doc: spelling mistakes in various sections of the user guide

pull/3384/head
Pascal Delalande 7 years ago committed by Victor Julien
parent 2d1c4420de
commit 4f48927c44

@ -3,7 +3,7 @@ Global-Thresholds
Thresholds can be configured in the rules themselves, see
:doc:`../rules/thresholding`. They are often set by rule writers based on
their intel for creating a rule combined with a judgement on how often
their intelligence for creating a rule combined with a judgement on how often
a rule will alert.
Threshold Config

@ -14,13 +14,13 @@ Max-pending-packets
-------------------
With the max-pending-packets setting you can set the number of packets
you allow Suricata to process simultaneously. This can range from one
packet to tens of thousands/hundreds of thousands of packets. It is a
you allow Suricata to process simultaneously. This can range from one
packet to tens of thousands/hundreds of thousands of packets. It is a
trade of higher performance and the use of more memory (RAM), or lower
performance and less use of memory. A high number of packets being
processed results in a higher performance and the use of more
memory. A low number of packets, results in lower performance and less
use of memory. Choosing a low number of packets being processed while
use of memory. Choosing a low number of packets being processed while
having many CPU's/CPU cores, can result in not making use of the whole
computer-capacity. (For instance: using one core while having three
waiting for processing packets.)
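Review bot: the two replaced lines ("you allow Suricata to process simultaneously..." and "use of memory. Choosing a low number...") read identically before and after, so this hunk only strips trailing whitespace, while real wording errors in the same passage are left untouched: "It is a trade of higher performance" should be "It is a trade-off between higher performance", "A low number of packets, results" has a stray comma, and "CPU's/CPU cores" should be "CPUs/CPU cores". Since the lines are being rewritten anyway, fix these in the same edit.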
@ -91,7 +91,7 @@ Action-order
All signatures have different properties. One of those is the Action
property. This one determines what will happen when a signature
matches. There are four types of Action. A summary of what will
matches. There are four types of Action. A summary of what will
happen when a signature matches and contains one of those Actions:
1) Pass
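Review bot: the changed line "matches. There are four types of Action. A summary of what will" is byte-identical to the removed one in this view, so this hunk (like several others in the commit) is a trailing-whitespace cleanup rather than a spelling fix; the commit message only mentions spelling, so say so there, or split the whitespace changes into their own commit so the spelling diff stays reviewable.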
@ -102,9 +102,9 @@ packet).
2) Drop
This only concerns the IPS/inline mode. If the program finds a
This only concerns the IPS/inline mode. If the program finds a
signature that matches, containing drop, it stops immediately. The
packet will not be sent any further. Drawback: The receiver does not
packet will not be sent any further. Drawback: The receiver does not
receive a message of what is going on, resulting in a time-out
(certainly with TCP). Suricata generates an alert for this packet.
@ -149,7 +149,7 @@ Splitting configuration in multiple files
-----------------------------------------
Some users might have a need or a wish to split their suricata.yaml
file in to seperate files, this is available vis the 'include' and
file in to separate files, this is available vis the 'include' and
'!include' keyword. The first example is of taking the contents of the
outputs section and storing them in outputs.yaml
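Review bot: the changed line still contains "this is available vis the 'include'", where "vis" is a typo for "via", and "file in to seperate files" should be "file into separate files"; since this exact line is already being edited for "seperate", fix both in the same edit: "file into separate files, this is available via the 'include' and".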
@ -248,7 +248,7 @@ the use of more disc space, so enable only the outputs you need.
Line based alerts log (fast.log)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This log contains alerts consisting of a single line. Example of the
This log contains alerts consisting of a single line. Example of the
appearance of a single fast.log-file line:
::
@ -316,7 +316,7 @@ This output supports IPv6 and IPv4 events.
# By default unified2 log files have the file creation time (in
# unix epoch format) appended to the filename. Set this to yes to
# disable this behaviour.
# disable this behavior.
#nostamp: no
# Sensor ID field of unified2 alerts.
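Review bot: the "behaviour" to "behavior" change here is inside a quoted configuration comment (the block ending in "#nostamp: no" is an excerpt of the unified2 output section of suricata.yaml), so the documentation now differs from the comment text in the shipped config file; either make the matching change in the config template or leave quoted config comments verbatim so readers can grep for them.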
@ -393,7 +393,7 @@ server, ttl, resource record data. This logging can also be performed
through the use of the :ref:`Eve-log capability <eve-json-format>` which
offers easier parsing.
Example of the apperance of a DNS log of a query with a preceding reply:
Example of the appearance of a DNS log of a query with a preceding reply:
::
@ -441,9 +441,9 @@ The pcap-log option can be enabled and disabled.
There is a size limit for the pcap-log file that can be set. The
default limit is 32 MB. If the log-file reaches this limit, the file
will be rotated and a new one will be created. The pcap-log option
will be rotated and a new one will be created. The pcap-log option
has an extra functionality for "Sguil":http://sguil.sourceforge.net/
that can be enabled in the 'mode' option. In the sguil mode the
that can be enabled in the 'mode' option. In the sguil mode the
"sguil_base_dir" indicates the base directory. In this base dir the
pcaps are created in a Sguil-specific directory structure that is
based on the day:
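Review bot: the context line "has an extra functionality for "Sguil":http://sguil.sourceforge.net/" uses Textile-style link syntax, which reStructuredText renders literally; as the surrounding lines are touched in this hunk, convert it to `Sguil <http://sguil.sourceforge.net/>`_ . The two changed lines are otherwise identical to the removed ones (whitespace only).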
@ -544,7 +544,7 @@ want the output-data to be written to the log file.
- stats:
enabled: yes #By default, the stats-option is enabled
filename: stats.log #The log-name. Combined with the default logging directory
filename: stats.log #The log-name. Combined with the default logging directory
#(default-log-dir) it will result in /var/log/suricata/stats.log.
#This directory can be overruled with a absolute path. (A
#directory starting with / ).
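Review bot: "This directory can be overruled with a absolute path" on the context line should read "an absolute path" (and "overridden" is the usual term); the changed "filename: stats.log" line is identical before and after, so this hunk only alters whitespace.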
@ -633,7 +633,7 @@ Detection engine
Inspection configuration
~~~~~~~~~~~~~~~~~~~~~~~~
The detection-engine builds internal groups of signatures. Suricata loads signatures, with which the network traffic will be compared. The fact is, that many rules certainly will not be necessary. (For instance: if there appears a packet with the UDP-protocol, all signatures for the TCP-protocol won't be needed.) For that reason, all signatures will be divided in groups. However, a distribution containing many groups will make use of a lot of memory. Not every type of signature gets its own group. There is a possibility that different signatures with several properties in common, will be placed together in a group. The quantity of groups will determine the balance between memory and performance. A small amount of groups will lower the performance yet uses little memory. The opposite counts for a higher amount of groups. The engine allows you to manage the balance between memory and performance. To manage this, (by determining the amount of groups) there are several general options:high for good performance and more use of memory, low for low performance and little use of memory. The option medium is the balance between performance and memory usage. This is the default setting.The option custom is for advanced users. This option has values which can be managed by the user.
The detection-engine builds internal groups of signatures. Suricata loads signatures, with which the network traffic will be compared. The fact is, that many rules certainly will not be necessary. (For instance: if there appears a packet with the UDP-protocol, all signatures for the TCP-protocol won't be needed.) For that reason, all signatures will be divided in groups. However, a distribution containing many groups will make use of a lot of memory. Not every type of signature gets its own group. There is a possibility that different signatures with several properties in common, will be placed together in a group. The quantity of groups will determine the balance between memory and performance. A small amount of groups will lower the performance yet uses little memory. The opposite counts for a higher amount of groups. The engine allows you to manage the balance between memory and performance. To manage this, (by determining the amount of groups) there are several general options: high for good performance and more use of memory, low for low performance and little use of memory. The option medium is the balance between performance and memory usage. This is the default setting. The option custom is for advanced users. This option has values which can be managed by the user.
::
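Review bot: the only differences in this paragraph are the added spaces after "options:", "setting." and "usage.", which is fine, but while the line is being rewritten "all signatures will be divided in groups" should be "into groups", and "The opposite counts for a higher amount of groups" is a calque; "The opposite applies to a larger number of groups" is clearer. The paragraph is also a single very long line; wrapping it like the rest of the file would make future diffs readable.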
@ -645,13 +645,13 @@ The detection-engine builds internal groups of signatures. Suricata loads signat
sgh-mpm-context: auto
inspection-recursion-limit: 3000
At all of these options, you can add (or change) a value. Most
At all of these options, you can add (or change) a value. Most
signatures have the adjustment to focus on one direction, meaning
focusing exclusively on the server, or exclusively on the client.
If you take a look at example 4, *the Detection-engine grouping tree*,
you see it has many branches. At the end of each branch, there is
actually a 'sig group head'. Within that sig group head there is a
actually a 'sig group head'. Within that sig group head there is a
container which contains a list with signatures that are significant
for that specific group/that specific end of the branch. Also within
the sig group head the settings for Multi-Pattern-Matcher (MPM) can be
@ -668,7 +668,7 @@ For setting the option sgh-mpm-context, you can choose from auto, full
or single. The default setting is 'auto', meaning Suricata selects
full or single based on the algorithm you use. 'Full' means that every
group has its own MPM-context, and 'single' that all groups share one
MPM-context. The two algorithms ac and ac-gfbs are new in 1.03. These
MPM-context. The two algorithms ac and ac-gfbs are new in 1.03. These
algorithms use a single MPM-context if the Sgh-MPM-context setting is
'auto'. The rest of the algorithms use full in that case.
@ -749,7 +749,7 @@ These are the proceedings:
1)A packet comes in.
2)The packed will be analysed by the Multi-pattern-matcher in search
2)The packed will be analyzed by the Multi-pattern-matcher in search
of patterns that match.
3)All patterns that match, will be further processed by Suricata (signatures).
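Review bot: the changed line still reads "The packed will be analyzed", where "packed" should be "packet"; fix it together with "analysed". The numbered items "1)A packet comes in." and "2)The packed" also lack a space after the closing parenthesis, which reStructuredText needs to render them as an enumerated list.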
@ -790,7 +790,7 @@ used with the final step of the pattern matcher, namely the validation
of the pattern. For this option the same counts as for the hash-size
option: setting it to low will cause lower memory usage, but lowers
the performance. The opposite counts for a high setting of the
bf_size: higher memory usage, but (generally) higher performance. The
bf_size: higher memory usage, but (generally) higher performance. The
bloom-filter sizes can vary from low (512) - medium (1024) - high
(2048).
@ -889,13 +889,13 @@ become active.
In the option 'cpu affinity' you can set which CPU's/cores work on which
thread. In this option there are several sets of threads. The management-,
receive-, worker- and verdict-set. These are fixed names and can not be
changed. For each set there are several options: cpu, mode, and prio. In the
changed. For each set there are several options: cpu, mode, and prio. In the
option 'cpu' you can set the numbers of the CPU's/cores which will run the
threads from that set. You can set this option to 'all', use a range (0-3) or a
comma separated list (0,1). The option 'mode' can be set to 'balanced' or
'exclusive'. When set to 'balanced', the individual threads can be processed by
all cores set in the option 'cpu'. If the option 'mode' is set to 'exclusive',
there will be fixed cores for each thread. As mentioned before, threads can
there will be fixed cores for each thread. As mentioned before, threads can
have different priority's. In the option 'prio' you can set a priority for each
thread. This priority can be low, medium, high or you can set the priority to
'default'. If you do not set a priority for a CPU, than the settings in
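Review bot: on the lines directly after the changed one, "threads can have different priority's" should be "priorities" and "If you do not set a priority for a CPU, than the settings" should be "then the settings"; the two changed lines themselves are identical to the removed ones (whitespace only), so this hunk fixes nothing a reader would see.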
@ -972,7 +972,7 @@ packet is reconstructed by the defragment-engine, the engine sends on
the reassembled packet to rest of Suricata.
There are three options within defrag: max-frags, prealloc and
timeout. At the moment Suricata receives a fragment of a packet, it
timeout. At the moment Suricata receives a fragment of a packet, it
keeps in memory that other fragments of that packet will appear soon
to complete the packet. However, there is a possibility that one of
the fragments does not appear. To prevent Suricata for keeping waiting
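Review bot: the trailing context line "To prevent Suricata for keeping waiting" should be "To prevent Suricata from waiting indefinitely", and "sends on the reassembled packet to rest of Suricata" at the top of the hunk is missing "the" before "rest"; both are in lines this hunk already shows, so they can be fixed here.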
@ -997,7 +997,7 @@ Flow Settings
Within Suricata, Flows are very important. They play a big part in the
way Suricata organizes data internally. A flow is a bit similar to a
connection, except a flow is more general.All packets having the same
connection, except a flow is more general. All packets having the same
Tuple (protocol, source IP, destination IP, source-port,
destination-port), belong to the same flow. Packets belonging to a
flow are connected to it internally.
@ -1128,7 +1128,7 @@ exists of two parts: The stream tracking- and the reassembly-engine.
The stream-tracking engine monitors the state of a connection. The
reassembly-engine reconstructs the flow as it used to be, so it will
be recognised by Suricata.
be recognized by Suricata.
The stream-engine has two memcaps that can be set. One for the
stream-tracking-engine and one for the reassembly-engine.
@ -1160,7 +1160,7 @@ started. This way, Suricata misses the original setup of those
sessions. This setup always includes a lot of information. If you want
Suricata to check the stream from that time on, you can do so by
setting the option 'midstream' to 'true'. The default setting is
'false'. Normally Suricata is able to see all packets of a
'false'. Normally Suricata is able to see all packets of a
connection. Some networks make it more complicated though. Some of the
network-traffic follows a different route than the other part, in
other words: the traffic goes asynchronous. To make sure Suricata will
@ -1411,7 +1411,7 @@ use of libhtp.
# Apache does not do this, but IIS does. If enabled, a path such as
# "/one%2ftwo" will be normalized to "/one/two". If the
# backslash_separators option is also enabled, encoded backslash
# characters will be converted too (and subseqently normalized to
# characters will be converted too (and subsequently normalized to
# forward slashes). Accepted values - yes, no.
#path-decode-separators: yes
@ -1442,7 +1442,7 @@ use of libhtp.
# path. Accepted values - none, terminate, status_400, status_404.
path-nul-raw-handling: none
# Sets the replacement characater that will be used to in the lossy
# Sets the replacement character that will be used to in the lossy
# best-fit mapping from Unicode characters into single-byte streams.
# The question mark is the default replacement character.
#set-path-replacement-char: ?
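Review bot: the changed line still reads "the replacement character that will be used to in the lossy", which has a stray "to"; drop it. As with the unified2 comment earlier in the diff, this is quoted configuration text, so the same correction belongs in the shipped config file's comment to keep the two in sync.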
@ -1528,7 +1528,7 @@ is the actual message.)
It is possible to determine which information will be displayed in
this line and (the manner how it will be displayed) in which format it
will be displayed. This option is the so called format string::
will be displayed. This option is the so called format string::
default-log-format: "[%i] %t - (%f:%l) <%d> (%n) -- "
@ -1595,7 +1595,7 @@ Pf-ring
~~~~~~~
The Pf_ring is a library that aims to improve packet capture
performance over libcap. It performs packet acquisition. There are
performance over libcap. It performs packet acquisition. There are
three options within Pf_ring: interface, cluster-id and cluster-type.
::
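Review bot: "performance over libcap" on the changed line should be "libpcap" (the library name); the line is otherwise identical before and after. "The Pf_ring is a library" on the preceding context line should also be "PF_RING is a library", matching the project's own name and the "Pf-ring" heading.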
@ -1718,7 +1718,7 @@ Rule-files
For different categories of risk there are different rule-files
available containing one or more rules. There is a possibility to
instruct Suricata where to find these rules and which rules you want
to be load for use. You can set the directory where the files can be
to be load for use. You can set the directory where the files can be
found.
::
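Review bot: the changed line still reads "which rules you want to be load for use"; it should be "to be loaded for use". Since the line is rewritten here anyway, the fix costs nothing.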
@ -1892,7 +1892,7 @@ Engine-analysis
~~~~~~~~~~~~~~~
The option engine-analysis provides information for signature writers
about how Suricata organises signatures internally.
about how Suricata organizes signatures internally.
Like mentioned before, signatures have zero or more patterns on which
they can match. Only one of these patterns will be used by the multi
@ -2090,9 +2090,9 @@ in yaml.
It is best to use runmode 'single' if you would like to profile the
speed of the code. When using a single thread, there is no situation
in which two threads have to wait for each other . When using two
in which two threads have to wait for each other. When using two
threads, the time threads might have to wait for each other will be
taken in account when/during profiling packets. For more information
taken in account when/during profiling packets. For more information
see :doc:`../performance/packet-profiling`.
Application layers
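Review bot: "taken in account when/during profiling packets" on the second changed line should be "taken into account when profiling packets"; only whitespace differs between the removed and added versions, so the hunk touches this line without fixing it.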
@ -2126,7 +2126,7 @@ Encrypted traffic
There is no decryption of encrypted traffic, so once the handshake is complete
continued tracking of the session is of limited use. The ``no-reassemble``
option controls the behaviour after the handshake.
option controls the behavior after the handshake.
If ``no-reassemble`` is set to ``true``, all processing of this session is
stopped. No further parsing and inspection happens. If ``bypass`` is enabled

@ -49,7 +49,7 @@ information:
www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Adobe
Some rules contain a reference like: "reference:cve,2009-3958;" should
allow you to find info about the specific CVE using your favourite
allow you to find info about the specific CVE using your favorite
search engine.
It's not always straight forward and sometimes not all of that
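Review bot: "It's not always straight forward" on the trailing context line should be "straightforward" (one word).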

@ -124,12 +124,12 @@ Fields
In addition to these fields, if the extended logging is enabled in the suricata.yaml file the following fields are (can) also included:
* "length": The content size of the HTTP body
* "status": HTTP statuscode
* "status": HTTP status code
* "protocol": Protocol / Version of HTTP (ex: HTTP/1.1)
* "http_method": The HTTP method (ex: GET, POST, HEAD)
* "http_refer": The referer for this action
In addition to the extended logging fields one can also choose to enable/add from 50 additional custom logging HTTP fields enabled in the suricata.yaml file. The additional fields can be enabled as following:
In addition to the extended logging fields one can also choose to enable/add from more than 50 additional custom logging HTTP fields enabled in the suricata.yaml file. The additional fields can be enabled as following:
::
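Review bot: "The additional fields can be enabled as following" on the changed line should be "as follows", and the context line "the following fields are (can) also included" is garbled; "the following fields can also be included" says the same thing. Note that changing "from 50" to "from more than 50" is a factual edit rather than a spelling fix and is not mentioned in the commit message; the reviewer should be able to confirm the count against the custom HTTP fields list in the yaml.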
@ -474,7 +474,7 @@ SMB Fields
* "filename" (string): filename for CREATE and other commands.
* "disposition" (string): requested disposition. E.g. FILE_OPEN, FILE_CREATE and FILE_OVERWRITE. See https://msdn.microsoft.com/en-us/library/ee442175.aspx#Appendix_A_Target_119
* "access" (string): indication of how the file was opened. "normal" or "delete on close" (field is subject to change)
* "created", "accessed", "modified", "changed" (interger): timestamps in seconds since unix epoch
* "created", "accessed", "modified", "changed" (integer): timestamps in seconds since unix epoch
* "size" (integer): size of the requested file
* "fuid" (string): SMB2+ file GUID. SMB1 FID as hex.
* "share" (string): share name.

@ -47,7 +47,7 @@ Output types::
Alerts
~~~~~~
Alerts are event records for rule matches. They can be ammended with
Alerts are event records for rule matches. They can be amended with
metadata, such as the application layer record (HTTP, DNS, etc) an
alert was generated for, and elements of the rule.

@ -1,20 +1,20 @@
Syslog Alerting Compatibility
=============================
Suricata can alert via sylog which is a very handy feature for central log collection, compliance, and reporting to a SIEM. Instructions on setting this up can be found in the .yaml file in the section where you can configure what type of alert (and other) logging you would like.
Suricata can alert via sylog which is a very handy feature for central log collection, compliance, and reporting to a SIEM. Instructions on setting this up can be found in the .yaml file in the section where you can configure what type of alert (and other) logging you would like.
However, there are different syslog daemons and there can be parsing issues with the syslog format a SIEM expects and what syslog format Suricata sends. The syslog format from Suricata is dependent on the syslog daemon running on the Suricata sensor but often the format it sends is not the format the SIEM expects and cannot parse it properly.
However, there are different syslog daemons and there can be parsing issues with the syslog format a SIEM expects and what syslog format Suricata sends. The syslog format from Suricata is dependent on the syslog daemon running on the Suricata sensor but often the format it sends is not the format the SIEM expects and cannot parse it properly.
Popular syslog daemons
----------------------
* **syslogd** - logs system messages
* **syslog-ng** - logs system messages but also suports TCP, TLS, and other enhanced enterprise features
* **syslog-ng** - logs system messages but also supports TCP, TLS, and other enhanced enterprise features
* **rsyslogd** - logs system messages but also support TCP, TLS, multi-threading, and other enhanced features
* **klogd** - logs kernel messages
* **sysklogd** - basically a bundle of syslogd and klogd
If the syslog format the Suricata sensor is sending is not compatible with what your SIEM or syslog collector expects, you will need to fix this. You can do this on your SIEM if it is capable of being able to be configured to interpret the message, or by configuring the syslog daemon on the Suricata sensor itself to send in a format you SIEM can parse. The latter can be done by applying a template to your syslog config file.
If the syslog format the Suricata sensor is sending is not compatible with what your SIEM or syslog collector expects, you will need to fix this. You can do this on your SIEM if it is capable of being able to be configured to interpret the message, or by configuring the syslog daemon on the Suricata sensor itself to send in a format you SIEM can parse. The latter can be done by applying a template to your syslog config file.
Finding what syslog daemon you are using
----------------------------------------
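Review bot: "Suricata can alert via sylog" is still misspelled on the changed line, which is otherwise identical to the removed one, so the typo this hunk appears intended to fix was missed; change it to "syslog". In the same hunk, "but also support TCP" in the rsyslogd bullet should be "supports" to match the syslog-ng bullet, and "a format you SIEM can parse" should be "your SIEM".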
@ -27,7 +27,7 @@ There are many ways to find out what syslog daemon you are using but here is one
cd /etc/init.d
ls | grep syslog
You should see a file with the word syslog in it, e.g. "syslog", "rsyslogd", etc. Obviously if the name is "rsyslogd" you can be fairly confident you are running rsyslogd. If unsure or the filename is just "syslog", take a look at that file. For example, if it was "rsyslogd", run:
You should see a file with the word syslog in it, e.g. "syslog", "rsyslogd", etc. Obviously if the name is "rsyslogd" you can be fairly confident you are running rsyslogd. If unsure or the filename is just "syslog", take a look at that file. For example, if it was "rsyslogd", run:
::
@ -41,12 +41,12 @@ At the top you should see a comment line that looks something like this:
# rsyslog Starts rsyslogd/rklogd.
Locate those files and look at them to give you clues as to what syslog daemon you are running. Also look in the *start()* section of the file you ran "less" on and see what binaries get started because that can give you clues as well.
Locate those files and look at them to give you clues as to what syslog daemon you are running. Also look in the *start()* section of the file you ran "less" on and see what binaries get started because that can give you clues as well.
Example
-------
Here is an example where the Suricata sensor is sending syslog messages in rsyslogd format but the SIEM is expecting and parsing them in a sysklogd format. In the syslog configuration file (ususally in /etc with a filename like rsyslog.conf or syslog.conf), first add the template:
Here is an example where the Suricata sensor is sending syslog messages in rsyslogd format but the SIEM is expecting and parsing them in a sysklogd format. In the syslog configuration file (usually in /etc with a filename like rsyslog.conf or syslog.conf), first add the template:
::

@ -8,7 +8,7 @@
.. option:: -U, --unittest-filter=REGEX
With the -U option you can select which of the unit tests you want
to run. This option uses REGEX. Example of use: suricata -u -U
to run. This option uses REGEX. Example of use: suricata -u -U
http
.. option:: --list-unittests
@ -18,7 +18,7 @@
.. option:: --fatal-unittests
Enables fatal failure on a unit test error. Suricata will exit
instead of continuuing more tests.
instead of continuing more tests.
.. option:: --unittests-coverage

@ -13,9 +13,9 @@ There are three ways of using this keyword:
For the ENIP command, we are matching against the command field found in the ENIP encapsulation.
For the CIP Service, we use a maximum of 3 comma seperated values representing the Service, Class and Attribute.
These values are described in the CIP specification. CIP Classes are associated with their Service, and CIP Attributes
are associated with their Service. If you only need to match up until the Service, then only provide the Service value.
For the CIP Service, we use a maximum of 3 comma separated values representing the Service, Class and Attribute.
These values are described in the CIP specification. CIP Classes are associated with their Service, and CIP Attributes
are associated with their Service. If you only need to match up until the Service, then only provide the Service value.
If you want to match to the CIP Attribute, then you must provide all 3 values.

@ -2,8 +2,8 @@ Suricata Fast Pattern Determination Explained
=============================================
If the 'fast_pattern' keyword is explicitly set in a rule, Suricata
will use that as the fast pattern match. The 'fast_pattern' keyword
can only be set once per rule. If 'fast_pattern' is not set, Suricata
will use that as the fast pattern match. The 'fast_pattern' keyword
can only be set once per rule. If 'fast_pattern' is not set, Suricata
automatically determines the content to use as the fast pattern match.
The following explains the logic Suricata uses to automatically
@ -11,7 +11,7 @@ determine the fast pattern match to use.
Be aware that if there are positive (i.e. non-negated) content
matches, then negated content matches are ignored for fast pattern
determination. Otherwise, negated content matches are considered.
determination. Otherwise, negated content matches are considered.
The fast_pattern selection criteria are as follows:
@ -111,13 +111,13 @@ fast pattern match for Suricata 2.0.7 but registration order does.
Appendix C - Pattern Strength Algorithm
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From detect-engine-mpm.c. Basically the Pattern Strength "score"
From detect-engine-mpm.c. Basically the Pattern Strength "score"
starts at zero and looks at each character/byte in the passed in byte
array from left to right. If the character/byte has not been seen
array from left to right. If the character/byte has not been seen
before in the array, it adds 3 to the score if it is an alpha
character; else it adds 4 to the score if it is a printable character,
0x00, 0x01, or 0xFF; else it adds 6 to the score. If the
character/byte has been seen before it adds 1 to the score. The final
0x00, 0x01, or 0xFF; else it adds 6 to the score. If the
character/byte has been seen before it adds 1 to the score. The final
score is returned.
.. code-block:: c
@ -131,7 +131,7 @@ score is returned.
* Longer patterns score better than short patters.
*
* \param pat pattern
* \param patlen length of the patternn
* \param patlen length of the pattern
*
* \retval s pattern score
*/
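Review bot: "Longer patterns score better than short patters." on the context line directly above the changed "\param patlen" line should be "short patterns". Since this block is quoted from detect-engine-mpm.c (see the ".. code-block:: c" above it), both typos exist in the source comment as well; fix them there too so the excerpt stays verbatim.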

@ -8,7 +8,7 @@ ttl
^^^
The ttl keyword is used to check for a specific IP time-to-live value
in the header of a packet. The format is::
in the header of a packet. The format is::
ttl:<number>
@ -19,9 +19,9 @@ For example::
At the end of the ttl keyword you can enter the value on which you
want to match. The Time-to-live value determines the maximal amount
of time a packet can be in the Internet-system. If this field is set
to 0, then the packet has to be destroyed. The time-to-live is based
to 0, then the packet has to be destroyed. The time-to-live is based
on hop count. Each hop/router the packet passes subtracts one of the
packet TTL counter. The purpose of this mechanism is to limit the
packet TTL counter. The purpose of this mechanism is to limit the
existence of packets so that packets can not end up in infinite
routing loops.
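Review bot: "Each hop/router the packet passes subtracts one of the packet TTL counter" on the context line should be "subtracts one from the packet's TTL counter"; the two changed lines are whitespace-only.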
@ -73,7 +73,7 @@ sameip
Every packet has a source IP-address and a destination IP-address. It
can be that the source IP is the same as the destination IP. With the
sameip keyword you can check if the IP address of the source is the
same as the IP address of the destination. The format of the sameip
same as the IP address of the destination. The format of the sameip
keyword is::
sameip;
@ -116,7 +116,7 @@ id
With the id keyword, you can match on a specific IP ID value. The ID
identifies each packet sent by a host and increments usually with one
with each packet that is being send. The IP ID is used as a fragment
with each packet that is being send. The IP ID is used as a fragment
identification number. Each packet has an IP ID, and when the packet
becomes fragmented, all fragments of this packet have the same ID. In
this way, the receiver of the packet knows which fragments belong to
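Review bot: "with each packet that is being send" on the changed line should be "being sent"; the line is otherwise unchanged. The same send/sent confusion recurs throughout this file (fragbits, seq, ack, window and ICMP sections below), so it is worth a single pass over the file rather than fixing it hunk by hunk.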
@ -164,8 +164,8 @@ fragbits (IP fragmentation)
With the fragbits keyword, you can check if the fragmentation and
reserved bits are set in the IP header. The fragbits keyword should be
placed at the beginning of a rule. Fragbits is used to modify the
fragmentation mechanism. During routing of messages from one Internet
placed at the beginning of a rule. Fragbits is used to modify the
fragmentation mechanism. During routing of messages from one Internet
module to the other, it can occur that a packet is bigger than the
maximal packet size a network can process. In that case, a packet can
be send in fragments. This maximum of the packet size is called
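Review bot: "a packet can be send in fragments" on the trailing context line should be "sent in fragments"; the two changed lines are identical to the removed ones (whitespace only).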
@ -198,9 +198,9 @@ fragoffset
^^^^^^^^^^
With the fragoffset keyword you can match on specific decimal values
of the IP fragment offset field. If you would like to check the first
of the IP fragment offset field. If you would like to check the first
fragments of a session, you have to combine fragoffset 0 with the More
Fragment option. The fragmentation offset field is convenient for
Fragment option. The fragmentation offset field is convenient for
reassembly. The id is used to determine which fragments belong to
which packet and the fragmentation offset field clarifies the order of
the fragments.
@ -227,12 +227,12 @@ TCP keywords
seq
^^^
The seq keyword can be used in a signature to check for a specific TCP
sequence number. A sequence number is a number that is generated
sequence number. A sequence number is a number that is generated
practically at random by both endpoints of a TCP-connection. The
client and the server both create a sequence number, which increases
with one with every byte that they send. So this sequence number is
different for both sides. This sequence number has to be acknowledged
by both sides of the connection. Through sequence numbers, TCP
by both sides of the connection. Through sequence numbers, TCP
handles acknowledgement, order and retransmission. Its number
increases with every data-byte the sender has send. The seq helps
keeping track of to what place in a data-stream a byte belongs. If the
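Review bot: "every data-byte the sender has send" on the context line should be "has sent", and "keeping track of to what place in a data-stream a byte belongs" reads better as "keeping track of where in a data stream a byte belongs"; the changed lines are whitespace-only.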
@ -261,7 +261,7 @@ The ack is the acknowledgement of the receipt of all previous
(data)-bytes send by the other side of the TCP-connection. In most
occasions every packet of a TCP connection has an ACK flag after the
first SYN and a ack-number which increases with the receipt of every
new data-byte. The ack-keyword can be used in a signature to check
new data-byte. The ack keyword can be used in a signature to check
for a specific TCP acknowledgement number.
Format of ack::
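Review bot: the "ack-keyword" to "ack keyword" change is consistent with "seq keyword" above, but the context lines still have "(data)-bytes send by the other side" (should be "sent") and "a ack-number" (should be "an ack number"); fix them in the same hunk.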
@ -289,7 +289,7 @@ received. This amount of data has to be acknowledged by the receiver
first, before the sender can send the same amount of new data. This
mechanism is used to prevent the receiver from being overflowed by
data. The value of the window size is limited and can be 2 to 65.535
bytes. To make more use of your bandwidth you can use a bigger
bytes. To make more use of your bandwidth you can use a bigger
TCP-window.
The format of the window keyword::
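Review bot: "can be 2 to 65.535 bytes" on the context line uses a European thousands separator and will be read as 65.535; write "65,535" or "65535". The changed line is whitespace-only.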
@ -310,7 +310,7 @@ is not reliable when it comes to delivering data (datagram). ICMP
gives feedback in case problems occur. It does not prevent problems
from happening, but helps in understanding what went wrong and
where. If reliability is necessary, protocols that use IP have to take
care of reliability themselves. In different situations ICMP messages
care of reliability themselves. In different situations ICMP messages
will be send. For instance when the destination is unreachable, if
there is not enough buffer-capacity to forward the data, or when a
datagram is send fragmented when it should not be, etcetera. More can
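Review bot: "ICMP messages will be send" and "a datagram is send fragmented" on the context lines should both use "sent"; the changed line is whitespace-only.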
@ -326,7 +326,7 @@ itype
The itype keyword is for matching on a specific ICMP type (number).
ICMP has several kinds of messages and uses codes to clarify those
messages. The different messages are distinct by different names, but
more important by numeric values. For more information see the table
more important by numeric values. For more information see the table
with message-types and codes.
The format of the itype keyword::
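Review bot: "The different messages are distinct by different names, but more important by numeric values" on the lines above the change should read "are distinguished by different names, but more importantly by numeric values"; the changed line is whitespace-only.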

@ -71,7 +71,7 @@ Examples::
modbus: access read input # Read access to Discretes Input table
modbus: access write coils # Write access to Coils table
modbus: access read discretes, address <100 # Read access at address smaller than 100 of Discretes Input table
modbus: access write holding, address 500, value >200 # Write value greather than 200 at address 500 of Holding Registers table
modbus: access write holding, address 500, value >200 # Write value greater than 200 at address 500 of Holding Registers table
With the setting **unit**, you can match on:
@ -108,7 +108,7 @@ Examples::
modbus: unit 10, access read # Unit identifier 10 and Read access
modbus: unit 10, access write coils # Unit identifier 10 and Write access to Coils table
modbus: unit >10, access read discretes, address <100 # Greater than unit identifier 10 and Read access at address smaller than 100 of Discretes Input table
modbus: unit 10<>20, access write holding, address 500, value >200 # Greater than unit identifier 10 and smaller than unit identifier 20 and Write value greather than 200 at address 500 of Holding Registers table
modbus: unit 10<>20, access write holding, address 500, value >200 # Greater than unit identifier 10 and smaller than unit identifier 20 and Write value greater than 200 at address 500 of Holding Registers table
(cf. http://www.modbus.org/docs/Modbus_Application_Protocol_V1_1b3.pdf)

@ -42,7 +42,7 @@ Threading
---------
Due to subtle timing issues between threads the order of sets and checks
can be slightly unpredictible.
can be slightly unpredictable.
Unix Socket
-----------
