npx skills add mukul975/Anthropic-Cybersecurity-SkillsMITRE ATT&CK
When to Use
- Deploying a high-performance IDS/IPS capable of multi-threaded packet processing for 10+ Gbps network links
- Monitoring network traffic with protocol-aware inspection for HTTP, TLS, DNS, SMB, and other protocols
- Generating structured EVE JSON logs for direct SIEM ingestion without custom parsers
- Running in inline (IPS) mode to actively block malicious traffic at network choke points
- Combining signature-based detection with protocol anomaly detection and file extraction
Do not use as a standalone security solution without complementary controls, for encrypted traffic inspection without TLS decryption capabilities, or on systems with insufficient CPU/memory for the expected traffic volume.
Prerequisites
- Suricata 7.0+ installed from PPA or source (
suricata --build-info) - Network interface on a span port, tap, or inline bridge for traffic capture
- AF_PACKET or DPDK support for high-performance packet capture
- Emerging Threats Open or Pro ruleset subscription (or Snort Talos rules via oinkcode)
- suricata-update tool for automated rule management
- Elasticsearch/Kibana or Splunk for log analysis and visualization
Workflow
Step 1: Install Suricata and Dependencies
# Install from PPA (Ubuntu/Debian)
sudo add-apt-repository ppa:oisf/suricata-stable
sudo apt update
sudo apt install -y suricata suricata-update jq
# Verify installation
suricata --build-info | grep -E "Version|AF_PACKET|NFQueue"
# Or install from source for latest features
sudo apt install -y libpcre2-dev build-essential autoconf automake libtool \
libpcap-dev libnet1-dev libyaml-dev libjansson-dev libcap-ng-dev \
libmagic-dev libnetfilter-queue-dev libhiredis-dev rustc cargo cbindgen
git clone https://github.com/OISF/suricata.git
cd suricata && git clone https://github.com/OISF/libhtp.git -b 0.5.x
./autogen.sh && ./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var \
--enable-nfqueue --enable-af-packet
make -j$(nproc) && sudo make install install-confStep 2: Configure Network Interfaces
# Disable NIC offloading features
sudo ethtool -K eth1 gro off lro off tso off gso off rx off tx off sg off
# Set interface to promiscuous mode
sudo ip link set eth1 promisc on
# For high-performance deployments, configure AF_PACKET with multiple threads
# Edit /etc/suricata/suricata.yamlStep 3: Configure suricata.yaml
# /etc/suricata/suricata.yaml (key sections)
# Network variables
vars:
address-groups:
HOME_NET: "[10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16]"
EXTERNAL_NET: "!$HOME_NET"
HTTP_SERVERS: "$HOME_NET"
DNS_SERVERS: "$HOME_NET"
SMTP_SERVERS: "$HOME_NET"
# Default rule path
default-rule-path: /var/lib/suricata/rules
rule-files:
- suricata.rules
# AF_PACKET configuration for high performance
af-packet:
- interface: eth1
threads: auto
cluster-id: 99
cluster-type: cluster_flow
defrag: yes
use-mmap: yes
ring-size: 200000
buffer-size: 262144
# EVE JSON logging (primary output format)
outputs:
- eve-log:
enabled: yes
filetype: regular
filename: eve.json
pcap-file: false
community-id: true
types:
- alert:
tagged-packets: yes
payload: yes
payload-printable: yes
http-body: yes
http-body-printable: yes
- http:
extended: yes
- dns:
query: yes
answer: yes
- tls:
extended: yes
- files:
force-magic: yes
force-hash: [md5, sha256]
- smtp:
extended: yes
- flow
- netflow
- anomaly:
enabled: yes
- stats:
totals: yes
threads: yes
# PCAP logging for captured packets that trigger alerts
- pcap-log:
enabled: yes
filename: alert-%n.pcap
limit: 100mb
max-files: 50
