Suricata – The Open Source IDS/IPS

I recently listened to an episode of my favorite network security podcast, PaulDotCom Security Weekly, and gained interest in a project that was discussed in a segment of the show. Episode 198 can be listened to here. The episode featured a guest interview with Matt Jonkman and Will Metcalf, who are both involved in the Suricata Project. Suricata is an open source Intrusion Detection and Prevention System developed by the Open Information Security Foundation (OISF), which is funded by the Department of Homeland Security. The project has used approximately $1 million in tax dollars to date, so it may be of interest to anyone in the public. The first stable release is going to be available on July 1st, 2010 and can be downloaded from the OISF website.

The goal of the project isn't necessarily to build a drop-in replacement for an existing IDS, but to bring the community together to identify current and future IDS/IPS needs and desires. Since the project is publicly funded, it holds yearly brainstorming sessions that anyone is welcome to join, where new ideas and needs are discussed.

According to the interview, IDS development lags where it should be, particularly in terms of automation. They compared it to the early days of anti-virus, when many tasks had to be performed manually by the user, whereas nowadays the software runs almost entirely in the background with minimal user interaction. They claimed that most IDSs run in log-only (detection) mode rather than inline (prevention) mode because they aren't reliable enough to block or allow traffic without some kind of administrative interaction.

To achieve this automation, one of the features they are working on is an IP reputation system, which is currently still in beta development. The IP reputation system acts as a form of behavioral detection: many different rules are evaluated against a particular IP address and combined into an overall score, and different rules carry different weights, since certain behaviors are much more suspicious and potentially harmful to a network than others. If that score is over the threshold set by the administrator, the IP will be blocked. This is a much better system than a plain IP blacklist, because there will clearly be IPs that aren't flagged as dangerous but are going to be used for malicious purposes. The interviewees said that Cisco also has a similar system and has had great success with it. I have also heard of IP reputation systems being used by email administrators to block spam more effectively.
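To make the weighted-score idea concrete, here is a small illustrative model in Python. It is an added example written for this post, not Suricata's or OISF's code: the rule names, their weights, the sample observations and the blacklist are all constructed for the demonstration. It scores each source IP by summing the weights of the rules that fired for it, blocks when the score exceeds an administrator-chosen threshold, and contrasts that verdict with a static blacklist for the same hosts.

```python
"""Illustrative weighted IP reputation scoring (added example, not Suricata's own code)."""
from collections import defaultdict
from ipaddress import ip_address

# Hypothetical rule weights (assumption, not Suricata's real rule set): a
# malware callback is far more damning than a single login at an odd hour,
# so it contributes much more to the host's score.
RULE_WEIGHTS = {
    "malware_callback": 80,
    "port_scan": 40,
    "ssh_bruteforce": 30,
    "spam_relay": 25,
    "odd_hours_login": 5,
}

# Constructed sample observations: (source IP, rule that fired).
SAMPLE_EVENTS = [
    ("203.0.113.5", "port_scan"),
    ("203.0.113.5", "ssh_bruteforce"),
    ("198.51.100.7", "spam_relay"),
    ("192.0.2.10", "odd_hours_login"),
]

# Constructed static blacklist: only one of the three hosts is on it.
SAMPLE_BLACKLIST = {"198.51.100.7"}


def score_hosts(events, weights=RULE_WEIGHTS):
    """Sum the weight of every rule that fired for each source IP."""
    scores = defaultdict(int)
    for src, rule in events:
        if rule not in weights:
            raise ValueError(f"unknown rule {rule!r}")
        # ip_address() validates the string and normalises its textual form.
        scores[str(ip_address(src))] += weights[rule]
    return dict(scores)


def reputation_blocks(scores, threshold):
    """Block when the accumulated score is over the administrator's threshold."""
    return {ip: score > threshold for ip, score in scores.items()}


def blacklist_blocks(ips, blacklist):
    """The cut-and-dry alternative: block only if the exact IP is listed."""
    return {ip: ip in blacklist for ip in ips}


def compare(events=SAMPLE_EVENTS, blacklist=SAMPLE_BLACKLIST, threshold=60):
    """Per-host view of the score, the reputation verdict and the blacklist verdict."""
    scores = score_hosts(events)
    rep = reputation_blocks(scores, threshold)
    bl = blacklist_blocks(scores, blacklist)
    return {
        ip: {"score": scores[ip], "reputation_block": rep[ip], "blacklist_block": bl[ip]}
        for ip in scores
    }


if __name__ == "__main__":
    for host, verdict in compare().items():
        print(host, verdict)
```

With the constructed data, 203.0.113.5 (a port scan followed by SSH brute forcing, score 70) is blocked by reputation even though no blacklist knows it, while the blacklisted 198.51.100.7 scores only 25 and would pass the reputation check alone; the single odd-hours login from 192.0.2.10 is not enough to block on its own. A real deployment would also need scores to age out and the weights to be tuned per network, which this toy model leaves to the administrator.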

Another key feature they addressed with Suricata was that it runs on a multi-threaded engine, which they said no other IDS currently does. I found this hard to believe considering how long multi-core processing has been around, but the interviewees said that this feature alone would be worth switching for. If you are interested, listen to the podcast interview or check out the OISF website.