suricata50

Differences

suricata50 [2019/02/13 09:49]
root
suricata50 [2020/04/07 18:45] (current)
zog [Rules.]
Line 1: Line 1:
-======Attack detector======+===== Attack detector ​Suricata. ​=====
  
-The "Attack detector" ​module is placed ​in the "Security" ​menu. This module is designed to enablingsetting ​up and configuring ​the open source IPS/IDS system ​- Suricata that is used in the ICS CUBE. The system was designed by Open Information Security Foundation in 2009 year. Intrusion Prevention System (IPS) is a network security system, that can detect security breaches and attacks. IPS is monitoring network traffic in real time and can use different methods to prevent breaches - connection hangout, logging of known signatures and let it pass. IPS can also deframent packages, remixing packages to protect system from packages with altered SEQ and ACK numbers. The Suricata system is multitask, so it is high-load and can manage up to 10Gbit traffic channel at the regular hardware and other, including the Snort rules format. At the main page of the module you can see it's status, the "​Disable"​ button (or "​Enable",​ if it's already disabled) and last log messages.+The Attack detector” module is located ​in Security” menu. This module is designed to enableset up and configure ​the open source ​Intrusion Prevention System (IPS- Suricata that is used in ICS CUBE. 
  
-=====Settings=====+IPS is a network security system, that can detect security breaches and attacks. IPS monitors network traffic in real time and can use different methods to prevent breaches: connection termination,​ logging of known signatures and letting healthy connections trough. IPS can also defragment packets, rearrange packet sequences to protect system from packages with altered SEQ and ACK numbers. ​
  
-{{setup_detector.png}}+The Suricata system is multitasking,​ so it capable of high-load and can manage up to 10 Gbit traffic channel at the regular hardware and do other tasks, including interpretation of the Snort rule format
  
-For using the attack ​detector ​signature database correctly in this tab you should locate objects (networksservers and ports) that should be examined. Here you can specify internal and external networksservers network addresses ranges, and also the ports that are in use. By default, there are values that allow attack detector to launch properly. To change the default configuration you should open the drop-down list in the cell and choose values from the address ranges, that is known to ICS CUBE. Or you can type the required value manually in the cell. You can use domain names (like host.ru), ip-addresses (like 192.168.1.1),​ ip-address with prefix (like 192.168.1.1/​24),​ ip-address:​mask (like 192.168.1.1:​255.255.255.0),​ ip-address range (like 192.168.1.1-192.168.1.254),​ user, group, internal, external, VPN, OpenVPN, Wi-Fi networks and other object that ICS CUBE can manage in the cells "​networks"​ and "​servers"​. For the "​ports"​ cell port number (like 25, 100), port ranges (like 1000-2000) and object defined into ICS CUBE are allowed. You can also use ports excluding, for example, "​!80"​ for the «SHELLCODE-ports» cell. You must add the object "Local networks"​ in the "​External networks"​ field for traffic to be analyzed.+The module has five tabs: “Attacks ​detector ​Suricata”“Settings”“Rules”“Updating settings” ​and “Log”.
  
 +==== Attack detector Suricata. ====
  
-=====Rules===== ​+{{:​suricata1.png?​|}}
  
-{{detector_rules.jpg}}+On the “Attacks detector Suricata” tab you can see status of this service and the “Disable” button (or “Enable”,​ if the module is disabled) and last log messages.
  
-In this tab you can see possible database for attack detector module. There are three rule databases: the rules from the snort.org site, recompiled rules from the snort.org and Emerging Threats rules. Each base contains a set of downloadable files, and each file contains a set of rules, grouped according to the security target. For a rule set to work, it is necessary that the base would be downloaded (you can read about this in the "​setting up updates"​),​ if the base wasn't downloaded, next to every file you would see the "​Isn'​t downloaded"​ sign. If the base was downloaded, you can choose either to use all the base entirely, marking the "​apply"​ checkbox. Or, if you want to apply a specific file, or exclude a specific file, you can mark it with "​apply"​ flag itself. Next to every file you can see the amount of rules that it contains. In the right top corner you can see search - it works both with names and amount of rules in a file. To look through the rules and to choose an action you should click on the filename, and the new window with a table will be open. The table contains rule id - the rule number; priority - the value of a threat; warning - the description of an attack; classification - contains information about what class that attack is in; action - defines what would be done is the attack is detected (alert - to log an event and let it pass by, drop - to drop package, allow - let it pass; reject - destroy a package and notify sender about the event); turning the rule on/off fields.+==== Settings====
  
 +{{:​suricata2.png?​|}}
  
-=====Update settings=====+This tab is designed to configure the attack detector Suricata module. To use the attack detector signature database correctly in this tab you should specify such objects as: networks, servers and ports that should be monitored. Here you can specify internal and external networks, server network address ranges, and also ports in use. By default, there are values that allow attack detector to launch properly.
  
-{{update_detector.png}}+To change the default configuration you should open the drop-down list in the cell you want to modify and choose values from the address ranges, that are known to ICS CUBE. Or you can type the required value manually in the cell
  
-There are 2 companies that are active developing attack prevention systems ​Sourcefire and Emerging ThreatsTo download bases "Rules from the snort.org" and "​Recompiled rules from the snort.org"you should:+For the “networks” and “servers” cells, the following values ​​are valid: domain name (like host.com), IP-address (like 192.168.1.1)IP-address with prefix (like 192.168.1.1/​24),​ IP-address:mask (like 192.168.1.1:​255.255.255.0),​ IP-address range (like 192.168.1.1-192.168.1.254),​ user, group, internal, external, VPN, OpenVPN, Wi-Fi networks and other object that ICS CUBE can manage. ​
  
-  ​*Sign up in the Snort.org site (and to subscribe to rules update if necessary), +{{:​suricata3.png?​|}} 
-  *Get the Oinkcode for rules download (is placed in the private dashboard at the snort.org site), + 
-  *Enter this code in the «Oinkmaster code» ​field, +For the “ports” cell the following values ​​are valid: port number (like 25, 100), port ranges (like 1000-2000) and objects defined in ICS CUBE are allowed. You can also exclude ports, for example, “!80” for the «SHELLCODE ports» cell.  
-  *Sign the flag that is next to this field, ​if you really had subscribed to the rules updates), + 
-  *Save.+You must add the object “Local area networks” in the “External nets” field for traffic analyzing. 
 + 
 +==== Rules. ==== 
 + 
 +{{:​suricata4.png?​|}} 
 + 
 +On this tab you can see available database for attack detector module. There are three rule databases: the “Rules from snort.org” source, the “Positive Technologies Open Ruleset (Attack Detection)” and the “Emerging Threats Rules”. 
 + 
 +Each base contains set of downloadable files, and each file contains set of rules, grouped according to the security target. For a ruleset to work, it is necessary that the base has been downloaded (you can read about this in the “Updating settings”),​ if the base hasn't been downloaded, next to each file you will see the “was not downloaded” text.  
 + 
 +If the base has been downloaded, you can choose either to use all of the base entirely, selecting the “Apply” checkbox. Or, if you want to apply a specific file, or exclude a specific file, you can mark the file with “Apply” checkbox. Next to each file you can see the amount of rules that it contains. 
 + 
 +In the right top corner you can see search line - it works both with names and amount of rules in a file. To look through the rules and to choose an action you should click on the filename, and new window with a table will be opened.  
 + 
 +The table contains following tabs: 
 +  * //Rule id// - the rule number;  
 +  * //​Priority//​ - the value of a threat;  
 +  * //Alert// - the description of an attack;  
 +  * //​Classification//​ - contains information about what class that attack is in;  
 +  * //Action// - defines what would be done is the attack is detected (alert - to log an event and let it pass by, drop - to drop package, pass - let it pass; reject - destroy a package and notify sender about the event);  
 +  * //On / Off// - turning the rule on/off. 
 + 
 +==== Updating settings. ==== 
 + 
 +{{:​suricata5.png?​|}} 
 + 
 +This tab is used to configure the process of updating module rules. 
 + 
 +There are 2 companies that are active developing attack prevention systems - Sourcefire and Emerging Threats.  
 + 
 +To download base “Rules from snort.org” you should: 
 +  ​* Sign up in the Snort.org site (and to subscribe to rules update if necessary); 
 +  * Get the Oinkcode for rules download (it is placed in the private dashboard at the snort.org site); 
 +  * Enter this code in the «Oinkcode» ​field; 
 +  * Check the box “Snort.org subscriber” in case if you was subscribed to rules updates; 
 +  * Press “Save” button. 
 + 
 +You can download rules using this code only. Pay attention to the difference between the privileges of the regular signed up user from the one who subscribed to updates.  
 + 
 +After successful downloading of the rules, it will displays in the “Rules” tab without “was not downloaded” text. 
 + 
 +For downloading the “Emerging Threats Rules” database you need to check the box “Install Emerging Threats” and press “Save” button. 
 + 
 +For downloading the “Positive Technologies Open Ruleset (Attack Detection)” database you need to check the box “Positive Technologies Open Ruleset (Attack Detection)” and press “Save” button. 
 + 
 +Also on this tab you can see the “Daily check for rules update” checkbox which is active by default.  
 + 
 +After everything is set, you can press the “Update now” button. 
 + 
 +==== Log. ==== 
 + 
 +The “Log” tab displays a summary of all system messages of the corresponding servers with the date and time. The log is divided into pages, using the “forward” and “back” buttons it is possible to go from page to page, or enter the number of the desired page. 
 + 
 +Log entries are highlighted in color depending on the type of message. Normal system messages are marked in white, system status messages (on / off, user connection) are green, warnings are yellow, errors are red. 
 + 
 +In the upper right corner of the log is a search bar. And the ability to select the period for displaying the event log. By default, the log displays events for the current date. If necessary, you can save the log data to a file by clicking the “Export” button or delete the log data for a certain period by clicking the “Delete logs” button.
  
-You can download rules using this code only. Pay attention to the difference between the privileges of the regular signed up user from the one who subscribed to updates. After successful downloading of the rules of this developer, they will be shown in the "​Rules"​ without "​Isn'​t download"​ sign. 
  
-For downloading the "​Emerging Threats rules" database you can just sigh the "​Install Emerging Threats rules" flag and save changes. Another parameter that can be set up in this tab is an opportunity to check rules updates that was downloaded every day. By default it is signed, but you can change this if necessary. After everything is set, you can push the "​Update now" button.  ​ 
  
  
-=====Log===== ​ 
  
-It shows all system messages of the module with date and time. The log is divided to pages, you can navigate it using "​next"​ and "​previous"​ buttons, or you can enter page number manually. Log entries are colored depending on the message type. Regular messages are white, system status messages (turning on/off, user login) are green, warnings are yellow and errors are red. In the right top corner you can see the search line, and also a calendar to choose a period of time to show messages of. By default the log is showing events of the current date. You can save the log into a file if necessary, using the "​Export"​ button or delete log entries of the specified period of time, using the "​Delete log" button. 
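Review bot: The "Action" entry in the Rules column list of the new revision reads "defines what would be done is the attack is detected" and should read "if the attack is detected"; in the same place "The table contains following tabs:" should say "columns", since Rule id, Priority, Alert, Classification, Action and On / Off are columns of the rule table opened from a filename, not tabs of the module (the module's five tabs are already named in the overview paragraph). Keep the packet terminology consistent: the new text says "protect system from packages with altered SEQ and ACK numbers", "drop - to drop package" and "reject - destroy a package", where "packet" is meant each time. Other wording to fix on the "+" side: "letting healthy connections trough" (through), "so it capable of high-load" (so it is capable of high load), "There are 2 companies that are active developing" (actively developing), "in case if you was subscribed" (if you are subscribed), and "it will displays in the "Rules" tab" (they will be displayed). The sentence "You must add the object "Local area networks" in the "External nets" field for traffic analyzing" needs one sentence of rationale, because as written it tells the reader to list local networks as external without saying which traffic is left unanalyzed otherwise; the old revision had the same gap. Heading punctuation is inconsistent: "Attack detector Suricata.", "Rules.", "Updating settings." and "Log." end with a period while "Settings" does not.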
  
suricata50.1550040570.txt.gz · Last modified: 2019/02/13 09:49 by root