Protecting your network with the Suricata intrusion detection system
Guard on Duty
Snort isn't the only free intrusion detection tool in the barnyard. We'll show you a powerful and promising alternative known as Suricata.
When most Linux users think of an open source IDS/IPS (intrusion detection|prevention system), they think of Snort. But Linux users have another option for intrusion detection and prevention: Suricata . Suricata is developed by the Open Information Security Foundation (OISF), which is tasked "to build a next generation IDS/IPS engine." The funding for the OISF comes from several US government agencies and private firms, but since Suricata is licensed under the common "GPLv2 and later" license, it is true open source and also freely available.
Why choose Suricata instead of Snort? Suricata uses Snort-compatible rulesets, which is good for compatibility, but if you're already using Snort rulesets, why not just use Snort? For one thing, Suricata is multithreaded, meaning it can easily take advantage of multiple cores, so you can more easily examine large volumes of traffic without having to make sacrifices like reducing the number of rules. Suricata can also do protocol inspection, so you don't have to rely on port numbers to identify traffic – you can easily examine HTTP traffic no matter what port it is on. Suricata also allows you to look inside of the protocol streams and extract the files, so they can then be examined. You can also block files based on their MD5 signature (more on this later). Suricata also allows you to examine TSL/SSL certificates and match them based on their fingerprints (a SHA1 hash of the certificate typically), so even if you can't intercept the TLS/SSL connection, you can still exert some control over it. However the main advantage of Suricata over Snort is that it isn't Snort. Don't get me wrong, Snort is awesome and I really like it, but Snort is also showing its age and some of the design decisions are less than optimal in the modern world (e.g., 10Gb Ethernet is cheap now) – things that Suricata addresses. Note: The latest version of Snort addresses some of these problems – see the article on Snort elsewhere in this issue.
The three primary options for installing Suricata  are from a package, from a source tarball, and from Git. I would only recommend using the Git version if you are a developer or need access to some bleeding-edge feature that hasn't yet made it into a release tarball. The package installation is less than optimal; at the time of this writing, Debian has a really old version of Suricata (1.2, current is 2.0.2), so unless you can get at least version 2.0.x, I would recommend installing from the release tarball. But first you're going to need some build dependencies:
file-devel. If you want to use the IPS mode to block attacks, you're also going to need
libnetfilter_queue-devel (on RHEL and CentOS you can find these in EPEL). Then, grab the tarball and execute the usual configure, make, and make install:
Buy this article as PDF
Kernel king admits his tone has alienated volunteers, but says the demands of the process require directness.
New flaw in an old encryption scheme leaves the experts scrambling to disable SSL 3
Lennart Poettering wants to change the way Linux developers talk to each other.
Enterprise giant frees itself from ink and home PCs (and visa versa).
Mozilla’s product think tank sinks silently into history.
TODO group will focus on open source tools in large-scale environments.
New tool will look like GParted but support a wider range of storage technologies.
New public key pinning feature will help prevent man-in-the-middle attacks.
Carnegie Mellon researchers say 3 million pages could fall down the phishing hole in the next year.
The US government rolls new best-practice rules for protecting SSH.