Suricata Sensors

This section guides you through the possible configuration scenarios for using vanilla Suricata sensors with Clear NDR® Central Server.

Register a Suricata Sensor

Preparing a Suricata Sensor

A Suricata sensor can be any of the following major Linux distributions:

  • CentOS

  • Debian

  • Fedora

  • RedHat

  • SUSE

  • Ubuntu

that has Suricata running as a service.

On the remote sensors (whose rulesets and/or log data are to be managed) you need to have the following in place:

  • Default Python version > 2.6 (Python 3 is not supported)

  • A user called ams dedicated to the CNCS connection

  • Passwordless sudo for that ams user

  • The home directory /home/ams/ for that user exists

  • The rsync package is installed

  • SSH enabled

  • Suricata can be started/restarted/stopped as a service via sudo, i.e. service suricata restart, service suricata start, service suricata stop

  • The Suricata config file is located at /etc/suricata/suricata.yaml

  • The rule section in suricata.yaml contains only the scirius.rules file

NOTE: Other rules need to be commented out as shown below:

[Figure: detail of a rule set up for CNCS]

NOTE: On CentOS based sensors:

  • The option Defaults requiretty in /etc/sudoers needs to be commented out

  • /etc/hostname needs to be set with the Clear NDR® Central Server IP/name information for log shipping
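The requirements above are easy to get slightly wrong on a host that was not built for this purpose (a second rule file left enabled, requiretty still active on CentOS). The script below is an added preflight check, not a Stamus Networks tool, that reads the host and reports PASS/FAIL for each item in the list. It assumes the paths named above (/etc/suricata/suricata.yaml, /etc/sudoers, /home/ams), that the default interpreter is reachable as python, that Suricata is controlled with the service command, and that the rule section is the standard rule-files: list with one entry per line (commented entries start with #). The function names and the --run flag are this example's own.

```shell
#!/bin/sh
# Preflight check for a vanilla Suricata sensor before it is registered in
# Clear NDR Central Server (CNCS). Added example, not a Stamus Networks tool:
# it only reads the host and reports PASS/FAIL per requirement.
# Paths are the ones the requirements list names; override via environment.
SURICATA_YAML="${SURICATA_YAML:-/etc/suricata/suricata.yaml}"
SUDOERS="${SUDOERS:-/etc/sudoers}"
AMS_USER="${AMS_USER:-ams}"

# Print the rule files enabled under the top-level 'rule-files:' key of a
# suricata.yaml, one per line. Commented-out entries ('#  - x.rules' or
# '  # - x.rules') are skipped; scanning stops at the next top-level key.
rule_files_enabled() {
    awk '
        /^rule-files:/ { in_list = 1; next }
        in_list && /^[^[:space:]#]/ { in_list = 0 }
        in_list && /^[[:space:]]*-[[:space:]]*[^#[:space:]]/ {
            sub(/^[[:space:]]*-[[:space:]]*/, ""); print
        }
    ' "$1"
}

# 0 when scirius.rules is the only enabled rule file (the CNCS requirement).
check_rule_files() {
    [ "$(rule_files_enabled "$1")" = "scirius.rules" ]
}

# 0 when no active 'Defaults requiretty' line exists in the given sudoers
# file (the CentOS requirement; a commented-out line is fine).
check_requiretty() {
    ! grep -Eq '^[[:space:]]*Defaults[[:space:]]+requiretty' "$1"
}

# 0 when the version string (e.g. 2.7.18) is above 2.6 and not Python 3.
check_python_version() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    [ "$major" -eq 2 ] && [ "$minor" -gt 6 ]
}

# 0 when sudo lists a NOPASSWD entry for the user (querying needs root).
check_sudo_nopasswd() {
    sudo -n -l -U "$1" 2>/dev/null | grep -q NOPASSWD
}

status=0
# Usage: report "<label>" <command...>; the command's output is discarded.
report() {
    label=$1; shift
    if "$@" >/dev/null 2>&1; then
        echo "PASS: $label"
    else
        echo "FAIL: $label"; status=1
    fi
}

# Live checks against this host; run as root with: sh sensor-preflight.sh --run
preflight() {
    pyver=$(python -c 'import platform; print(platform.python_version())' 2>/dev/null)
    report "default python > 2.6 and not 3 (found: ${pyver:-none})" check_python_version "$pyver"
    report "user $AMS_USER exists"                        id "$AMS_USER"
    report "home directory /home/$AMS_USER present"        test -d "/home/$AMS_USER"
    report "passwordless sudo for $AMS_USER"               check_sudo_nopasswd "$AMS_USER"
    report "rsync installed"                              command -v rsync
    report "sshd running"                                 pgrep -x sshd
    report "suricata manageable as a service"             service suricata status
    report "$SURICATA_YAML readable"                      test -r "$SURICATA_YAML"
    report "only scirius.rules enabled in $SURICATA_YAML" check_rule_files "$SURICATA_YAML"
    report "Defaults requiretty not active in $SUDOERS"   check_requiretty "$SUDOERS"
    return $status
}

if [ "${1:-}" = "--run" ]; then
    preflight
fi
```

The file-based checks (check_rule_files, check_requiretty) take a path, so they can be pointed at a copy of the sensor's files before anything is changed on the host; the live checks need root only for the sudoers and sudo -l queries. A non-zero exit means at least one requirement is not met and registration in CNCS will fail or leave the sensor unmanageable.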

NOTE: The password of the ams user is used as a one-time password for probe registration in the Clear NDR® Central Server interface.

Once the Suricata sensor has been registered, CNCS resets the password of the ams user. After that, Clear NDR® Central Server uses SSH key pair communication only.

Shipping logs from a Suricata Sensor

Clear NDR® Central Server also offers the possibility to centralize logs from a remote Suricata sensor installation. You can enable that feature at any time for a particular Suricata sensor; see Step 3 (optional) below.

Adding a remote sensor for the first time

After all requirements are in place you can add the sensor to CNCS as follows:

Step 1

In CNCS, go to Appliances and, on the left hand side under Appliance handling, click on Add probe. Fill in the information as suggested in the example below. Note that you can add/choose a ruleset at a later stage if you prefer:

[Figure: Add Suricata Sensor/probe for rule management in CNCS]

NOTE: Please make sure the selected Type is Suricata for appliances not issued by Stamus.

NOTE: If the IP address of the remote installation changes, it needs to be updated in these settings as well.

Step 2

Go to Appliances, select the newly added sensor/probe, click on Edit (under the Action tab on the left hand side), check that the information is correct, click on Interfaces and select the sniffing interface for the probe, then click Submit:

[Figure: Add Suricata Sensor/probe for rule management in CNCS]

This step concludes the registration of the probe with CNCS for rule management.

Step 3 (optional)

If you would like to ship the logs from the remote Suricata sensor to Clear NDR® Central Server, go to Appliances, select the newly added sensor, click on Edit (under the Action tab on the left hand side), check that the information is correct, click on Settings, check the box Install filebeat and click Submit. Under Pending modifications on the left hand side panel select Apply changes. You can either schedule the change or apply it directly.

NOTE: After executing the steps above, you need to perform an Update/Push Ruleset in order to enable log shipping from the remote Suricata sensor to Clear NDR® Central Server.

To do that, go to Appliances and select Update rulesets from the Action panel on the left. Then select the relevant remote Suricata sensor in the Appliances table, tick the Actions checkbox and click the Apply button. Once the Update/Push Ruleset task has finished, logs should start arriving at CNCS.