LabEx
Log InJoin For Free

Detect Anomalies in Suricata

WiresharkWiresharkBeginner
Practice Now

Introduction

In this lab, you will learn to detect network anomalies using Suricata, a powerful open-source threat detection engine. You'll explore key features including rule configuration, traffic monitoring, and alert analysis to identify potential security threats.

The hands-on exercises will guide you through Suricata setup, basic rule creation, and real-time traffic inspection. You'll gain practical experience in detecting suspicious activities like ICMP ping requests and customizing rules for specific threat scenarios.

Skills Graph

%%%%{init: {'theme':'neutral'}}%%%% flowchart RL wireshark(("Wireshark")) -.-> wireshark/WiresharkGroup(["Wireshark"]) wireshark/WiresharkGroup -.-> wireshark/packet_capture("Packet Capture") wireshark/WiresharkGroup -.-> wireshark/display_filters("Display Filters") wireshark/WiresharkGroup -.-> wireshark/export_packets("Exporting Packets") wireshark/WiresharkGroup -.-> wireshark/packet_analysis("Packet Analysis") subgraph Lab Skills wireshark/packet_capture -.-> lab-549934{{"Detect Anomalies in Suricata"}} wireshark/display_filters -.-> lab-549934{{"Detect Anomalies in Suricata"}} wireshark/export_packets -.-> lab-549934{{"Detect Anomalies in Suricata"}} wireshark/packet_analysis -.-> lab-549934{{"Detect Anomalies in Suricata"}} end

Install Suricata

In this step, you will install Suricata, an open-source network threat detection engine. Suricata acts like a security camera for your network, constantly analyzing traffic to identify potential threats. It can perform three key functions: real-time intrusion detection (IDS) to monitor for attacks, inline intrusion prevention (IPS) to block malicious traffic, and network security monitoring to log all activity.

Let's begin the installation process step by step:

  1. First, we need to update the package list. This ensures your system knows about the latest available software versions before we install anything:

    sudo apt update

    The sudo command gives you administrator privileges, while apt update refreshes your system's list of available packages.

  2. Now we'll install Suricata along with all its necessary components (dependencies). The -y flag automatically confirms the installation:

    sudo apt install -y suricata

    This command downloads and installs the Suricata software package from Ubuntu's official repositories.

  3. After installation, let's verify everything worked correctly by checking the installed version:

    suricata -V

    You should see output similar to:

    This is Suricata version 6.0.3 RELEASE

    The -V flag tells Suricata to display its version information. Seeing this output confirms the installation was successful.

  4. Suricata's behavior is controlled by a configuration file. Let's check if this important file exists in its default location:

    ls /etc/suricata/suricata.yaml

    The /etc/suricata/ directory is where Linux typically stores configuration files for system-wide applications.

  5. Finally, Suricata needs rules to know what to look for in network traffic. These rules are like a set of instructions telling Suricata what constitutes suspicious activity. The default rules are stored in:

    ls /var/lib/suricata/rules

    The /var/lib/suricata/rules directory contains the rule files that come with the Suricata installation. We'll work with these rules later in the lab.

Configure Basic Rules

In this step, you will configure basic detection rules for Suricata. Rules are the core component that tell Suricata what to look for in network traffic. Think of them like a set of instructions that define suspicious patterns or known threats.

  1. First, navigate to the Suricata rules directory where all rule files are stored:

    cd /var/lib/suricata/rules

    This is where Suricata keeps its default and custom rule files. The directory location is specified in Suricata's configuration.

  2. List the existing rule files to see what's already available:

    ls

    You should see several .rules files like suricata.rules. These files contain different categories of rules that Suricata uses for detection.

  3. Let's examine a basic rule structure. Open the main rules file using nano editor:

    sudo nano suricata.rules

    The nano editor is a simple text editor we'll use to modify rules. You'll see many existing rules with similar structures.

