Suricata IDS. What is it and how to enable it

AlienVault Unified Security Management™ Solution
Complete. Simple. Affordable
Copyright© 2014 AlienVault. All rights reserved.
AlienVault™, AlienVault Unified Security Management™, AlienVault USM™, AlienVault Open Threat Exchange™, AlienVault OTX™, Open Threat Exchange™, AlienVault OTX Reputation
Monitor™, AlienVault OTX Reputation Monitor Alert™, AlienVault OSSIM™ and OSSIM™ are trademarks or service marks of AlienVault.
CONTENTS
1. INTRODUCTION ........ 4
2. WHAT IS SURICATA AND HOW DOES IT DIFFER? ........ 4
3. KEY FEATURE SUMMARY ........ 4
4. HOW TO ENABLE SURICATA ........ 5
DC-00134
Edition 00
1. INTRODUCTION
Suricata is an alternative IDS which is fully compatible with existing Snort rules. Suricata is interchangeable with Snort and can be used in place of Snort with minimal work.
This document includes a specifications comparison of Snort versus Suricata.
Some of the key benefits of Suricata are the following:
Increased performance (Suricata is multi-threaded, versus Snort's single-threaded processing).
Better visibility of traffic (Suricata has visibility at the application layer (OSI layer 7), increasing detection of malicious content).
Faster normalization and parsing for HTTP streams.
Automated protocol detection (reduces false positives and detects protocols running on non-standard ports).
2. WHAT IS SURICATA AND HOW DOES IT DIFFER?
After 4 years of development, Suricata was opened up to the public as an IDS developed by the Open Information Security Foundation (OISF) to address next-generation IDS requirements. Initially funded as a government project to protect national security interests, Suricata is now funded by both private and government resources.
With advances in technology, OISF identified key areas of improvement necessary to scale IDS performance across the enterprise while leveraging existing hardware capabilities. The largest performance hit with the current standard IDS (Snort) was the limitation of single-threaded processing. Adding multi-threading support, as well as additional performance optimizations such as network and GPU offloading, has enabled Suricata to establish itself as a fast and extremely scalable IDS solution.
The recognition of Suricata as the next-generation IDS was affirmed by Emerging Threats (Standard and Pro) providing Suricata-optimized feeds for reputation. Additionally, the increased visibility through the application layer of the OSI model (layer 7) has allowed for better detection of malicious data traversing networks.
3. KEY FEATURE SUMMARY
Unique normalization and parsing up to the application layer of the OSI model (layer 7).
HTTP normalizer and parser for HTTP streams (better malware detection).
Backwards compatible with Snort rules.
Emerging Threats and Emerging Threats Pro feeds are designed to take advantage of Suricata-specific features.
GPU and network card acceleration for performance gains.
Open pluggable library that supports calls from other applications.
Automated protocol detection: processors identify protocols and apply the appropriate rules automatically, regardless of port definition. Additional benefits include reduced false positives from user error.
4. HOW TO ENABLE SURICATA
Suricata is the default IDS engine and it is activated by default. If you have deactivated it, you can activate it again by following these steps:
1. Choose “Configuration > Deployment > Components > AlienVault Center”.
2. Click on the name of your sensor.
Figure 1. AlienVault Center
3. Click a node, then on the Sensor Configuration link and finally on Collection.
Figure 2. Sensor Configuration
4. There are two columns. The left column lists the enabled plugins and the right column lists the available plugins. To move an item from one side to the other, drag and drop the item or use the [+] or [-] links next to each item.
5. Click on the APPLY CHANGES button to apply the changes.
It is not possible to use Suricata and Snort at the same time. Now go to the sensor CLI and make sure that:
1. Snort is not running, by running the following command in a console terminal:
ps axf | grep snort
2. Suricata is running:
ps axf | grep suricata
3. If Suricata is not running, you can start it by running:
/etc/init.d/suricata restart
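The CLI check in the three steps above can be scripted rather than read by eye. The POSIX shell function below is an added example, not part of the AlienVault document: it classifies the sensor's IDS state from `ps axf` output (live use would be `ps axf | ids_state`), and the sample process listing it runs against is constructed, not captured from a real sensor.

```shell
#!/bin/sh
# Added example (not from the AlienVault document): classify the sensor's IDS
# process state from 'ps axf' output, so the "Snort not running / Suricata
# running" check can be scripted.
#
# ids_state reads ps output on stdin and prints exactly one word:
#   ok          Suricata running and Snort not running (the expected state)
#   conflict    both running (the document says they cannot run together)
#   snort-only  Snort running, Suricata not
#   none        neither running (document: /etc/init.d/suricata restart)
ids_state() {
    ps_out=$(cat)
    # Match the daemon name as a command word ('/usr/bin/suricata', 'snort -c')
    # after dropping grep's own command line: a plain 'ps axf | grep snort'
    # matches itself, which is the classic false positive of this check.
    snort=0; suricata=0
    if printf '%s\n' "$ps_out" | grep -vE '[ /]grep( |$)' | grep -Eq '[ /]snort( |$)'; then
        snort=1
    fi
    if printf '%s\n' "$ps_out" | grep -vE '[ /]grep( |$)' | grep -Eq '[ /]suricata( |$)'; then
        suricata=1
    fi
    case "$snort$suricata" in
        01) echo ok ;;
        11) echo conflict ;;
        10) echo snort-only ;;
        *)  echo none ;;
    esac
}

# Constructed sample 'ps axf' output (not captured from a real sensor): Suricata
# is up, Snort is absent, and the grep line shows the self-match being ignored.
SAMPLE_PS='  PID TTY      STAT   TIME COMMAND
    1 ?        Ss     0:01 /sbin/init
 1234 ?        Ssl    0:05 /usr/bin/suricata -c /etc/suricata/suricata.yaml -i eth0
 1300 pts/0    S+     0:00 grep snort'

# On the sensor itself this would be:  ps axf | ids_state
printf '%s\n' "$SAMPLE_PS" | ids_state
```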