Protecting your network with the Suricata intrusion detection system
IP Reputation
Suricata also includes an IP address reputation system: you load lists of addresses, each tagged with a category and a score, and then write rules that match on them. A practical starting point is three lists: known bad hosts, known good hosts, and shared hosting machines. The bad list is for things like known malware command and control hosts; in other words, IP addresses that you will never have a legitimate reason to connect to. Numerous lists of such malicious IPs are available; searching for terms like "botnet ip address list" turns up plenty [11]. Bear in mind that these lists go stale quickly, so refresh them on a schedule rather than loading them once. The known good list is, of course, known good addresses. I might list my testing network IPs, for instance, so I don't get spammed by alerts when I test exploits. The shared hosting list is meant for IP addresses that host multiple websites; a major proxy provider like CloudFlare, for instance, might have thousands of websites behind a single address, so one bad tenant should not get the whole address treated as hostile.
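The following is an added example (my own script, not code from the article or from the Suricata project) that turns three such plain address lists into the files Suricata's iprep loader reads. The file layouts follow Suricata's documented iprep formats as I know them; the category names, scores, rule text and sid are my own assumptions, so check them against the documentation for the version you run:

```shell
#!/bin/sh
# Build Suricata IP-reputation files from three plain address lists (one IPv4
# address per line, '#' comments and blank lines allowed): known-bad hosts,
# known-good hosts and shared-hosting addresses.  Category ids are arbitrary
# but must agree between categories.txt and reputation.list; the names,
# descriptions and scores below are my own choices, not Suricata defaults.
set -eu

CAT_BAD=1
CAT_GOOD=2
CAT_SHARED=3

# categories.txt: <id>,<short name>,<description>
write_categories() {
    printf '%s\n' \
        "$CAT_BAD,CnC,Known command-and-control or botnet hosts" \
        "$CAT_GOOD,Trusted,Known good hosts such as the lab and admin networks" \
        "$CAT_SHARED,SharedHosting,Proxies and hosters fronting many unrelated sites"
}

# list_to_rep FILE CATEGORY SCORE: emit one "<ip>,<category>,<score>" per entry
list_to_rep() {
    awk -v cat="$2" -v score="$3" '
        /^[[:space:]]*#/ { next }              # comment line
        /^[[:space:]]*$/ { next }              # blank line
        { gsub(/[[:space:]]/, ""); print $0 "," cat "," score }
    ' "$1"
}

# reputation.list: scores run 0-127 and only mean something relative to the
# threshold used in the rule.  Shared hosts get a low score so that one bad
# tenant behind a big proxy does not get the whole address treated as C2.
write_reputation() {
    list_to_rep "$1" "$CAT_BAD" 100
    list_to_rep "$2" "$CAT_GOOD" 100
    list_to_rep "$3" "$CAT_SHARED" 20
}

# iprep.rules: iprep:<side>,<category>,<operator>,<score>.  This rule fires
# when an internal host ($HOME_NET is Suricata's own variable) opens a flow
# to an address whose CnC score is above 30.  The sid is an assumption.
write_rules() {
    printf '%s\n' \
        'alert ip $HOME_NET any -> any any (msg:"IPREP internal host talking to CnC server"; flow:to_server; iprep:dst,CnC,>,30; sid:9000001; rev:1;)'
}

# build_iprep BAD_LIST GOOD_LIST SHARED_LIST OUT_DIR
build_iprep() {
    mkdir -p "$4"
    write_categories > "$4/categories.txt"
    write_reputation "$1" "$2" "$3" > "$4/reputation.list"
    write_rules > "$4/iprep.rules"
}

if [ "$#" -eq 4 ]; then
    build_iprep "$@"
fi
```

Point suricata.yaml's reputation-categories-file, default-reputation-path and reputation-files settings at the output directory, add iprep.rules to the rule files, and run the script from cron whenever the upstream lists are refreshed. Suricata has to be restarted or told to reload for the new reputation data to take effect.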
Encrypted Traffic and Performance
It is pretty obvious at this point that you can easily drown in data if you deploy Suricata and start collecting everything. One of the first big architectural decisions to make with Suricata is whether to centralize or decentralize the IDS/IPS systems. Do you run a single system and force all your traffic through it? Do you run two servers and load balance connections between them? Do you run one server for inbound traffic and one for outbound traffic? Each choice has benefits and drawbacks. A single centralized server means fewer logfiles to merge, but it is also a single point of failure and a single bottleneck. Load balancing across multiple servers spreads the load, but connection-based thresholds become less effective, because each sensor sees only a fraction of any one host's connections. Splitting inbound and outbound traffic across different servers means that an inbound denial-of-service attack won't affect the monitoring of outbound traffic.
Where you encrypt and decrypt traffic is also important. If you use end-to-end TLS/SSL encryption, Suricata cannot inspect the payload; at best it sees handshake metadata such as the server certificate. For client systems, intercepting and monitoring TLS/SSL traffic isn't easy. If you are running servers, however, you can terminate TLS/SSL at a front end (a reverse proxy or load balancer) and send cleartext to the servers behind it, which makes the segment between the two easy to monitor. That segment now carries unprotected traffic, so keep it physically or logically isolated. For high-volume networks, you might also want to partition network traffic. Using iptables, for example, you can divert all outbound traffic to port 80 onto a network segment with an IPS/IDS dedicated to handling HTTP traffic.
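An added example of that partitioning idea (my own script, not code from the article): on a Linux gateway, outbound TCP port 80 is marked in the mangle table and policy-routed through a routing table whose only route leads onto the segment where the HTTP sensor sits. The interface names, the mark value, the table number and the IDS-side next hop are assumptions; by default the script only prints the commands so you can review them before applying them as root.

```shell
#!/bin/sh
# Divert outbound HTTP from a Linux gateway onto a separate segment watched by
# a dedicated HTTP IDS/IPS, by marking port-80 flows in the mangle table and
# routing marked packets through their own routing table.  Interface names,
# the mark, the table number and the IDS-side next hop are assumptions;
# adjust them to your topology.  IPv6 is not handled here.
set -eu

HTTP_MARK=0x50            # fwmark set in mangle, tested by the ip rule
IDS_TABLE=80              # routing table that only marked packets consult
DRY_RUN=${DRY_RUN:-1}     # 1: print the commands, 0: apply them (as root)

run() {
    if [ "$DRY_RUN" -eq 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# divert_http LAN_IF IDS_IF IDS_NEXT_HOP
divert_http() {
    lan_if=$1 ids_if=$2 ids_gw=$3
    # 1. Forwarded traffic is routed after PREROUTING, so mark it there.
    #    Only TCP to port 80 arriving from the LAN side is touched; all other
    #    traffic keeps using the main routing table.
    run iptables -t mangle -A PREROUTING -i "$lan_if" -p tcp --dport 80 \
        -j MARK --set-mark "$HTTP_MARK"
    # 2. Marked packets consult IDS_TABLE before the main table.
    run ip rule add fwmark "$HTTP_MARK" lookup "$IDS_TABLE"
    # 3. That table holds a single default route via the IDS segment, so the
    #    sensor on ids_if sees every outbound HTTP request.
    run ip route add default via "$ids_gw" dev "$ids_if" table "$IDS_TABLE"
    # 4. Replies for those flows come back in on ids_if although the main
    #    table would have sent them out elsewhere; loose reverse-path
    #    filtering stops the kernel from dropping them as spoofed.
    run sysctl -w "net.ipv4.conf.$ids_if.rp_filter=2"
}

# undo_divert_http LAN_IF IDS_IF IDS_NEXT_HOP: remove the diversion in
# reverse order (the rp_filter change is left in place deliberately).
undo_divert_http() {
    lan_if=$1 ids_if=$2 ids_gw=$3
    run ip route del default via "$ids_gw" dev "$ids_if" table "$IDS_TABLE"
    run ip rule del fwmark "$HTTP_MARK" lookup "$IDS_TABLE"
    run iptables -t mangle -D PREROUTING -i "$lan_if" -p tcp --dport 80 \
        -j MARK --set-mark "$HTTP_MARK"
}

if [ "$#" -eq 3 ]; then
    divert_http "$@"
fi
```

Run it as `DRY_RUN=0 ./divert-http.sh eth0 eth1 10.99.0.1` (names assumed) once the printed commands look right. Port 443 is deliberately left alone: diverting encrypted traffic past a sensor that cannot read it buys nothing, which is the point of deciding where TLS is terminated before deciding where the sensors go.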
Snorby GUI
As with any network monitoring system that collects large amounts of data, you'll want to put a GUI on it to make sense of everything. Oftentimes, graphing the data reveals trends far more readily than staring at a sheet of numbers. For Suricata (and Snort), users have the Snorby [12] front end. Snorby requires a number of dependencies, including Ruby 1.9, Ruby on Rails, libxml2-devel, libxslt-devel, mariadb-devel, and ImageMagick. Once you download Snorby, you need to run bundle install and then play whack-a-mole with any resulting errors (depending on your platform you might encounter quite a few).
Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.