Problem



The most common weakness of Intrusion Detection and Prevention System is encrypted traffic inspection. The SSH encrypted traffic requires private/public keys for encryption/decryption and it is very hard to obtain the private key from attackers.



Solution



How we can do that? If you are running Suricata as IPS, SSH Dynamic, Reverse and Port Forwarding tunnel will be detected by the following rules :



# ssh (port 5228=Google Talk, port 6697=IRC)

alert tcp any any -> any 22 (msg:"LOCAL SSH connect"; flow:established,to_server; app-layer-protocol:ssh; sid:1000008; rev:1;)



drop tcp any any -> any 22 (msg:"LOCAL not SSH but Port 22"; flow:established,to_server; app-layer-protocol:!ssh; sid:1000009; rev:1;)



drop tcp any any -> any ![22,5228,6697] (msg:"LOCAL SSH but not Port 22"; flow:established,to_server; app-layer-protocol:ssh; sid:1000010; rev:1;)



The first rule will alert you that there is a SSH connection to the port 22. The second rule will block the traffic the not SSH protocol but connect to port 22. The last rule will block the SSH connection that are not connecting to port 22, 5228 or 6697, where port 5228 is Google Talk and port 6697 is IRC.



If you do not use standard port 22 for SSH, please change the value when necessary.



Reference



SSH Brute Force and Suricata

Protocol Anomalies Detection



That's all! See you.

Linux/Mac/FreeBSD/UNIX/Windows Source: 
http://www.openinfosecfoundation.org/download/suricata-1.4.4.tar.gz
http://www.openinfosecfoundation.org/download/suricata-1.4.4.tar.gz.sig
Windows (win32) installer:
https://redmine.openinfosecfoundation.org/attachments/download/919/Suricata1.4.4-1-32bit.msi

Improvements

• No longer force "nocase" to be used on http_host
• Invalidate rule if uppercase content is used for http_host w/o nocase
• Warn user if bpf is used in af-packet IPS mode
• Better test for available libjansson version

Fixes

• Fixed accuracy issues with relative pcre matching (#784)
• Improved accuracy of file_data keyword (#788)
• Invalidate negative depth (#770)
• Fix http host parsing for IPv6 addresses (#761)
• Fix fast.log formatting issues (#773)
• Fixed deadlock in flowvar set code for http buffers (#801)
• Various signature ordering improvements
• Minor stream engine fix

Hardware



Laptop : Lenovo ThinkPad X201s Type 5397-G9B

Processor : Intel Core i7 CPU L640 @ 2.13GHz (2-core with 4 HT)

Memory : 8GB DDR3 RAM

Storage : AData SX900 512GB SSD



Software



Operating System : Ubuntu Desktop 12.04 LTS x86_64

Intrusion Prevention System : Suricata 1.4 (inline mode)



Introduction



Suricata is an Open Source Next Generation Intrusion Detection and Prevention Engine. This engine is not intended to just replace or emulate the existing tools in the industry, but will bring new ideas and technologies to the field.



There is an Ubuntu PPA of Suricata for Ubuntu 10.04 to 13.04 and the Ubuntu 13.04 is included Suricata in her repositories too. Meanwhile, those packages have IPS mode through NFQUEUE enabled. In addition, Suricata supports nVidia CUDA which requires to recompile the source code with suitable parameter.



Suricata not only can installed on servers but also on desktops and laptops. It performs quiet well on an Intel Atom ITX machine.



For the features, please read here for details.



Installation



Step 0 :



This step is for SSD only and make sure you have enough memory.



sudo nano /etc/fstab



Add the following to the "/" (or "/home" and "/" or alike) :



discard,noatime,nodiratime



To make it look like :



UUID=99f0925f-badc-4939 .... -7df6eca0c720 / ext4 discard,noatime,nodiratime,errors=remount-ro 0 1



Then, add the following :



tmpfs /tmp tmpfs defaults,noatime,mode=1777 0 0

tmpfs /var/spool tmpfs defaults,noatime,mode=1777 0 0

tmpfs /var/log tmpfs defaults,noatime,mode=0755 0 0

tmpfs /var/log/suricata tmpfs defaults,noatime,mode=0755 0 0



After that, edit the following :



sudo nano /etc/rc.local



Add the following right before the "exit 0" :



echo deadline > /sys/block/sda/queue/scheduler

echo 1 > /sys/block/sda/queue/iosched/fifo_batch



Step 1 :



sudo add-apt-repository ppa:oisf/suricata-stable

sudo apt-get update

sudo apt-get install suricata htp



Step 2 :



