Tools & Techniques - Suricata 4.0 (High-performance Network IDS, IPS & NSM engine)
On July 27th, 2017 the OIS (Open Information Security Foundation) & the Suricata project team issued a major update release to the Suricata IDS/IPS engine.
The summary of improvements includes:
- Improved Detection - based on feedback from the rule writing teams at Emerging Threats & Positive Technologies the project added improved inspection for HTTP, SSH & other protocols
- Improved TLS detection & logging, & the addition of NFS support.
- Improved EVE JSON logging functionality including inner/outer ip logging for encapsulated traffic & extended HTTP request/response logging
- RUST support
- Major TCP stream engine update
Full details of the release can be found here.
I've been a big fan & user of Suricata for just over a year now & I've previously written about deploying Suricata on Centos (or RHEL) here. The project still maintains some of the best documentation for an open project I've come across & you can find everything you need to install Suricata here.
Additional resources that might be useful for anyone considering deploying or upgrading existing Suricata installations might include Suricata 4.0 RPMs (here) & the Stamus Networks write up on Suricata 4.0 improvements (here).
I've just got my first Suricata 4.0 install into the lab & I've summarised the steps I took below. It goes without saying that you need to consider your own setup & services when planning to upgrade.
Suricata 3.x -> 4.0 upgrade narrative
- Backup config, rules & any scripts
- Remove Suricata 3.x
- Download Suricata 4.0 (http://downloads.suricata-ids.org/)
- Build & install Suricata
- Review / amend suricata.yaml (to preserve host & logging values, tuning, etc)
- Configure Rule management (i.e. oinkmaster) - Your existing rule management solution should persist throughout the upgrade although you'll probably want to check with your rule providers. If you use the ET community rules the new URL is: https://rules.emergingthreats.net/open/suricata-4.0/emerging.rules.tar.gz
- Check / validate scheduled tasks (execution, restarts after rule updates etc)
- Test Suricata Operation (i.e. $ curl -L www.testmyids.com)
- Verify logging / outputs (log forwarding, ingestion, field extraction etc)