A case study on the implementation of an intrusion prevention environment with the Suricata tool
Abstract
This article presents a case study on the implementation of an intrusion prevention environment in the computer network of an educational institution. The adopted architecture combines a Network Intrusion Prevention System (NIPS) with Host Intrusion Prevention Systems (HIPS) to detect and block attacks aimed at the network. Suricata was deployed inline, so that it filters the traffic passing through it and can drop malicious packets, rather than only inspecting a copy of the traffic as a passive IDS would. To visualize the logs, the Elasticsearch, Logstash, and Kibana (ELK) stack was configured together with the synesis Lite for Suricata dashboards, allowing the data to be explored through a Web interface. With this, it was possible to detect and block threats, including scans and communications originated by malicious hosts. Based on these findings, actions were taken such as adding new firewall rules and creating a blacklist of offending hosts, among other measures that contributed to raising the network's security level.
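The abstract describes the loop that the paper's environment relies on: Suricata writes EVE JSON alerts, the ELK stack makes them visible, and the operators turn repeated scans and malicious sources into firewall rules and a blacklist. The script below is an added example of that last step, written for this edit; it is not code from the paper, from Suricata, or from synesis. It parses EVE `alert` records (the same eve.json lines Logstash ships to Elasticsearch), aggregates them per source IP, discards the engine's `SURICATA STREAM` anomaly alerts (protocol-anomaly noise rather than attacks), refuses to auto-blacklist internal hosts (a scanning campus machine needs investigation, not an edge block), and renders Suricata `drop` rules for the remaining sources. The sample records, the thresholds, the address ranges standing in for the institution's networks, and the local signature-ID range are all assumptions.

```python
"""Turn Suricata EVE JSON alerts into blacklist candidates and drop rules.

Added example (not the paper's or Suricata's code). Sample data below is
constructed; thresholds, address ranges and sid range are assumptions.
"""
import json
from ipaddress import ip_address, ip_network


def _rec(src, dst, dport, sig, action="blocked", event_type="alert", sid=9000000):
    """Build one EVE JSON line in the shape Suricata writes (constructed sample)."""
    rec = {"timestamp": "2021-07-13T10:22:01.000000-0300", "event_type": event_type,
           "src_ip": src, "src_port": 40001, "dest_ip": dst, "dest_port": dport,
           "proto": "TCP"}
    if event_type == "alert":
        rec["alert"] = {"action": action, "signature_id": sid, "signature": sig,
                        "category": "Attempted Information Leak", "severity": 2}
    return json.dumps(rec)


# Constructed sample log: signature names and sids are placeholders.
SAMPLE_EVE = "\n".join(
    # external host touching twelve different ports: a port scan
    [_rec("203.0.113.5", "192.0.2.10", p, "SCAN Possible port scan (sample)")
     for p in (21, 22, 23, 25, 80, 110, 143, 443, 445, 3306, 3389, 8080)]
    # external host hammering one service: many alerts, a single port
    + [_rec("198.51.100.7", "192.0.2.20", 22, "SCAN Possible SSH brute force (sample)")
       for _ in range(6)]
    # internal host scanning: must be investigated, not blocked at the edge
    + [_rec("10.0.5.9", "10.0.5.1", p, "SCAN Possible port scan (sample)") for p in range(20, 35)]
    # engine stream anomalies: noise, not an attack
    + [_rec("192.0.2.40", "10.0.5.2", 443, "SURICATA STREAM Packet with invalid ack",
            action="allowed") for _ in range(8)]
    # a single alert from an external host: below both thresholds
    + [_rec("203.0.113.77", "192.0.2.10", 80, "WEB_SERVER Possible SQL injection (sample)")]
    # a non-alert event type and a truncated line, both of which the parser must skip
    + [_rec("10.0.5.9", "10.0.5.1", 53, "", event_type="dns"), '{"event_type": "alert", trunc']
)

# Assumed campus address space: RFC 1918 space plus a documentation prefix
# standing in for the institution's public block.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16"), ip_network("192.0.2.0/24")]


def parse_eve(text):
    """Return the alert records from EVE JSON lines, skipping other events and bad lines."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # partial write or rotated file must not abort the whole job
        if rec.get("event_type") == "alert" and isinstance(rec.get("alert"), dict):
            alerts.append(rec)
    return alerts


def summarise(alerts, ignore_prefixes=("SURICATA STREAM",)):
    """Aggregate alerts per source IP: counts, distinct destination ports, signatures."""
    per_src = {}
    for a in alerts:
        sig = a["alert"].get("signature", "")
        if sig.startswith(ignore_prefixes):
            continue  # engine anomaly alerts, not evidence of a hostile source
        s = per_src.setdefault(a["src_ip"], {"alerts": 0, "blocked": 0,
                                             "ports": set(), "signatures": set()})
        s["alerts"] += 1
        if a["alert"].get("action") == "blocked":
            s["blocked"] += 1
        s["ports"].add(a.get("dest_port"))
        s["signatures"].add(sig)
    return per_src


def blacklist_candidates(per_src, min_alerts=5, min_ports=10, internal=INTERNAL_NETS):
    """Split noisy sources into (external hosts to blacklist, internal hosts to investigate)."""
    external, internal_hits = [], []
    for ip, s in per_src.items():
        scanner = len(s["ports"]) >= min_ports      # many ports: scan behaviour
        noisy = s["alerts"] >= min_alerts            # repeated hits on one service
        if not (scanner or noisy):
            continue
        addr = ip_address(ip)
        if addr.is_loopback or any(addr in net for net in internal):
            internal_hits.append(ip)
        else:
            external.append(ip)
    return sorted(external, key=ip_address), sorted(internal_hits, key=ip_address)


def render_drop_rules(ips, base_sid=9100000):
    """Suricata inline drop rules for the blacklist (sid range is a local-use assumption)."""
    return [f'drop ip {ip} any -> $HOME_NET any (msg:"Blacklisted host {ip}"; '
            f'sid:{base_sid + i}; rev:1;)' for i, ip in enumerate(ips)]


if __name__ == "__main__":
    external, internal = blacklist_candidates(summarise(parse_eve(SAMPLE_EVE)))
    print("\n".join(render_drop_rules(external)))
    print("investigate internally:", ", ".join(internal))
```

Two thresholds are deliberately kept: a source that spreads a few alerts over many ports is a scanner even when the total count is low, while a source that repeats the same signature against one service is caught by the count alone. The rendered rules go into a local rules file that Suricata loads in its inline configuration; the same list can equally feed iptables or the perimeter firewall, as the paper's operators did.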
