Outreachy Internship: Improve suricata-update

Hi there!
It’s been 5 weeks since I started my journey of outreachy internship working with OISF on the project suricata-update. In this blog post, I’ll be explaining my project and what I’ve been working on so far.

About my internship project

The name of the project I’m working on is “Improve suricata-update”. Suricata-update is a subproject of Suricata. Since suricata is too big of a project, I’ll try to explain it from what I’ve read and understood.

What is Suricata?

Suricata is a free and open source network threat detection engine that provides capabilities including real-time intrusion detection (IDS), inline intrusion prevention (IPS), network security monitoring and offline pcap processing. It inspects the network traffic using a powerful and extensive rules and signature language and performs very well for detection of complex threats and attacks.

What is Suricata-update?

Suricata-update is a tool for downloading and managing the rulesets for Suricata. It makes it easier for users to find available rule sets, as well as allowing rule writers to make their rules more discoverable. These rulesets are defined by some security sources like proofpoint, secureworks, etc.

Features of suricata-update include:

  • Default to Emerging Threats Open ruleset if no configuration provided.
  • Automatic discovery of Suricata version for use in rule set URLs.
  • Flowbit resolution
  • Enable, disable, drop and modify filters that should be familiar to users of Pulled Pork and Oinkmaster.
  • Easy enabling of additional rule sets from the index.

Suricata Rules

A rule/signature is a notation made up of certain keywords and options in a language that Suricata understands so that it is possible to detect and/or prevent a threat to the system that Suricata is monitoring. It consists of the following:

  • The action, that determines what happens when the signature matches
  • The header, defining the protocol, IP addresses, ports and direction of the rule.
  • The rule options, defining the specifics of the rule.

An example of a rule taken from an open database of Emerging Threats is as follows:

drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:”ET TROJAN Likely Bot Nick in IRC (USA +..)”; flow:established,to_server; flowbits:isset,is_proto_irc; content:”NICK “; pcre:”/NICK .*USA.*[0-9]{3,}/i”; reference:url,doc.emergingthreats.net/2008124; classtype:trojan-activity; sid:2008124; rev:2;)

In this example drop is the action, tcp $HOME_NET any -> $EXTERNAL_NET anyis the header and rest of the part are the options. To know more about rule sets please follow this link.

Suricata-update options

Suricata-update provides various command line options and arguments to pass parameters to the programs. These are the command-line options for suricata-update:

The detailed functionality of these options can be seen here.

Improve suricata-update project

For my internship, I am working on improving suricata-update. Tech stack of the project is Python. I have completed the following tasks for the project:

  • Fixed a bug related to –no-merge command
  • Cleanup unused and scattered imports
  • Improved permission warnings for non-root users
  • Updated docs to setup directories with correct permissions
  • Separated code for rule matching
  • Logged warning on duplicate Sid

I have mentioned about description of some of these tasks in my previous blogs.
I’m still working on the following tasks:

  • Separate code for command line parsers: Parsers module is broken into smaller functions based on different parsers with reduced repetitions of add_argument by storing the arguments in a tuple and adding the parsers to the loop thus making code cleaner and compact.
  • Adding a –offline command line option: Currently, suricata-update downloads the rules going online over the net and there’s no such command as “offline” preventing from downloading over the net and using cached files. Therefore, I am working on adding a command line option –offline which uses locally cached latest version of rules without trying to download rules from sources.
  • Redo variable and function names reserved for Python: Working on changing conflicting variable and function names which suricata-update uses like “filter” which are reserved for use in Python standard modules.

For the next task I’ll be working on checking versions of suricata and suricata-update by adding a “–check-versions” command.

By contributing to the project I am able to learn the internals of Suricata. There have been many hurdles along the way throughout my journey, but there are always such supporting and helping mentors for guiding me.

I hope I was able to give an overview of the project. Thanks for reading. Stay tuned for more updates.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s