from user error.

4. HOW TO ENABLE SURICATA

Suricata is the default IDS engine and it is activated by default. If you have deactivated it, you can activate it again by following these steps:

1. Choose "Configuration > Deployment > Components > AlienVault Center".
2. Click on the name of your sensor.

Figure 1. AlienVault Center

3. Click a node, then on the Sensor Configuration link, and finally on Collection.

Figure 2. Sensor Configuration

4. There are two columns. The left column lists the enabled plugins and the right column lists the available plugins. To move an item from one side to the other, drag and drop it, or use the [+] or [-] links next to each item.
5. Click the APPLY CHANGES button to apply the changes.

It is not possible to use Suricata and Snort at the same time. Now go to the sensor CLI and make sure that:

1. Snort is not running, by entering the following command in a console terminal:

   ps axf | grep snort

2. Suricata is running:

   ps axf | grep suricata

3. If Suricata is not running, you can start it by entering:

   /etc/init.d/suricata restart
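The three CLI checks above can be folded into one script that classifies the sensor's state (Suricata only, Snort only, both, or neither) and restarts Suricata only when it is absent. The script below is an added example and is not part of the AlienVault document or the USM product; it takes the `ps axf` and `/etc/init.d/suricata restart` commands from the document, and the sample process listing is constructed for illustration rather than captured from a real sensor. One caveat it also handles: a plain `ps axf | grep snort` prints the grep process itself, since its command line contains "snort", which is easy to misread as Snort still running. Capturing the listing into a variable before searching it avoids that.

```shell
#!/bin/sh
# Added example (not from the AlienVault document): check the IDS state of a
# sensor the way section 4 describes, from a process listing, and restart
# Suricata only when it is absent.

# count_running NAME LISTING
# Number of lines in LISTING (the text of `ps axf`) that match NAME.
# awk is used instead of `grep -c` because grep exits non-zero on zero
# matches, which would abort a script run under `set -e`.
count_running() {
    printf '%s\n' "$2" | awk -v name="$1" '$0 ~ name { c++ } END { print c + 0 }'
}

# ids_state LISTING
# Classifies the sensor from a process listing:
#   ok          Suricata running and Snort stopped (the expected state)
#   conflict    both running (the document says they cannot be used together)
#   snort-only  Snort running, Suricata not (disable Snort in the web UI first)
#   none        neither running (the documented fix is to restart Suricata)
ids_state() {
    snort_count=$(count_running snort "$1")
    suricata_count=$(count_running suricata "$1")
    if [ "$suricata_count" -gt 0 ] && [ "$snort_count" -eq 0 ]; then
        echo ok
    elif [ "$suricata_count" -gt 0 ]; then
        echo conflict
    elif [ "$snort_count" -gt 0 ]; then
        echo snort-only
    else
        echo none
    fi
}

# check_and_fix
# Live version of the document's three CLI steps. The listing is captured into
# a variable before it is searched, so the search can never match its own
# command line.
check_and_fix() {
    listing=$(ps axf)
    state=$(ids_state "$listing")
    echo "IDS state: $state"
    case "$state" in
        none)       /etc/init.d/suricata restart ;;   # init script path from the document
        conflict)   echo "Both engines running: remove Snort from the enabled plugins and apply changes" ;;
        snort-only) echo "Snort is the active engine: enable Suricata under Sensor Configuration > Collection" ;;
    esac
}

# Constructed sample listing in the shape of `ps axf` output (not captured
# from a real sensor), used to exercise the classifier without root access.
SAMPLE_LISTING='  PID TTY      STAT   TIME COMMAND
    1 ?        Ss     0:01 /sbin/init
  842 ?        Ss     0:00 /usr/sbin/sshd
 1234 ?        Ssl    0:42 /usr/bin/suricata -D -i eth0'

# Run the live check only when explicitly asked, so the file is safe to source.
if [ "${1-}" = "--live" ]; then
    check_and_fix
fi
```

Run it as root on the sensor with `sh check_ids.sh --live`; without the flag it only defines the functions, and `ids_state "$SAMPLE_LISTING"` prints `ok` for the constructed listing.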