15.10. Intrusion Detection

You can find the Intrusion Detection Settings at Services → Intrusion Detection.

The Intrusion Detection is using Suricata, an open source-based intrusion detection system (IDS) and intrusion prevention system (IPS).

15.10.1. General Settings

Suricata Suricata

On this page Suricata can be enabled or disabled.

The Mode can be IDS (Intrusion Detection System), IPS (Intrusion Prevention System) or IDS & IPS.

One or more Interfaces can be selected where traffic should be analyzed by Suricata.

The option Advanced allows the usage of Pass Last and Custom Options.

Pass Last will change the order of rule execution. Usually Pass rules are evaluated before drop rules.

IPS Check Firewall will also monitor all traffic coming and going from the VT AIR itself. Be aware that this might block traffic to the GUI or services on the Firewall. The default is off, it is better to use good Firewall Rules to protect the VT AIR itself.

Multiple Home Networks can be added with their ip address and port. By default the networks 192.168.0.0/16, 10.0.0.0/8 and 172.16.0.0/12 are created. Home Networks are often used in the default rules to identify internal and external traffic and to apply different rules.

15.10.2. Performance Settings

Intrusion Detection performance heavily depends on memory settings.

Suricata Performance

Max Pending Packets This can range from one packet to tens of thousands/hundreds of thousands of packets. It is a trade of higher performance and the use of more memory (RAM), or lower performance and less use of memory. A high number of packets being processed results in a higher performance and the use of more memory. A low number of packets, results in lower performance and less use of memory.

Default Packet Size With the default-packet-size option, you can set the size of the packets on your network. It is possible that bigger packets have to be processed sometimes. The engine can still process these bigger packets, but processing it will lower the performance.

Encryption Bypass Encrypted traffic has very little information for IPS. With this option it will be offloaded after initial inspection which leads to a huge speedup and frees resources to process more packets.

Defragmented Packet Memory (MB) Maximum memory to use to reassembly defragment packets.

Flow Packet Memory (MB) Maximum amount of bytes the flow-engine will use. More memory will result in faster processing.

Flow Hash Size Higher Hash size gives better performance but needs more memory.

Flow Prealloc To mitigate the engine from being overloaded, this option instructs Suricata to keep a number of flows ready in memory.

TCP Stream Memory (MB) Maximum amount of bytes the tcp stream engine will use. More memory will result in faster processing.

TCP Stream Prealloc Sessions prealloc per stream thread

TCP Stream Reassembly Memory (MB) Maximum amount of bytes the tcp stream reassembly engine will use. More memory will result in faster processing.

TCP Stream Reassembly Segment Prealloc Reassembly Segment prealloc per stream thread

TCP Stream Bypass The bypass option activates ‘bypass’ for a flow/session when either side of the session reaches its depth. Bypass can lead to missing important traffic. It is still enabled by default as it leads to speedups.

Reset Performance Settings will calculate a general value based on available memory ressources for each option. You can tweak the values if your setup requires different settings.

15.10.3. Update

Suricata

Here you can configure which rules should be installed. You can choose from ETOpen Emerging Threats rules or ETPro Emerging Threats rules.

Update Interval creates a cronjob which will update the rules according to the selected time interval.

Be aware that the more rules you select the slower Suricata gets. It might be advisable to only use rules and categories that you need.

15.10.4. Rules

Suricata

Here you can see all installed and used rule files which ususally correspond to a single category. Each rule file can be disabled and enabled on the actions column on the right side. You can also click on the detail icon of each rule to see the specific definion of it.

Multiple SIDs can be added to disable specific rules by their Signature ID.

At the bottom you can add Custom Rules.

15.10.5. Logs

Suricata

The logs page shows log information of rules which got triggered. The first column shows the type which can be Alert or Drop. In the actions column you can also disable the rule via its SID. It’s also possible to enable it again.

15.10.6. Example Suricata Configuration

In your VT AIR’s software you get to choose between two rule packages that you can enable. Each set of rules is divided into different categories. Based on these categories you can specify in greater detail what kind of traffic you want to be blocked. Not all of these might be desireable under all circumstances.

By default Suricata creates its own set of rules. These can be found here.

When enabling the Emerging Threats Open Rules they will be shown to you as emerging-XXX under Services → Suricata → Rules. A detailed description of the different categories can be found in the official documentation.

Suricata Emerging Threats Open Rules