mode: normal
use-stream-depth: no
honor-pass-rules: no
# Stream engine settings
stream:
memcap: 512mb
checksum-validation: no
reassembly:
memcap: 1gb
depth: 1mb
toserver-chunk-size: 2560
toclient-chunk-size: 2560
# Detection engine
detect:
profile: high
custom-values:
toclient-groups: 200
toserver-groups: 200
sgh-mpm-context: auto
inspection-recursion-limit: 3000
# Protocol detection and parsing
app-layer:
protocols:
http:
enabled: yes
memcap: 64mb
tls:
enabled: yes
detection-ports:
dp: 443, 8443
ja3-fingerprints: yes
dns:
enabled: yes
tcp:
enabled: yes
udp:
enabled: yes
smb:
enabled: yes
detection-ports:
dp: 139, 445
ssh:
enabled: yes
hassh: yesStep 4: Download and Manage Rulesets
# Update Suricata rules using suricata-update
sudo suricata-update
# Enable additional rule sources
sudo suricata-update list-sources
sudo suricata-update enable-source et/open
sudo suricata-update enable-source oisf/trafficid
sudo suricata-update enable-source ptresearch/attackdetection
# Update with all enabled sources
sudo suricata-update
# Check rule statistics
sudo suricata-update list-sources --enabled
wc -l /var/lib/suricata/rules/suricata.rules
# Disable noisy rules
sudo tee /etc/suricata/disable.conf << 'EOF'
# Disable overly broad rules
2100498
2013028
2210000-2210050
group:emerging-policy.rules
EOF
# Create custom local rules
sudo tee /etc/suricata/rules/local.rules << 'EOF'
# Detect reverse shell connections
alert tcp $HOME_NET any -> $EXTERNAL_NET 4444 (msg:"LOCAL Reverse Shell Port 4444"; flow:established,to_server; content:"|2f 62 69 6e 2f|"; sid:9000001; rev:1; classtype:trojan-activity; priority:1;)
# Detect DNS tunneling by query length
alert dns $HOME_NET any -> any any (msg:"LOCAL DNS Tunneling Long Query"; dns.query; content:"."; offset:50; sid:9000002; rev:1; classtype:policy-violation; priority:2;)
# Detect TLS to suspicious JA3 hash (Cobalt Strike default)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"LOCAL Cobalt Strike JA3 Hash"; ja3.hash; content:"72a589da586844d7f0818ce684948eea"; sid:9000003; rev:1; classtype:trojan-activity; priority:1;)
# Detect SSH brute force
alert ssh $EXTERNAL_NET any -> $HOME_NET 22 (msg:"LOCAL SSH Brute Force Attempt"; flow:to_server; threshold:type both, track by_src, count 10, seconds 60; sid:9000004; rev:1; classtype:attempted-admin; priority:2;)
# Detect data exfiltration via HTTP POST (large uploads)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"LOCAL Large HTTP POST Upload"; flow:to_server,established; http.method; content:"POST"; http.content_len; content:">"; byte_test:8,>,10000000,0,string; sid:9000005; rev:1; classtype:policy-violation; priority:2;)
EOF
# Add local rules to configuration
echo " - local.rules" | sudo tee -a /etc/suricata/suricata.yamlStep 5: Deploy and Validate
# Validate configuration
sudo suricata -T -c /etc/suricata/suricata.yaml -v
# Run Suricata in IDS mode
sudo suricata -c /etc/suricata/suricata.yaml --af-packet=eth1 -D
# Or run in IPS mode (inline with NFQueue)
# First configure iptables to send traffic to NFQueue
# sudo iptables -I FORWARD -j NFQUEUE --queue-num 0
# sudo suricata -c /etc/suricata/suricata.yaml -q 0 -D
# Create systemd service
sudo tee /etc/systemd/system/suricata.service << 'EOF'
[Unit]
Description=Suricata IDS/IPS
After=network.target
Requires=network.target
[Service]
Type=simple
ExecStartPre=/usr/bin/suricata -T -c /etc/suricata/suricata.yaml
ExecStart=/usr/bin/suricata -c /etc/suricata/suricata.yaml --af-packet=eth1 --pidfile /var/run/suricata.pid
ExecReload=/bin/kill -USR2 $MAINPID
Restart=on-failure
[Install]
