Suricata Network IDS/IPS Installation, Setup, and How To Tune The Rules &

Further discussion about Snort VS Suricata
https://www.reddit.com/r/PFSENSE/comments/c95ixe/suricata_snort_questions_about_relationship_and/
https://www.reddit.com/r/PFSENSE/comments/aaga1x/suricata_or_snort_for_less_false_positives_and/

Is Snort multi-threaded now? That was one reason I went with Suricata, but using the free Snort rules.

Finally watched this version video, had one question.

When I have blocking turned on, I want to permanently block some of my regular attackers, but not all attacks. Is there an easy way to do this?

And one note about the length of time to block… When you change things like adding a VPN, you might want to set the timer very short! I locked myself out doing something that tripped a rule. The VPN was connected and things were fine, but I think when I fired off an RDP session it got snagged and blocked my IP from home. I had a second way to get in, which let me clear the issue and unblock my IP. Without that other way in, I would have had to wait several hours to try to figure out what went wrong.

The blocks are done by IP, so there is no way to permanently block without either manually creating a rule for each person or setting the block clear time to never.

That’s what I thought. I need to dig into the geo blocking and figure out what I did wrong; most of these repeat offenders are from countries that I can block.

Very interesting video.
In my case I spend a lot of time investigating the “generic protocol command decoding” alerts.

I have noted that a lot of the time they are caused for a valid reason:

  • Asymmetric routes.
  • Incorrect network mask on one device.
  • Poorly programmed applications not following the standards (including malware).
  • Misconfigured web services or pages.
  • Network card or its driver.

If you are getting many alerts from one device, I recommend investigating before suppressing or disabling rules.

Hi Tom,

Thanks for your wonderful guide to setting up Suricata.
I have just set it up using the guide and am running it. I have enabled Suricata for only the LAN interface, since no ports are open on WAN.
I noticed “SURICATA UDPv4 invalid checksum” alerts which are mostly port 53.
Also I have NAT “Redirect DNS” rules in place. I use Intel NIC.

Is it due to the mentioned NAT rule?
Should I “Disable hardware checksum offload” in pfSense?

Update: Thanks again Tom, I just went through your video from 2017 and got the idea of tuning Suricata. So I just disabled the rule.
Thanks again for your tremendous help man.
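The “SURICATA UDPv4 invalid checksum” alerts in the post above come from a mechanism worth seeing concretely: with hardware checksum offload enabled, the kernel hands a packet to the NIC with only a partial (pseudo-header) value in the UDP checksum field and lets the card finish it, so a sensor capturing on that same interface sees a checksum that does not verify. The script below is an added example, not code from the video or the pfSense Suricata package: it computes and verifies the RFC 768 UDPv4 checksum over a constructed DNS query (made-up addresses and ports) and shows the three states a sensor can observe: a finished checksum, the offload partial sum, and the IPv4 “no checksum” zero value. The way the kernel fills the field before offload is simplified here and is an assumption, not a copy of any specific driver.

```python
import socket
import struct

# Constructed sample: a DNS query for example.com from 192.168.1.20:51234
# to the local resolver 192.168.1.1:53. None of this is captured traffic.
SRC_IP, DST_IP = "192.168.1.20", "192.168.1.1"
SRC_PORT, DST_PORT = 51234, 53
DNS_QUERY = (
    b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"  # header: id, RD, 1 question
    + b"\x07example\x03com\x00"                            # QNAME
    + b"\x00\x01\x00\x01"                                  # QTYPE A, QCLASS IN
)


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's complement sum with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"  # odd length is padded with a zero byte
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def udp_pseudo_header(src_ip: str, dst_ip: str, udp_len: int) -> bytes:
    """IPv4 pseudo-header: src, dst, zero, protocol 17, UDP length."""
    return socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!BBH", 0, 17, udp_len)


def udp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """Checksum of a UDP segment (header + payload) as the sender must fill it in."""
    zeroed = segment[:6] + b"\x00\x00" + segment[8:]  # checksum field counts as zero
    csum = 0xFFFF ^ ones_complement_sum(udp_pseudo_header(src_ip, dst_ip, len(segment)) + zeroed)
    return csum or 0xFFFF  # RFC 768: a computed zero is transmitted as all ones


def build_udp(src_port: int, dst_port: int, payload: bytes, checksum: int) -> bytes:
    return struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), checksum) + payload


def verify_udp(src_ip: str, dst_ip: str, segment: bytes) -> str:
    """Classify a captured segment the way a sensor would: absent, valid, or invalid."""
    stored = struct.unpack("!H", segment[6:8])[0]
    if stored == 0:
        return "absent"  # legal in IPv4 UDP: checksum not used
    return "valid" if udp_checksum(src_ip, dst_ip, segment) == stored else "invalid"


def offload_partial(src_ip: str, dst_ip: str, udp_len: int) -> int:
    """Simplified model (assumption) of what the host leaves in the field when the
    NIC is expected to finish the checksum: only the pseudo-header sum is present."""
    return ones_complement_sum(udp_pseudo_header(src_ip, dst_ip, udp_len))


def observe_all_cases() -> dict:
    """Return the verification result for the three ways the field can be captured."""
    finished = build_udp(SRC_PORT, DST_PORT, DNS_QUERY, 0)
    finished = build_udp(SRC_PORT, DST_PORT, DNS_QUERY, udp_checksum(SRC_IP, DST_IP, finished))
    partial = build_udp(SRC_PORT, DST_PORT, DNS_QUERY, offload_partial(SRC_IP, DST_IP, 8 + len(DNS_QUERY)))
    none = build_udp(SRC_PORT, DST_PORT, DNS_QUERY, 0)
    return {
        "finished_by_stack": verify_udp(SRC_IP, DST_IP, finished),
        "offload_partial": verify_udp(SRC_IP, DST_IP, partial),
        "no_checksum": verify_udp(SRC_IP, DST_IP, none),
    }


if __name__ == "__main__":
    for case, result in observe_all_cases().items():
        print(f"{case:>18}: {result}")
```

The “offload_partial” case is the one that fires the decoder rule on a firewall that is both the sender of the DNS traffic (the NAT redirect makes pfSense the DNS client) and the capture point. Disabling hardware checksum offload makes the stack finish the checksum before capture; the other option is to tell the sensor not to validate checksums at all (Suricata’s `-k none` command-line option or the `checksum-validation` setting under `stream:` in suricata.yaml), which trades the alert away rather than fixing the captured packet.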

Thanks a lot for this video. Good that you mention it takes time to go through the alerts. My time is precious to me, so I’ll need to make a careful tradeoff whether or not I will use this package.

First question is: do I need some kind of protection at all? Would you be willing to think along?

Here is my use case:
In my home environment, I would like to set up a Synology Cloud server, just to open up our family data shared folders to the internet so whenever we are away from home we can access our data. This way we can do away with Dropbox, OneDrive and such.

I have strong account passwords set on my Synology, but otherwise it’s factory set.

Question #1
Are there any risks involved in this setup that would require Suricata?

Question #2
Given the limited number of forwarded ports, would Suricata generate a massive list of alerts I need to crawl through, or would a weekly 10 minute scan be enough?

Thanks!

Q1: It’s only as secure as the Synology software, and I don’t think there are any known issues right now.

Q2: I am not sure how many false positives Suricata would have with Synology, but Suricata always has a lot of alerts anyway.


So I wanted to mention that you can inspect SSL traffic with Suricata on pfSense. The “gotcha” is that you will need to install the Squid proxy on pfSense, set it up with a CA, and install the CA on all the devices you want to inspect SSL traffic for. You mentioned it can only look at unencrypted traffic, but it can be done. @LTS_Tom 🙂

When this YT video was made it was based on Suricata v5.0.0. But it appears that it tends to be a memory hog. I’m using an SG-3100 and with Suricata v6.0.4 it does not like running on it. Of course there’s only 2 GB of memory. But Suricata keeps dying; the system logs show “suricata was killed: out of swap space”.

Any suggestions on fixing this, or does this mean I need to upgrade to an appliance that has significantly more resources? Like 8 GB of RAM, since I plan on using pfBlockerNG; I’m pretty sure that won’t work on 2 GB of RAM either.

You will need to move to a system with more memory.

That’s what I was afraid of. I also noticed Netgate doesn’t have the SG-3100 in their product line. It goes from 2100 to 4100.

Is the ram soldered in place or socketed?

The RAM is not upgradable. I mean, I could fix the issue by adding an M.2 in there to create more swap space. But that’s really a no-no even with an SSD. Besides, this model is not available for purchase anymore. It’s just better to upgrade, and I’ve moved from a dual-core to a quad-core with 8 GB of RAM, upgradable to 16 GB, and 1 TB of storage. Which is going to be better for my current and future needs. The max storage you could have with the 3100 is 32 GB.

When you’re fine tuning Suricata, why would you want to force-disable a rule to remove a false positive? Doesn’t this just disable the rule entirely for any IP address?

Example: I have a SURICATA STREAM suspected RST injection alert. I know that this is from my FrankerFaceZ Chrome extension. If I force-disable this rule, this would mean that the rule doesn’t apply to any other suspected RST injection regardless of dst IP, correct?

Also, do you fine tune based on the local IP or the external IP? For example, if the dst IP is your local IP but you know the src IP is from, say, googleusercontent, do you disable that rule? Or do you disable based on where your local IP is going to, not coming from?

There are 3 options when you disable a rule: the option furthest right disables the rule, the other two suppress it by source or destination IP. When you mouse over them they tell you what they do.

Yes, I understand that. I know that you can suppress an alert for a rule or a host/network. I also understand that you can disable the rule for all hosts or networks. In your video, you say that to fine-tune the rules you click on the X if you know what host is generating that rule. I am interpreting from the video that if you know what’s on your network generating the alert for that rule, you disable the rule to fine-tune the rules.

What I’m trying to understand from the video is why would you want to disable a rule for an entire network? And not suppress the rule for the specific host for that rule.

Because if you have several hosts that should be doing what they are doing, it’s fine; we don’t care, we know what they are doing. But if you disable that rule, then other hosts on that network that shouldn’t be doing what they are doing get away with it, because the rule is disabled as a false positive.

Or am I just making things more confusing for myself?
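The difference the last two posts are circling (suppress by source or destination IP versus disabling the rule outright) is exactly what Suricata’s threshold.config `suppress` lines express, and it is easy to see on sample data. The script below is an added example, not code from the video or from the pfSense Suricata package: it parses `suppress` lines in Suricata’s own syntax (`suppress gen_id <gid>, sig_id <sid>, track by_src|by_dst|by_either, ip <host or CIDR>`), applies them to a handful of constructed eve.json-style alert records, and compares the outcome with simply removing the SID from the rule set. The SIDs 9000001/9000002, the hosts and the signature names are made up for the demonstration.

```python
import ipaddress
import re


def _alert(src, dst, sid, name):
    """Build a minimal eve.json-shaped alert record (constructed, not captured)."""
    return {"src_ip": src, "dest_ip": dst, "alert": {"gid": 1, "signature_id": sid, "signature": name}}


RST = "CONSTRUCTED STREAM suspected RST injection"
SAMPLE_ALERTS = [
    _alert("192.168.1.20", "203.0.113.10", 9000001, RST),   # the known browser-extension host
    _alert("192.168.1.20", "203.0.113.11", 9000001, RST),   # same host, another destination
    _alert("192.168.1.50", "198.51.100.7", 9000001, RST),   # a different LAN host, same rule
    _alert("198.51.100.9", "192.168.1.20", 9000001, RST),   # inbound, known host is the destination
    _alert("192.168.1.20", "198.51.100.7", 9000002, "CONSTRUCTED unrelated rule"),
]

# One threshold.config suppress line; the track/ip part is optional.
SUPPRESS_RE = re.compile(
    r"^suppress\s+gen_id\s+(?P<gid>\d+)\s*,\s*sig_id\s+(?P<sid>\d+)"
    r"(?:\s*,\s*track\s+(?P<track>by_src|by_dst|by_either)\s*,\s*ip\s+(?P<ip>\S+))?\s*$"
)


def parse_suppress_list(text: str) -> list:
    """Parse threshold.config-style suppress lines; comments and blanks are ignored."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = SUPPRESS_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised suppress line: {raw!r}")
        net = ipaddress.ip_network(m["ip"], strict=False) if m["ip"] else None
        rules.append({"gid": int(m["gid"]), "sid": int(m["sid"]), "track": m["track"], "net": net})
    return rules


def is_suppressed(alert: dict, rules: list) -> bool:
    """True if any suppress rule matches this alert's signature and tracked address."""
    gid, sid = alert["alert"]["gid"], alert["alert"]["signature_id"]
    src, dst = ipaddress.ip_address(alert["src_ip"]), ipaddress.ip_address(alert["dest_ip"])
    for r in rules:
        if (r["gid"], r["sid"]) != (gid, sid):
            continue
        if r["net"] is None:
            return True  # no track/ip: suppressed for every host, same effect as disabling
        if r["track"] == "by_src" and src in r["net"]:
            return True
        if r["track"] == "by_dst" and dst in r["net"]:
            return True
        if r["track"] == "by_either" and (src in r["net"] or dst in r["net"]):
            return True
    return False


def apply_tuning(alerts: list, suppress_text: str = "", disabled_sids=()) -> list:
    """Return the alerts that survive a suppress list plus a set of disabled SIDs."""
    rules = parse_suppress_list(suppress_text)
    disabled = set(disabled_sids)
    return [a for a in alerts if a["alert"]["signature_id"] not in disabled and not is_suppressed(a, rules)]


def compare_policies(alerts: list = SAMPLE_ALERTS) -> dict:
    """Surviving alerts under each tuning choice discussed in the thread."""
    return {
        "no_tuning": apply_tuning(alerts),
        "suppress_by_src": apply_tuning(alerts, "suppress gen_id 1, sig_id 9000001, track by_src, ip 192.168.1.20"),
        "suppress_by_dst": apply_tuning(alerts, "suppress gen_id 1, sig_id 9000001, track by_dst, ip 192.168.1.20"),
        "disable_sid": apply_tuning(alerts, disabled_sids={9000001}),
    }


if __name__ == "__main__":
    for policy, remaining in compare_policies().items():
        pairs = ", ".join(f"{a['src_ip']}->{a['dest_ip']} sid {a['alert']['signature_id']}" for a in remaining)
        print(f"{policy:>16}: {len(remaining)} left  [{pairs}]")
```

Run it and the answer to the question above falls out of the counts: suppressing by source for the known host keeps the alert from 192.168.1.50 and the inbound alert aimed at 192.168.1.20, suppressing by destination keeps everything except that inbound one, and disabling the SID silences all four RST-injection alerts including the one from the host nobody vetted. Suppress on the address that identifies the thing you have actually verified (the browser host as source here), and reserve disabling for rules that are noise everywhere.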