To get the Emerging Threats rules :



cd /etc/suricata/



sudo wget https://rules.emergingthreatspro.com/open/suricata/emerging.rules.tar.gz



sudo tar -xvzf emerging.rules.tar.gz



sudo ln -s /etc/suricata/rules/reference.config /etc/suricata/reference.config



sudo ln -s /etc/suricata/UbuntuPPA-configs/classification.config /etc/suricata/classification.config



sudo cp /etc/suricata/UbuntuPPA-configs/suricata-ppa-1.4-6ubuntu6.yaml /etc/suricata/suricata.yaml



*** You can use reference.config and classification.config at /etc/suricata/rules.



sudo touch /etc/suricata/threshold.config



Step 3 :



sudo nano /etc/suricata/suricata.yaml



Locate the following lines :



default-log-dir: /usr/local/var/log/suricata/

default-rule-path: /usr/local/etc/suricata/rules

classification-file: /usr/local/etc/suricata/classification.config

reference-config-file: /usr/local/etc/suricata/reference.config

#pid-file: /var/run/suricata.pid

#- rule-reload: true

#threshold-file: /usr/local/etc/suricata/threshold.config



- drop

enable: no



Replace with the following lines :



default-log-dir: /var/log/suricata/

default-rule-path: /etc/suricata/rules

classification-file: /etc/suricata/classification.config

reference-config-file: /etc/suricata/reference.config

pid-file: /var/run/suricata.pid

- rule-reload: true

threshold-file: /usr/local/etc/suricata/threshold.config



- drop

enable: yes



To test if it work or not :



sudo suricata -c /etc/suricata/suricata.yaml -i eth0



Several minutes later, check the /var/log/suricata/stats.log and /var/log/suricata/http.log to see if there are some entries or not.



Step 4 :



sudo iptables -A INPUT -j NFQUEUE

sudo iptables -A OUTPUT -j NFQUEUE

sudo iptables -A FORWARD -j NFQUEUE



To test if it work or not :



sudo suricata -c /etc/suricata/suricata.yaml -q 0



Step 5 :



sudo apt-get install oinkmaster



sudo nano /etc/oinkmaster.conf



Append the following line :



url = https://rules.emergingthreatspro.com/open/suricata/emerging.rules.tar.gz



sudo oinkmaster -C /etc/oinkmaster.conf -o /etc/suricata/rules



Step 6 :



When everything is working fine, you can put them in the /etc/rc.local just right above "exit 0" :



iptables -A INPUT -j NFQUEUE --queue-balance 0:3

iptables -A OUTPUT -j NFQUEUE --queue-balance 0:3

iptables -A FORWARD -j NFQUEUE --queue-balance 0:3

/etc/suricata/ips



Then create a file /etc/suricata/ips :



sudo nano /etc/suricata/ips

suricata -D -c /etc/suricata/suricata.yaml -q 0 -q 1 -q 2 -q 3



chmod +x /etc/suricata/ips



Then create the update-rule



sudo nano /etc/suricata/update-rules



oinkmaster -C /etc/oinkmaster.conf -o /etc/suricata/rules

kill -USR2 `pidof suricata`



sudo chmod +x /etc/suricata/update-rules





Step 7 :



Whenever you want to update the rules, you can :



sudo /etc/suricata/update-rules



That's all! See you.

Suricata is an Open Source Next Generation Intrusion Detection and Prevention Engine. This engine is not intended to just replace or emulate the existing tools in the industry, but will bring new ideas and technologies to the field.



There is an Ubuntu PPA of Suricata for Ubuntu 10.04 to 13.04 and the Ubuntu 13.04 is included Suricata in her repositories too. Meanwhile, those packages have IPS mode through NFQUEUE enabled. In addition, Suricata supports nVidia CUDA which requires to recompile the source code with suitable parameter.



Suricata not only can installed on servers but also on desktops and laptops. It performs quiet well on an Intel Atom ITX machine.



For the features, please read here for details.



The following is a basic and general setup of Suricata. For more advanced settings, please refer to the Reference below.