WantedBy=multi-user.target
EOF
sudo systemctl enable --now suricata
# Test with a known signature
curl http://testmynids.org/uid/index.html
# Should trigger ET GPL rule for uid.
# Verify alerts are generated
sudo tail -f /var/log/suricata/eve.json | jq 'select(.event_type=="alert")'Step 6: Integrate with SIEM and Monitor
# Parse EVE JSON with jq for quick analysis
# Top 10 alerts
cat /var/log/suricata/eve.json | jq -r 'select(.event_type=="alert") | .alert.signature' | sort | uniq -c | sort -rn | head -10
# Extract IOCs from alerts
cat /var/log/suricata/eve.json | jq -r 'select(.event_type=="alert") | [.timestamp, .src_ip, .dest_ip, .alert.signature, .alert.severity] | @csv' > alert_summary.csv
# JA3 fingerprint analysis
cat /var/log/suricata/eve.json | jq -r 'select(.event_type=="tls") | [.src_ip, .tls.ja3.hash, .tls.sni] | @csv' | sort | uniq -c | sort -rn
# DNS query analysis
cat /var/log/suricata/eve.json | jq -r 'select(.event_type=="dns" and .dns.type=="query") | [.src_ip, .dns.rrname, .dns.rrtype] | @csv' | sort | uniq -c | sort -rn | head -20
# Configure Filebeat for Elastic integration
sudo tee /etc/filebeat/modules.d/suricata.yml << 'EOF'
- module: suricata
eve:
enabled: true
var.paths: ["/var/log/suricata/eve.json"]
EOF
sudo filebeat modules enable suricata
sudo systemctl restart filebeat
# Monitor Suricata performance
cat /var/log/suricata/eve.json | jq 'select(.event_type=="stats") | .stats.capture' | tail -1
# Check for packet drops: kernel_drops should be 0Key Concepts
| Term | Definition |
|---|---|
| EVE JSON | Suricata's primary logging format producing structured JSON events for alerts, protocol metadata, flow records, and statistics |
| AF_PACKET | Linux kernel packet capture mechanism used by Suricata for high-performance traffic capture with kernel-bypass capabilities |
| JA3/JA3S | TLS fingerprinting method that creates hash values from TLS Client Hello and Server Hello parameters for identifying applications and malware |
| HASSH | SSH fingerprinting method similar to JA3 that creates hashes from SSH key exchange parameters to identify SSH client and server implementations |
| Community ID | Standardized flow identifier hash that enables correlation of the same network flow across different monitoring tools (Suricata, Zeek, Wireshark) |
| suricata-update | Official rule management tool that downloads, merges, and manages multiple rulesets with enable/disable controls |
Tools & Systems
- Suricata 7.0+: Open-source multi-threaded IDS/IPS/NSM engine with protocol detection, file extraction, and JA3/HASSH fingerprinting
- suricata-update: Ruleset management tool supporting ET Open, ET Pro, Snort rules, and custom rule sources
- Elastic Stack (ELK): Log aggregation and visualization platform with native Suricata module in Filebeat for dashboards and alerting
- Scirius: Web-based Suricata rule management interface for editing, enabling/disabling, and monitoring rule performance
- Evebox: Lightweight event viewer for Suricata EVE JSON logs with alert management and escalation capabilities
Common Scenarios
Scenario: Deploying Suricata IDS on a 10 Gbps Enterprise Network Perimeter
Context: A technology company needs to deploy IDS at their internet egress point handling 10 Gbps of traffic. They require protocol-level metadata logging for threat hunting, signature-based alerting for known threats, and JA3 fingerprinting for detecting malware C2 communications. Alerts must feed into their Elastic SIEM.
