Analyzing Packet Data with Suricata

Johnathan Vu
4 min read · Jul 21, 2023

I will be using Suricata to examine a packet capture with the custom rule provided, determine how many events occurred within the log, and extract the details in a readable format.

The main lesson from this project is to understand Suricata as a program and to become familiar with manipulating .json files using jq commands.

Starting Suricata and Examining Alert Rules

sudo suricata -r sample.pcap -s custom.rules -k none

The command instructs Suricata, running with elevated privileges, to read the network capture in sample.pcap using the rule in custom.rules; the -k none option tells it NOT to perform checksum verification.

The content of custom.rules is a single alert rule: for any connection leaving the HOME network to the EXTERNAL network that carries an HTTP GET request, return the message “GET on wire”.

The results show that two packets met the criteria of the custom rule out of the 200 packets in the .pcap file.

Suricata file outputs

ls -l /var/log/suricata

Suricata will produce 4 files in the directory /var/log/suricata: 3 .log files and 1 .json file.

These four files are incredibly important to an analyst.

  1. eve.json — a JavaScript Object Notation (JSON) file, the output format Suricata commonly uses because of its accessibility to other network analysis tools and its ease of readability.
  2. fast.log — a log output that contains concise, compact data on all logged connections in the capture.
  3. stats.log — another log output that records other metrics such as resource utilization, packet/flow stats, and general performance.
  4. suricata.log — the main log file, which contains detailed information about a logged connection; it generally carries the same data as fast.log but in more depth.

cat /var/log/suricata/fast.log

When fast.log is opened, only the timestamp, alert message, severity, protocol, and source/destination IPs are shown.

Logging in this reduced format allows Suricata to record very specific network details without impacting performance while being concise about network events.

cat /var/log/suricata/eve.json

Opening the JSON file with only the cat command reveals that the content is poorly formatted for reading.

jq . /var/log/suricata/eve.json

jq (JSON Query) will help me manipulate the contents of a .json file and format it for better readability.

The “.” in jq represents the root of the document, much as a Linux filesystem begins at the root directory.

The command jq . will format the specified JSON file and print out the contents in an easy-to-read structure.

When data is formatted this way, it is generally not efficient for processing or integration due to all of the existing indentations and white space produced to “pretty-print” the file.

jq -c '[.timestamp, .flow_id, .alert.signature, .proto, .dest_ip]' /var/log/suricata/eve.json

After taking a look at the .json file and identifying all of the objects, I will filter for a specific set of objects such as .timestamp, .flow_id, .alert, etc.

The -c flag requests compact output; this command is generally used to condense the data down to the objects provided.

-c also removes all of the indentation and white space used to “pretty print” the .json file and prints each result on a single line.

jq 'select(.flow_id == 660338677282965)' /var/log/suricata/eve.json

Another way I can search is by key-value pair. Searching this way pulls all data matching the specific pair, using select together with a specific object (flow_id).

I can use this form of searching to isolate a specific connection and filter all related data concerning that particular ID.
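To show what the two jq filters above actually do to eve.json records, here is an added Python example (not code from the article); it works on a constructed four-line eve.json sample, where the flow ID and the “GET on wire” signature are taken from the article and the timestamps and IP addresses are made up.

```python
import json

# Constructed sample of Suricata's eve.json (one JSON object per line).
# Not real capture data: timestamps and addresses are invented.
EVE_JSON_SAMPLE = """\
{"timestamp":"2023-07-21T10:00:01.000000+0000","flow_id":660338677282965,"event_type":"alert","src_ip":"10.0.0.5","dest_ip":"203.0.113.20","proto":"TCP","alert":{"signature":"GET on wire","severity":3}}
{"timestamp":"2023-07-21T10:00:01.100000+0000","flow_id":660338677282965,"event_type":"http","src_ip":"10.0.0.5","dest_ip":"203.0.113.20","proto":"TCP","http":{"http_method":"GET","url":"/"}}
{"timestamp":"2023-07-21T10:00:02.000000+0000","flow_id":123456789012345,"event_type":"alert","src_ip":"10.0.0.7","dest_ip":"198.51.100.9","proto":"TCP","alert":{"signature":"GET on wire","severity":3}}
{"timestamp":"2023-07-21T10:00:05.000000+0000","event_type":"stats","stats":{"capture":{"kernel_packets":200}}}
"""


def load_eve(text):
    """Parse newline-delimited JSON (one event per line), skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def compact_fields(events):
    """Equivalent of: jq -c '[.timestamp, .flow_id, .alert.signature, .proto, .dest_ip]'
    A key that is absent becomes None, just as jq prints null."""
    rows = []
    for ev in events:
        alert = ev.get("alert") or {}
        rows.append([ev.get("timestamp"), ev.get("flow_id"),
                     alert.get("signature"), ev.get("proto"), ev.get("dest_ip")])
    return rows


def select_flow(events, flow_id):
    """Equivalent of: jq 'select(.flow_id == FLOW_ID)'
    Events without a flow_id (e.g. stats records) never match."""
    return [ev for ev in events if ev.get("flow_id") == flow_id]


def count_alerts(events, signature=None):
    """Count alert events, optionally only those carrying a given signature."""
    return sum(1 for ev in events
               if ev.get("event_type") == "alert"
               and (signature is None or ev["alert"]["signature"] == signature))


if __name__ == "__main__":
    events = load_eve(EVE_JSON_SAMPLE)
    for row in compact_fields(events):
        print(json.dumps(row, separators=(",", ":")))  # mimic jq -c output
    print(len(select_flow(events, 660338677282965)), "event(s) for flow 660338677282965")
    print(count_alerts(events, "GET on wire"), "alert(s) for 'GET on wire'")
```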

Summary

Suricata is an amazing tool for IDS/IPS and I can understand why security analysts use this as part of their defense network.

The ability to efficiently gather network data and output it in a file format accessible to various SIEMs and other log analysis tools makes Suricata scalable and versatile as an IDS/IPS.