  4. Add a simple rule to detect ICMP ping requests (add this at the end of the file):

    alert icmp any any -> any any (msg:"ICMP Ping Detected"; itype:8; sid:1000001; rev:1;)

    Let's break down what this rule does:

    • alert: Tells Suricata to generate an alert when matched
    • icmp: Applies to ICMP protocol traffic
    • any any -> any any: Matches any source IP/port to any destination IP/port
    • msg: The alert message that will appear in logs
    • itype:8: Specifically matches ICMP type 8 (ping requests)
    • sid: Unique rule identifier (1000001+ for custom rules)
    • rev: Rule revision number

  5. Save the file (Ctrl+O, Enter, Ctrl+X in nano). This stores your new rule permanently.

  6. Verify the rule syntax is correct before applying it:

    sudo suricata -T -c /etc/suricata/suricata.yaml -v

    The -T flag tests the configuration. You should see output ending with:

    Configuration provided was successfully loaded. Exiting.

    This confirms your rule is properly formatted.

  7. Restart Suricata to load the new rules and begin monitoring:

    sudo pkill suricata
sudo suricata -c /etc/suricata/suricata.yaml -i eth0

    The first command stops any running Suricata instance, while the second starts it fresh with your new rules, monitoring the eth0 interface.

Monitor Live Traffic

In this step, we'll observe how Suricata monitors real-time network traffic and generates alerts based on the rules we configured earlier. This is the core functionality of any IDS (Intrusion Detection System) - watching network packets and flagging suspicious activity.

  1. First, we need to start Suricata in live capture mode. The following commands will first stop any running Suricata instance (if exists) and then start a new one monitoring the eth0 interface:

    sudo pkill suricata
sudo suricata -c /etc/suricata/suricata.yaml -i eth0

    The -c flag specifies our configuration file, while -i tells Suricata which network interface to monitor.

  2. Now let's generate some test traffic that should trigger our ICMP rule from the previous step. Open a new terminal and run:

    ping -c 3 8.8.8.8

    This sends 3 ICMP ping packets to Google's DNS server (8.8.8.8). Since we created a rule to detect ICMP traffic, Suricata should log this activity.

  3. Suricata writes alerts to /var/log/suricata/fast.log. To watch these alerts in real-time, use:

    sudo tail -f /var/log/suricata/fast.log

    The tail -f command continuously displays new lines added to the file. You should see output similar to:

    01/01/2023-12:34:56.123456  [**] [1:1000001:1] ICMP Ping Detected [**] [Classification: (null)] [Priority: 3] {ICMP} 192.168.1.1 -> 8.8.8.8

    This shows the timestamp, rule ID (1:1000001:1), alert message, and source/destination IP addresses.

  4. For more detailed logging in JSON format, we can examine the eve.json file. The following command filters and pretty-prints only alert events:

    sudo tail -f /var/log/suricata/eve.json | jq '. | select(.event_type == "alert")'

    The jq tool helps parse and format the JSON output, making it easier to read.

  5. To view statistics about the traffic Suricata is processing, including how many alerts were generated:

    sudo suricatasc -c stats

    Look for counters like detect.alert in the output - this shows how many times our rules triggered alerts.

  6. When you're finished observing the traffic, press Ctrl+C in any terminal windows where you're monitoring logs to stop the continuous output.

Review Generated Alerts

In this step, you will analyze the alerts generated by Suricata from the previous monitoring session. This helps understand what traffic patterns triggered your rules. When working with intrusion detection systems, reviewing alerts is crucial to identify potential security threats and fine-tune your detection rules.

  1. First, check the basic alert log:

    sudo cat /var/log/suricata/fast.log

    This command displays timestamped alerts in a simple, human-readable format. The fast.log is Suricata's default alert output file. Look for entries containing "ICMP Ping Detected" - these indicate ping requests that matched your detection rule.

  2. For more detailed analysis, examine the structured JSON log:

    sudo cat /var/log/suricata/eve.json | jq '. | select(.event_type == "alert")'

    The eve.json file contains comprehensive machine-readable logs in JSON format. We use jq to filter only alert events. This provides detailed information including:

    • Source and destination IP addresses
    • Precise timestamps
    • Complete rule details
    • Packet payload information (when configured)

  3. To count how many times each alert was triggered:

    sudo grep -o "ICMP Ping Detected" /var/log/suricata/fast.log | wc -l

    This pipeline first extracts all occurrences of "ICMP Ping Detected" using grep -o, then counts them with wc -l. This helps quantify how frequently this event occurs.