Approach:
- Deploy Suricata on a server with 16 CPU cores, 64 GB RAM, and dual 10G NICs using AF_PACKET with 14 worker threads
- Enable ET Open and ptresearch/attackdetection rulesets via suricata-update, totaling approximately 35,000 active rules
- Configure EVE JSON logging with community-id, extended HTTP/TLS/DNS metadata, and file hashing (MD5 + SHA256)
- Enable JA3 and HASSH fingerprinting for TLS and SSH traffic profiling
- Write custom rules for organization-specific threats: known bad JA3 hashes, DNS queries to DGA domains, large data uploads to uncommon destinations
- Integrate with Elastic via Filebeat's Suricata module, deploying pre-built Kibana dashboards for real-time visibility
- Tune rules over a 2-week baseline period, disabling false-positive generators and adjusting thresholds
Pitfalls:
- Not allocating sufficient CPU threads, causing packet drops at peak traffic volumes
- Enabling all available rules without tuning, overwhelming analysts with false positives
- Forgetting to disable NIC offloading, resulting in incorrect checksums and missed detections
- Not enabling community-id, making it difficult to correlate Suricata events with Zeek or other tools
Output Format
## Suricata IDS Deployment Report
**Sensor**: suricata-gw-01 (10.10.1.251)
**Interface**: eth1 (span from border router)
**Configuration**: /etc/suricata/suricata.yaml
**Worker Threads**: 14 AF_PACKET threads
**Active Rules**: 35,247 (ET Open + Custom)
### Performance Metrics (24-hour)
| Metric | Value |
|--------|-------|
| Packets Processed | 847,293,421 |
| Kernel Drops | 0 (0.000%) |
| Alerts Generated | 1,247 |
| Unique Signatures Fired | 89 |
| JA3 Fingerprints Observed | 342 unique |
| Files Extracted | 2,847 |
### Top 10 Alert Signatures
| Count | SID | Signature | Severity |
|-------|-----|-----------|----------|
| 312 | 2024897 | ET POLICY curl User-Agent Outbound | 3 |
| 189 | 9000003 | LOCAL Cobalt Strike JA3 Hash | 1 |
| 145 | 2028765 | ET SCAN Nmap SYN Scan | 2 |
| 98 | 9000002 | LOCAL DNS Tunneling Long Query | 2 |
### Critical Alerts Requiring Immediate Triage
1. SID 9000003: Cobalt Strike JA3 from 10.10.5.12 to 203.0.113.50 (189 alerts)
2. SID 9000002: DNS tunneling from 10.10.3.45 to suspect-domain.xyz (98 alerts)References and resources
Everything below is rendered for inspection. Script files are read-only and never run.
References 1
api-reference.md2.6 KB
Suricata API Reference
Suricata CLI
# Validate configuration
suricata -T -c /etc/suricata/suricata.yaml -v
# Run IDS mode with AF_PACKET
suricata -c /etc/suricata/suricata.yaml --af-packet=eth1 -D
# Run IPS mode with NFQueue
suricata -c /etc/suricata/suricata.yaml -q 0 -D
# Analyze PCAP file
suricata -c /etc/suricata/suricata.yaml -r capture.pcap -l /tmp/output/
# Reload rules without restart (Unix socket)
suricatasc -c reload-rulessuricata-update CLI
# Update all enabled rule sources
suricata-update
# List available sources
suricata-update list-sources
# Enable a source
suricata-update enable-source et/open
suricata-update enable-source oisf/trafficid
# Disable specific SIDs via /etc/suricata/disable.conf
echo "2100498" >> /etc/suricata/disable.confEVE JSON Event Types
| event_type | Description |
|---|---|
alert |
IDS/IPS alert with signature match |
http |
HTTP request/response metadata |
dns |
DNS query and answer records |
tls |
TLS handshake with JA3/JA3S hashes |
flow |
Network flow summary on completion |
files |
Extracted file metadata with hashes |
stats |
Engine performance statistics |
anomaly |
Protocol anomaly detection events |
smtp |
SMTP transaction metadata |
ssh |
SSH handshake with HASSH fingerprint |
EVE JSON Parsing with jq
# Top alert signatures
jq -r 'select(.event_type=="alert") | .alert.signature' eve.json | sort | uniq -c | sort -rn
# Extract alert IOCs as CSV
jq -r 'select(.event_type=="alert") | [.timestamp,.src_ip,.dest_ip,.alert.signature] | @csv' eve.json
