Tools | February 9, 2026 | 2 min read | by 0xt0pus

Suricata

Open-source IDS/IPS for network traffic analysis and threat detection using signatures



Description

Suricata is an open-source NSM (Network Security Monitoring) engine that can analyze live traffic or PCAP files. By default it runs as an IDS (Intrusion Detection System): it inspects traffic and alerts on matching signatures. Deployed inline it can also run as an IPS (Intrusion Prevention System) and drop traffic that matches a signature. It can be installed on a single host or on a gateway to inspect inbound and outbound traffic and alert.

Usage 1: Test Suricata Configuration

Validate that the configuration file parses and that the rule files it references load, without starting the engine. The configuration path is given with -c; -v makes Suricata report which rule files were loaded and how many rules failed to parse.

Command:

sudo suricata -T -c /etc/suricata/suricata.yaml -v

Usage 2: Analyze a PCAP File Against Suricata Signatures

Run Suricata against a PCAP file to detect malicious activity. Suricata writes four log files (fast.log, eve.json, stats.log, suricata.log) to the default-log-dir set in suricata.yaml, normally /var/log/suricata/; pass -l . to write them to the current directory instead, which is what the next step assumes. If the capture was taken on a host with checksum offloading, add -k none so bad checksums do not cause packets to be skipped.

Command:

sudo suricata -r 2017-06-28-traffic-analysis-exercise.pcap -l .

Usage 3: View Alerts from fast.log

Check the first ten lines of fast.log to see the detected malware download stages and C&C communications for this capture.

Command:

head -n10 fast.log

Usage 4: Monitor Live Alerts (Tail fast.log)

Tail Suricata's fast.log in real time to watch suspicious traffic as it is detected; -n0 skips the existing content so only new alerts are shown.

Command:

sudo tail -n0 -f /var/log/suricata/fast.log

Usage 5: Detect Nmap Scan with Suricata IDS

Run an Nmap http-enum scan while Suricata is watching the traffic to demonstrate signature-based detection of web application attack traffic. The Emerging Threats ruleset matches the Nmap Scripting Engine User-Agent that the script sends, so the scan shows up in fast.log as a signature hit. Use a lab host you control as the target.

Command:

nmap --script http-enum cyberdefenders.org -p80

Usage 6: Create a Custom Suricata Signature

Write a custom rule to detect HTTP requests whose Host header ends with a given domain. Edit the local rules file and add the signature; keep local sids in the 1000000+ range so they do not collide with downloaded rulesets.

Command:

sudo vim /var/lib/suricata/rules/local.rules

Example Custom Rule:

alert http any any -> any any (msg:"CCD test HTTP Host"; http.host; content:"cyberdefenders.org"; endswith; sid:1000000; rev:1;)

Example VPNFilter Malware Detection Rule (the |3B| chunks are hex escapes for the semicolons in the User-Agent, which cannot appear literally inside a content string):

alert http any any -> any any (msg:"VPNFilter malware User-Agent"; http.user_agent; content:"Mozilla/6.1 (compatible|3B| MSIE 9.0|3B| Windows NT 5.3|3B| Trident/5.0)"; sid:1000001; rev:1;)

Usage 7: Reload Suricata Rules Without Restart

After adding rules, make sure suricata.yaml lists the file under rule-files (e.g., - local.rules), then reload the ruleset without restarting Suricata. Suricata re-reads its rules on SIGUSR2; if the unix socket is enabled, suricatasc can trigger the same reload and report whether it succeeded. Run the configuration test first: a rule that fails to parse is simply dropped on reload.

Command:

sudo kill -USR2 $(pidof suricata)

Alternative (unix socket enabled):

sudo suricatasc -c ruleset-reload-rules

Log Files Reference

Suricata creates five default log files under /var/log/suricata/ (or under the directory given with -l):

  • suricata.log & suricata-start.log - Log messages of Suricata itself (rule load errors end up here)
  • stats.log - Statistics records on a fixed interval (default every 8 seconds)
  • fast.log - One line per alert, for reading by eye
  • eve.json - Alerts plus protocol transaction records (HTTP, DNS, TLS, flow, fileinfo and more), one JSON object per line; this is the file to parse or ship to a SIEM
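Usage 3 above reads fast.log by eye; for more than a handful of hits a practitioner parses eve.json instead. The following Python is an added example for this page, not code from Suricata or from the author: it parses fast.log lines with a regular expression and eve.json records as one JSON object per line, drops anything that does not parse (a line read mid-write, for instance) instead of aborting, and summarises alerts per signature and per source/destination pair. The log lines it runs on are constructed to follow Suricata's output layout and use the page's two local rules; they are not taken from the page's PCAP, and the IP addresses are assumptions.

```python
"""Offline triage of Suricata's fast.log and eve.json.

Added example for this page; not part of Suricata. The sample log lines are
constructed to follow Suricata's output layout and are not from the page's PCAP.
"""
import json
import re
from collections import Counter

# One fast.log line (IPv4 shown), as written by Suricata's fast-log output:
#   <ts>  [Drop] [**] [gid:sid:rev] <msg> [**] [Classification: <cls>] [Priority: <n>] {<proto>} <src>:<sport> -> <dst>:<dport>
# "[Drop]" is only present for packets an IPS-mode drop rule acted on; "(null)" is the
# classification of a rule with no classtype, whose priority defaults to 3.
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?:\[(?P<action>w?Drop)\]\s+)?\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"\[Classification:\s*(?P<cls>[^\]]*)\]\s+\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)

# Constructed sample: a hit on the page's local rule, an IPS drop, and a truncated line.
FAST_SAMPLE = """\
06/28/2017-13:41:37.352107  [**] [1:1000000:1] CCD test HTTP Host [**] [Classification: (null)] [Priority: 3] {TCP} 10.6.28.213:49229 -> 203.0.113.45:80
06/28/2017-13:41:38.001122  [Drop] [**] [1:1000001:1] VPNFilter malware User-Agent [**] [Classification: (null)] [Priority: 3] {TCP} 10.6.28.213:49230 -> 198.51.100.9:80
06/28/2017-13:41:39.500000  [**] [1:1000000:1] CCD test HTTP Host [**] [Classification: (null)]
"""

def _eve_alert(ts, sport, dst, sid, sig, host, action="allowed"):
    """Build one constructed eve.json alert record (same field names Suricata uses)."""
    return json.dumps({
        "timestamp": ts, "event_type": "alert", "src_ip": "10.6.28.213", "src_port": sport,
        "dest_ip": dst, "dest_port": 80, "proto": "TCP",
        "alert": {"action": action, "gid": 1, "signature_id": sid, "rev": 1,
                  "signature": sig, "category": "", "severity": 3},
        "http": {"hostname": host, "url": "/", "http_method": "GET"},
    })

# Constructed eve.json sample: one JSON object per line. Only event_type "alert" records
# carry an "alert" object; "http", "dns", "flow" and similar records are transaction logs.
EVE_SAMPLE = "\n".join([
    _eve_alert("2017-06-28T13:41:37.352107+0000", 49229, "203.0.113.45", 1000000,
               "CCD test HTTP Host", "cyberdefenders.org"),
    _eve_alert("2017-06-28T13:41:38.001122+0000", 49230, "198.51.100.9", 1000001,
               "VPNFilter malware User-Agent", "198.51.100.9", action="blocked"),
    json.dumps({"timestamp": "2017-06-28T13:41:38.001122+0000", "event_type": "http",
                "src_ip": "10.6.28.213", "dest_ip": "198.51.100.9",
                "http": {"hostname": "198.51.100.9", "url": "/"}}),
    _eve_alert("2017-06-28T13:41:40.000000+0000", 49231, "203.0.113.45", 1000000,
               "CCD test HTTP Host", "www.cyberdefenders.org"),
    '{"event_type": "alert", "src_ip": "10.6.28.213", "ale',  # cut mid-write; must not abort the run
])

def parse_fast_line(line):
    """Return the fields of one fast.log line as a dict, or None if the line does not parse."""
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("gid", "sid", "rev", "prio", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec

def parse_fast_log(text):
    """Parse every well-formed line of a fast.log; malformed lines are dropped, not fatal."""
    recs = (parse_fast_line(l) for l in text.splitlines() if l.strip())
    return [r for r in recs if r is not None]

def iter_eve_alerts(lines):
    """Yield only the alert records from eve.json lines, skipping other event types and bad JSON."""
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(rec, dict) and rec.get("event_type") == "alert":
            yield rec

def summarize_alerts(alerts):
    """Count alerts per signature and per (src, dst, dport); note HTTP hosts and IPS blocks."""
    by_sig, by_pair, hosts, blocked = Counter(), Counter(), set(), 0
    for a in alerts:
        sig = a["alert"]
        by_sig[(sig["signature_id"], sig["signature"])] += 1
        by_pair[(a["src_ip"], a["dest_ip"], a["dest_port"])] += 1
        if sig.get("action") == "blocked":
            blocked += 1
        if a.get("http", {}).get("hostname"):
            hosts.add(a["http"]["hostname"])
    return {"by_signature": by_sig, "by_pair": by_pair, "http_hosts": hosts, "blocked": blocked}

if __name__ == "__main__":
    for rec in parse_fast_log(FAST_SAMPLE):
        print(rec["sid"], rec["action"] or "alert", rec["src"], "->", rec["dst"], rec["msg"])
    summary = summarize_alerts(iter_eve_alerts(EVE_SAMPLE.splitlines()))
    for (sid, msg), n in summary["by_signature"].most_common():
        print(n, sid, msg)
```

Replace the two sample strings with `open("fast.log")` / `open("eve.json")` to run this over real output. The per-pair counter is usually the more useful view: one signature firing many times between the same two hosts is one incident, not many.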

Signature Structure

A Suricata signature consists of three parts:

  1. Action - Determines what happens when the signature matches (alert, pass, drop, reject)
  2. Header - Defines the protocol, IP addresses, ports, and direction (e.g., http any any -> any any)
  3. Options - The parenthesized, semicolon-terminated keywords that define what to match and how to report it (e.g., msg, content, sid, rev). Every signature needs a unique sid, and rev is bumped whenever the rule changes.
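To see those three parts in practice, here is a small Python parser, an added example for this page rather than Suricata's own parser: it splits a rule into action, header fields and an ordered option list, decodes |3B| style hex chunks in content strings, and evaluates the content checks of the page's two rules against constructed HTTP requests. It supports only the keywords those rules use (content, nocase, startswith, endswith, and the http.host / http.user_agent buffers in sticky and legacy spelling); the request values and the sid 1000001 given to the VPNFilter rule are assumptions.

```python
"""Parse Suricata signatures into action / header / options and evaluate a rule's
HTTP content checks against a request.

Added example for this page, not Suricata's parser. Only the keywords used by the
page's rules are handled: content, nocase, startswith, endswith and the
http.host / http.user_agent buffers (sticky "http.host;" and legacy "http_host;").
"""
import re

# Header: action proto src sport direction dst dport, then the option list in parentheses.
HEADER_RE = re.compile(
    r"^\s*(?P<action>\w+)\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<direction>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<body>.*)\)\s*$"
)
# Options are "key;" or "key:value;"; a quoted value may carry escaped characters such as \;
OPTION_RE = re.compile(r'\s*(?P<key>\w[\w.]*)\s*(?::\s*(?P<val>"(?:[^"\\]|\\.)*"|[^;]*))?\s*;')
HEX_CHUNK = re.compile(r"\|([0-9A-Fa-f ]+)\|")

STICKY = {"http.host": "host", "http.user_agent": "user_agent"}  # buffer for the contents that follow
LEGACY = {"http_host": "host", "http_user_agent": "user_agent"}  # modifier for the content before it

def decode_content(raw):
    """Convert a content value to bytes, expanding |3B| hex chunks (the only way to write ';' in it)."""
    out, pos = b"", 0
    for m in HEX_CHUNK.finditer(raw):
        out += raw[pos:m.start()].encode() + bytes.fromhex(m.group(1).replace(" ", ""))
        pos = m.end()
    return out + raw[pos:].encode()

def parse_rule(rule):
    """Split one signature into its three parts: action, header fields, ordered (key, value) options."""
    m = HEADER_RE.match(rule)
    if not m:
        raise ValueError("not a Suricata rule: %r" % rule)
    parsed = m.groupdict()
    body = parsed.pop("body")
    options = []
    for om in OPTION_RE.finditer(body):
        val = om.group("val") or ""
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]
        options.append((om.group("key"), val))
    parsed["options"] = options
    return parsed

def rule_sid(parsed):
    """Return the numeric sid; every signature must carry one and it must be unique in the ruleset."""
    for key, val in parsed["options"]:
        if key == "sid":
            return int(val)
    raise ValueError("rule has no sid")

def compile_http_checks(parsed):
    """Reduce the option list to content checks, each bound to the HTTP buffer it inspects."""
    checks, buffer = [], None
    for key, val in parsed["options"]:
        if key in STICKY:
            buffer = STICKY[key]
        elif key == "content":
            checks.append({"buffer": buffer, "negate": val.startswith("!"),
                           "content": decode_content(val.lstrip("!")),
                           "nocase": False, "startswith": False, "endswith": False})
        elif key in LEGACY:
            checks[-1]["buffer"] = LEGACY[key]
        elif key in ("nocase", "startswith", "endswith"):
            checks[-1][key] = True
    return checks

def match_http(parsed, request):
    """True if every content check of an 'alert http' rule holds for request ({buffer: bytes})."""
    if parsed["action"] != "alert" or parsed["proto"] != "http":
        return False
    for c in compile_http_checks(parsed):
        if c["buffer"] is None:
            raise ValueError("raw payload matching is outside this demo")
        hay, needle = request.get(c["buffer"], b""), c["content"]
        if c["nocase"] or c["buffer"] == "host":  # Suricata lowercases http.host itself
            hay, needle = hay.lower(), needle.lower()
        if c["startswith"]:
            hit = hay.startswith(needle)
        elif c["endswith"]:
            hit = hay.endswith(needle)
        else:
            hit = needle in hay
        if hit == c["negate"]:
            return False
    return True

# The two rules from this page in sticky-buffer spelling, local sids in the 1000000+ range (assumed).
RULES = [
    'alert http any any -> any any (msg:"CCD test HTTP Host"; http.host; content:"cyberdefenders.org"; endswith; sid:1000000; rev:1;)',
    'alert http any any -> any any (msg:"VPNFilter malware User-Agent"; http.user_agent; '
    'content:"Mozilla/6.1 (compatible|3B| MSIE 9.0|3B| Windows NT 5.3|3B| Trident/5.0)"; sid:1000001; rev:1;)',
]
VPNFILTER_UA = b"Mozilla/6.1 (compatible; MSIE 9.0; Windows NT 5.3; Trident/5.0)"

if __name__ == "__main__":
    request = {"host": b"www.cyberdefenders.org", "user_agent": VPNFILTER_UA}  # constructed request
    for rule in map(parse_rule, RULES):
        print(rule_sid(rule), match_http(rule, request))
```

Two details worth noticing when you run it: decoding the content shows why the semicolons in the VPNFilter User-Agent must be written as |3B|, and endswith is what stops a Host of cyberdefenders.org.evil.test from matching the first rule, while www.cyberdefenders.org still does.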