Suricata as IPS


It is sad to see how unpopular articles on intrusion detection and prevention are on Habr:
Young fighter course: we are protected by a router. Continuation: IPS - 5 pluses.
SNORT as an IPS service - 25 pluses.
OSSEC: Big Brother is watching you - 13 pluses.
Articles analysing the aftermath of a break-in, on the other hand, are very popular. I'll try to add one more piece popularising information security.

Description of Suricata

An Intrusion Prevention System (IPS) is a software or hardware network and host security system that detects intrusions or security breaches and automatically protects against them.
An IPS can be seen as an extension of an Intrusion Detection System (IDS), since the task of spotting attacks stays the same. The difference is that an IPS must monitor activity in real time and act quickly to stop the attack: block a traffic flow, reset a connection, or raise an alert to the operator. An IPS can also reassemble fragmented packets and reorder TCP segments to defend against packets with forged SEQ and ACK numbers.
Suricata is an open source IDS/IPS. It was founded by developers who had worked on the IPS version of Snort (snort_inline). The main differences from Snort are the ability to offload pattern matching to a GPU in IDS mode, a more advanced IPS mode, and multithreading, which gives the performance to handle up to 10 Gbit/s of traffic on ordinary hardware; there is much more, including full support for the Snort rule format. The official website covers all of this better; today we talk about IPS.

On Linux, Suricata offers two IPS modes: NFQ and AF_PACKET.
In NFQ mode the flow is as follows:
1) The packet enters iptables.
2) An iptables rule hands it to an NFQUEUE queue, for example iptables -I INPUT -p tcp -j NFQUEUE
3) From NFQUEUE the packet can be processed in user space, which is what Suricata does.
4) Suricata runs the packet through the configured rules and, depending on the result, issues one of three verdicts: NF_ACCEPT, NF_DROP, or the most interesting one, NF_REPEAT.
5) A packet that receives NF_REPEAT can be marked and is sent back to the start of the current iptables hook, which gives a lot of room for deciding the packet's fate with ordinary iptables rules.

Starting with version 1.4, Suricata can also act as an IPS in zero-copy AF_PACKET mode, with some limitations. The system must work as a gateway with two network interfaces: packets captured on one interface are copied to the other, and a packet that hits a DROP rule is simply not forwarded. The advantage of zero copy is packet processing speed, which will no doubt appeal to providers who risk fines from Roskomnadzor if they fail to block what they are told to.

Installing Suricata on Ubuntu is described on the official Wiki

Let's consider an example with NFQ on a WEB server

Set up the initial iptables rule:
# packets going to port 80 that do NOT match mark 0x1/0x1 are sent to the queue; the mark check prevents an infinite loop
iptables -t mangle -I PREROUTING -p tcp -m tcp --dport 80 -m mark ! --mark 0x1/0x1 -j NFQUEUE --queue-num 0

We use mangle because this table is one of the first a packet traverses.
The --queue-bypass option appeared in kernel 2.6.38 and lets packets skip the queue when no application is listening on it, i.e. if Suricata is not running, every packet that matches the rule simply continues on its way as if nothing had happened (without the option the kernel drops packets queued to a listener-less queue). To use it, append --queue-bypass to the NFQUEUE rule above.
The --queue-num option sets the queue number.
-m mark ! --mark 0x1/0x1 skips all packets that Suricata has already processed.
Configure Suricata in IPS mode (changes relative to the standard configuration shipped with the package):
nfq:
  mode: repeat
# mark/mask that Suricata sets on every packet it has processed and re-injected
  repeat-mark: 1
  repeat-mask: 1
... ... ...
default-rule-path: /etc/suricata
rule-files:
 - test.rules
# the remaining rule files can be commented out

A Suricata rule that fires on the text TEST in a packet (/etc/suricata/test.rules):
pass tcp any any -> any any (content: "TEST"; msg: "TEST was marked!"; nfq_set_mark:0x2/0xffffffff; sid:2455;)

The sid must be unique.
Combined with the Suricata settings above, a "bad" packet arrives back in iptables with mark 0x3: the rule sets 0x2, and the repeat-mark 0x1 is OR-ed in when the packet is re-injected. It is therefore matched as 0x02/0xfe (0xff XOR 0x01 = 0xfe), a mask that ignores the repeat bit.
Run Suricata:
suricata -q 0 -c /etc/suricata/suricata.yaml

Further processing of the packet by iptables rules:
# log a packet on which the rule fired
iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 80 -m mark --mark 0x2/0xfe -j LOG --log-prefix "TEST packet detected"

After execution on the remote client:

An entry like the following appears in /var/log/syslog (MARK=0x3 is the rule's 0x2 plus the repeat bit; the prefix runs straight into IN= because --log-prefix was given without a trailing space):
Sep  9 14:23:06 server kernel: [ 2897.581561] TEST packet detectedIN=eth0 OUT= MAC=c5:d5:08:8f:2d:be:ce:df:3e:af:8c:06:08:00 SRC= DST= LEN=133 TOS=0x00 PREC=0x00 TTL=64 ID=57685 DF PROTO=TCP SPT=33949 DPT=80 WINDOW=115 RES=0x00 ACK PSH URGP=0 MARK=0x3

Remember that Suricata only marks individual packets. For the rule to affect the whole connection, the mark has to be copied to the connection:
# copy the packet mark into the connection mark
iptables -t mangle -A PREROUTING -m mark --mark 0x2/0xfe -j CONNMARK --save-mark
# log a connection on which the rule fired
iptables -t mangle -A PREROUTING -m connmark --mark 0x2/0xfe -j LOG --log-prefix "TEST connection detected"
# and the other way round: copy the connection mark back onto every packet of that connection
iptables -t mangle  -A PREROUTING -m connmark --mark 0x2/0xfe -j CONNMARK --restore-mark
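
To make the mark arithmetic and the NF_REPEAT loop concrete, here is a small Python model of the NFQ repeat-mode flow. It is an added example, not code from the article or from Suricata: the repeat-mark/repeat-mask and nfq_set_mark values are copied from the configuration above, the iptables rules are the ones listed above, Suricata's mark handling is reduced to "rule mark under its mask, then repeat mark under its mask", and the function names and the sample syslog line are constructed for illustration. It shows why a TEST packet comes back as MARK=0x3, why it still matches 0x2/0xfe, how the CONNMARK rules carry the verdict to later packets of the same connection, and what happens if the `! --mark 0x1/0x1` exclusion is left out.

```python
import re

# Values copied from the article's configuration: nfq repeat-mark/repeat-mask
# in suricata.yaml and nfq_set_mark:0x2/0xffffffff in test.rules.
REPEAT_MARK, REPEAT_MASK = 0x1, 0x1
RULE_MARK, RULE_MASK = 0x2, 0xFFFFFFFF
U32 = 0xFFFFFFFF


def mark_matches(mark, value, mask):
    """Semantics of iptables '-m mark --mark value/mask' (and -m connmark)."""
    return (mark & mask) == (value & mask)


def suricata_verdict(payload, mark):
    """Model of Suricata's NFQ 'repeat' mode for the 'pass ... content:"TEST"' rule.

    The rule overwrites the mark bits covered by its mask; then, because every
    accepted packet is re-injected with NF_REPEAT, the repeat mark is OR-ed in
    under its own mask.  Returns (verdict, new_mark).
    """
    if b"TEST" in payload:
        mark = (mark & ~RULE_MASK & U32) | (RULE_MARK & RULE_MASK)
    mark = (mark & ~REPEAT_MASK & U32) | (REPEAT_MARK & REPEAT_MASK)
    return "NF_REPEAT", mark


def traverse_prerouting(payload, connmark=0, exclude_repeated=True, max_passes=8):
    """Walk one packet through the mangle PREROUTING rules from the article.

    Returns (packet mark, connection mark, LOG prefixes hit, passes over the chain).
    exclude_repeated=False drops the '! --mark 0x1/0x1' check to show why it is
    needed: NF_REPEAT restarts the chain, so the packet would be queued forever.
    """
    mark, logs, passes = 0, [], 0
    while True:
        passes += 1
        if passes > max_passes:
            raise RuntimeError("packet loops between NFQUEUE and NF_REPEAT")
        # -p tcp --dport 80 -m mark ! --mark 0x1/0x1 -j NFQUEUE --queue-num 0
        if not (exclude_repeated and mark_matches(mark, 0x1, 0x1)):
            verdict, mark = suricata_verdict(payload, mark)
            if verdict == "NF_REPEAT":
                continue  # back to the top of the chain with the new mark
        # -m mark --mark 0x2/0xfe -j LOG  and  -m mark --mark 0x2/0xfe -j CONNMARK --save-mark
        if mark_matches(mark, 0x2, 0xFE):
            logs.append("TEST packet detected")
            connmark = mark
        # -m connmark --mark 0x2/0xfe -j LOG  and  -j CONNMARK --restore-mark
        if mark_matches(connmark, 0x2, 0xFE):
            logs.append("TEST connection detected")
            mark = connmark
        return mark, connmark, logs, passes


def parse_log_mark(line):
    """Pull the MARK= value out of a kernel LOG line; None if it is absent."""
    m = re.search(r"\bMARK=(0x[0-9a-fA-F]+)", line)
    return int(m.group(1), 16) if m else None


# Constructed syslog line in the same shape as the one shown in the article.
SAMPLE_LOG = ('Sep  9 14:23:06 server kernel: [ 2897.581561] TEST packet detectedIN=eth0 '
              'OUT= SRC=10.0.0.2 DST=10.0.0.1 LEN=133 PROTO=TCP SPT=33949 DPT=80 MARK=0x3')


if __name__ == "__main__":
    # first packet of the connection carries TEST: marked 0x3, both LOG rules fire
    print(traverse_prerouting(b"GET /TEST HTTP/1.1\r\n"))
    # a later packet without TEST: only the connection-level rules fire, mark restored
    print(traverse_prerouting(b"GET / HTTP/1.1\r\n", connmark=0x3))
    mark = parse_log_mark(SAMPLE_LOG)
    print(hex(mark), mark_matches(mark, 0x2, 0xFE))
    try:
        traverse_prerouting(b"GET /TEST HTTP/1.1\r\n", exclude_repeated=False)
    except RuntimeError as e:
        print("without the mark exclusion:", e)
```

The second call illustrates the point made above about connections: a packet that does not contain TEST still gets queued (its mark is 0 on entry, so the exclusion does not apply), comes back with only the repeat bit set, and picks up the 0x2 mark from the connection via --restore-mark rather than from Suricata.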

If you look at a nice iptables addition such as RAWDNAT/RAWSNAT (stateless NAT from xtables-addons), Suricata can be used to route different kinds of traffic to different destination addresses. There are a few nuances here too, such as breaking the integrity of the connection, but that is easily solved with proxy software that can take over connections on the fly.

Suricata can also modify packets on the fly. For example:
pass tcp any any -> any any (content: "TEST"; replace:"SETS"; msg: "TEST was marked!"; nfq_set_mark:0x2/0xffffffff; sid:2455;)

This replaces the text TEST in the packet with SETS, on one condition: the replacement must be exactly the same length as the original (the packet size cannot change; Suricata recalculates the checksums itself). In that case the command:
curl -v

shows up in the WEB server log as: - - [09/Sep/2013:14:51:04 +0400] "GET /SETS HTTP/1.1" 200 151 "-" "curl/7.26.0"

Let's consider an example with AF_PACKET on the gateway

Everything is simpler here. The af-packet section of suricata.yaml should look something like this (each interface copies to the other, and the two cluster-ids must differ):
af-packet:
  - interface: eth0
    threads: 1
    defrag: yes
    cluster-type: cluster_flow
    cluster-id: 98
    copy-mode: ips
    copy-iface: eth1
    buffer-size: 64535
    use-mmap: yes
  - interface: eth1
    threads: 1
    cluster-id: 97
    defrag: yes
    cluster-type: cluster_flow
    copy-mode: ips
    copy-iface: eth0
    buffer-size: 64535
    use-mmap: yes

On kernels older than 3.6, use no more than one thread per interface; with more threads on such kernels the packets loop endlessly.
The MTU on both network interfaces must be identical.

Launch Suricata:
suricata -c /etc/suricata/suricata.yaml --af-packet


Suricata is a flexible packet processing tool that lets you change routing based on packet contents, detect attacks, and keep bad packets out of the system (for example, by dropping or rewriting them before they reach the WEB server). Perhaps government providers are using Suricata as DPI right now.

This article used information from the blog of one of the Suricata developers and the official Wiki.