# JA3 fingerprint analysis
jq -r 'select(.event_type=="tls") | [.src_ip,.tls.ja3.hash,.tls.sni] | @csv' eve.json
# DNS query analysis
jq -r 'select(.event_type=="dns" and .dns.type=="query") | [.src_ip,.dns.rrname] | @csv' eve.json
# Performance stats (check for drops)
jq 'select(.event_type=="stats") | .stats.capture' eve.json | tail -1Suricata Rule Syntax
action protocol src dst (msg:"text"; content:"match"; sid:N; rev:N;)
# JA3-based detection
alert tls $HOME_NET any -> any any (
msg:"Suspicious JA3"; ja3.hash; content:"<hash>"; sid:9000010; rev:1;
)
# DNS keyword detection
alert dns any any -> any any (
msg:"DNS tunneling"; dns.query; content:"."; offset:50; sid:9000011; rev:1;
)Unix Socket Control (suricatasc)
suricatasc -c reload-rules # Reload rules live
suricatasc -c iface-list # List monitored interfaces
suricatasc -c capture-mode # Show capture mode
suricatasc -c uptime # Show uptimeScripts 1
agent.py7.6 KB
#!/usr/bin/env python3
"""Suricata IDS/IPS monitoring and EVE JSON log analysis agent."""
import json
import os
import subprocess
import sys
from collections import Counter
from datetime import datetime
SURICATA_BIN = os.environ.get("SURICATA_BIN", "/usr/bin/suricata")
SURICATA_CONF = os.environ.get("SURICATA_CONF", "/etc/suricata/suricata.yaml")
EVE_LOG = os.environ.get("SURICATA_EVE_LOG", "/var/log/suricata/eve.json")
RULES_DIR = os.environ.get("SURICATA_RULES_DIR", "/var/lib/suricata/rules")
def check_suricata_status():
"""Check Suricata installation and running status."""
version = {"installed": False}
try:
result = subprocess.run(
[SURICATA_BIN, "--build-info"], capture_output=True, text=True, timeout=10
)
for line in result.stdout.splitlines():
if "Suricata version" in line.lower() or "version:" in line.lower():
version = {"installed": True, "version": line.strip()}
break
if not version.get("version"):
version = {"installed": True, "build_info": result.stdout[:300]}
except FileNotFoundError:
version = {"installed": False, "error": "Suricata not found"}
running = False
try:
r = subprocess.run(["pgrep", "-x", "suricata"], capture_output=True, text=True, timeout=120)
running = r.returncode == 0
except FileNotFoundError:
pass
return {**version, "running": running}
def validate_config():
"""Validate Suricata configuration."""
try:
result = subprocess.run(
[SURICATA_BIN, "-T", "-c", SURICATA_CONF, "-v"],
capture_output=True, text=True, timeout=60
)
return {
"valid": result.returncode == 0,
"output": result.stderr.strip()[-500:] if result.stderr else result.stdout.strip()[-500:],
}
except Exception as e:
return {"valid": False, "error": str(e)}
def parse_eve_alerts(log_path=None, limit=10000):
"""Parse EVE JSON log for alert events and produce statistics."""
log_path = log_path or EVE_LOG
if not os.path.exists(log_path):
return {"error": f"EVE log not found: {log_path}"}
alerts = []
signatures = Counter()
src_ips = Counter()
dest_ips = Counter()
severities = Counter()
with open(log_path, "r") as f:
for i, line in enumerate(f):
if i > limit:
break
line = line.strip()
if not line:
continue
try:
event = json.loads(line)
except json.JSONDecodeError:
continue
if event.get("event_type") != "alert":
continue
alert_info = event.get("alert", {})
sig = alert_info.get("signature", "unknown")
signatures[sig] += 1
src_ips[event.get("src_ip", "unknown")] += 1
dest_ips[event.get("dest_ip", "unknown")] += 1
severities[alert_info.get("severity", 0)] += 1
alerts.append({
"timestamp": event.get("timestamp"),
"src_ip": event.get("src_ip"),
"dest_ip": event.get("dest_ip"),
"signature": sig,
"sid": alert_info.get("signature_id"),
"severity": alert_info.get("severity"),
})
return {
"total_alerts": len(alerts),
"top_signatures": signatures.most_common(15),
"top_src_ips": src_ips.most_common(10),
"top_dest_ips": dest_ips.most_common(10),
"severity_distribution": dict(severities),
"recent_alerts": alerts[-10:],
}
def parse_eve_dns(log_path=None, limit=50000):
"""Analyze DNS queries from EVE log for threat hunting."""
