[Oisf-users] Suricata Heartbeat Alert

Kerry Milestone Kerry.Milestone at ed.ac.uk
Tue Aug 1 11:13:40 UTC 2017 

In many ways, I believe the heartbeat for something like an IDS must be
out-of-band which tests the entire service platform and not just the
application itself.

Something which has gone through as many as possible pathways, for
instance from IP -> ICMP|TCP|UDP -> stream -> app etc.  Done by sending
some novel payloads or maybe an odd flag set on a DNS lookup, or
requesting a HTTP resource with something specific in the middle of it,
hosting a URL with a slightly bent SSL signature, maybe something which
is fragmented or is a long file, forcing suri to do some LUA (or Rust)
if adventurous.

This way an agent, which sends the packets, will report ensuring that
the expected alert was raised within n amount of time.  It works to just
graph the stats and alert on unexpected deltas, but this does not give
you the safe business reliance of the heartbeat originally intended,
especially so if deployed in-line.  This reporting latency can be very
quick and a useful measure of the system such as when using redis (1)
and eve flow output.

Other than the fairly comprehensive stats output, I'm not sure Suricata
should support a special heartbeat output (thus is internally slightly
'different' to real traffic) apart from one day as part of an in-line HA
instance to keep state and session(stream) databases consistent with the
running peer.







On 31/07/17 23:22, Jason Ish wrote:
> Or, if using eve, just look for the stats event record that is published
> periodically. Its presence alone could be used to tell you that Suricata
> is alive. Values within it can be used to see if packets are actually
> being read.

On 28/07/17 15:38, Jason Ish wrote:
> No, Suricata does not support this. I know others have accomplished this
> by using a custom rule and periodically injecting a special packet into
> their network as a heartbeat. This is more a complete test as it tests
> the actual packet reception by the monitoring system as well.


(1) https://redis.io/topics/latency-monitor

-- 
The University of Edinburgh is a charitable body, registered in
Scotland, with registration number SC005336.

More information about the Oisf-users mailing list