Suricata for Probe Manager¶

Licence Version

Presentation¶

Suricata version 4.0.4 RELEASE

Install and update Suricata NIDS on a remote server.
Configure the settings and test the configuration.
Add, Delete, Update scripts and signatures.
Tests signatures compliance.
Tests signatures if generates alert via Pcap.
Add rules via HTTP or via upload file.
Schedule rules update via HTTP (EmergingThreat …)
Group rules into groups and assign this to probes.
Possibility to add into blacklist an IP, Domain or MD5.
Implements IP reputation.
Ability to have scripts called via rules as a filter condition in signatures and to write arbitrary output.

Install with ProbeManager

Name: Give a unique name for this instance, example: server-tap1_suricata.
Secure deployment: Specify if you want rules to be verified at each deployment.
Scheduled rules deployment enabled: Enable scheduled deployment of rules.
Scheduled check enabled: Enable instance monitoring. (Check if the probe is active)
Server: Specify the server for the probe.
Probe already installed: Specify if the probe is already installed.
Rulesets: Choose the sets of rules that will be deployed on this probe.
Configuration: Give the configuration of the probe.

Allows you to modify the Suricata configuration.

Under ‘Conf advanced’: there are the most important settings of Suricata to simplify the configuration. This application will generate the YAML file.

Type: (IP, MD5, HOST). For IP and HOST, a signature is created automatically. For MD5, a text file is stored with a single md5 per line.
Value: The value for this type.
Comment: To keep track of information.
Rulesets: Choose the sets of rules that will contain this blacklist.

Ip: Specify an IP address.
Category: Specify a Category (short name and long description).
Reputation score: The reputation score is the confidence that this IP is in the specified category, represented by a number between 1 and 127 (0 means no data).

Allows to modify and create new Classtype

Name: (IP, MD5, HOST). For IP and HOST, a signature is created automatically, for MD5, it store a text file with a single md5 per line.
Description: A description for this classtype.
Security Level: A priority of 1 (high) is the most severe and 4 (very low) is the least severe.

‘Uptime’: indicate the time elapsed since the last time the application was started.
‘Refresh Instance Status’: is a button to know the status of the application (running or not).
‘Update instance’: you need to edit the configuration file to change the version number you want.
‘Deploy configuration’: copy configuration files to the remote server, and reload the Suricata instance.
‘Deploy rules’: copy rule (signatures and scripts) files to the remote server, and reload the Suricata instance.
‘Deploy reputation list’: copy the IP and Category reputation files to the remote server. The probe is not reloaded because if categories change, Suricata should be restarted. And Restarting can result in packet loss, which is why it is up to the user to intentionally restart.