
NanoPi R4S: Adding Suricata, An Intrusion Detection System

============================================================


In the last post we created a transparent network bridge and monitor using the NanoPi R4S. Now that we have a platform that can capture and summarize our network traffic, why don't we also analyze and alert on security events that occur within our network? One of the most widely used open-source solutions for intrusion detection is Suricata. It compares captured packets against databases of known-threat heuristics to see if there are compromised hosts on the network talking to bad actors or behaving aberrantly. These heuristics, or 'rules', are free in their basic versions, but many companies offer paid rulesets that detect the latest threats. Again, I prefer the NanoPi R4S as it provides two onboard network ports and just enough horsepower to run our application. The 1GB version is sufficient to run Suricata, but the 4GB version is recommended if you wish to run Suricata alongside anything else (e.g. ntopng or Snort). All of this can also be done on a Raspberry Pi 4, but it would require a mirrored port or running our traffic over a USB network device, which can quickly become problematic.


Things you will need:

******************


  • NanoPi R4S (1GB/2GB/4GB memory)
  • MicroSD Card (8GB+)
  • MicroSD Card Reader
  • USB-C wall power adapter
  • USB to Ethernet Jack
  • 3x Cat5e / Cat6 Cables
  • Ancillary PC to flash the MicroSD card (*PC1)
  • Intermediate level of Linux knowledge
  • Completion of NanoPi R4S: Implementing a Transparent Network Monitor Tutorial up to #12 at least.
  • Optional: NanoPi R4S Acrylic Case / USB to UART cable for debugging
  • Optional: USB Sound Card & Portable Speaker for audible alerts


Notes:

******


  • For my amusement I built an audible element to our alerts with a few additional devices. This is a good exercise in taking the alerts and automating tasks. Other examples could include automated blocking of the threat traffic by inserting firewall rules.



Steps:

******


  • Install the Suricata dependencies.
  • sudo apt-get install libjansson-dev rustc cargo libmagic-dev libnspr4-dev  \
    libcap-ng-dev python3-yaml liblz4-dev libnss3-dev libpcre3-dev libyaml-dev \
    libevent-core-2.1-6 libevent-pthreads-2.1-6 libhtp2 libltdl7 libnet1 \
    libnetfilter-log1 libnetfilter-queue1 libnspr4 libnss3 libprelude23 libpython-stdlib \
    libpython2-stdlib libpython2.7-minimal libpython2.7-stdlib libyaml-0-2 python python-minimal \
    python-simplejson python2 python2-minimal python2.7 python2.7-minimal


  • Download and extract the latest Suricata.
  • wget https://www.openinfosecfoundation.org/download/suricata-6.0.2.tar.gz && tar -zxf suricata-6.0.2.tar.gz


  • Configure and compile Suricata.
  • cd suricata-6.0.2 && ./configure && sudo make -j6 install-full


  • Create a symbolic link so Suricata can find the rules.
  • ln -s /usr/local/var/lib/suricata/rules /usr/local/etc/suricata/rules


  • Run LD_LIBRARY_PATH=/usr/local/lib sudo suricata-update to download the latest free rulesets. Note that we need to set LD_LIBRARY_PATH so that suricata-update can run its Suricata test (suricata -T) successfully.
  • nanopi-r4s:~/suricata-6.0.2# LD_LIBRARY_PATH=/usr/local/lib sudo suricata-update
    21/6/2021 -- 21:24:53 -  -- Using data-directory /usr/local/var/lib/suricata.
    21/6/2021 -- 21:24:53 -  -- Using Suricata configuration /usr/local/etc/suricata/suricata.yaml
    21/6/2021 -- 21:24:53 -  -- Using /usr/local/share/suricata/rules for Suricata provided rules.
    21/6/2021 -- 21:24:53 -  -- Found Suricata version 6.0.2 at /usr/local/bin/suricata.
    21/6/2021 -- 21:24:53 -  -- Loading /usr/local/etc/suricata/suricata.yaml
    21/6/2021 -- 21:24:53 -  -- Disabling rules for protocol http2
    21/6/2021 -- 21:24:53 -  -- Disabling rules for protocol modbus
    21/6/2021 -- 21:24:53 -  -- Disabling rules for protocol dnp3
    21/6/2021 -- 21:24:53 -  -- Disabling rules for protocol enip
    21/6/2021 -- 21:24:53 -  -- No sources configured, will use Emerging Threats Open
    21/6/2021 -- 21:24:53 -  -- Last download less than 15 minutes ago. Not downloading https://rules.emergingthreats.net/open/suricata-6.0.2/emerging.rules.tar.gz.
    21/6/2021 -- 21:24:54 -  -- Loading distribution rule file /usr/local/share/suricata/rules/app-layer-events.rules
    21/6/2021 -- 21:24:54 -  -- Loading distribution rule file /usr/local/share/suricata/rules/decoder-events.rules
    21/6/2021 -- 21:24:54 -  -- Loading distribution rule file /usr/local/share/suricata/rules/dhcp-events.rules
    21/6/2021 -- 21:24:54 -  -- Loading distribution rule file /usr/local/share/suricata/rules/dnp3-events.rules
    21/6/2021 -- 21:24:54 -  -- Loading distribution rule file /usr/local/share/suricata/rules/dns-events.rules
    21/6/2021 -- 21:24:54 -  -- Loading distribution rule file /usr/local/share/suricata/rules/files.rules
    21/6/2021 -- 21:24:54 -  -- Loading distribution rule file /usr/local/share/suricata/rules/http-events.rules
    21/6/2021 -- 21:24:54 -  -- Loading distribution rule file /usr/local/share/suricata/rules/ipsec-events.rules
    21/6/2021 -- 21:24:54 -  -- Loading distribution rule file /usr/local/share/suricata/rules/kerberos-events.rules
    21/6/2021 -- 21:24:54 -  -- Loading distribution rule file /usr/local/share/suricata/rules/modbus-events.rules
    21/6/2021 -- 21:24:54 -  -- Loading distribution rule file /usr/local/share/suricata/rules/nfs-events.rules
    21/6/2021 -- 21:24:54 -  -- Loading distribution rule file /usr/local/share/suricata/rules/ntp-events.rules
    21/6/2021 -- 21:24:54 -  -- Loading distribution rule file /usr/local/share/suricata/rules/smb-events.rules
    21/6/2021 -- 21:24:54 -  -- Loading distribution rule file /usr/local/share/suricata/rules/smtp-events.rules
    21/6/2021 -- 21:24:54 -  -- Loading distribution rule file /usr/local/share/suricata/rules/stream-events.rules
    21/6/2021 -- 21:24:54 -  -- Loading distribution rule file /usr/local/share/suricata/rules/tls-events.rules
    21/6/2021 -- 21:24:54 -  -- Ignoring file rules/emerging-deleted.rules
    21/6/2021 -- 21:25:00 -  -- Loaded 30134 rules.
    21/6/2021 -- 21:25:01 -  -- Disabled 14 rules.
    21/6/2021 -- 21:25:01 -  -- Enabled 0 rules.
    21/6/2021 -- 21:25:01 -  -- Modified 0 rules.
    21/6/2021 -- 21:25:01 -  -- Dropped 0 rules.
    21/6/2021 -- 21:25:02 -  -- Enabled 147 rules for flowbit dependencies.
    21/6/2021 -- 21:25:02 -  -- Backing up current rules.
    21/6/2021 -- 21:25:10 -  -- Writing rules to /usr/local/var/lib/suricata/rules/suricata.rules: total: 30134; enabled: 22688; added: 6; removed 45; modified: 1206
    21/6/2021 -- 21:25:10 -  -- Writing /usr/local/var/lib/suricata/rules/classification.config
    21/6/2021 -- 21:25:10 -  -- Testing with suricata -T.
    21/6/2021 -- 21:25:47 -  -- Done.



  • Create a systemd unit file for Suricata. Note we only want to monitor one of the interfaces, not the bridge. sudo nano /etc/systemd/system/suricata.service
  • [Unit]
    Description=Suricata IDS/IDP daemon
    After=network.target
    Requires=network.target
    Documentation=man:suricata(8) man:suricatasc(8)
    Documentation=https://redmine.openinfosecfoundation.org/projects/suricata/wiki
    
    [Service]
    Type=simple
    User=root
    Group=root
    Environment=LD_LIBRARY_PATH=/usr/local/lib
    Environment=CFG=/usr/local/etc/suricata/suricata.yaml
    ExecStart=/usr/local/bin/suricata -c $CFG -i eth0
    ExecReload=/bin/kill -HUP $MAINPID
    ExecStop=/bin/kill $MAINPID
    PrivateTmp=yes
    TimeoutStartSec=300
    
    [Install]
    WantedBy=multi-user.target

  • Enable and start Suricata. systemctl enable suricata && systemctl start suricata

  • Check the startup status of suricata with journalctl -fu suricata
  • root@nanopi-r4s:~# journalctl -fu suricata
    Jun 21 21:53:33 nanopi-r4s systemd[1]: Started Suricata IDS/IDP daemon.
    Jun 21 21:53:33 nanopi-r4s suricata[13445]: 21/6/2021 -- 21:53:33 -  - This is Suricata version 6.0.2 RELEASE running in SYSTEM mode
    Jun 21 21:54:01 nanopi-r4s suricata[13445]: 21/6/2021 -- 21:54:01 -  - all 6 packet processing threads, 4 management threads initialized, engine started.

  • We can now inspect the log directory to see what is being output by Suricata. These files can get large quite quickly.
  • root@nanopi-r4s:/usr/local/var/log/suricata# ls
    certs  eve.json  fast.log  files  stats.log  suricata.log

  • To set up log rotation, create the following file. Add more files and tune it to your needs. sudo nano /etc/logrotate.d/suricata_log
  • /usr/local/var/log/suricata/eve.json
    {
        daily
        rotate 3
        missingok
        nocompress
        create
        dateext
        dateformat .%Y-%m-%d
        sharedscripts
        postrotate
                /bin/kill -HUP `ps aux | grep /usr/local/bin/suricata | grep eth0 | grep -v grep | awk '{print $2}'` 2>/dev/null || true
        endscript
    }
    /usr/local/var/log/suricata/stats.log
    {
        daily
        rotate 3
        missingok
        nocompress
        create
        dateext
        dateformat .%Y-%m-%d
        sharedscripts
        postrotate
                /bin/kill -HUP `ps aux | grep /usr/local/bin/suricata | grep eth0 | grep -v grep | awk '{print $2}'` 2>/dev/null || true
        endscript
    }

    Note: You can test your logrotate script with the following: logrotate -d /etc/logrotate.d/suricata_log

  • Inspecting our alerts file with sudo tail -f /usr/local/var/log/suricata/fast.log, we begin to see various anomalies if there is live traffic.
  • 06/19/2021-22:30:37.747150  [**] [1:2210007:2] SURICATA STREAM 3way handshake SYNACK with wrong ack [**] [Classification: Generic Protocol Command Decode] [Priority: 3]
    06/19/2021-22:30:37.903141  [**] [1:2230002:1] SURICATA TLS invalid record type [**] [Classification: Generic Protocol Command Decode] [Priority: 3]
    06/19/2021-22:30:37.903141  [**] [1:2230010:1] SURICATA TLS invalid record/traffic [**] [Classification: Generic Protocol Command Decode] [Priority: 3]
    06/19/2021-22:30:37.903141  [**] [1:2260002:1] SURICATA Applayer Detect protocol only one direction [**] [Classification: Generic Protocol Command Decode] [Priority: 3]
    06/19/2021-22:30:37.917964  [**] [1:2230002:1] SURICATA TLS invalid record type [**] [Classification: Generic Protocol Command Decode] [Priority: 3]
    06/19/2021-22:30:37.917964  [**] [1:2230010:1] SURICATA TLS invalid record/traffic [**] [Classification: Generic Protocol Command Decode] [Priority: 3]
    06/19/2021-22:42:04.001392  [**] [1:2260002:1] SURICATA Applayer Detect protocol only one direction [**] [Classification: Generic Protocol Command Decode] [Priority: 3]
    06/19/2021-22:59:04.001581  [**] [1:2260002:1] SURICATA Applayer Detect protocol only one direction [**] [Classification: Generic Protocol Command Decode] [Priority: 3]
    06/19/2021-23:08:03.002276  [**] [1:2260002:1] SURICATA Applayer Detect protocol only one direction [**] [Classification: Generic Protocol Command Decode] [Priority: 3]
    06/20/2021-04:09:49.358670  [**] [1:2224003:1] SURICATA IKEv2 weak cryptographic parameters (PRF) [**] [Classification: Generic Protocol Command Decode] [Priority: 3]
    06/20/2021-04:09:49.358670  [**] [1:2224004:2] SURICATA IKEv2 weak cryptographic parameters (Auth) [**] [Classification: Generic Protocol Command Decode] [Priority: 3]


  • Now, if you wish to set up audible alerting, connect your USB sound card and speaker, and run the following.
  • sudo apt-get install alsa-utils sox libsox-fmt-all
    sudo sed -i 's/defaults.ctl.card 0/defaults.ctl.card 1/' /usr/share/alsa/alsa.conf
    sudo sed -i 's/defaults.pcm.card 0/defaults.pcm.card 1/' /usr/share/alsa/alsa.conf
    

  • Create an executable script to watch the file, plus a service to keep it running. aplay will kick off our alarm when the script finds a match. You will have to customize the pattern to match the alerts you are interested in. The alert sound I used can be downloaded with: sudo curl -o /root/eminyildirim_futuristic-alarm.wav https://jedi.sh/eminyildirim_futuristic-alarm.wav

  • sudo nano /usr/local/bin/watcher.sh
    #!/bin/bash
    
    # Follow only new lines (-n0); -F keeps following the file across log rotation.
    # grep exits on the first matching alert, the alarm plays in the background,
    # and the loop starts tailing again.
    while tail -F -n0 /usr/local/var/log/suricata/fast.log | grep -E -m 1 'protocol only one direction|weak cryptographic'
    do
    	aplay /root/eminyildirim_futuristic-alarm.wav &
    done
    

    sudo nano /etc/systemd/system/suricata-alert.service
    [Unit]
    Description=Suricata Log Watcher
    After=network.target suricata.service
    
    [Service]
    Type=simple
    User=root
    Group=root
    ExecStart=/usr/local/bin/watcher.sh
    Restart=on-failure
    
    [Install]
    WantedBy=multi-user.target
    
    Note: the [Install] section is required, otherwise systemctl enable has nothing to link and refuses the unit.
    
    sudo chmod +x /usr/local/bin/watcher.sh
    sudo systemctl enable suricata-alert
    sudo systemctl start suricata-alert
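The watcher above matches on a fixed grep pattern and fires once per match. As an added example (my own code, not part of the original post and not a Suricata tool), here is a POSIX shell version that parses each fast.log line into its fields (sid, priority, rule message) so the alarm decision can be tested in isolation: it alarms on any priority 1 or 2 alert, on messages matching the same pattern the post uses, and rate-limits the alarm so a burst of alerts at the same timestamp (like the ones in the output above) plays once. It assumes fast.log lines have the shape shown above; the priority threshold, the 30-second cooldown and the sid in the third sample line are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original post: a fast.log watcher split into
# testable shell functions. Assumes the fast.log line shape shown above:
#   TIMESTAMP  [**] [gid:sid:rev] MSG [**] [Classification: C] [Priority: N]

# Patterns and thresholds are this example's own choices, not Suricata defaults.
ALERT_PATTERNS='protocol only one direction|weak cryptographic'
ALERT_MAX_PRIORITY=2          # priority 1 and 2 always alarm
ALARM_COOLDOWN=30             # seconds between alarms, so a burst plays once
ALARM_WAV=/root/eminyildirim_futuristic-alarm.wav   # file downloaded above

# Constructed sample lines: the first two copy the shape of the page's fast.log
# output, the third is a made-up priority-1 alert with a placeholder sid.
SAMPLE_STREAM='06/19/2021-22:30:37.747150  [**] [1:2210007:2] SURICATA STREAM 3way handshake SYNACK with wrong ack [**] [Classification: Generic Protocol Command Decode] [Priority: 3]'
SAMPLE_IKE='06/20/2021-04:09:49.358670  [**] [1:2224003:1] SURICATA IKEv2 weak cryptographic parameters (PRF) [**] [Classification: Generic Protocol Command Decode] [Priority: 3]'
SAMPLE_HIGH='06/21/2021-10:00:00.000000  [**] [1:9000001:1] CONSTRUCTED high priority test alert [**] [Classification: Constructed Test Class] [Priority: 1]'

# Signature id: the middle number of [gid:sid:rev]. Prints nothing for non-alert lines.
fast_sid() {
    printf '%s\n' "$1" | sed -n 's/^.*\[\*\*\] \[[0-9]*:\([0-9]*\):[0-9]*\] .*$/\1/p'
}

# Priority number from the trailing [Priority: N] field.
fast_priority() {
    printf '%s\n' "$1" | sed -n 's/^.*\[Priority: \([0-9]*\)\].*$/\1/p'
}

# Rule message: the text between the sid block and the second [**].
fast_msg() {
    printf '%s\n' "$1" | sed -n 's/^.*\] \(.*\) \[\*\*\] \[Classification.*$/\1/p'
}

# Return 0 (alarm) when the line is an alert at or above the priority threshold,
# or when its message matches ALERT_PATTERNS; 1 otherwise.
should_alert() {
    sa_prio=$(fast_priority "$1")
    if [ -z "$sa_prio" ]; then
        return 1                               # not a fast.log alert line
    fi
    if [ "$sa_prio" -le "$ALERT_MAX_PRIORITY" ]; then
        return 0
    fi
    if fast_msg "$1" | grep -E -q "$ALERT_PATTERNS"; then
        return 0
    fi
    return 1
}

# Follow the log and alarm on matching lines. tail -F survives logrotate's
# create/rename, and -n0 ignores alerts that are already in the file.
watch_fast_log() {
    wf_log=${1:-/usr/local/var/log/suricata/fast.log}
    wf_last=0
    tail -F -n0 "$wf_log" | while IFS= read -r wf_line; do
        if should_alert "$wf_line"; then
            printf 'ALERT sid=%s prio=%s %s\n' \
                "$(fast_sid "$wf_line")" "$(fast_priority "$wf_line")" "$(fast_msg "$wf_line")"
            wf_now=$(date +%s)
            if [ $((wf_now - wf_last)) -ge "$ALARM_COOLDOWN" ]; then
                wf_last=$wf_now
                aplay "$ALARM_WAV" >/dev/null 2>&1 &
            fi
        fi
    done
}

# Only start following the log when asked to (e.g. "watcher.sh watch"), so the
# functions above can be sourced and tested without blocking.
case "${1:-}" in
    watch) watch_fast_log "${2:-}" ;;
esac
```

To use it as the service's ExecStart, pass the watch argument (and optionally a log path): /usr/local/bin/watcher.sh watch. Because the decision lives in should_alert, you can feed it a line from the fast.log output above on the command line and see whether it would have alarmed before restarting the service.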
    


Thoughts:

*************


Now we can summarize data on the network, and act on that information. This is just the start of what you can do while inline (or out of band on a mirrored port) on the network. Outside of the home setting we could scale this up on actual hardware and ingest our logs into an ELK stack to provide a less opaque pane of glass for security and network monitoring.