log_path = log_path or EVE_LOG
if not os.path.exists(log_path):
return {"error": f"EVE log not found: {log_path}"}
domains = Counter()
query_types = Counter()
long_queries = []
with open(log_path, "r") as f:
for i, line in enumerate(f):
if i > limit:
break
try:
event = json.loads(line.strip())
except (json.JSONDecodeError, ValueError):
continue
if event.get("event_type") != "dns":
continue
dns = event.get("dns", {})
rrname = dns.get("rrname", "")
if rrname:
domains[rrname] += 1
query_types[dns.get("rrtype", "unknown")] += 1
if len(rrname) > 60:
long_queries.append({
"src_ip": event.get("src_ip"),
"query": rrname,
"length": len(rrname),
})
return {
"unique_domains": len(domains),
"top_domains": domains.most_common(20),
"query_types": dict(query_types),
"long_queries_suspicious": long_queries[:20],
}
def parse_eve_tls(log_path=None, limit=50000):
"""Extract JA3 fingerprints and TLS metadata from EVE log."""
log_path = log_path or EVE_LOG
if not os.path.exists(log_path):
return {"error": f"EVE log not found: {log_path}"}
ja3_hashes = Counter()
sni_list = Counter()
with open(log_path, "r") as f:
for i, line in enumerate(f):
if i > limit:
break
try:
event = json.loads(line.strip())
except (json.JSONDecodeError, ValueError):
continue
if event.get("event_type") != "tls":
continue
tls = event.get("tls", {})
ja3 = tls.get("ja3", {})
if isinstance(ja3, dict):
h = ja3.get("hash")
else:
h = None
if h:
ja3_hashes[h] += 1
sni = tls.get("sni", "")
if sni:
sni_list[sni] += 1
return {
"unique_ja3": len(ja3_hashes),
"top_ja3_hashes": ja3_hashes.most_common(20),
"top_sni": sni_list.most_common(20),
}
def update_rules():
"""Run suricata-update to fetch latest rulesets."""
try:
result = subprocess.run(
["suricata-update"], capture_output=True, text=True, timeout=120
)
return {"success": result.returncode == 0, "output": result.stdout.strip()[-500:]}
except FileNotFoundError:
return {"success": False, "error": "suricata-update not found"}
def count_rules():
"""Count active Suricata rules."""
rules_file = os.path.join(RULES_DIR, "suricata.rules")
if not os.path.exists(rules_file):
return {"error": "Rules file not found"}
active = 0
with open(rules_file) as f:
for line in f:
if line.strip() and not line.strip().startswith("#"):
active += 1
return {"active_rules": active, "rules_file": rules_file}
def generate_report():
"""Generate full Suricata deployment report."""
return {
"timestamp": datetime.utcnow().isoformat() + "Z",
"status": check_suricata_status(),
"config": validate_config(),
"rules": count_rules(),
"alerts": parse_eve_alerts(),
}
if __name__ == "__main__":
action = sys.argv[1] if len(sys.argv) > 1 else "report"
actions = {
"report": generate_report,
"status": check_suricata_status,
"validate": validate_config,
"alerts": parse_eve_alerts,
"dns": parse_eve_dns,
"tls": parse_eve_tls,
"update-rules": update_rules,
"rules": count_rules,
}
fn = actions.get(action)
if fn:
print(json.dumps(fn(), indent=2, default=str))
else:
print(f"Usage: agent.py [{' | '.join(actions.keys())}]")