Protecting your network with the Suricata intrusion detection system
IP Reputation
Suricata also includes support for an IP address reputation system. Basically, Suricata can take three sets of lists: known good hosts, known bad hosts, and shared hosting machines. The idea is that this allows you to create rules for things like known command and control hosts for malware; in other words, IP addresses that you will never have a legitimate reason to connect to. You will find numerous lists of such malicious IPs; searching for terms like "botnet ip address list" turns up a lot of results [11]. The known good list is, of course, for known good addresses. I might list my testing network IPs, for instance, so I don't get spammed by alerts when I test exploits. The shared hosting list is meant for IP addresses that host multiple websites; a major proxy provider like CloudFlare, for instance, might have thousands or more websites behind a single address.
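As an added example (not code from the article), the script below turns the three kinds of lists described above into the two files Suricata's reputation system reads, and emits a matching rule. It assumes the file formats from the Suricata iprep documentation: a categories file with `id,short-name,description` lines, a reputation file with `ip-or-cidr,category-id,score` lines where the score runs from 0 to 127, and the `iprep:<side>,<category>,<operator>,<score>` rule keyword. The category ids and names, the threshold, and the sample feed are all constructed here; a feed downloaded from one of the lists mentioned above would need the same validation (bad addresses, unknown categories, duplicates) before Suricata loads it.

```python
"""Build Suricata IP-reputation files from known-good / known-bad / shared-hosting lists.

Added example; the formats below follow the Suricata iprep documentation
(assumption, not taken from the article). Sample data is constructed.
"""
import ipaddress

# The three list kinds the article describes, mapped to Suricata categories.
# Ids and names are chosen here (assumption).
CATEGORIES = {
    1: ("Good", "Known good hosts, e.g. internal test networks"),
    2: ("Bad", "Known bad hosts, e.g. malware command-and-control"),
    3: ("SharedHosting", "Addresses fronting many unrelated websites"),
}

# Constructed sample feed using RFC 5737 documentation ranges.
# Each line: ip-or-cidr,category-id,reputation-score (0..127).
SAMPLE_FEED = """
# comments and blank lines are ignored
192.0.2.10,2,120
192.0.2.11,2,90
198.51.100.0/24,1,127
203.0.113.0/24,3,60
192.0.2.10,2,120
not-an-ip,2,50
192.0.2.12,9,50
"""


def categories_file() -> str:
    """Text of categories.txt: one 'id,name,description' line per category."""
    return "".join(
        f"{cid},{name},{desc}\n" for cid, (name, desc) in sorted(CATEGORIES.items())
    )


def parse_feed(text: str):
    """Validate a feed; return (accepted, rejected).

    accepted: list of (ip_or_cidr, category_id, score) tuples
    rejected: raw lines that were malformed, out of range or unknown category
    Duplicate (address, category) pairs are dropped silently.
    """
    seen = set()
    accepted, rejected = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 3:
            rejected.append(raw)
            continue
        ip_text, cat_text, score_text = parts
        try:
            net = ipaddress.ip_network(ip_text, strict=False)
            cat, score = int(cat_text), int(score_text)
        except ValueError:
            rejected.append(raw)
            continue
        if cat not in CATEGORIES or not 0 <= score <= 127:
            rejected.append(raw)
            continue
        # Single hosts are written without a prefix, networks with one.
        addr = (
            str(net.network_address)
            if net.prefixlen == net.max_prefixlen
            else net.with_prefixlen
        )
        if (addr, cat) in seen:
            continue
        seen.add((addr, cat))
        accepted.append((addr, cat, score))
    return accepted, rejected


def reputation_file(entries) -> str:
    """Text of the reputation list Suricata loads: 'ip,category-id,score' lines."""
    return "".join(f"{addr},{cat},{score}\n" for addr, cat, score in entries)


def iprep_rule(sid: int, category_name: str, side: str = "src", threshold: int = 50) -> str:
    """Rule that alerts when a host in the named category scores above threshold."""
    return (
        f'alert ip any any -> any any (msg:"IPREP {category_name} host"; '
        f"iprep:{side},{category_name},>,{threshold}; sid:{sid}; rev:1;)"
    )


if __name__ == "__main__":
    ok, bad = parse_feed(SAMPLE_FEED)
    print(categories_file())
    print(reputation_file(ok))
    print("rejected:", bad)
    print(iprep_rule(1000001, "Bad"))
```

Write the two generated texts to the paths named by `reputation-categories-file` and `reputation-files` in suricata.yaml, then load the rule; the `side` argument lets the same rule fire on the source, destination or either end of a flow.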
Encrypted Traffic and Performance
It is pretty obvious at this point that you can easily drown in data if you deploy Suricata and start collecting everything. One of the first big architectural decisions to make with Suricata is whether to centralize or decentralize the IDS/IPS systems. For example, do you run a single system and force all your traffic through it? Do you run two servers and load balance connections? Do you run one server for inbound traffic and one server for outbound traffic? Each decision has benefits and drawbacks. Centralized servers mean fewer logfiles to merge, and load balancing traffic across multiple servers means that connection limits might not be as effective; conversely, splitting inbound and outbound traffic across different servers means that an inbound denial-of-service attack won't affect the monitoring of outbound traffic.
Where you encrypt and decrypt traffic is also important. If you use end-to-end TLS/SSL encryption, you won't be able to inspect the payload. For client systems, it isn't easy to intercept and monitor TLS/SSL traffic; however, if you are running servers, you can terminate the traffic at a TLS/SSL server and then send cleartext to the servers, making it easy to monitor traffic to your servers. For high-volume networks, you might also want to partition network traffic. Using iptables, for example, you can divert all outbound traffic to port 80 to a network segment with an IPS/IDS dedicated to handling HTTP traffic.
Snorby GUI
As with any network monitoring system that collects large amounts of data, you'll want to stick a GUI on it to make sense of everything. Oftentimes, graphing the data can immediately reveal trends much more easily than staring at a sheet of numbers. For Suricata (and Snort), users have the Snorby [12] front end. Snorby requires a number of dependencies, including Ruby 1.9, Ruby on Rails, libxml2-devel, libxslt-devel, mariadb-devel, and ImageMagick. Once you download Snorby, you need to run bundle install and then play whack-a-mole with any resulting errors (depending on your platform you might encounter quite a few).