Step 1 :



sudo apt-get install python-software-properties

sudo add-apt-repository ppa:oisf/suricata-stable

sudo apt-get update

sudo apt-get install suricata htp



Step 2 :



To get the Emerging Threats rules :



cd /etc/suricata/



sudo wget https://rules.emergingthreatspro.com/open/suricata/emerging.rules.tar.gz



sudo tar -xvzf emerging.rules.tar.gz



sudo ln -s /etc/suricata/rules/reference.config /etc/suricata/reference.config



sudo ln -s /etc/suricata/UbuntuPPA-configs/classification.config /etc/suricata/classification.config



sudo cp /etc/suricata/UbuntuPPA-configs/suricata-ppa-1.4-6ubuntu6.yaml /etc/suricata/suricata.yaml



*** You can use reference.config and classification.config at /etc/suricata/rules.



sudo mkdir /var/log/suricata

sudo touch /etc/suricata/threshold.config



Step 3 :



sudo nano /etc/suricata/suricata.yaml



Locate the following lines :



default-log-dir: /usr/local/var/log/suricata/

default-rule-path: /usr/local/etc/suricata/rules

classification-file: /usr/local/etc/suricata/classification.config

reference-config-file: /usr/local/etc/suricata/reference.config

#pid-file: /var/run/suricata.pid

#- rule-reload: true

#threshold-file: /usr/local/etc/suricata/threshold.config



- drop

enable: no



Replace with the following lines :



default-log-dir: /var/log/suricata/

default-rule-path: /etc/suricata/rules

classification-file: /etc/suricata/classification.config

reference-config-file: /etc/suricata/reference.config

pid-file: /var/run/suricata.pid

- rule-reload: true

threshold-file: /usr/local/etc/suricata/threshold.config



- drop

enable: yes



To test if it work or not :



sudo suricata -c /etc/suricata/suricata.yaml -i eth0



Several minutes later, check the /var/log/suricata/stats.log and /var/log/suricata/http.log to see if there are some entries or not.



Step 4 :



sudo iptables -A INPUT -j NFQUEUE

sudo iptables -A OUTPUT -j NFQUEUE

sudo iptables -A FORWARD -j NFQUEUE



To test if it work or not :



sudo suricata -c /etc/suricata/suricata.yaml -q 0



Step 5 :



sudo apt-get install oinkmaster



sudo nano /etc/oinkmaster.conf



Append the following line :



url = https://rules.emergingthreatspro.com/open/suricata/emerging.rules.tar.gz



sudo oinkmaster -C /etc/oinkmaster.conf -o /etc/suricata/rules



Step 6 :



When everything is working fine, you can put them in the /etc/rc.local just right above "exit 0" :



#iptables -F

iptables -A INPUT -j NFQUEUE

iptables -A OUTPUT -j NFQUEUE

iptables -A FORWARD -j NFQUEUE



/etc/suricata/ips



Then create a file /etc/suricata/ips :



sudo nano /etc/suricata/ips

suricata -D -c /etc/suricata/suricata.yaml -q 0

oinkmaster -C /etc/oinkmaster.conf -o /etc/suricata/rules

kill -USR2 `pidof suricata`



chmod +x /etc/suricata/ips



Then you can write a cron job to update Emerging Threats Rules everyday.



sudo crontab -e



Append the following :



@daily /etc/suricata/update-rules



Then create the update-rule



sudo nano /etc/suricata/update-rules



oinkmaster -C /etc/oinkmaster.conf -o /etc/suricata/rules

kill -USR2 `pidof suricata`



sudo chmod +x /etc/suricata/update-rules





Remarks :



If you want to create a user-interface for the IPS, you can refer to the "Reference" item [12].



If the Suricata acts as IPS gateway, it requires to bridge 2 NICs and 1 NIC for management purpose. In addition, you need to do some changes on the configure files.



If you have 4-cores CPU, you need to change the settings as the following :



iptables -A INPUT -j NFQUEUE --queue-balance 0:3

iptables -A OUTPUT -j NFQUEUE --queue-balance 0:3

iptables -A FORWARD -j NFQUEUE --queue-balance 0:3



suricata -D -c /etc/suricata/suricata.yaml -q 0 -q 1 -q 2 -q 3











Reference



[1] OISF - Open Information Security Foundation

[2] Ubuntu PPA

[3] Suricata - Features

[4] Suricata Rules

[5] Rules reload

[6] Rule Management with Oinkmaster

[7] SmoothSec 2.1 (Suricata IDS distribution)

[8] Setting up IPS/inline for Linux

[9] Installation with CUDA on Ubuntu Server

[10] Suricata, Snorby and Barnyard2 setup guide

[11] Kill process in Linux or terminate a process in UNIX or Linux systems

[12] Installing Snorby on Ubuntu 12.04

[13] Suricata.yaml

[14] Suricata IPS information

[15] Suricata - Windows

[16] Suricata - Mac OSX

[17] Suricata - FreeBSD



That's all! See you.