After a year of development, the Open Information Security Foundation (OISF) made known through a blog post, the release of the new version of Suricata 6.0, which is a network intrusion detection and prevention system that provides a means to inspect various types of traffic.
In this new edition several very interesting improvements are presented, such as support for HTTP / 2, improvements to various protocols, performance improvements, among other changes.
For those who do not know about meerkat, you should know that this software andIt is based on a set of rules externally developed to monitor network traffic and provide alerts to the system administrator when suspicious events occur.
In Suricata configurations, it is allowed to use the signature database developed by the Snort project, as well as the Emerging Threats and Emerging Threats Pro rule sets.
The source code of the project is distributed under the GPLv2 license.
Main novelties of Suricata 6.0
In this new version of Suricata 6.0 we can find the initial support for HTTP / 2 with which innumerable improvements are introduced such as the use of a single connection, header compression, among other things.
Besides that support for RFB and MQTT protocols was included, including protocol definition and logging capabilities.
As well log performance was significantly improved via the EVE engine, which provides JSON output from events. The acceleration is achieved thanks to the use of the new JSON sink generator, written in the Rust language.
EVE registration system scalability increased and implemented the ability to maintain a hotel log file for each broadcast.
In addition, Suricata 6.0 introduces a new rule definition language which adds support for the from_end parameter in the byte_jump keyword and the bitmask parameter in byte_test. In addition, the pcrexform keyword has been implemented to allow regular expressions (pcre) to capture a substring.
The ability to reflect MAC addresses in the EVE record and increase the detail of the DNS record.
Of the other changes that stand out of this new version:
- Added urldecode conversion. Byte_math keyword added.
- Logging capability for the DCERPC protocol. The ability to define conditions for dumping information into the log
- Improved flow motor performance.
- Support to identify SSH implementations (HASSH).
- Implementation of the GENEVE tunnel decoder.
- Rust code rewritten to handle ASN.1, DCERPC, and SSH. Rust also supports new protocols.
- Provide the ability to use cbindgen to generate links in Rust and C.
- Added initial plugin support.
Finally if you want to know more about it, you can check the details by going to the following link.
How to install Suricata on Ubuntu?
To install this utility, we can do it by adding the following repository to our system. To do this, just type the following commands:
sudo add-apt-repository ppa:oisf/suricata-stable sudo apt-get update sudo apt-get install suricata
In case of having Ubuntu 16.04 or having problems with dependencies, with the following command it is solved:
sudo apt-get install libpcre3-dbg libpcre3-dev autoconf automake libtool libpcap-dev libnet1-dev libyaml-dev zlib1g-dev libcap-ng-dev libmagic-dev libjansson-dev libjansson4
Installation done, it is recommended to disable any offloead feature pack on the NIC that Suricata is listening to.
They can disable LRO / GRO on the eth0 network interface using the following command:
sudo ethtool -K eth0 gro off lro off
Meerkat supports a number of operating modes. We can see the list of all execution modes with the following command:
sudo /usr/bin/suricata --list-runmodes
The default run mode used is autofp stands for "automatic fixed flow load balancing". In this mode, packets from each different stream are assigned to a single detection thread. The flows are assigned to the threads with the lowest number of unprocessed packets.
Now we can proceed to start Suricata in pcap live mode, using the following command:
sudo /usr/bin/suricata -c /etc/suricata/suricata.yaml -i ens160 --init-errors-fatal