  4. For a summary of alert types:

    sudo jq -r '.alert.signature' /var/log/suricata/eve.json | sort | uniq -c

    This command extracts all alert signatures (rule names), sorts them alphabetically, then counts unique occurrences. It gives you an overview of which rules are triggering most frequently.

  5. To view alerts with source IP information:

    sudo jq -r 'select(.event_type == "alert") | [.timestamp, .src_ip, .alert.signature] | @tsv' /var/log/suricata/eve.json

    This advanced jq query creates a tab-separated output showing the timestamp, source IP, and alert signature for each event. The @tsv format makes it easy to import into spreadsheets.

  6. To check the most recent 5 alerts:

    sudo tail -n 5 /var/log/suricata/fast.log

    The tail command shows the last few lines of a file. This is useful for quick checks of recent activity without scrolling through the entire log.

Add a Custom Rule

In this step, you'll learn how to create and test your own Suricata rule to detect specific patterns in network traffic. We'll focus on detecting HTTP requests to a test domain (example.com) as a practical example. Custom rules allow you to extend Suricata's detection capabilities beyond its default rule set.

  1. First, navigate to the rules directory where Suricata stores its detection rules:

    cd /var/lib/suricata/rules

    This is where all Suricata rule files are typically stored. We'll add our custom rules here to keep them organized with the existing rules.

  2. Create a new rule file specifically for your custom rules:

    sudo nano custom.rules

    Using sudo is necessary because the rules directory requires administrative privileges to modify. We're naming the file custom.rules to clearly distinguish it from Suricata's default rule files.

  3. Add the following rule to detect HTTP requests to example.com:

    alert http any any -> any any (msg:"HTTP Request to example.com"; flow:to_server; http.host; content:"example.com"; nocase; sid:1000002; rev:1;)

    Let's break down what this rule does:

    • alert http: Triggers an alert for HTTP traffic
    • any any -> any any: Applies to traffic from any source port to any destination port
    • msg: Provides a human-readable alert message
    • flow:to_server: Only matches traffic going to servers
    • http.host: Examines the HTTP Host header
    • content:"example.com": Looks for this specific domain
    • nocase: Makes the match case-insensitive
    • sid:1000002: Gives the rule a unique ID (above 1,000,000 for custom rules)
    • rev:1: Indicates this is the first version of the rule

  4. Save the file in nano editor by pressing Ctrl+O (write out), then Enter to confirm, and Ctrl+X to exit.

  5. Now we need to tell Suricata to load our new rule file. Edit the main configuration:

    sudo nano /etc/suricata/suricata.yaml

    Find the rule-files: section (usually around line 50-60) and add:

    - custom.rules

    This addition ensures Suricata will load our custom rules when it starts.

  6. Before applying the changes, verify the rule syntax is correct:

    sudo suricata -T -c /etc/suricata/suricata.yaml -v

    The -T flag tells Suricata to test the configuration without actually running. This helps catch any syntax errors in your rules before they're used.

  7. Restart Suricata to load the new rule:

    sudo pkill suricata
sudo suricata -c /etc/suricata/suricata.yaml -i eth0

    The first command stops any running Suricata instance, while the second starts it fresh with our updated configuration.

  8. To test if our rule works, generate some HTTP traffic to example.com:

    curl http://example.com

    This command makes a simple HTTP request that should trigger our new rule.

  9. Finally, check if Suricata detected the traffic by viewing the latest alerts:

    sudo tail -n 5 /var/log/suricata/fast.log

    You should see an alert matching our custom rule's message about HTTP requests to example.com. If not, double-check each step and verify the rule syntax.

Summary

In this lab, you have learned how to install and configure Suricata, an open-source network threat detection engine. The process included updating packages, installing dependencies, and verifying the installation by checking the configuration file and rules directory.

You also explored creating custom detection rules by adding an ICMP ping request rule, understanding its structure and components. Finally, you verified the rule syntax to ensure Suricata can effectively monitor network traffic and generate alerts for anomalies.

Related Wireshark Courses
Quick Start with Wireshark

Quick Start with Wireshark

Cybersecurity
Beginner