
Suricata as IPS

Foreword



It is sad to see how unpopular the articles about intrusion prevention are on this site.

Young Fighter's Course: Protected by a Router. Continued: IPS - 5 upvotes.

SNORT as an IPS service - 25 upvotes.

OSSEC: Big Brother is watching you - 13 upvotes.

Articles analyzing the aftermath of a compromise, however, are very popular. I will try to add one more piece popularizing information security.

Suricata Description





An Intrusion Prevention System (IPS) is a software or hardware network and computer security system that detects intrusions or security breaches and automatically protects against them.

IPS can be viewed as an extension of Intrusion Detection Systems (IDS), since the task of tracking attacks stays the same. They differ in that an IPS must monitor activity in real time and act quickly to prevent an attack. Possible measures are blocking traffic flows on the network, dropping connections and alerting the operator. An IPS can also perform packet defragmentation and TCP stream reordering to protect against packets with modified SEQ and ACK numbers.

(Wikipedia)



Suricata is an open-source IDS/IPS. It was founded by developers who had worked on the IPS version of Snort. The main differences from Snort are the ability to use a GPU in IDS mode, a more advanced IPS, multithreading and, as a result, performance high enough to process up to 10 Gbit/s of traffic on ordinary hardware, and much more, including full support for the Snort rule format. It is best to read about all of that on the official site. Today we will deal with IPS.



Suricata has two IPS modes: NFQ and AF_PACKET.



NFQ IPS mode works as follows:

1) A packet enters iptables.

2) An iptables rule sends it to an NFQUEUE queue, for example iptables -I INPUT -p tcp -j NFQUEUE

3) From the NFQUEUE queue the packets can be processed in user space, which is what Suricata does.

4) Suricata runs the packet through the configured rules and, depending on them, can issue one of three verdicts: NF_ACCEPT, NF_DROP and, the most interesting one, NF_REPEAT.

5) Packets that receive NF_REPEAT can be marked and sent back to the beginning of the current iptables table, which gives enormous scope for influencing the packet's further fate with iptables rules.


Starting from version 1.4, Suricata can work as an IPS in AF_PACKET zero-copy mode, with some limitations. The system must act as a gateway with two network interfaces. If a packet matches a DROP rule, it is simply not copied to the second interface. The advantage of zero copy is packet-processing speed, which will undoubtedly appeal to providers, who risk Roskomnadzor fines if they do nothing.



Installing Suricata on Ubuntu is described on the official wiki.



An NFQ example on a web server



Configure the initial iptables rule:

 # send every TCP packet to port 80 that is not yet marked 0x1/0x1 to queue 0
 iptables -t mangle -I PREROUTING -p tcp -m tcp --dport 80 -m mark ! --mark 0x1/0x1 -j NFQUEUE --queue-num 0 --queue-bypass


We use the mangle table because it is one of the first tables on a packet's path.

The --queue-bypass option appeared in kernel 2.6.38 and lets all packets pass the queue when no application is listening on the NFQUEUE. That is, if Suricata is not running, every packet that matches the rule goes on as if nothing had happened.

The --queue-num option sets the queue number.

-m mark ! --mark 0x1/0x1 skips all packets that have already been processed by Suricata.



Configure Suricata in IPS mode (changes relative to the standard configuration shipped in the package):

 nfq:
   mode: repeat        # re-inject every packet into iptables after the verdict
   repeat-mark: 1      # bit that marks a packet as already seen by Suricata
   repeat-mask: 1
 ...
 default-rule-path: /etc/suricata
 rule-files:
   - test.rules        # our test rule file




A Suricata rule that fires on the text TEST in a packet (/etc/suricata/test.rules):

 pass tcp any any -> any any (content: "TEST"; msg: "TEST was marked!"; nfq_set_mark:0x2/0xffffffff; sid:2455;) 


The sid must be unique.



Combining the Suricata setting with the rule, the mark and mask for matching a "bad" packet in iptables become 0x02/0xfe (0xff XOR 0x01 = 0xfe): the repeat bit 0x1 that Suricata adds to every re-injected packet is masked out, so only the bit set by the rule is compared.



We start Suricata:

 suricata -q 0 -c /etc/suricata/suricata.yaml 




Further handling of the packet by iptables rules:

 # log the packets that Suricata marked
 iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 80 -m mark --mark 0x2/0xfe -j LOG --log-prefix "TEST packet detected"


After running this on a remote client:

 curl http://221.141.200.189/TEST 


The following entry appears in /var/log/syslog (iptables glues the LOG prefix straight onto the rest of the line, hence "detectedIN="; end the --log-prefix with a space or colon if you want a separator):

 Sep 9 14:23:06 server kernel: [ 2897.581561] TEST packet detectedIN=eth0 OUT= MAC=c5:d5:08:8f:2d:be:ce:df:3e:af:8c:06:08:00 SRC=97.17.34.191 DST=221.141.200.189 LEN=133 TOS=0x00 PREC=0x00 TTL=64 ID=57685 DF PROTO=TCP SPT=33949 DPT=80 WINDOW=115 RES=0x00 ACK PSH URGP=0 MARK=0x3 




Do not forget that Suricata marks only individual packets. For the rule to apply to the whole connection, the connection has to be marked with CONNMARK:

 # save the packet mark into the connection mark
 iptables -t mangle -A PREROUTING -m mark --mark 0x2/0xfe -j CONNMARK --save-mark
 # log every packet that belongs to a marked connection
 iptables -t mangle -A PREROUTING -m connmark --mark 0x2/0xfe -j LOG --log-prefix "TEST connection detected"
 # put the connection mark back onto the packet so later rules can match it
 iptables -t mangle -A PREROUTING -m connmark --mark 0x2/0xfe -j CONNMARK --restore-mark
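As an added example (not code from the original article), here is the whole NFQ setup of this section collected into one iptables-restore file, with a small self-check of the mark arithmetic and the prevention step the article stops short of, a DROP of the flagged connection. The chain name SURICATA, the log prefix, the CONNMARK masks and the DROP in the filter table are my assumptions; queue 0, the 0x1/0x1 repeat mark and the 0x2/0xfe match are taken from the article.

```sh
#!/bin/sh
# Added example, not code from the original article: the NFQ repeat-mode setup from
# this section as one iptables-restore file plus a self-check of the mark arithmetic.
# Assumptions (mine, not the article's): the chain name SURICATA, the log prefix,
# the CONNMARK masks and the DROP in the filter table. Queue 0, repeat mark 0x1/0x1
# and the 0x2/0xfe "bad" match are taken from the article.

QUEUE_NUM=0
REPEAT_MARK=0x1   # nfq.repeat-mark in suricata.yaml
REPEAT_MASK=0x1   # nfq.repeat-mask
BAD_MARK=0x2      # nfq_set_mark:0x2/0xffffffff in test.rules
BAD_MASK=0xfe     # every bit except the repeat bit (0xff XOR 0x01)

# "-m mark --mark VALUE/MASK" in iptables means (pkt & MASK) == (VALUE & MASK).
mark_matches() { # pkt value mask -> exit status 0 when the match would fire
    [ $(( $1 & $3 )) -eq $(( $2 & $3 )) ]
}

# Mark Suricata hands back with NF_REPEAT: the rule's mark with the repeat bit
# forced in. For rule mark 0x2 this is the MARK=0x3 seen in the syslog line above.
repeat_verdict_mark() { # rule_mark -> printed as hex
    printf '0x%x\n' $(( ($1 & ~$REPEAT_MASK) | ($REPEAT_MARK & $REPEAT_MASK) ))
}

# Ruleset for "iptables-restore". It REPLACES the mangle and filter tables, so merge
# it with your own policy (or load it with "iptables-restore -n") on a real host.
suricata_ips_ruleset() {
cat <<EOF
*mangle
:PREROUTING ACCEPT [0:0]
:SURICATA - [0:0]
# only web traffic is inspected
-A PREROUTING -p tcp -m tcp --dport 80 -j SURICATA
# 1) unseen packets go to Suricata; re-injected packets carry the repeat bit and
#    skip this rule, which is what prevents an endless NF_REPEAT loop.
#    --queue-bypass lets traffic through when Suricata is not running.
-A SURICATA -m mark ! --mark ${REPEAT_MARK}/${REPEAT_MASK} -j NFQUEUE --queue-num ${QUEUE_NUM} --queue-bypass
# 2) a packet flagged by test.rules marks its whole connection (the masks keep
#    the repeat bit out of the connmark)
-A SURICATA -m mark --mark ${BAD_MARK}/${BAD_MASK} -j CONNMARK --save-mark --nfmask ${BAD_MASK} --ctmask ${BAD_MASK}
# 3) later packets of a flagged connection get the mark back and are logged
-A SURICATA -m connmark --mark ${BAD_MARK}/${BAD_MASK} -j CONNMARK --restore-mark --nfmask ${BAD_MASK} --ctmask ${BAD_MASK}
-A SURICATA -m connmark --mark ${BAD_MARK}/${BAD_MASK} -j LOG --log-prefix "TEST connection: "
COMMIT
*filter
:INPUT ACCEPT [0:0]
# 4) the prevention step: drop every packet of a flagged connection
-A INPUT -m connmark --mark ${BAD_MARK}/${BAD_MASK} -j DROP
COMMIT
EOF
}

# "sh suricata-ips.sh" prints the ruleset, "sh suricata-ips.sh apply" loads it (root).
case "${1:-print}" in
    apply) suricata_ips_ruleset | iptables-restore ;;
    *)     suricata_ips_ruleset ;;
esac
```

The ordering inside the SURICATA chain matters: the NFQUEUE rule comes first, so every packet reaching the CONNMARK and LOG rules has either been re-injected by Suricata (repeat bit set) or bypassed because Suricata is down. Dropping in the filter table rather than in the Suricata rule keeps the verdict in iptables, where the connection mark, the log and any RAWDNAT-style redirection can be combined.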




If you look at a wonderful iptables addition such as the RAWDNAT/RAWSNAT targets, then with Suricata you can steer different kinds of traffic to different destination addresses. There are nuances here too, such as loss of connection integrity, but that is easy to solve with proxy software that can re-establish connections on the fly.



In addition, Suricata can modify packets on the fly. For example:

 pass tcp any any -> any any (content: "TEST"; replace:"SETS"; msg: "TEST was marked!"; nfq_set_mark:0x2/0xffffffff; sid:2455;) 


This replaces the text TEST with SETS in the packet, under one condition: the replacement must be exactly the same length as the original content. In this case the command:

 curl -v http://221.141.200.189/TEST 


produces the following entry in the web server log:

 97.17.34.191 - - [09/Sep/2013:14:51:04 +0400] "GET /SETS HTTP/1.1" 200 151 "-" "curl/7.26.0" 




An AF_PACKET example on a gateway



Everything is simpler here. The suricata.yaml configuration should look roughly like this:

 af-packet:
   - interface: eth0
     threads: 1
     defrag: yes
     cluster-type: cluster_flow
     cluster-id: 98
     copy-mode: ips
     copy-iface: eth1
     buffer-size: 64535
     use-mmap: yes
   - interface: eth1
     threads: 1
     cluster-id: 97
     defrag: yes
     cluster-type: cluster_flow
     copy-mode: ips
     copy-iface: eth0
     buffer-size: 64535
     use-mmap: yes


On kernels older than 3.6 the number of handler threads must not exceed one; raising it there causes a packet loop.

The MTU on both network interfaces must be identical.



We start Suricata:

 suricata -c /etc/suricata/suricata.yaml --af-packet 
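The two caveats above (one thread on kernels older than 3.6, identical MTU on both interfaces) are easy to get wrong when the gateway is rebuilt, so here is an added preflight check, not code from the original article or from Suricata. The sysfs root and the kernel release are parameters of my own so the checks can be exercised without real interfaces; the interface names are whatever you configured in af-packet.

```sh
#!/bin/sh
# Added example, not from the original article: preflight checks for the
# two-interface AF_PACKET IPS setup above. The sysfs root and kernel release
# are parameters (my addition) so the checks can run without real interfaces.

iface_mtu() { # iface [sysroot] -> prints the MTU, non-zero status if absent
    cat "${2:-/sys/class/net}/$1/mtu" 2>/dev/null
}

# copy-mode: ips only works when both sides carry the same MTU.
mtu_match() { # iface1 iface2 [sysroot]
    a=$(iface_mtu "$1" "$3") && b=$(iface_mtu "$2" "$3") && [ "$a" = "$b" ]
}

# kernel_at_least MAJOR MINOR [release]: compares against "uname -r" by default.
kernel_at_least() {
    rel=${3:-$(uname -r)}
    maj=${rel%%.*}
    rest=${rel#*.}
    min=${rest%%[!0-9]*}
    [ "$maj" -gt "$1" ] || { [ "$maj" -eq "$1" ] && [ "$min" -ge "$2" ]; }
}

# Threads per interface: one on kernels older than 3.6 (the packet-loop caveat
# above), otherwise one per online CPU.
max_afpacket_threads() { # [release]
    if kernel_at_least 3 6 "$1"; then
        getconf _NPROCESSORS_ONLN
    else
        echo 1
    fi
}

# preflight_af_packet_ips IFACE1 IFACE2 [sysroot] [release]: prints the
# "threads:" value to put in suricata.yaml, or fails with the reason.
preflight_af_packet_ips() {
    if ! mtu_match "$1" "$2" "$3"; then
        echo "MTU differs or interface missing: $1=$(iface_mtu "$1" "$3") $2=$(iface_mtu "$2" "$3")" >&2
        return 1
    fi
    echo "threads: $(max_afpacket_threads "$4")"
}
```

Run it as preflight_af_packet_ips eth0 eth1 before starting Suricata; on a live host the sysfs root and release default to /sys/class/net and uname -r.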




Conclusion



Suricata is a flexible packet-processing tool that lets you change routing depending on packet contents, detect attacks and keep bad packets out of the system (for example, drop or rewrite them before they reach the web server). Perhaps state-run providers are already using Suricata for DPI.



Information from the blog of one of the Suricata developers and from the official wiki was used in writing this article.

Source: https://habr.com/ru/post/192884/


