Stamus-Networks-Blog

What Protocols are Used in Suricata?

Written by Dallon Robinette | Oct 30, 2023 2:24:00 PM

Suricata is one of the most powerful open-source intrusion detection systems (IDS) available. It leverages Suricata rules to detect a wide range of threats, but many people aren't aware of the wide range of protocols Suricata can handle to monitor and analyze network traffic. Additionally, Suricata is capable of producing various types of log data that let it function as a fully capable network security monitoring (NSM) system. Let's review some of the details.

What protocols are used in Suricata?

Suricata can handle a wide range of protocols to effectively monitor and analyze network traffic for suspicious activity, including but not limited to:

Basic Protocols:

  • TCP (Transmission Control Protocol)
  • UDP (User Datagram Protocol)
  • ICMP (Internet Control Message Protocol)
  • IP (Internet Protocol)

Application Layer Protocols (Layer 7):

  • HTTP (Hypertext Transfer Protocol)
  • HTTP/2
  • FTP (File Transfer Protocol)
  • TLS/SSL (Transport Layer Security/Secure Sockets Layer)
  • SMB (Server Message Block)
  • DNS (Domain Name System)

Other Supported Protocols:

  • DCERPC (Distributed Computing Environment Remote Procedure Call)
  • DHCP (Dynamic Host Configuration Protocol)
  • SSH (Secure Shell)
  • Many More

This is not an exhaustive list, but it highlights the most common protocols Suricata can work with. For a more complete list of which protocols are used in Suricata, please visit the Suricata user docs or the Suricata GitHub.

Which type of log does Suricata generate?

Suricata is versatile when it comes to log generation. It can produce several log types depending on your configuration and what information you want to capture:

  • Alert Logs: These are the most common logs generated by Suricata. They detail detected suspicious activity that matches a rule in its rule set. The logs typically include information like the timestamp, rule ID, source and destination IP addresses, ports involved, and a brief description of the detected event.
  • Flow Logs: Suricata can capture information about network flows, even if no alert is triggered. These logs provide a more detailed record of network traffic, including data about protocol usage, packet direction, and volume.
  • Protocol Transaction Logs: Suricata can log specific details about various protocols it analyzes, such as HTTP, DNS, or SMB. These logs offer granular insights into application layer activity on your network.
  • Fast Detection Logs (eve.json): This is a JSON-formatted log that provides comprehensive information about network events, including details from alert logs, flow logs, and even captured packet data (PCAP) if configured.
  • File Information (fileinfo) & Anomaly Logs: Suricata can log information about files encountered during analysis, along with any detected anomalies in network traffic behavior.

The specific types of Suricata logs generated depend on your configuration settings. You can choose to enable or disable different logging options based on your needs and desired level of detail.

What format does Suricata use?

Suricata primarily uses YAML:

  • YAML (YAML Ain't Markup Language): This format is used for Suricata's primary configuration file, suricata.yaml. YAML is a human-readable data serialization language that allows you to define various settings for Suricata's operation, including:
    - Network interfaces to monitor
    - Rule sets to load
    - Logging preferences
    - Alerting options

Additionally, Suricata interacts with other formats depending on its logging configuration:

  • JSON (JavaScript Object Notation): Suricata can generate detailed logs in JSON format, particularly the eve.json logs. This format offers a structured way to store information about network events, making it easier for parsing and analysis by tools and SIEM systems.
  • PCAP (Packet Capture): If you configure Suricata to capture full packet data for certain events, it will use the PCAP format, a standard format for storing network traffic captures. This allows for deeper forensic analysis of suspicious network activity.
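As an added example (not code from the original post or from the Suricata project), the following Python reads newline-delimited EVE JSON of the log kinds listed in the two sections above (alert, flow, protocol transaction, fileinfo, anomaly), skips a malformed line instead of aborting, tallies records by `event_type` and `app_proto`, and groups records by `flow_id` so an alert can be read next to its HTTP transaction and flow record. The sample lines, IPs, flow ids, signature id and anomaly event name are all constructed for this example.

```python
import json
from collections import Counter, defaultdict

# Constructed sample EVE JSON lines (eve.json is one JSON object per line). The IPs,
# flow_ids, signature and anomaly event are made up for this example, not real capture data.
SAMPLE_EVE = """\
{"timestamp":"2023-10-30T14:24:00.000000+0000","flow_id":1,"event_type":"alert","src_ip":"10.0.0.5","src_port":51234,"dest_ip":"203.0.113.10","dest_port":80,"proto":"TCP","app_proto":"http","alert":{"action":"allowed","signature_id":9000001,"rev":1,"signature":"LOCAL constructed test signature","severity":2}}
{"timestamp":"2023-10-30T14:24:01.000000+0000","flow_id":1,"event_type":"http","src_ip":"10.0.0.5","dest_ip":"203.0.113.10","proto":"TCP","app_proto":"http","http":{"hostname":"example.test","url":"/","http_method":"GET","status":200}}
{"timestamp":"2023-10-30T14:24:02.000000+0000","flow_id":2,"event_type":"dns","src_ip":"10.0.0.5","dest_ip":"192.0.2.53","proto":"UDP","app_proto":"dns","dns":{"type":"query","rrname":"example.test","rrtype":"A"}}
{"timestamp":"2023-10-30T14:24:05.000000+0000","flow_id":1,"event_type":"flow","src_ip":"10.0.0.5","dest_ip":"203.0.113.10","proto":"TCP","app_proto":"http","flow":{"pkts_toserver":6,"pkts_toclient":5,"bytes_toserver":900,"bytes_toclient":4200,"state":"closed"}}
{"timestamp":"2023-10-30T14:24:06.000000+0000","flow_id":3,"event_type":"fileinfo","src_ip":"203.0.113.10","dest_ip":"10.0.0.5","proto":"TCP","app_proto":"http","fileinfo":{"filename":"/update.bin","magic":"data","size":123456,"stored":false}}
{"timestamp":"2023-10-30T14:24:07.000000+0000","flow_id":4,"event_type":"anomaly","src_ip":"10.0.0.7","dest_ip":"203.0.113.20","proto":"TCP","anomaly":{"type":"applayer","event":"constructed.example_event"}}
this line is deliberately not JSON and must be skipped, not crash the reader
"""

def parse_eve(text):
    """Parse newline-delimited EVE JSON; return (events, malformed_line_count)."""
    events, bad = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            bad += 1           # a truncated or rotated line must not abort the whole file
            continue
        if isinstance(rec, dict) and "event_type" in rec:
            events.append(rec)
    return events, bad

def summarize(events):
    """Count records per event_type and per detected application protocol, and list alerts."""
    by_type = Counter(e["event_type"] for e in events)
    app_protos = Counter(e["app_proto"] for e in events if "app_proto" in e)
    alerts = [(e["alert"]["signature_id"], e["alert"]["signature"],
               f'{e["src_ip"]}:{e.get("src_port")}', f'{e["dest_ip"]}:{e.get("dest_port")}')
              for e in events if e["event_type"] == "alert"]
    return {"by_type": by_type, "app_protos": app_protos, "alerts": alerts}

def correlate_by_flow(events):
    """Group record types by flow_id so an alert can be read with its transaction and flow records."""
    groups = defaultdict(list)
    for e in events:
        if "flow_id" in e:
            groups[e["flow_id"]].append(e["event_type"])
    return dict(groups)
```

Call `parse_eve` on the contents of a real eve.json and pass the events to `summarize` and `correlate_by_flow`; the same `flow_id` ties an alert to the HTTP, DNS or SMB transaction and the flow record it was raised on.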

How to use Suricata?

Using Suricata involves several key steps:

  1. Installation:

First, choose a platform. Suricata is available for various operating systems like Linux, FreeBSD, UNIX, Mac OS X, and Windows. Download the installer suitable for your chosen platform from https://suricata.io/download/. The installation process generally involves following the instructions provided by the download source using your system’s package manager, or you can compile the code if you prefer a more customized approach.

  2. Configuration:

Suricata relies on a configuration file to define its operational parameters. The file specifies details like network interfaces to monitor, rule sets to use, logging options, and potential actions for detected threats. Popular options for rule sets include those available from Emerging Threats (ET) and Snort rules. You can also create custom rules to address specific vulnerabilities or concerns within your network.

  3. Running Suricata:

Once configured, you can initiate Suricata using the appropriate system commands (e.g., systemctl start suricata on some Linux distributions).

  4. Monitoring and Maintenance:

Regularly review Suricata logs to identify potential threats and investigate suspicious activity. Also keep Suricata's rule sets updated with the latest threat signatures to ensure optimal protection; this may involve periodic manual updates or setting up an automated update mechanism. Monitor Suricata's resource consumption (CPU, memory) to ensure it is functioning optimally. You might need to adjust configurations or upgrade hardware if performance bottlenecks occur.

Additional Tips:

  • Start with a Basic Setup: Begin with a basic configuration and gradually add complexity as you gain experience with Suricata.
  • Test Your Configuration: Before deploying Suricata in a production environment, thoroughly test your configuration with simulated traffic to identify and address any potential issues.
  • Community Resources: The Suricata community offers a wealth of resources, including documentation, tutorials, and forums. Leverage these resources for learning and troubleshooting.
  • Consider Training: If your IT team lacks experience with Suricata or IDS/IPS concepts, consider professional training to ensure effective implementation and management.

Learn More About Suricata

To begin learning more about Suricata, we recommend downloading the open-source book published by Stamus Networks titled “The Security Analyst’s Guide to Suricata” — the first practical guide to threat detection and hunting using Suricata, the world’s most popular open-source network security engine.

Written for security operations center (SOC) analysts and threat hunters who use Suricata to gain insights into what is taking place on their networks, the book provides vital information on entry points and an in-depth analysis of the most important Suricata features.
