Introduction to Suricata

2025-02-23 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

Catalogue

Introduction to Suricata

Introduction to IDS/IPS

Main features of Suricata

Suricata basic architecture

Suricata packet grabbing performance

Suricata rule

Suricata Custom Detection

Suricata http log Custom output

Suricata single process listens to two network ports at the same time

Problem

Summary

Reference

Introduction to Suricata

Suricata is a high-performance engine for IDS, IPS and network security monitoring. It is open source and developed by the Open Information Security Foundation (OISF), a community-run non-profit foundation.

For the installation environment, CentOS 7 / RHEL 7 or newer is recommended, and Suricata 4.x or newer is recommended, which makes it easier to use multithreading, Hyperscan, pfring and other features. The compilation environment of the version 6 operating systems needs time-consuming upgrades and fixes and is not recommended.

Introduction to IDS/IPS

An intrusion detection system (IDS) monitors network traffic in real time and, according to a preset policy, raises an alarm when suspicious transmissions are found.

An intrusion prevention system (IPS) is a computer network security device that monitors the data transmission behaviour of a network or of network devices. It is generally placed between the firewall and the network devices and can immediately interrupt, adjust or isolate abnormal or harmful transmissions. Compared with an IDS, whose main function is monitoring, an IPS adds an active blocking capability.

Main features of Suricata

Supports reading traffic from nfqueue
Supports offline analysis of pcap files and storing traffic data to pcap files
Supports IPv6
Supports pcap, af_packet, pfring and hardware-card capture
Multithreading support
Embedded Lua scripts for custom detection and output
IP reputation support
File extraction support
Compatible with Snort rules
Common packet decoding: IPv4, IPv6, TCP, UDP, SCTP, ICMPv4, ICMPv6, GRE, Ethernet, PPP, PPPoE, Raw, SLL, VLAN, QINQ, MPLS, ERSPAN, VXLAN
Common application layer protocol decoding: HTTP, SSL, TLS, SMB, DCERPC, SMTP, FTP, SSH, DNS, Modbus, ENIP/CIP, DNP3, NFS, NTP, DHCP, TFTP, KRB5, RDP

Suricata basic architecture

Operation mode

There are three modes of operation: single, workers and autofp. The officially recommended mode is workers.

Single mode: only one packet processing thread; generally used during development.

Workers mode: multiple packet processing threads, each containing the complete processing logic (capture, decode, detect, output).

Autofp mode: multiple packet capture threads hand packets to multiple packet processing threads. It is generally suited to nfqueue scenarios, where traffic is consumed from multiple queues.

Four thread modules

Packet acquisition: packet capture

Decoding: decoding packets and application layer protocols

Detection: inspecting packets through rules or custom scripts

Output: writing detection results and general protocol-related logs, etc.

Suricata packet capture performance

Performance comparison: hardware capture > pfring zc > pfring > af-packet > pcap

Tuning

1. Disable the multi-queue function of the network card

Reason: traffic is usually mirrored from the switch to the server NIC. With multiple queues, packets belonging to the same TCP connection may be distributed across different queues and arrive out of order because of timing differences. For example, if the SYN/ACK is received before the SYN, Suricata discards the traffic as invalid. Handling this in the detection engine would require buffering and reordering, which is more expensive.

Check the RSS settings of the em4 network card:

# ethtool -l em4
Channel parameters for em4:
Pre-set maximums:
RX:             0
TX:             0
Other:          1
Combined:       8
Current hardware settings:
RX:             0
TX:             0
Other:          1
Combined:       8

Set RSS to a single queue:

# ethtool -L em4 combined 1

2. Disable the network card TSO, GSO, LRO, GRO and similar offload features, as officially recommended.

Reason:

TSO/GSO: the NIC offloads segmentation, so the stack hands down one large "super packet" instead of many MTU-sized packets, which reduces the number of packets traversing the stack and improves performance. A capturing application then sees packets much larger than the interface MTU; they may exceed the capture snapshot length (snaplen), causing the capture program to discard these super packets.

LRO/GRO: merge several smaller packets into large "super packets", which breaks Suricata's tracking of TCP connections.

Check the offload features of the em4 network card:

# ethtool -k em4

Turn off TSO, GSO, LRO and GRO:

# ethtool -K em4 tso off gso off lro off gro off

3. Capture packets using pfring zc mode

Reason: pfring with zero copy improves performance, but zero copy requires network card driver support. Currently we capture packets in plain pfring mode, which only needs kernel support.

4. Adjust the memory-related settings in the configuration file: increase flow.memcap, stream.memcap and stream.reassembly.memcap

5. Use the workers operation mode

6. Set max-pending-packets in the configuration file to 8192

7. Compile Suricata with support for luajit (replacing the stock Lua), the Hyperscan high-performance regular expression library, and the PF_RING high-performance packet capture library.

Suricata rule

1. Compatible with Snort rules. For more information, see the official documentation.

2. Packets are filtered and processed through rules and built-in keywords.

3. Suricata 4.x comes with its own rule management tool.

Suricata Custom Detection

Suricata supports custom detection of packets through Lua scripts, for example protocol identification and abnormal traffic identification.
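As an added example (not a script from the original article), the following Suricata Lua detection script flags abnormal HTTP request lines: malformed syntax, an unexpected method, an overlong URI or embedded control characters. The file name, the rule sid and the set of allowed methods are assumptions.

```lua
-- Suricata Lua detection script (added example, not from the article).
-- Flags HTTP requests whose request line is abnormal: malformed syntax,
-- an unexpected method, an overlong URI, or control characters.
-- Assumed rule referencing this file (sid is a placeholder):
--   alert http any any -> any any (msg:"Abnormal HTTP request line";
--       lua:abnormal_http.lua; sid:1000001; rev:1;)

-- Methods considered normal for this deployment (an assumption; adjust as needed).
local allowed_methods = {
    GET = true, POST = true, HEAD = true, PUT = true,
    DELETE = true, OPTIONS = true, PATCH = true,
}
local max_uri_len = 2048

-- Tell Suricata which buffer the script needs; it is then passed in args.
function init (args)
    local needs = {}
    needs["http.request_line"] = tostring(true)
    return needs
end

-- Pure check kept separate from match() so it can be exercised outside Suricata.
-- Returns 1 when the request line is abnormal, 0 otherwise.
function check_request_line (line)
    if line == nil or #line == 0 then
        return 0
    end
    -- Any control character (CR, LF, TAB, NUL...) inside the request line is abnormal.
    if line:find("%c") then
        return 1
    end
    local method, uri = line:match("^(%S+) (%S+) (HTTP/%d%.%d)$")
    if method == nil then
        return 1            -- does not parse as "METHOD SP URI SP HTTP/x.y"
    end
    if not allowed_methods[method] then
        return 1            -- unexpected or lower-case method
    end
    if #uri > max_uri_len then
        return 1            -- overlong URI, often padding or injection attempts
    end
    return 0
end

-- Entry point called by Suricata for every HTTP request transaction.
function match (args)
    local line = args["http.request_line"]
    if line == nil then
        return 0
    end
    return check_request_line(tostring(line))
end
```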

Suricata http log Custom output

Request and response information of the HTTP protocol can be obtained through a Lua script, so all data in the HTTP protocol, such as headers, request body and response body, can be written to a custom output.
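As an added example (not the article's own script), the following Suricata Lua output script writes the request line, the request and response headers and both bodies of every HTTP transaction to one file. The file name http_full.log and the outputs stanza that enables the script in suricata.yaml are assumptions; bodies are only as complete as libhtp's body limits allow.

```lua
-- Suricata Lua output script (added example, not from the article).
-- Logs the request line, request/response headers and bodies of each HTTP
-- transaction. Assumed to be enabled under outputs: - lua: scripts: in
-- suricata.yaml; bodies are truncated at libhtp's request/response-body-limit.

name = "http_full.log"          -- created under Suricata's log directory

function init (args)
    local needs = {}
    needs["protocol"] = "http"  -- log() is called once per finished HTTP transaction
    return needs
end

function setup (args)
    filename = SCLogPath() .. "/" .. name
    file = assert(io.open(filename, "a"))
    SCLogInfo("HTTP full log file: " .. filename)
    count = 0
end

-- Render a header table {name = value} as "name: value" lines (nil-safe).
function headers_to_string (tbl)
    local out = {}
    for n, v in pairs(tbl or {}) do
        out[#out + 1] = n .. ": " .. tostring(v)
    end
    return table.concat(out, "\n")
end

function log (args)
    local ts = SCPacketTimeString()
    local ipver, srcip, dstip, proto, sp, dp = SCFlowTuple()
    local reqline = HttpGetRequestLine() or "<no request line>"
    -- HttpGetRequestBody/HttpGetResponseBody return a table of body chunks,
    -- or nil when the transaction carried no body.
    local req_body = table.concat(HttpGetRequestBody() or {})
    local resp_body = table.concat(HttpGetResponseBody() or {})
    file:write(ts .. " " .. srcip .. ":" .. sp .. " -> " .. dstip .. ":" .. dp .. "\n")
    file:write(reqline .. "\n" .. headers_to_string(HttpGetRequestHeaders()) .. "\n\n")
    file:write(req_body .. "\n")
    file:write(headers_to_string(HttpGetResponseHeaders()) .. "\n\n")
    file:write(resp_body .. "\n---\n")
    file:flush()
    count = count + 1
end

function deinit (args)
    SCLogInfo("HTTP transactions logged: " .. count)
    file:close()
end
```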

Suricata single process listens to two network ports at the same time

This can be achieved by modifying the suricata.yml configuration file. Taking the pfring capture method as an example, the following configuration captures the traffic of two network ports at the same time:

pfring:
  - interface: em2
    threads: auto
    cluster-id: 81
    cluster-type: cluster_flow
  - interface: em4
    threads: auto
    cluster-id: 82
    cluster-type: cluster_flow

Problem

1. If VLAN-tagged traffic is present, Suricata cannot output logs of application protocols such as HTTP and DNS normally.

Resolution:

Turn off VLAN-based flow tracking with the following configuration:

vlan:
  use-for-tracking: false

2. Decryption of HTTPS traffic

Decryption of HTTPS-encrypted traffic is not supported; only the SSL/TLS protocol itself can be decoded. At present the mainstream TLS versions (TLSv1, TLSv1.1, TLSv1.2, TLSv1.3) can be parsed. An example of the parsed log is as follows:

{
  "timestamp": "2019-12-12T16:04:39.031174+0800",
  "flow_id": 169694142547600,
  "in_iface": "eth2",
  "event_type": "tls",
  "vlan": 20,
  "src_ip": "1.1.1.1",
  "src_port": 63198,
  "dest_ip": "52.114.128.43",
  "dest_port": 443,
  "proto": "TCP",
  "tls": {
    "subject": "CN=*.events.data.microsoft.com",
    "issuerdn": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 4",
    "serial": "16:00:0A:BD:A3:28:8A:26:AC:EB:F1:78:5E:00:00:00:0A:BD:A3",
    "fingerprint": "33:b3:b7:e9:da:25:f5:a0:04:e9:63:87:b6:fb:54:77:db:ed:27:eb",
    "sni": "self.events.data.microsoft.com",
    "version": "TLS 1.2",
    "notbefore": "2019-10-10T21:55:38",
    "notafter": "2021-10-10T21:55:38",
    "ja3": {
      "hash": "2a26b1a62e40d25d4de3babc9d532f30"
    }
  }
}

Summary

Currently we use Suricata to analyze traffic mirrored from the switch. Suricata produces two outputs: alerts for the abnormal events it detects, and logs of all decoded application protocols. These feed subsequent storage and analysis as well as alarm processing.

Reference

https://yq.aliyun.com/articles/576349

https://suricata-ids.org/features/all-features/

https://suricata.readthedocs.io/en/suricata-4.1.3/rules/index.html
