RE: https://infosec.exchange/@suricata/116291041184617317

Got some of my work featured in this post as well -- Operating in the margins, and Suricata: An Operator's Guide release up to chapter 9.

This newsletter appears to be run about once quarterly-ish. If you have anything network forensics related, more specifically Suricata-related, let me know. I want to pass it along and ensure that the rest of our community gets recognition.

Likewise, if you have a Suricata/NSM-related question you want answered, I would be happy to answer it and write about it on community.emergingthreats.net, so that everyone can benefit from the insight.

As always, thanks to OISF, and @ish for featuring my work, alongside the work of the community.

#Suricata #OISF #newsletter

@da_667 @ish OK, here's a question: Can I use Suricata in conjunction with an older Layer 3 firewall to achieve the same functionality I would get out of a modern, Layer 7 NGFW?

Or am I fundamentally misunderstanding Suricata's role?

That's an excellent question you bring up. So this is my opinion, but Suricata has a lot of the features that NGFWs do. It's entirely possible to do something like what you're thinking to replace an NGFW.

In fact, if you're curious to try out a pre-built example, you might consider taking a look at OPNSense.

OPNSense is, essentially, a fork of PFSense with a good number of changes under the hood.

There's a pre-configured/pre-installed Suricata installation that integrates with the rest of the firewall functionality, and you can also acquire access to the Emerging Threats Pro set through an agreement to provide generalized alert telemetry.

Otherwise, Suricata is well-documented. One of the features for firewall integration with inline operation includes NFQueue, but there's also AFPACKET and other traffic capture modes available as well.

As far as features go, they outnumber the stars in the sky at this point.

You want flow? It can do flow. You want file carving? It can do file carving. You want HTTP/SSL logs? It can do that as well.

The latest versions also support integration with nTop's nDPI library for even more rule writing and detection options.

There is a lot of curation that comes with deploying Suricata to eliminate false positives, and that's probably one of the biggest differences from an NGFW -- the care and feeding required to not have to deal with alert fatigue.

@da_667 I would tend entire gardens of things to avoid responding to the same alerts every few days. (You know, back when I was employed, lol.)

@da_667 OPNSense was exactly the firewall I was thinking of when I posed the question; however, I've only played around with it in a homelab setting as a Layer 3 firewall and never installed Suricata or Snort to extend its capabilities (though I have read of people trying to do this). I've always been curious about it, but it seems like such a whole ocean of features to dive into that it's always been on the back burner.

However, now that I have access to some different enterprise tools that have some of the same functionality, I do find myself looking back at Suricata for things like PCAP capture, session rebuilding, and making custom highly targeted rules.

The reason I ask is mostly so I can understand where Suricata fits in the network stack: does it become part of the firewall, like the OPNSense integration would suggest? Is it better to mirror a port on the switch and have it run as a separate box with that as its source? Is it an additional log source for a SIEM? Once it's set up, will it do IDS/IPS functions on its own, or am I going to have to sit there manually monitoring the traffic? It's a bunch of little questions that the documentation isn't great about answering directly (mostly because I think the answer is "yes" to everything).

@Mustardfacial so, Suricata can do really effective pcap capture, but usually of just the packet(s) that triggered a given rule. I know that Security Onion features heavy integration with an ELK stack, and I'd imagine they'd probably have some form of pcap logging as well. I know that for Splunk, if the EVE.json logging is enabled and pcap is enabled, it's usually tacked on as a blob of base64 to decode into a pcap for further analysis, or sometimes a hex dump.

The biggest time investment with Suricata is generally surrounding rule management and tuning: figuring out what alerts have value to you, disabling the stuff you don't need or don't care about, etc. Once you have that down, the manual work is usually around managing the new rules that come out for false positives, and then deciding if you want to drop traffic inline, or if you're okay with getting alerts and reviewing them (not many places drop packets when IPS/inline mode is enabled).
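The two points above (the base64 packet blob in EVE alert records, and tuning by finding which signatures fire most) can be worked through on the log itself. The script below is an added example and is not code from the thread or from the Suricata project. It assumes the standard EVE alert fields (`event_type`, `alert.signature_id`, `alert.signature`) and the optional `packet` field that Suricata emits when `packet: yes` is set for the eve-log alert output; the log lines it reads are constructed sample data, and the suppress lines it prints use the `threshold.config` syntax and are meant as candidates for a human to review, not as an automatic change.

```python
"""Triage a Suricata EVE JSON alert log: rank noisy signatures, draft
threshold.config suppress lines, and unpack embedded packets into a pcap.
Added example; sample log lines are constructed, not real traffic."""
import base64
import json
import struct
from collections import Counter
from datetime import datetime

# Constructed sample: two hits on one signature (with packets), one hit on
# another, plus a flow record that is not an alert. The 14-byte "packet" is
# an arbitrary stand-in for a frame, not captured data.
SAMPLE_PACKET = base64.b64encode(bytes(range(14))).decode()
SAMPLE_EVE = "\n".join(json.dumps(e) for e in [
    {"timestamp": "2024-01-01T00:00:01.000000+0000", "event_type": "alert",
     "src_ip": "10.0.0.5", "dest_ip": "10.0.0.9",
     "alert": {"signature_id": 1000001, "signature": "EXAMPLE noisy rule"},
     "packet": SAMPLE_PACKET, "packet_info": {"linktype": 1}},
    {"timestamp": "2024-01-01T00:00:02.000000+0000", "event_type": "flow",
     "src_ip": "10.0.0.5", "dest_ip": "10.0.0.9"},
    {"timestamp": "2024-01-01T00:00:03.000000+0000", "event_type": "alert",
     "src_ip": "10.0.0.6", "dest_ip": "10.0.0.9",
     "alert": {"signature_id": 1000001, "signature": "EXAMPLE noisy rule"},
     "packet": SAMPLE_PACKET, "packet_info": {"linktype": 1}},
    {"timestamp": "2024-01-01T00:00:04.000000+0000", "event_type": "alert",
     "src_ip": "10.0.0.7", "dest_ip": "10.0.0.9",
     "alert": {"signature_id": 1000002, "signature": "EXAMPLE rare rule"}},
])


def parse_eve(text):
    """Parse EVE JSON lines, keeping only alert events."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if line:
            event = json.loads(line)
            if event.get("event_type") == "alert":
                events.append(event)
    return events


def alert_counts(events):
    """Count alerts per (sid, signature) so the noisiest rules surface first."""
    counts = Counter()
    for event in events:
        alert = event["alert"]
        counts[(alert["signature_id"], alert["signature"])] += 1
    return counts


def suppress_candidates(counts, threshold):
    """Draft threshold.config suppress lines for signatures firing at least
    `threshold` times. A frequent rule may still be the one you care about,
    so these are review candidates, not a tuning decision."""
    lines = []
    for (sid, signature), count in counts.most_common():
        if count < threshold:
            break
        lines.append(f"# {count} hits: {signature}")
        lines.append(f"suppress gen_id 1, sig_id {sid}")
    return lines


def packets_to_pcap(events):
    """Decode each alert's base64 `packet` blob into a classic libpcap stream
    (little-endian, microsecond timestamps) for Wireshark/tshark."""
    linktype = 1  # Ethernet unless the first packet-bearing event says otherwise
    for event in events:
        if "packet" in event:
            linktype = event.get("packet_info", {}).get("linktype", 1)
            break
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype))
    for event in events:
        blob = event.get("packet")
        if not blob:
            continue  # packet logging was off for this alert
        raw = base64.b64decode(blob)
        ts = datetime.strptime(event["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")
        out += struct.pack("<IIII", int(ts.timestamp()), ts.microsecond, len(raw), len(raw))
        out += raw
    return bytes(out)


if __name__ == "__main__":
    alerts = parse_eve(SAMPLE_EVE)
    for (sid, sig), n in alert_counts(alerts).most_common():
        print(f"{n:6d}  {sid}  {sig}")
    print("\n".join(suppress_candidates(alert_counts(alerts), 2)))
    with open("alert_packets.pcap", "wb") as fh:
        fh.write(packets_to_pcap(alerts))
```

Point `parse_eve` at the contents of a real `eve.json` to get the same ranking over live data; the suppress lines go into `threshold.config` only after someone has decided the rule really is noise rather than a repeat offender.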

@da_667 I should probably just build one and fuck around with it. Thanks for all of the advice so far.