[Oisf-users] Suricata Heartbeat Alert

amar countersnipe.com amar at countersnipe.com
Tue Aug 1 14:24:29 UTC 2017


As we all know Suricata is an IDS engine and not an IDSystem. I generally refer to it as IDE. It's all about what you feed it and how you manage the information that it generates which determines real usage abilities.

My answer to the original question will be yes, there are many ways to have Suricata create heartbeat alerts. Most of them will require some add-ons to Suricata's ability to do its own task. One thing to remember is that Suricata by itself doesn't do any alerts... it needs signatures to alert on. It's really a case of can you either create a rule or manage the regular IDS events in a manner that will alert you to a "dead" system. The answer to that is yes, and in the commercial world IDS systems that rely on Suricata as an IDE deliver this in many ways.

You could set up a rule to alert on all TCP traffic between two nodes, but only raise an "alert" every hour or whatever time interval you choose. The alert I refer to is not an IDS event but an email, for example. You could also set up alerts based on minimum or maximum false positives or many other factors. All of these will require some scripting/coding/manipulation of events generated by Suricata.

Actually the simplest way could be to create an icmp rule, create a script to do a ping request, and then run the script as a cron job every so often. Of course you will still need to deliver the event to yourself somehow.


> 
>     On August 1, 2017 at 7:13 AM Kerry Milestone <Kerry.Milestone at ed.ac.uk> wrote:
> 
>     In many ways, I believe the heartbeat for something like an IDS must be
>     out-of-band which tests the entire service platform and not just the
>     application itself.
> 
>     Something which has gone through as many as possible pathways, for
>     instance from IP -> ICMP|TCP|UDP -> stream -> app etc. Done by sending
>     some novel payloads or maybe an odd flag set on a DNS lookup, or
>     requesting a HTTP resource with something specific in the middle of it,
>     hosting a URL with a slightly bent SSL signature, maybe something which
>     is fragmented or is a long file, forcing suri to do some LUA (or Rust)
>     if adventurous.
> 
>     This way an agent, which sends the packets, will report ensuring that
>     the expected alert was raised within n amount of time. It works to just
>     graph the stats and alert on unexpected deltas, but this does not give
>     you the safe business reliance of the heartbeat originally intended,
>     especially so if deployed in-line. This reporting latency can be very
>     quick and a useful measure of the system such as when using redis (1)
>     and eve flow output.
> 
>     Other than the fairly comprehensive stats output, I'm not sure Suricata
>     should support a special heartbeat output (thus is internally slightly
>     'different' to real traffic) apart from one day as part of an in-line HA
>     instance to keep state and session(stream) databases consistent with the
>     running peer.
> 
>     On 31/07/17 23:22, Jason Ish wrote:
> 
>     > Or, if using eve, just look for the stats event record that is published
>     > periodically. Its presence alone could be used to tell you that Suricata
>     > is alive. Values within it can be used to see if packets are actually
>     > being read.
> 
>     On 28/07/17 15:38, Jason Ish wrote:
> 
>     > No, Suricata does not support this. I know others have accomplished this
>     > by using a custom rule and periodically injecting a special packet into
>     > their network as a heartbeat. This is more a complete test as it tests
>     > the actual packet reception by the monitoring system as well.
> 
>     (1) https://redis.io/topics/latency-monitor
> 
>     --
>     The University of Edinburgh is a charitable body, registered in
>     Scotland, with registration number SC005336.
> 
>     _______________________________________________
>     Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>     Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>     List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> 
>     Conference: https://suricon.net
>     Trainings: https://suricata-ids.org/training/
> 


Kind regards

Amar Rathore

CounterSnipe Systems LLC
Tel: +1 617 701 7213
Mobile: +44 (0) 7876 233333
Skype ID: amarrathore
Web: http://www.countersnipe.com/


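A defensive liveness check that ties together the two approaches discussed in this thread (Jason Ish's periodic eve stats record, and a local rule that fires on an injected heartbeat packet), added here as an example and not code from anyone in the thread. It assumes eve.json output is enabled, that a local rule with the hypothetical sid 9000001 alerts on the injected probe, and uses the constructed sample records embedded below; a cron job would feed it the tail of the real eve.json and the current UTC time.

```python
import json
from datetime import datetime

# Constructed sample eve.json records (not real Suricata output). The heartbeat
# rule's sid 9000001 is a hypothetical local rule number chosen for this example.
SAMPLE_EVE = """\
{"timestamp":"2017-08-01T14:20:00.000000+0000","event_type":"stats","stats":{"uptime":600,"capture":{"kernel_packets":1000,"kernel_drops":0}}}
{"timestamp":"2017-08-01T14:20:05.000000+0000","event_type":"alert","alert":{"signature_id":9000001,"signature":"LOCAL heartbeat probe"}}
{"timestamp":"2017-08-01T14:20:10.000000+0000","event_type":"stats","stats":{"uptime":610,"capture":{"kernel_packets":1500,"kernel_drops":0}}}
"""
HEARTBEAT_SID = 9000001

def parse_ts(ts):
    # eve timestamps look like 2017-08-01T14:20:00.000000+0000
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z")

def check_heartbeat(eve_lines, now, max_age, sid=HEARTBEAT_SID):
    """stats_fresh: a stats record within max_age s (engine alive);
    packets_moving: kernel_packets rose between the last two stats records
    (traffic is really being read); probe_seen: the heartbeat rule alerted
    within max_age s (capture -> detection -> output works end to end)."""
    stats, last_probe = [], None
    for line in eve_lines:
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("event_type") == "stats":
            stats.append(rec)
        elif rec.get("event_type") == "alert" and rec["alert"].get("signature_id") == sid:
            last_probe = rec

    def age(rec):
        return (now - parse_ts(rec["timestamp"])).total_seconds()

    result = {"stats_fresh": False, "packets_moving": False, "probe_seen": False}
    if stats:
        result["stats_fresh"] = age(stats[-1]) <= max_age
    if len(stats) >= 2:
        prev = stats[-2]["stats"]["capture"]["kernel_packets"]
        cur = stats[-1]["stats"]["capture"]["kernel_packets"]
        result["packets_moving"] = cur > prev
    if last_probe is not None:
        result["probe_seen"] = age(last_probe) <= max_age
    result["healthy"] = all(result.values())
    return result

def run_sample(now_iso, max_age=60):
    # Evaluate the constructed records at a chosen "now"; a cron job would instead
    # read the tail of the real eve.json and pass the current UTC time.
    return check_heartbeat(SAMPLE_EVE.splitlines(), parse_ts(now_iso), max_age)
```

Any of the three flags going false is the condition to turn into an email or other notification, which, as noted above, still has to be delivered by something outside Suricata.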