Back to Home

Suricata as IPS

IPS · IDS · DPI · iptables · firewall · suricata · snort

Suricata as IPS

    Foreword


    It is sad to see that articles on the prevention or prevention of intrusions on the Habré are so unpopular.
    Young fighter course: we are protected by a router. Continuation: IPS - 5 pluses.
    SNORT as a service IPS - 25 pluses.
    OSSEC: Big Brother is watching you - 13 pluses.
    However, articles on the analysis of the consequences of penetration are very popular. I'll try to throw another popularization of information security.

    Description of Suricata



    Intrusion Prevention System - a software or hardware network and computer security system that detects intrusions or security breaches and automatically protects them.
    IPS systems can be seen as an extension of Intrusion Detection Systems (IDS), since the task of tracking attacks remains the same. However, they differ in that IPS must monitor activity in real time and quickly implement actions to prevent attacks. Possible measures are blocking traffic flows in the network, resetting connections, issuing signals to the operator. IPS can also defragment packets, reorder TCP packets to protect against packets with altered SEQ and ACK numbers.
    wiki

    suricata- open source IPS / IDS system. Founded by developers who worked on the IPS version of Snort. The main difference between Suricata and Snort is the ability to use a GPU in IDS mode, a more advanced IPS system, multitasking, as a result of high performance that allows you to handle traffic up to 10Gbit on conventional equipment, and much more, including full support for the Snort rule format. It is better to read about everything on the official website . Let's talk about IPS today.

    Suricata uses two IPS modes: NFQ and AF_PACKET

    NFQ IPS mode works as follows:
    1) The packet goes to iptables
    2) The iptables rule directs it to the NFQUEUE queue, for example iptables -I INPUT -p tcp -j NFQUEUE
    3) From the NFQUEUE queue, packets can be processed at the user level, which is what Suricata does
    4) Suricata runs the packets according to the configured rules (rules) and depending on them it can render one of three verdicts: NF_ACCEPT , NF_DROP and the most interesting - NF_REPEAT .
    5) Packets that fall into NF_REPEAT can be marked in the system and sent back to the beginning of the current iptables table, which gives great potential for influencing the fate of packets using iptables rules.

    Starting with version 1.4, Suricata can work as an IPS using the zero copy mode of the AF_PACKET systembut with some limitations. The system should work as a gateway with two network interfaces. If a packet falls under the DROP rule, then it is simply not forwarded to the second interface. The advantages of zero copy are the speed of processing packets, which will undoubtedly appeal to providers who, in case of inaction, run the risk of fines from Roskomnadzor.

    Installing Suricata on Ubuntu is described on the official Wiki

    Let's consider an example with NFQ on a WEB server


    Configure the initial iptables rule:
    # в очередь направляются пакеты, которые идут на 80-й порт и НЕ попадают под маску 0x1/0x1 для исключения бесконечного цикла
    iptables -t mangle -I PREROUTING -p tcp -m tcp --dport 80 -m mark ! --mark 0x1/0x1 -j NFQUEUE --queue-num 0
    

    We use mangle, because this table is one of the first in the package path.
    The --queue-bypass option appeared in the 2.6.38 kernel and allows you to skip all packets in the queue when there is no listening application NFQUEUE. Those. if Suricata is not running, then all packages that fall under the rules will go on as if nothing had happened.
    The option --queue-num sets the queue number.
    -m mark! --mark 0x1 / 0x1 ignores all packets that have already been processed by Suricata.

