
Last Thursday, I was very glad that the Open Information Security Foundation (OISF) released the first public beta version of Suricata. It has been three years in the making. Several new releases are expected this month, culminating in a production quality release shortly thereafter. OISF describes Suricata as “an Open Source Next Generation Intrusion Detection and Prevention Tool, not intended to just replace or emulate the existing tools in the industry, but to bring new ideas and technologies to the field.” It is looking very promising.

The Suricata Engine and the HTP Library are available to use under the GPLv2. The new engine supports “Multi-Threading, Automatic Protocol Detection (IP, TCP, UDP, ICMP, HTTP, TLS, FTP and SMB! ), Gzip Decompression, Fast IP Matching and coming soon hardware acceleration on CUDA and OpenCL GPU cards”. GPU integration allows the use of graphics cards to accelerate operations. Mike Cloppert, in his post “Detection, Bandwidth, and Moore’s Law”, pointed out:

It appears the authors well understand the point in this post, and the corresponding state of the art in solving parallel computing problems. GPUs are emerging as a good commodity solution to parallel processing. This is covered in depth by a number of recent publications discussing parallelism, and I am by no means an expert in this field, so I will simply leave follow-up on this point as an exercise for the reader.

The HTP Library is an HTTP normalizer and parser written by Ivan Ristic, creator of ModSecurity and author of the soon to be released book “ModSecurity Handbook”. It integrates with the engine and provides very advanced processing of HTTP streams. The HTP library is required by the engine, but may also be used independently in a range of applications and tools. Additional details have been provided by Ivan in his post, “HTTP parser for intrusion detection and web application firewalls.” Ivan writes concerning the development, “For the first release of the parser the goal is to be able to parse HTTP streams reliably. In the subsequent versions I will work in the parser’s security properties (such as the ability to see through evasion attacks).”

New Ideas and Concepts

Quoting from the OISF announcement, some of the next generation capabilities include:

  • Multi-Threading: so very necessary.
  • Automatic Protocol Detection: the engine has keywords for IP, TCP, UDP, ICMP, HTTP, TLS, FTP and SMB. Users can write rules to detect a match within a stream regardless of the port the stream occurs on. This is important for malware detection and control. Detections for more layer 7 protocols are being developed.
  • Gzip Decompression: the HTP Parser will decode Gzip compressed streams.
  • Independent HTP Library: the HTP Parser will be usable by other applications such as proxies, filters, etc. The parser is available as a library under GPLv2 for easy integration into other tools.
  • Standard Input Methods: support for NFQueue, IPFRing, and the standard LibPcap to capture traffic. IPFW support will be available soon.
  • Unified2 Output: support for standard output tools and methods.
  • Flow Variables: it is possible to capture information out of a stream and save that in a variable which can then be matched against later.
  • Fast IP Matching: the engine will automatically use a special fast matching preprocessor on rules that are IP matches only (such as the RBN and compromised IP lists at Emerging Threats).
  • HTTP Log Module: HTTP requests can be automatically output into an Apache-style log format file for monitoring and logging activity, completely independent of rulesets and matching.
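To make the Automatic Protocol Detection and Flow Variables bullets concrete, here is an added toy model of those two ideas (written for this post, not Suricata's own code): the application protocol is sniffed from the first payload of a flow rather than taken from the port, and a value captured from one packet is kept in per-flow state so a later packet in the same flow can be matched against it. The packet trace, flow identifiers and the login rule are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed trace: (flow_id, direction, payload). Port 8081 is not a standard
# HTTP port, so a port-based engine would never apply its HTTP rules here.
PACKETS = [
    ("10.0.0.5:51000->10.0.0.9:8081", "to_server",
     b"POST /login HTTP/1.1\r\nHost: intranet.example\r\n\r\nuser=bob&pass=x"),
    ("10.0.0.5:51000->10.0.0.9:8081", "to_client",
     b"HTTP/1.1 200 OK\r\nSet-Cookie: session=abc\r\n\r\n"),
    ("10.0.0.5:51001->10.0.0.9:8081", "to_server",
     b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),   # TLS ClientHello start
]

def detect_protocol(payload):
    """Sniff the application protocol from payload bytes, ignoring the port."""
    if re.match(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n", payload):
        return "http"
    # TLS record header: content type 0x16 (handshake) followed by version 3.x
    if payload[:1] == b"\x16" and payload[1:3] in (b"\x03\x00", b"\x03\x01",
                                                    b"\x03\x02", b"\x03\x03"):
        return "tls"
    return "unknown"

def run_engine(packets):
    """Apply a two-step rule across a flow; return the alerts raised."""
    flow_proto = {}                 # protocol decided on a flow's first payload
    flowvars = defaultdict(dict)    # per-flow captured values (flow variables)
    alerts = []
    for flow, direction, payload in packets:
        proto = flow_proto.setdefault(flow, detect_protocol(payload))
        if proto != "http":
            continue
        state = flowvars[flow]
        if direction == "to_server":
            # Rule 1: capture the Host of a login attempt into a flow variable;
            # this rule sets state only and raises no alert on its own.
            if payload.startswith(b"POST /login "):
                host = re.search(rb"\r\nHost: ([^\r\n]+)", payload)
                if host:
                    state["login_host"] = host.group(1).decode()
        elif "login_host" in state and payload.startswith(b"HTTP/1.1 200"):
            # Rule 2: a 200 reply in a flow where Rule 1 fired earlier.
            alerts.append(f"login success on {state['login_host']} via {flow}")
            state.pop("login_host")
    return alerts
```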

A few features to look forward to in a few weeks:

  • Global Flow Variables: the ability to store more information from a stream or match (actual data, not just setting a bit) over a period of time allowing comparing values across many streams and time.
  • Graphics Card Acceleration: using CUDA and OpenCL to make use of the processing power of even old graphics cards to accelerate the IDS. Offloading the very computationally intensive functions of the sensor will greatly enhance performance.
  • IP Reputation: will allow sensors and organizations to share intelligence and eliminate many false positives.
  • Windows Binaries: will be released once there is a reasonably stable body of code.

Folks Behind It

The team is listed on the OISF site. It is an all star cast including Matt Jonkman, Victor Julien, Will Metcalf, Nathan Jimerson, Margaret Skinner, Josh Smith, Brian Rectanus, Breno Silva Pinto, Anoop Saldanha, Gurvinder Singh Dahiya, Jason MacLulich, Jason Ish, Kirby Kuehl, Dennis Henderson, Martin Solum, Ivan Ristic, Pablo Rincon, and Gerardo Iglesias Galvan.

I also wanted to point out some of the heavy hitting organizations involved. The initial funding for OISF comes from the US Department of Homeland Security (DHS), the US Navy’s Space and Warfare Command (SPAWAR), and a number of private companies that participate in the OISF Consortium. The OISF is a part of the DHS Homeland Open Security Technology (HOST) program. OISF works with Open Source Software Institute and has received legal guidance from the Software Freedom Law Center.

OISF is a US nonprofit, a 501(c)(3), and will not commercialize, sell, patent, copyright, or profit from the engine. OISF Consortium members are donating coders, equipment, and financial support in exchange for the ability to commercialize the engine. The important takeaway is that OISF has long-term support for future development of Suricata.

Final Thoughts

Suricata is a very exciting and promising IDS/IPS engine. It has a great group of people behind it and future development appears secured. It is a project that is in the early stages. Do not expect to download it and simply install it in a production environment. For testing the software and providing feedback, the engine and the HTP Library are available for download. To keep apprised of the latest developments, join the OISF mailing lists, where you can discuss and share feedback. The blog of Victor Julien, Suricata’s lead developer, is another great source for the latest news and information.

To finally answer the burning question: why the name Suricata? According to the OISF site, Suricata comes from the Latin genus name for the meerkat and “the Meerkat takes security and vigilance as a life or death responsibility. There is always at least one individual on guard, watching, ready to alert the entire organization. Very much like an IDS sensor. It is always watching, always ready to alert you to danger. Or something like that…”

6 Responses to “Suricata: A Next Generation IDS/IPS Engine”

  1. Shinkan says:

    “Global Flow Variables”.
    That will be a major breakthrough.
    I’ve been waiting for that for a long time.
    We’ll now be able to build serious “dynamic aware” rules.

    Regarding GPU acceleration, I’m not convinced at all that including it is worth it. I guess we’ll “very soon” be able to buy COTS machines that will come equipped with hardware automatic unit dispatching and parallelization, and such a stuffed processor that software-prepared GPU accel will be obsoleted.

  2. Ihab El Bakri says:

    GPU accel. sounds great!!
    I think it will be an alternative to snort_inline.
    Are there any rule sets (like Snort’s) or configs to use it with iptables as a filter?
    Thanks in advance
    Ihab Elbakri

  3. Ihab El Bakri says:

    Anyone successfully loaded rules into suricata?
    I got the message:
    *** glibc detected *** suricata : free () :invailed pointer 0xb7eff2a1 ***
    Aborted
    Thanks in advance
    Ihab ElBakri
