Tools & Techniques - Suricata 4.0 (High-performance Network IDS, IPS & NSM engine)

On July 27th, 2017 the OIS (Open Information Security Foundation) & the Suricata project team issued a major update release to the Suricata IDS/IPS engine. 
The summary of improvements includes:
  • Improved Detection - based on feedback from the rule writing teams at Emerging Threats & Positive Technologies the project added improved inspection for HTTP, SSH & other protocols
  • Improved TLS detection & logging, & the addition of NFS support. 
  • Improved EVE JSON logging functionality including inner/outer ip logging for encapsulated traffic & extended HTTP request/response logging
  • RUST support 
  • Major TCP stream engine update 

Full details of the release can be found here  

 I've been a big fan & user of Suricata for just over a year now & I've previously written about deploying Suricata on Centos (or RHEL) here. The project still maintains some of the best documentation for an open project I've come across & you can find everything you need to install Suricata here
Additional resources that might be useful for anyone considering deploying or upgrading existing Suricata installations might include Suricata 4.0 RPMs (here) & the Stamus Networks write up on Suricata 4.0 improvements (here). 

 I've just got my first Suricata 4.0 install into the lab & I've summarised the steps I took below. It goes without saying that you need to consider your own setup & services when planning to upgrade.

Suricata 3.x -> 4.0 upgrade narrative

  • Backup config, rules & any scripts 
  • Remove Suricata 3.x
  • Download Suricata 4.0 (http://downloads.suricata-ids.org/)
  • Build & install Suricata 
  • Review / amend suricata.yaml (to preserve host & logging values, tuning, etc) 
  • Configure Rule management (i.e. oinkmaster) - Your existing rule management solution should persist throughout the upgrade although you'll probably want to check with your rule providers. If you use the ET community rules the new URL is: https://rules.emergingthreats.net/open/suricata-4.0/emerging.rules.tar.gz
  • Check / validate scheduled tasks (execution, restarts after rule updates etc)
  • Test Suricata Operation (i.e. $ curl -L www.testmyids.com)
  • Verify logging / outputs (log forwarding, ingestion, field extraction etc) 

Suricon 2017 & discounted Suricata training

Suricon, the annual Suricata users conference, is set to take place in Prague in November. You can still get tickets here. There is also a range of training options, including development & rule sigdev here

 









































Popular posts from this blog









PCI-DSS: Your CDE may be getting bigger




















Image







        In December, the PCI Security Standards Council released guidance around scoping and network segmentation for card data environment (CDE) assets. In their own words:      “Many organizations struggle to understand where PCI DSS controls are required and which systems need to be protected. This document provides guidance to help organizations identify the systems that, at a minimum, need to be included in scope for PCI DSS. Additionally, the document provides guidance on how segmentation can be used to help reduce the number of systems that require PCI DSS controls.”      The guidance goes on to visualise a scoping process, considering each category of system in turn:         I believe it’s worth highlighting the ‘broadness’ of the “Connected to OR Security Impacting Systems” . These are cases where the:     System component is on a different network (or subnet or VLAN), but can connect to or access the CDE (e.g., via internal network connectivity).  System component can connect








Read more










Splunk Security Cheat Sheet




















Image







 Apart from being a source of all too frequent and embarrassing typos, Splunk  is a big data platform which allows you to interrogate data and present results is a variety of contexts and visualisations. I've been using it for a little over 12 months, self teaching or Googleing as I go, predominantly to sift through the terabytes of logs from various applications and appliances that get generated in my 9-5 every day.      You can use Splunk to build dashboards which are typically better than the ones that come with the product ( full size )    I've started to pull together all the searches, notes and bits of code into a sort of security cheat sheet which I thought would be a good thing to share as well as providing some real world examples of how you might use Splunk in a security context.    Cheat Sheet    I'm actively working back through my notes and adding to this all the time so it might be a good thing to reference via the URL or re-visit from time to time. I'll t








Read more










Tools & Techniques - Cloud Firewalls (DigitalOcean)




















Image







  My home lab is (probably) typical of most security professionals: a beefy workstation running VMWare workstation, a beefy-ish workstation running ESXi and a bunch of laptops, switches and other devices.  I utilise a couple of VPS providers for hosting and exposing VMs to the cloud. My VPS provider of choice has been  DigitalOcean  for the last couple of years (going by my billing history) and to date, they've been excellent.   They recently introduced and advertised a new service feature called 'Cloud Firewalls'  and I had chance to have a play with them today. Essentially, they've incorporated a network level firewall service to their VPS offering which can be used as an alternative or in addition to host-based firewalls like iptables, firewalld, etc.    Initial Impressions - Pros, Cons and Limitations    Pros    No Cost (free!!) - Cloud Firewalls are available at no additional cost.  Availability - Cloud Firewalls are available in ever region DigitalOcean operate.  








Read more