
Suricata's datasets feature lets you load external indicator-of-compromise (IOC) lists into a hash set that rules match against at runtime. IOCs such as IP addresses, domains, URLs and hashes must be formatted the way the dataset type expects and then referenced from a rule with the dataset keyword, which gives you alerting on live traffic from your own threat intelligence.
- Suricata Version: Use a release with dataset support. Datasets were introduced in Suricata 5.0; 7.0 or later is recommended because it adds the ip/ipv4 dataset types and the ip.src/ip.dst keywords needed for address lists.
- Operating System: A Unix-like operating system (e.g., Linux) is recommended for optimal compatibility and performance.
- Dependencies: Install jq (JSON parsing) and base64 (GNU coreutils, or the equivalent on your platform); both are commonly used when converting IOC feeds into dataset files.
- Supported IOC Types: Suricata datasets can hold the following IOC kinds (dataset type in parentheses):
1. IP addresses, IPv4 and IPv6 (ip, or ipv4 for IPv4-only lists; Suricata 7.0+)
2. Domain names (string)
3. URLs (string)
4. File hashes (md5, sha256)
- Data Formatting, one entry per line in the dataset file:
1. String-based IOCs (domains, URLs, user agents, and so on) are stored base64-encoded, one encoded value per line with no line wrapping.
2. Hash-based IOCs are stored as lowercase hexadecimal (32 characters for md5, 64 for sha256).
3. IP-based IOCs are stored in plain textual notation.
- Rule Files: Custom Suricata rules must be created to utilize the datasets for matching against network traffic.
- Obtain your external IOC list in a structured format (e.g., JSON). A plain .txt list also works, but the contents must already match the dataset structure Suricata expects.
- Extract the relevant IOCs with jq. For example, to extract domains (lowercased, because Suricata normalizes the http.host buffer to lowercase before the lookup):
jq -r '.data[] | select(.ioc_type == "domain") | .ioc | ascii_downcase' iocs_list.json > domains.txt
- For string-based IOCs, base64-encode each entry on its own line. GNU base64 wraps output at 76 characters by default, and a wrapped entry never matches, so strip the wrapping; also write with > rather than >> so a rerun does not append duplicates:
while IFS= read -r line; do printf '%s' "$line" | base64 | tr -d '\n'; echo; done < domains.txt > domains_iocs.list
- Move the encoded IOC list to Suricata's rules directory and give it to the user Suricata runs as (adjust the owner if your distribution uses a different account):
sudo cp domains_iocs.list /etc/suricata/rules/
sudo chown suricata:suricata /etc/suricata/rules/domains_iocs.list
- Write a custom rule to alert on matches from the dataset. For example:
alert http any any -> any any (msg:"Malicious Domain Detected"; http.host; dataset:isset,malicious_domains; sid:1000001; rev:1;)
- This rule checks whether the normalized (lowercase) http.host buffer is present in the malicious_domains dataset. The dataset is referenced by name only because it is defined in suricata.yaml (next step); if you would rather define it in the rule, write dataset:isset,malicious_domains, type string, load domains_iocs.list; instead. Domains seen in TLS handshakes need a second rule on the tls.sni buffer, since http.host never matches encrypted traffic.
- Ensure the new rule file is included in suricata.yaml under the rule-files section (paths are relative to default-rule-path unless absolute):
rule-files:
  - custom.rules
- Define the dataset in the datasets section of suricata.yaml. The dataset name is the key, with its type and the file to load:
datasets:
  malicious_domains:
    type: string
    load: /etc/suricata/rules/domains_iocs.list
- Validate the configuration first (suricata -T -c /etc/suricata/suricata.yaml reports a bad dataset path or an unparseable rule before you take the sensor down), then apply the changes by restarting the Suricata service:
sudo systemctl restart suricata
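The whole procedure above (extract, normalize, encode, write the dataset files, emit the rules and the suricata.yaml stanza) in one script, as an added example rather than code from this page or from the Suricata project. It replaces the jq and base64 pipeline with Python so the normalization rules are explicit, and it goes a little beyond the single-domain case: it also handles ip and sha256 entries, drops malformed or duplicate indicators, and includes a would_match() helper that mimics Suricata's lookup so you can confirm an entry will actually hit before deploying. The feed layout ({"data": [{"ioc_type": ..., "ioc": ...}]}), the dataset names, the sids and the output directory are assumptions; the sample feed is constructed from documentation addresses and example domains, not real threat intelligence. No rule is generated for the sha256 dataset, since which buffer you hash against it depends on your deployment.

```python
"""Build Suricata dataset files, rules and a datasets: stanza from a JSON IOC feed.

Added example, not Suricata project code. Feed shape, dataset names, sids and
output paths are assumptions; the sample feed below is constructed.
"""
import base64
import ipaddress
import json
import re
from pathlib import Path

# Constructed sample feed: documentation ranges and example domains, not real IOCs.
SAMPLE_FEED = json.dumps({"data": [
    {"ioc_type": "domain", "ioc": "Bad-Example.TEST"},          # mixed case
    {"ioc_type": "domain", "ioc": "malware.example.invalid."},  # trailing dot
    {"ioc_type": "domain", "ioc": "bad-example.test"},          # duplicate once lowercased
    {"ioc_type": "ip", "ioc": "192.0.2.10"},
    {"ioc_type": "ip", "ioc": "2001:db8::1"},
    {"ioc_type": "ip", "ioc": "999.1.1.1"},                     # invalid, dropped
    {"ioc_type": "sha256", "ioc": "E3B0C442" * 8},              # uppercase hex, lowercased
    {"ioc_type": "sha256", "ioc": "deadbeef"},                  # wrong length, dropped
    {"ioc_type": "url", "ioc": "http://bad-example.test/x"},    # no mapping here, skipped
]})

# ioc_type -> (assumed dataset name, Suricata dataset type, sticky buffers to rule on)
DATASETS = {
    "domain": ("malicious_domains", "string", ["http.host", "tls.sni"]),
    "ip":     ("malicious_ips", "ip", ["ip.dst"]),   # ip type and ip.dst need Suricata 7.0+
    "sha256": ("malicious_sha256", "sha256", []),    # file written; rule left to the reader
}
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


def normalize(ioc_type, value):
    """Canonical form of the indicator as Suricata will see it, or None if unusable."""
    value = value.strip()
    if ioc_type == "domain":
        # Suricata lowercases http.host before the dataset lookup, so the entry must be too.
        return value.lower().rstrip(".") or None
    if ioc_type == "ip":
        try:
            return str(ipaddress.ip_address(value))
        except ValueError:
            return None
    if ioc_type == "sha256":
        v = value.lower()
        return v if SHA256_RE.match(v) else None
    return None


def dataset_line(dtype, value):
    """One dataset-file line: unwrapped base64 for string sets, plain text otherwise."""
    if dtype == "string":
        return base64.b64encode(value.encode()).decode()
    return value


def build_datasets(feed_text):
    """Return {dataset name: [file lines]} with invalid, unknown and duplicate entries dropped."""
    out = {name: [] for name, _, _ in DATASETS.values()}
    seen = set()
    for entry in json.loads(feed_text)["data"]:
        spec = DATASETS.get(entry.get("ioc_type"))
        if spec is None:
            continue
        name, dtype, _ = spec
        canon = normalize(entry["ioc_type"], entry["ioc"])
        if canon is None or (name, canon) in seen:
            continue
        seen.add((name, canon))
        out[name].append(dataset_line(dtype, canon))
    return out


def write_datasets(datasets, directory):
    """Write <name>.list files, one entry per line with a trailing newline."""
    directory = Path(directory)
    directory.mkdir(parents=True, exist_ok=True)
    for name, lines in datasets.items():
        (directory / f"{name}.list").write_text("".join(line + "\n" for line in lines))


def render_rules(base_sid=1000001):
    """One alert rule per (dataset, buffer); the protocol is taken from the buffer prefix."""
    rules, sid = [], base_sid
    for name, _, buffers in DATASETS.values():
        for buf in buffers:
            proto = buf.split(".")[0]
            rules.append(f'alert {proto} any any -> any any (msg:"IOC match {name} on {buf}"; '
                         f'{buf}; dataset:isset,{name}; sid:{sid}; rev:1;)')
            sid += 1
    return rules


def render_yaml(directory):
    """datasets: stanza for suricata.yaml, dataset name as key with type and load path."""
    lines = ["datasets:"]
    for name, dtype, _ in DATASETS.values():
        lines += [f"  {name}:", f"    type: {dtype}", f"    load: {directory}/{name}.list"]
    return "\n".join(lines)


def would_match(datasets, ioc_type, observed):
    """Mimic Suricata's lookup: encode the observed value the same way and test membership."""
    name, dtype, _ = DATASETS[ioc_type]
    canon = normalize(ioc_type, observed)
    return canon is not None and dataset_line(dtype, canon) in datasets[name]


if __name__ == "__main__":
    ds = build_datasets(SAMPLE_FEED)
    write_datasets(ds, "/tmp/suricata-iocs")  # then copy to /etc/suricata/rules
    print("\n".join(render_rules()))
    print(render_yaml("/etc/suricata/rules"))
```

Run it, copy the .list files next to your rules, paste the printed rules into custom.rules and the printed stanza into suricata.yaml, then validate with suricata -T. The would_match() check is the quickest way to catch the two silent failures practitioners hit most: a mixed-case domain in the feed (never matches the lowercased http.host) and a base64 line wrapped by the encoder.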
Manual Updates: Suricata does not fetch or refresh external IOC lists on its own; regenerate the dataset files and reload or restart Suricata yourself, or through your own automation. Individual entries can also be added or removed at runtime through the unix socket with suricatasc (dataset-add and dataset-remove), which avoids a restart for small changes.
Performance Considerations: Large datasets consume memory and can slow rule matching; monitor resource usage and tune the memcap and hashsize settings under datasets in suricata.yaml, and keep rules that consult a dataset scoped to the protocol and buffer where the IOC can actually appear.
Encoding Requirements: A wrongly encoded entry does not produce an error, it simply never matches. Typical causes are base64 output wrapped across lines, uppercase characters in a domain that Suricata lowercases before lookup, and hashes stored in anything other than lowercase hex. Check the file format against Suricata's dataset documentation for the type you use.