One Article Review

Home - The article:
Source AlienVault Blog
Identifier 1172876
Publication date 2019-06-25 13:00:00 (viewed: 2019-06-25 16:01:22)
Title Suricata IDS: an overview of threading capabilities
Text A common discussion in the security industry is how to improve the effectiveness of detection and prevention systems. You can find tons of documentation and books about The Defender's Dilemma, Blue Team vs Red Team, A Comprehensive Security Approach, among others. However, in any organization, it is very important to move beyond theory and implement specific solutions to detect security attacks and threats. In this post, I want to share some thoughts about one specific topic: Network Intrusion Detection Systems (NIDS), specifically a really good piece of software called Suricata.

Let's start with some background. Intrusion detection is a broad concept that refers to some type of mechanism or process to identify security threats. Organizations typically use solutions like Host Intrusion Detection Systems (HIDS) and Network Intrusion Detection Systems (NIDS). In addition, response capabilities are also quite popular in Intrusion Detection Systems (IDS). In fact, several vendors offer Endpoint Detection and Response (EDR), and some vendors are using a new acronym: Network Detection and Response (NDR). I think the industry is trying to be more consistent by adding the word "response" to both endpoint detection and network detection.

In NIDS, there are two main approaches: signature-based detection and anomaly-based detection. A signature-based intrusion detection system operates in real time, capturing traffic and looking for signature matches. If a match is found, the system generates an alarm. An anomaly-based system looks for abnormal behavior that represents threats. Instead of concentrating on the packet, it looks for unusual behavior, anomalies and deviations from normal. Having said that, let's switch gears to the main topic of this post, which is Suricata.

What is Suricata? In the official documentation, you will find this: "Suricata is a high-performance Network IDS, IPS, and Network Security Monitoring engine. It is open source and owned by a community-run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF" [1]. Besides the official definition, I think Suricata is a very powerful open source NIDS. It is a signature-based IDS and, once it is properly configured, Suricata is capable of doing real-time traffic inspection in order to trigger alarms when suspicious activity is detected in your environment. Suricata also offers a very extensive list of features. The complete list can be found here: https://suricata-ids.org/features/all-features/ From that list, I would like to highlight an important one: Threading [2].

Suricata threading. Suricata is capable of running multiple threads. If you have hardware with multiple CPUs/cores, the tool can be configured to spread the workload over several threads running at the same time. You can start by running with a single thread and processing packets one at a time. Nevertheless, from my experience, multi-threading is a much better configuration and the way to improve Suricata's performance. Suricata has four thread modules:
Packet acquisition: responsible for reading packets from the network.
Decode and stream application layer: decodes the packets and inspects the application layer.
Detection: compares traffic against signatures and can be run in multiple threads.
Outputs: in this module, all the alarms are processed.
Figure 1
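The following suricata.yaml fragment is an added example, not configuration from the AlienVault post or from the Suricata project itself. It shows how the four thread modules described above are mapped onto CPU cores on a four-core sensor, and how the runmode setting chooses between the single-thread starting point and the multi-threaded layouts. The interface name (eth0) and the core numbers are assumptions; adjust them to your own hardware.

```yaml
# Added example (not from the post or the Suricata project): threading
# section of suricata.yaml for a 4-core host sniffing on eth0 (assumed).

# runmode decides how the thread modules are chained together:
#   single  - one thread captures, decodes, detects and writes outputs
#             (the "process packets one at a time" starting point)
#   autofp  - capture/decode threads hand flows to separate detect threads
#   workers - each thread runs all four modules for its own share of the
#             traffic; typically the best throughput on multi-core hosts
runmode: workers

af-packet:
  - interface: eth0
    threads: 3                   # one worker thread per dedicated core
    cluster-id: 99
    cluster-type: cluster_flow   # keep every packet of a flow on one thread
    defrag: yes

threading:
  set-cpu-affinity: yes
  cpu-affinity:
    - management-cpu-set:
        cpu: [ 0 ]               # flow manager and other management threads
    - receive-cpu-set:
        cpu: [ 0 ]               # packet acquisition threads (autofp mode)
    - worker-cpu-set:
        cpu: [ "1-3" ]           # decode/detect/output worker threads
        mode: "exclusive"        # pin one thread per core, no sharing
        prio:
          default: "high"
  # In autofp mode the number of detect threads is cores x this ratio;
  # in workers mode the af-packet threads value above is what counts.
  detect-thread-ratio: 1.0
```

After editing, validate the file with `suricata -T -c /etc/suricata/suricata.yaml` before restarting the sensor, and confirm in suricata.log that the expected number of worker threads started on the intended cores. Pinning the management set and the worker set to disjoint cores is what keeps flow management and logging from stealing cycles from detection.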
Sent Yes
Tags Tool
The article does not seem to have been picked up after its publication.


The article does not seem to have been picked up from a previous one.