What is Suricata? Intro to a Best of Breed Open Source IDS and IPS

by Bricata on June 4, 2019

“ESG research indicates network security monitoring is most often the center of gravity for threat detection. In other words, SOC analysts detect suspicious activity on the network first and then pivot elsewhere for further investigation.” So, wrote, Jon Oltsik a security analyst for ESG, in a piece for CSO Online summarizing observations from the RSA Conference.

In his assessment, network security monitoring can provide security leaders and CISOs with the most value for their investment. Among the technologies he cited were open source tools including Snort, Suricata, and Zeek (formerly known as the Bro framework).

Since our founding in 2014, Bricata has been a staunch advocate of open source technologies. To that end, it’s encouraging to see a prominent analyst highlighting open source security tools and the unique value they offer security teams in the never-ending battle that is cybersecurity. We’ve previously explored Zeek in depth and thought this was a good opportunity to do the same with Suricata.

What is Suricata?

Suricata is an open source network threat detection engine that provides capabilities including intrusion detection (IDS), intrusion prevention (IPS) and network security monitoring. It does extremely well with deep packet inspection and pattern matching which makes it incredibly useful for threat and attack detection.

While many of the features and functionalities are similar to Snort – Suricata is different in several important ways:

It’s multi-threaded so a single instance can perform at much higher traffic volumes;
There is more support available for application layer protocols;
It supports hashing and file extraction; and
It has hooks for the Lua scripting language, which can be used to modify outputs and even create complex and detailed signature detection logic.

In summary, Suricata is a best-of-breed signature-based intrusion detection platform – and it’s one of three important detection engines on the Bricata platform.

What is the advantage of a multi-threaded signature detection platform?

Enterprise networks today are handling more and more traffic and many typically carry 10 gigabytes per second on a backbone. So, the multi-threaded nature of Suricata allows its users to scale horizontally on a single appliance by adding packet processing threads as the traffic volume makes necessary.

In the Bricata platform, we’ve done this in an automated fashion under the hood. There are no special configurations or anything an administrator needs to do – and that’s a unique capability that Bricata provides.

There are a lot of signature detection engines out there so why should a cybersecurity team consider making it part of their tool kit?

One of the distinguishing traits of Suricata, especially in comparison to Snort, is that it has a dynamic protocol protection capability that is port agnostic. This means it can identify some of the more common application layer protocols, like HTTP, DNS, TLS, when these are communicating over non-standard ports. The rule language allows you to construct matching conditions in the application layer protocol to a much greater extent than comparable IDS tools.

For example, you can match HTTP header fields and values, or write rules to look at the HTTP post body. This gives you an awareness of the context for that network transaction, which can influence that matching logic that you’re using. By comparison, with other IDS tools, you’d write a rule that looks for a content match – a certain string inside a packet payload – without that context.

To be clear, it is possible to understand this context without the additional application layer protocol support – it just requires a deeper level of understanding around the packet and protocol structure. In those cases, context is applied to content by matching the byte values at predefined offsets – the distances from one another – that represent demarcations in the packet structure. This is complicated and easy to get wrong.

The application layer support Suricata provides simplifies this dramatically. Instead of having to know specific byte values and field lengths, if you want to match on a value in an HTTP host header you simply use the rule option keyword: http_host. This is much easier to get right.

Can Suricata help security teams in the race against time between a new vulnerability being announced and a patch working its way through change management?

Suricata can absolutely help address this gap. It’s an open source tool, so anyone can write a Suricata rule the same way anyone can write a Snort rule. When new vulnerabilities are disclosed or a proof of concept exploit code is released, this usually happens pretty quickly. For example, a security researcher will craft a Suricata rule and publish it for all to use. These rules allow you to monitor for the use of that exploit even as you usher a patch through your enterprise change management process.

This is important because, in large organizations, it can take a while to patch vulnerabilities. In 2018, it took organizations 34 days to patch even the most critical CVEs. In part, this is why concepts like threat hunting have become increasingly popular, but you also need to execute on the fundamentals flawlessly. Suricata can help you do just that.

It’s worth pointing out, there are also subscription services like ET Pro which provide updated rule sets. At last count, there were some 47,000 rules available for Suricata. Since this is a pro-subscription, there are researchers dedicated to watching vulnerability and breach disclosures – and developing new rules based on the threat intelligence they obtain.

Emerging Threats provides the rule set updates we use in the Bricata platform. The product ships with a threat intelligence subscription which means our customers get those updates automatically every hour. We are confident when we get coverage for new disclosures rapidly – usually inside 24 hours or so. We also make it easy to ingest other threat intelligence sources, including Snort rules, if the customer has a preference – and assuming the source is formatted properly.

How does Suricata work in intrusion prevention mode?

This depends in part on how you are using the technology and there a few ways you can do this with Suricata. In the Bricata platform, the administrator chooses whether they want to configure the system in detection or prevention mode. If our sensors are deployed in-line, you choose prevention mode and the Suricata engine drops the packets in-flight if it determines a rule matches those packets. It’s worth pointing out that this isn’t a point of differentiation because Snort works this way too.

Does Suricata have a community?

Suricata is backed by the Open Information Security Foundation (OISF) which provides long term protection for the openness of the code and helps to foster a community. The OISF helps to provide structure to Suricata training opportunities, resources, and the annual conference, SuriCon.

Those interested in learning more can follow Suricata on Twitter – @Suricata_IDS – and below we’ve curated several additional resources from around the web.