<html><head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p
{mso-style-priority:99;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
p.msonormal0, li.msonormal0, div.msonormal0
{mso-style-name:msonormal;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
span.EmailStyle19
{mso-style-type:personal-reply;
font-family:"Arial",sans-serif;
color:windowtext;
font-weight:normal;
font-style:normal;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head><body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Arial",sans-serif">So our solution was to create a rule that would alert on a special packet that we inject to the sniffing interface. We then filter for that alert (using SID 0) and log this
to a file, the fiel is monitored by splunk and it checks to assure that the alert is triggered every 15 minutes.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Arial",sans-serif"><o:p> </o:p></span></p>
<div>
<p class="MsoNormal"><b>Charles DeVoe Jr.</b><o:p></o:p></p>
<p class="MsoNormal">Manager of Engineering<o:p></o:p></p>
<p class="MsoNormal">Multi-State Information Sharing and Analysis Center (MS-ISAC) <o:p></o:p></p>
<p class="MsoNormal">31 Tech Valley Drive<o:p></o:p></p>
<p class="MsoNormal">East Greenbush, NY 12061<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal"><a href="mailto:charles.devoe@cisecurity.org">charles.devoe@cisecurity.org</a><o:p></o:p></p>
<p class="MsoNormal">(518) 266-3494<o:p></o:p></p>
<p class="MsoNormal">7x24 Security Operations Center<o:p></o:p></p>
<p class="MsoNormal"><a href="mailto:SOC@cisecurity.org"><span style="color:#0563C1">SOC@cisecurity.org</span></a> - 1-866-787-4722<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><img border="0" width="237" height="55" style="width:2.4687in;height:.5729in" id="Picture_x0020_1" src="cid:image001.png@01D30B06.5332BDE0" alt="cid:image001.png@01D2F965.2E3564F0"><o:p></o:p></p>
<p class="MsoNormal"> <a href="https://www.facebook.com/CenterforIntSec"><span style="color:windowtext;text-decoration:none"><img border="0" width="32" height="33" style="width:.3333in;height:.3437in" id="Picture_x0020_2" src="cid:image002.png@01D30B06.5332BDE0" alt="id:image002.png@01D2926D.D9CF2E90"></span></a> <a href="https://twitter.com/CISecurity"><span style="color:windowtext;text-decoration:none"><img border="0" width="32" height="33" style="width:.3333in;height:.3437in" id="Picture_x0020_3" src="cid:image003.png@01D30B06.5332BDE0" alt="id:image003.png@01D2926D.D9CF2E90"></span></a> <a href="https://www.youtube.com/user/TheCISecurity"><span style="color:windowtext;text-decoration:none"><img border="0" width="32" height="33" style="width:.3333in;height:.3437in" id="Picture_x0020_4" src="cid:image004.png@01D30B06.5332BDE0" alt="id:image004.png@01D2926D.D9CF2E90"></span></a> <a href="https://www.linkedin.com/company/the-center-for-internet-security"><span style="color:windowtext;text-decoration:none"><img border="0" width="32" height="33" style="width:.3333in;height:.3437in" id="Picture_x0020_5" src="cid:image005.png@01D30B06.5332BDE0" alt="id:image005.png@01D2926D.D9CF2E90"></span></a><o:p></o:p></p>
</div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Arial",sans-serif"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"> Oisf-users [mailto:oisf-users-bounces@lists.openinfosecfoundation.org]
<b>On Behalf Of </b>amar countersnipe.com<br>
<b>Sent:</b> Tuesday, August 01, 2017 10:25 AM<br>
<b>To:</b> Jason Ish <ish@codemonkey.net>; oisf-users@lists.openinfosecfoundation.org; Kerry Milestone <Kerry.Milestone@ed.ac.uk><br>
<b>Subject:</b> Re: [Oisf-users] Suricata Heartbeat Alert<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><br>
<br>
<o:p></o:p></p>
<p>As we all know Suricata is an IDS engine and not an IDSystem. I generally refer to it as IDE. It's all about what you feed it and how you manage the information that it generates which determines real usage abilities.<o:p></o:p></p>
<p>My answer to the original question will be yes, there are many ways to have Suricata create heartbeat alerts. Most of them will require some add-ons to Suricata's ability to do its own task. One thing to remember is that Suricata by itself doesn't do any
alerts....it needs signatures to alert on. It's really a case of can you either create a rule or manage the regular IDS events in a manner that will alert you to a "dead" system. The answer to that is yes and in the commercial world IDS systems that rely on
Suricata as an IDE, deliver this in many ways.<o:p></o:p></p>
<p>You could setup a rule to alert on all TCP traffic between two nodes, but only raise an "alert" every hour or whatever time interval you choose. The alert I refer to is not an IDS event but an email for example. You could also setup alerts based on minimum
or maximum false positives or many other factors. All of these will require some scripting/coding/manipulation of events generated by Suricata.<o:p></o:p></p>
<p>Actually the simplest way could be to create an icmp rule, create a script to do a ping request, and then run the script as a cron job every so often. Of course you will still need to deliver the event to yourself somehow.
