Suricata Configuration Profiles

The Suricata configuration profiles that IDSTower offers a best-practice based configuration that slightly differ from the standard configuration that is shipped with Suricata.

The main differences are:

  1. Each event type is written in a dedicated file

Normally, Suricata will write all of the events/alerts/stats records into eve.json file, In IDSTower records are written to three different files:

  • suricata-stats.json: this file contains the Suricata’s health stats.

  • suricata-alerts.json: this file contains Alerts generated by Suricata.

  • suricata-nsm.json: this file contains network transactions (eg: http events) that are generated by Suricata.

For both suricata-alerts.json and suricata-nsm.json, the “threaded” option is enabled to increase the performance of the record writing, moreover the “community-id” option is enabled as well.

  1. For Alerts, both the payload and payload-printable options are enabled, this is to give the analyst the ability to better investigate the root cause of the alert.

  2. IP Reputation feature is enabled and used to alert on Indicators of Compromise (IOCs) of IP type.

  3. The “default-rule-path” option is set to “/etc/suricata/rules” and three different rules files are loaded:

  • idstower_suricata.rules: this file contains all the enabled rules in IDSTower, the file is dynamically updated every 5 minutes so that it reflects any rules changed in IDSTower.

  • idstower_iprep_indicators.rules: contains the rules used to alert on IP IOCs.

  • idstower_datasets_indicators.rules: contains the rules used to alert on IOCs (eg: FQDNs, hashes…etc).