[Oisf-users] Suricata Heartbeat Alert

Charles Devoe Charles.Devoe at cisecurity.org
Wed Aug 2 00:39:51 UTC 2017

So our solution was to create a rule that would alert on a special packet that we inject to the sniffing interface.  We then filter for that alert (using SID 0) and log this to a file, the fiel is monitored by splunk and it checks to assure that the alert is triggered every 15 minutes.

Charles DeVoe Jr.
Manager of Engineering
Multi-State Information Sharing and Analysis Center (MS-ISAC)
31 Tech Valley Drive
East Greenbush, NY 12061

charles.devoe at cisecurity.org<mailto:charles.devoe at cisecurity.org>
(518) 266-3494
7x24 Security Operations Center
SOC at cisecurity.org<mailto:SOC at cisecurity.org> - 1-866-787-4722

[cid:image001.png at 01D2F965.2E3564F0]
       [id:image002.png at 01D2926D.D9CF2E90] <https://www.facebook.com/CenterforIntSec>     [id:image003.png at 01D2926D.D9CF2E90] <https://twitter.com/CISecurity>    [id:image004.png at 01D2926D.D9CF2E90] <https://www.youtube.com/user/TheCISecurity>     [id:image005.png at 01D2926D.D9CF2E90] <https://www.linkedin.com/company/the-center-for-internet-security>

From: Oisf-users [mailto:oisf-users-bounces at lists.openinfosecfoundation.org] On Behalf Of amar countersnipe.com
Sent: Tuesday, August 01, 2017 10:25 AM
To: Jason Ish <ish at codemonkey.net>; oisf-users at lists.openinfosecfoundation.org; Kerry Milestone <Kerry.Milestone at ed.ac.uk>
Subject: Re: [Oisf-users] Suricata Heartbeat Alert

As we all know Suricata is an IDS engine and not an IDSystem. I generally refer to it as IDE. It's all about what you feed it and how you manage the information that it generates which determines real usage abilities.

My answer to the original question will be yes, there are many ways to have Suricata create heartbeat alerts. Most of them will require some add-ons to Suricata's ability to do its own task. One thing to remember is that Suricata by itself doesn't do any alerts....it needs signatures to alert on. It's really a case of can you either create a rule or manage the regular IDS events in a manner that will alert you to a "dead" system. The answer to that is yes and in the commercial world IDS systems that rely on Suricata as an IDE, deliver this in many ways.

You could setup a rule to alert on all TCP traffic between two nodes, but only raise an "alert" every hour or whatever time interval you choose. The alert I refer to is not an IDS event but an email for example. You could also setup alerts based on minimum or maximum false positives or many other factors. All of these will require some scripting/coding/manipulation of events generated by Suricata.

Actually the simplest way could be to create an icmp rule, create a script to do a ping request, and then run the script as a cron job every so often. Of course you will still need to deliver the event to yourself somehow.

On August 1, 2017 at 7:13 AM Kerry Milestone <Kerry.Milestone at ed.ac.uk<mailto:Kerry.Milestone at ed.ac.uk>> wrote:

In many ways, I believe the heartbeat for something like an IDS must be
out-of-band which tests the entire service platform and not just the
application itself.

Something which has gone through as many as possible pathways, for
instance from IP -> ICMP|TCP|UDP -> stream -> app etc. Done by sending
some novel payloads or maybe an odd flag set on a DNS lookup, or
requesting a HTTP resource with something specific in the middle of it,
hosting a URL with a slightly bent SSL signature, maybe something which
is fragmented or is a long file, forcing suri to do some LUA (or Rust)
if adventurous.

This way an agent, which sends the packets, will report ensuring that
the expected alert was raised within n amount of time. It works to just
graph the stats and alert on unexpected deltas, but this does not give
you the safe business reliance of the heartbeat originally intended,
especially so if deployed in-line. This reporting latency can be very
quick and a useful measure of the system such as when using redis (1)
and eve flow output.

Other than the fairly comprehensive stats output, I'm not sure Suricata
should support a special heartbeat output (thus is internally slightly
'different' to real traffic) apart from one day as part of an in-line HA
instance to keep state and session(stream) databases consistent with the
running peer.

On 31/07/17 23:22, Jason Ish wrote:

Or, if using eve, just look for the stats event record that is published
periodically. Its presence alone could be used to tell you that Suricata
is alive. Values within it can be used to see if packets are actually
being read.

On 28/07/17 15:38, Jason Ish wrote:

No, Suricata does not support this. I know others have accomplished this
by using a custom rule and periodically injecting a special packet into
their network as a heartbeat. This is more a complete test as it tests
the actual packet reception by the monitoring system as well.

(1) https://redis.io/topics/latency-monitor<https://redis.io/topics/latency-monitor>

The University of Edinburgh is a charitable body, registered in
Scotland, with registration number SC005336.

Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org<mailto:oisf-users at openinfosecfoundation.org>
Site: http://suricata-ids.org<http://suricata-ids.org> | Support: http://suricata-ids.org/support/<http://suricata-ids.org/support/>
List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users<https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users>

Conference: https://suricon.net<https://suricon.net>
Trainings: https://suricata-ids.org/training/<https://suricata-ids.org/training/>

Kind regards

Amar Rathore

CounterSnipe Systems LLC
Tel: +1 617 701 7213
Mobile: +44 (0) 7876 233333
Skype ID: amarrathore
Web: www.countersnipe.com<http://www.countersnipe.com> <http://www.countersnipe.com/<http://www.countersnipe.com/>>

This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system.

E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender therefore does not accept liability for any errors or omissions.

This message and attachments may contain confidential information. If it appears that this message was sent to you by mistake, any retention, dissemination, distribution or copying of this message and attachments is strictly prohibited. Please notify the sender immediately and permanently delete the message and any attachments.

. . . . .
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20170802/b27fc1ba/attachment-0002.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.png
Type: image/png
Size: 14323 bytes
Desc: image001.png
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20170802/b27fc1ba/attachment-0010.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image002.png
Type: image/png
Size: 1892 bytes
Desc: image002.png
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20170802/b27fc1ba/attachment-0011.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image003.png
Type: image/png
Size: 2176 bytes
Desc: image003.png
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20170802/b27fc1ba/attachment-0012.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image004.png
Type: image/png
Size: 1889 bytes
Desc: image004.png
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20170802/b27fc1ba/attachment-0013.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image005.png
Type: image/png
Size: 2058 bytes
Desc: image005.png
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20170802/b27fc1ba/attachment-0014.png>

More information about the Oisf-users mailing list