<o:p></o:p></p>
<p><o:p> </o:p></p>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p>On August 1, 2017 at 7:13 AM Kerry Milestone <<a href="mailto:Kerry.Milestone@ed.ac.uk">Kerry.Milestone@ed.ac.uk</a>> wrote:<o:p></o:p></p>
<p>In many ways, I believe the heartbeat for something like an IDS must be<br>
out-of-band which tests the entire service platform and not just the<br>
application itself.<o:p></o:p></p>
<p>Something which has gone through as many as possible pathways, for<br>
instance from IP -> ICMP|TCP|UDP -> stream -> app etc. Done by sending<br>
some novel payloads or maybe an odd flag set on a DNS lookup, or<br>
requesting a HTTP resource with something specific in the middle of it,<br>
hosting a URL with a slightly bent SSL signature, maybe something which<br>
is fragmented or is a long file, forcing suri to do some LUA (or Rust)<br>
if adventurous.<o:p></o:p></p>
<p>This way an agent, which sends the packets, will report ensuring that<br>
the expected alert was raised within n amount of time. It works to just<br>
graph the stats and alert on unexpected deltas, but this does not give<br>
you the safe business reliance of the heartbeat originally intended,<br>
especially so if deployed in-line. This reporting latency can be very<br>
quick and a useful measure of the system such as when using redis (1)<br>
and eve flow output.<o:p></o:p></p>
<p>Other than the fairly comprehensive stats output, I'm not sure Suricata<br>
should support a special heartbeat output (thus is internally slightly<br>
'different' to real traffic) apart from one day as part of an in-line HA<br>
instance to keep state and session(stream) databases consistent with the<br>
running peer.<o:p></o:p></p>
<p>On 31/07/17 23:22, Jason Ish wrote:<o:p></o:p></p>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p>Or, if using eve, just look for the stats event record that is published<br>
periodically. Its presence alone could be used to tell you that Suricata<br>
is alive. Values within it can be used to see if packets are actually<br>
being read.<o:p></o:p></p>
</blockquote>
<p>On 28/07/17 15:38, Jason Ish wrote:<o:p></o:p></p>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p>No, Suricata does not support this. I know others have accomplished this<br>
by using a custom rule and periodically injecting a special packet into<br>
their network as a heartbeat. This is more a complete test as it tests<br>
the actual packet reception by the monitoring system as well.<o:p></o:p></p>
</blockquote>
<p>(1) <a href="https://redis.io/topics/latency-monitor">
https://redis.io/topics/latency-monitor</a><o:p></o:p></p>
<p>--<br>
The University of Edinburgh is a charitable body, registered in<br>
Scotland, with registration number SC005336.<o:p></o:p></p>
<p>_______________________________________________<br>
Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org">
oisf-users@openinfosecfoundation.org</a><br>
Site: <a href="http://suricata-ids.org">
http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/">
http://suricata-ids.org/support/</a><br>
List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users">
https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><o:p></o:p></p>
<p>Conference: <a href="https://suricon.net">
https://suricon.net</a><br>
Trainings: <a href="https://suricata-ids.org/training/">
https://suricata-ids.org/training/</a><o:p></o:p></p>
</blockquote>
<p><o:p> </o:p></p>
<div>
<p>Kind regards<o:p></o:p></p>
<p>Amar Rathore<o:p></o:p></p>
<p style="margin-bottom:12.0pt">CounterSnipe Systems LLC <br>
Tel: +1 617 701 7213 <br>
Mobile: +44 (0) 7876 233333 <br>
Skype ID: amarrathore <br>
Web: <a href="http://www.countersnipe.com">
www.countersnipe.com</a> <<a href="http://www.countersnipe.com/">http://www.countersnipe.com/</a>>
<o:p></o:p></p>
<p><span style="font-size:8.0pt">This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately
by e-mail if you have received this e-mail by mistake and delete this e-mail from your system.</span><o:p></o:p></p>
<p><span style="font-size:8.0pt">E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender therefore does not accept liability
for any errors or omissions.</span> <o:p></o:p></p>
</div>
<p class="MsoNormal"><br>
..... <o:p></o:p></p>
</div>
This message and attachments may contain confidential information. If it appears that this message was sent to you by mistake, any retention, dissemination, distribution or copying of this message and attachments is strictly prohibited. Please notify the sender
immediately and permanently delete the message and any attachments.
<br /><br />. . . . .</body></html>