    Configure Suricata in IPS mode (relative to the standard configuration that comes with the packet):
    nfq:
      mode: repeat
    # настройка маски для обработанных пакетов
      repeat-mark: 1
      repeat-mask: 1
    ... ... ...
    default-rule-path: /etc/suricata
    rule-files:
     - test.rules
    # остальные правила можно закомментировать
    


    Suricata rule that responds to TEST text in a package (/etc/suricata/test.rules):
    pass tcp any any -> any any (content: "TEST"; msg: "TEST was marked!"; nfq_set_mark:0x2/0xffffffff; sid:2455;)

    sid must be unique

    . Together with the Suricata setting and the rule, the marking and mask of the “bad” packet will be: 0x02 / 0xfe (0xff XOR 0x01 = 0xfe)

    Run Suricata:
    suricata -q 0 -c /etc/suricata/suricata.yaml
    


    Further packet parsing by iptables rules:
    # детектируем пакет, на который сработало правило
    iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 80 -m mark --mark 0x2/0xfe -j LOG --log-prefix "TEST packet detected"
    

    After execution on the remote client:
    curl http://221.141.200.189/TEST
    

    An entry of the form will appear in / var / log / syslog:
    Sep  9 14:23:06 server kernel: [ 2897.581561] TEST packet detectedIN=eth0 OUT= MAC=c5:d5:08:8f:2d:be:ce:df:3e:af:8c:06:08:00 SRC=97.17.34.191 DST=221.141.200.189 LEN=133 TOS=0x00 PREC=0x00 TTL=64 ID=57685 DF PROTO=TCP SPT=33949 DPT=80 WINDOW=115 RES=0x00 ACK PSH URGP=0 MARK=0x3


    Do not forget that Suricata only labels packages. For a rule to work on the whole connection as a whole, it is necessary to mark it:
    # Копируем маркировку пакетов в маркировку соединений
    iptables -t mangle -A PREROUTING -m mark --mark 0x2/0xfe -j CONNMARK --save-mark
    # детектируем соединение, на которое сработало правило
    iptables -t mangle -A PREROUTING -m connmark --mark 0x2/0xfe -j LOG --log-prefix "TEST connection detected"
    # И наоборот, копируем маркировку с соединения на все пакеты
    iptables -t mangle  -A PREROUTING -m connmark --mark 0x2/0xfe -j CONNMARK --restore-mark
    


    If you pay attention to a wonderful addition to iptables like RAW DNAT / SNAT, then using Suricata you can route different types of traffic to different destination addresses. Here, too, there are several nuances like loss of connection integrity, but this can be easily solved using proxy software that can restore connections on the fly.

    In addition, Suricata can modify packages on the fly. For instance:
    pass tcp any any -> any any (content: "TEST"; replace:"SETS"; msg: "TEST was marked!"; nfq_set_mark:0x2/0xffffffff; sid:2455;)
    

    It replaces the TEST text in the package with SETS, but on one condition - the replacement data must be exactly the same size as the original. In this case, the command:
    curl -v http://221.141.200.189/TEST
    

    save to the WEB server log:
    97.17.34.191 - - [09/Sep/2013:14:51:04 +0400] "GET /SETS HTTP/1.1" 200 151 "-" "curl/7.26.0"
    


    Let's consider an example with AF_PACKET on the gateway


    Everything is simpler here. The suricata.yaml configuration should look something like this:
    af-packet:
      - interface: eth0
        threads: 1
        defrag: yes
        cluster-type: cluster_flow
        cluster-id: 98
        copy-mode: ips
        copy-iface: eth1
        buffer-size: 64535
        use-mmap: yes
      - interface: eth1
        threads: 1
        cluster-id: 97
        defrag: yes
        cluster-type: cluster_flow
        copy-mode: ips
        copy-iface: eth0
        buffer-size: 64535
        use-mmap: yes
    

    The number of processor threads should be no more than one for kernels older than 3.6, otherwise an increase in the number of threads will cause an infinite loop.
    The MTU on both network interfaces must be identical.

    Launch Suricata:
    suricata -c /etc/suricata/suricata.yaml --af-packet


    Conclusion


    Suricata is a flexible packet processing tool that allows you to change routes depending on the contents of the package, detect attacks and prevent bad packets from getting into the system (for example, DROP or replace packets until they reach the WEB server). Perhaps right now, government providers are using Suricata as a DPI.

    To write the article, we used information from the blog of one of the developers of Suricata and the official Wiki .

    Read Next