Suricata Log Demonstration
- Shone Pious
- May 23, 2024
- 3 min read
Updated: May 25, 2024

Installing Suricata:
I will be installing Suricata in Kali Linux, based on Debian 6.3.7.

There are different methods of installing Suricata, one of which is building from source: this involves getting the source code from Suricata and compiling it yourself. We will be focusing on the binary package installation, which is far easier.
Run sudo apt update first, then run sudo apt-get install suricata, as shown in the screenshot.
Press ‘y’ to confirm the installation.

To confirm that Suricata has been installed, type suricata -V to show its version number.


Managing permissions:
Before managing rule sets and sources, we need to set up permissions, as described in the documentation. I will use the script from jstrosch on GitHub.
Copy the raw code into a bash script in the terminal, with sudo permissions; otherwise you will not be able to save the file.

In order to execute the bash script, we need to make it executable using the ‘chmod’ command. Find the full path to where you saved the bash script using ‘readlink -f’.

Run the chmod command to make the script executable.

Run the script with sudo.

Now we have the permissions set up and can continue to the next step, which is to run suricata-update.
Rule sets and sources:
Run suricata-update list-sources. This lists our sources – where we are getting our rules from. We can get rules from vendors, from GitHub, or even use personal rules.

We can see the enabled sources by typing suricata-update list-enabled-sources. As you can see, we have no enabled sources.

Let’s say we want to enable the ‘et/open’ source, which is the Emerging Threats Open Ruleset.
Type suricata-update enable-source et/open.

Type suricata-update update-sources now to update the source list.
Listing enabled sources now gives us the et/open source we just added.

Another great resource for open-source Suricata rules is Abuse.ch. Let’s add this as well.

JA3 fingerprints are hashes generated from a TLS handshake. They are one way to try to fingerprint TLS handshakes, particularly those used by malware actors.
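To make the idea of a handshake hash concrete, here is an added example (my code, not the post’s and not Abuse.ch’s) of how a JA3 fingerprint is computed from a ClientHello. It follows the published JA3 method: the client TLS version, cipher suites, extension types, elliptic curves and point formats are written as decimal numbers, each list joined with ‘-’, the five fields joined with ‘,’, and the result MD5-hashed. GREASE placeholder values are dropped first so the hash stays stable between connections. The ClientHello field values below are constructed, and the blocklist is a made-up illustration of how such hashes are matched in a ruleset.

```python
import hashlib

# GREASE values (0x0a0a, 0x1a1a, ... 0xfafa) are random placeholders a client
# may insert; JA3 ignores them so the fingerprint does not change per connection.
def is_grease(value):
    return (value & 0x0F0F) == 0x0A0A and (value >> 8) == (value & 0xFF)


def _field(values):
    """Join one ClientHello list as decimal numbers, GREASE removed."""
    return "-".join(str(v) for v in values if not is_grease(v))


def ja3_string(version, ciphers, extensions, curves, point_formats):
    """Build the JA3 input string: version,ciphers,extensions,curves,pointformats."""
    return ",".join([str(version), _field(ciphers), _field(extensions),
                     _field(curves), _field(point_formats)])


def ja3_hash(version, ciphers, extensions, curves, point_formats):
    """The JA3 fingerprint itself: MD5 of the JA3 string, as lowercase hex."""
    s = ja3_string(version, ciphers, extensions, curves, point_formats)
    return hashlib.md5(s.encode("ascii")).hexdigest()


def match_ja3(fingerprint, blocklist):
    """Return the label for a known-bad fingerprint, or None if it is unknown."""
    return blocklist.get(fingerprint)


# Constructed ClientHello: TLS 1.2 record version (0x0303 = 771), with a GREASE
# value at the front of each list to show that it is filtered out.
SAMPLE_HELLO = dict(
    version=0x0303,
    ciphers=[0x2A2A, 0x1301, 0x1302, 0xC02B],
    extensions=[0x3A3A, 0, 23, 65281, 10, 11],
    curves=[0x4A4A, 29, 23, 24],
    point_formats=[0],
)

# Constructed blocklist: in practice this is what an abuse.ch style JA3 rule
# carries, a hash plus the family it was observed with.
BLOCKLIST = {ja3_hash(**SAMPLE_HELLO): "EXAMPLE-family (constructed label)"}


if __name__ == "__main__":
    print("JA3 string:", ja3_string(**SAMPLE_HELLO))
    fp = ja3_hash(**SAMPLE_HELLO)
    print("JA3 hash:  ", fp)
    print("match:     ", match_ja3(fp, BLOCKLIST))
```

The string form is what you want to keep alongside the hash when triaging: two clients with the same hash necessarily share the same string, so an analyst can see which cipher or extension list produced the match rather than staring at an opaque MD5.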

Type suricata-update disable-source [name of source] to remove a source list.

Adding different sources and rulesets allows Suricata to draw on the different rule sets out there and make better decisions when generating alerts. This is not guaranteed every time a new source is added, however.
Ingesting Wireshark PCAP logs
I will demonstrate Suricata ingesting logs from a malicious PCAP file. This shows Suricata performing an offline detection scan, which you can run against your own capture files to check for malicious activity. Of course, for production environments, an online, real-time intrusion detection system is more effective.
I will use a malicious PCAP file from jstrosch’s GitHub, which also has other malware samples.
Download both the archive.zip and pcap.zip files. To open them, you will need the password ‘infected’. Move these files to the Suricata directory.
Extract the zip files into the Suricata directory.

This is the PCAP file.

Click the image below to copy the raw pcap.sh script.
Copy the script into a bash script.
Change its permissions to executable, as we did before, and run it with sudo.

Run the command sudo ./[name of your file].sh betabot.pcap. If you get a ‘no rule files’ error, run suricata-update and then try again.
If you get an error saying jq can’t be found, you need to install jq.

Run sudo apt update and sudo apt install jq.
Run the command again.
Suricata has now given us alerts based on the malicious PCAP file.
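The jq dependency above exists because Suricata writes its alerts as JSON lines (eve.json), and the pcap.sh script pretty-prints them. As an added example (my own code, not jstrosch’s pcap.sh and not part of the original post), here is the same offline scan and a small alert summary in Python, which is handy when you want counts rather than a raw dump. It assumes Suricata’s default EVE output lands in the chosen log directory as eve.json and uses the documented -c, -r and -l options; the embedded EVE lines are constructed in the real EVE alert schema, with made-up signature names, sids and documentation-range addresses, so the summary can be exercised without a pcap.

```python
import json
import shutil
import subprocess
from collections import Counter
from pathlib import Path


def run_offline_scan(pcap, log_dir, config="/etc/suricata/suricata.yaml"):
    """Replay one pcap through Suricata offline (-r) and return the eve.json path."""
    suricata = shutil.which("suricata")
    if suricata is None:
        raise FileNotFoundError("suricata not found on PATH; install it first")
    log_dir = Path(log_dir)
    log_dir.mkdir(parents=True, exist_ok=True)
    subprocess.run([suricata, "-c", config, "-r", str(pcap), "-l", str(log_dir)],
                   check=True)
    return log_dir / "eve.json"


def iter_alerts(lines):
    """Yield only event_type == "alert" records; skip blank or malformed lines."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # a truncated last line on a still-growing log is normal
        if event.get("event_type") == "alert":
            yield event


def summarize_alerts(lines):
    """Aggregate EVE alerts by signature, severity and (src, dest, proto) triple."""
    by_signature, by_severity, pairs, first_seen = Counter(), Counter(), Counter(), {}
    for ev in iter_alerts(lines):
        alert = ev.get("alert", {})
        sig = (alert.get("signature_id"), alert.get("signature"))
        by_signature[sig] += 1
        by_severity[alert.get("severity")] += 1
        pairs[(ev.get("src_ip"), ev.get("dest_ip"), ev.get("proto"))] += 1
        first_seen.setdefault(sig, ev.get("timestamp"))
    return {
        "total": sum(by_signature.values()),
        "by_signature": by_signature,
        "by_severity": by_severity,
        "top_pairs": pairs.most_common(5),
        "first_seen": first_seen,
    }


def format_summary(summary):
    """Render the summary as text; in Suricata, severity 1 is the highest priority."""
    out = [f"{summary['total']} alert(s)"]
    for (sid, name), n in summary["by_signature"].most_common():
        out.append(f"  sid {sid}: {n} x {name} (first seen {summary['first_seen'][(sid, name)]})")
    for (src, dst, proto), n in summary["top_pairs"]:
        out.append(f"  {src} -> {dst} {proto}: {n}")
    return "\n".join(out)


# Constructed EVE lines (real field layout, made-up content). The second line is a
# non-alert http event and the last line is deliberately broken; both are skipped.
SAMPLE_EVE = """\
{"timestamp":"2024-05-23T10:00:01.000000+0000","flow_id":1,"event_type":"alert","src_ip":"10.0.0.5","src_port":49152,"dest_ip":"203.0.113.7","dest_port":80,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":1000001,"rev":1,"signature":"EXAMPLE MALWARE HTTP beacon (constructed)","category":"A Network Trojan was detected","severity":1}}
{"timestamp":"2024-05-23T10:00:02.000000+0000","flow_id":1,"event_type":"http","src_ip":"10.0.0.5","dest_ip":"203.0.113.7","proto":"TCP","http":{"hostname":"example.invalid","url":"/gate.php"}}
{"timestamp":"2024-05-23T10:00:31.000000+0000","flow_id":2,"event_type":"alert","src_ip":"10.0.0.5","src_port":49153,"dest_ip":"203.0.113.7","dest_port":80,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":1000001,"rev":1,"signature":"EXAMPLE MALWARE HTTP beacon (constructed)","category":"A Network Trojan was detected","severity":1}}
{"timestamp":"2024-05-23T10:00:40.000000+0000","flow_id":3,"event_type":"alert","src_ip":"10.0.0.5","src_port":49154,"dest_ip":"198.51.100.9","dest_port":443,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":1000002,"rev":1,"signature":"EXAMPLE POLICY unusual TLS client (constructed)","category":"Potentially Bad Traffic","severity":2}}
this line is deliberately not JSON
"""


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:  # usage: python eve_summary.py betabot.pcap ./logs
        lines = run_offline_scan(sys.argv[1], sys.argv[2]).read_text().splitlines()
    else:  # no arguments: summarize the constructed sample instead
        lines = SAMPLE_EVE.splitlines()
    print(format_summary(summarize_alerts(lines)))
```

Grouping by signature and by talking pair is usually the first thing you want from a pcap run: a single sid firing dozens of times from one internal host to one external address tells you more about what the sample is doing than the same alerts scrolling past one by one.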

Thanks for reading!