Suricata-IDS and file server or storage

Hello,
Please consider the figure below:

Client ---> Suricata-IDS ---> File server or Storage

Is it possible for Suricata-IDS to filter the requests sent to the file server or storage before reaching the destination?
Can Suricata-IDS be useful for increasing the security of a file server or storage?

Thank you.

Hi @Hack3rcon !
Welcome to our forum. :slight_smile:
If I understand your setup correctly, if you the protocol used to interact with the file server and if Suricata has the support to detect that protocol, it should be possible, I think.

Hello,
Thank you so much for your reply.
The protocol is SMB. The main question is how Suricata-IDS should be configured to check these requests? Suricata-IDS must act as a mediator and check all the requests before reaching the server.

Hi @Hack3rcon,

You can use Suricata in inline or IPS mode. I suspect you are but you’ve labeled it as “Suricata IDS” and “IDS” is not an inline mode.

Hello,
Thank you so much for your reply.
In a local network with some clients, when the clients browse the file server IP address, then their request must be forwarded to the Suricata-IDS and then if their requests are OK, Suricata-IDS to allow them to access the server. Therefore, Suricata-IDS must exchange requests between the file server and the clients. Something like an Apache reverse proxy.
How can I configure Suricata-IDS to do this?

Start here if you want Suricata to selectively forward packets between the local network and the network containing the server: 15. Setting up IPS/inline for Linux — Suricata 7.0.1-dev documentation

Hello,
Thank you so much for your reply.
Please consider the following scenario:

Clients (192.168.1.X) ---> Suricata-IDS (192.168.1.200) ---> Windows File Server (192.168.1.201)

I have some questions:

1- How many NICs should my Suricata-IDS server have?

2- Windows uses port 445 for file sharing across the network. Are these rules OK?

$ sudo iptables -I INPUT -p tcp --sport 445  -j NFQUEUE
$ sudo iptables -I OUTPUT -p tcp --dport 445 -j NFQUEUE
$ sudo iptables -I INPUT -p udp --sport 445  -j NFQUEUE
$ sudo iptables -I OUTPUT -p udp --dport 445 -j NFQUEUE

3- How can I make sure that client requests are passed through the Suricata-IDS server? In a network, all clients see each other. For example, when a client enters //192.168.1.201 in Windows explorer, then why must his/her requests pass through the Suricata-IDS server?

Your Suricata IPS system should have at least 3 NIC ports

  • Management NIC port: 1
  • Monitoring NIC ports: 2

You’ll have to setup your network so that all traffic from the clients must travel through the Suricata IPS system.

The answer to question 2 depends on how you’re configuring Suricata for packet acquisition.

Hello,
Thank you so much for your reply.

1- What do you mean by “You’ll have to setup your network so that all traffic from the clients must travel through the Suricata IPS system”? Do you mean that in a switched network the switches should be configured to send traffic to the Suricata-IDS server?

2- Suppose that my server has three NICs with the following IP addresses:

eth0: 192.168.1.2
eth1: 192.168.1.3
eth2: 192.168.1.4

Can you show me the correct iptables rules?

you would have to use the FORWARD chain for that. I would recommend playing around with the overall setup first, write some iptables LOG targets to see if the traffic would actually pass that route and also that routing is working properly on the system that should become the IPS.

Once this is done you should start with embedding the Suricata part via NFQUEUE.

Hello,
Thank you so much for your reply.
I think you didn’t see my previous post:
In a network, all clients and servers see each other. For example, when a client enters //192.168.1.201 in Windows explorer, then why must his/her requests pass through the Suricata-IDS server?

In a network domain where servers and clients are connected to each other with a switch and see each other. I have two options:

1- Configure the switch so that all requests to the file server are forwarded to the Suricata-IDS server, then Suricata-IDS forwards them to the file server after analysis.

2- Remove the file server from the network and connect it directly to the Suricata-IDS server. Now, I need to configure Suricata-IDS to send the requests to the file server after analyzing them.

Am I right?

It sounds like you need a transparent bridge IPS which you can do with AF_PACKET IPS, assuming you have a network topology where all the clients and the server are hanging off of the same switch or some model like that.

If this is correct, I think you have 2 options.

  1. Install Suricata right on the file server. Use iptables INPUT/OUTPUT rules to direct the traffic to Suricata for block. This I guess is a host IPS. It doesn’t matter what the network topology is like.
  2. Drop a machine running Suricata between the switch and the file server. So one interface is connected to the file server (or another switch, which connects to the fileserver), and the other network interface runs to the switch the clients are connected to.

In scenario 2 you’d create an AF_PACKET IPS. You’d want a third interface which is going to be the management interface for this IPS machine. The interfaces that make up the IPS should not have IP addresses assigned.

I’m using examples of physical wires and switches as it’s easier to reason about, and draw on a whiteboard. However, I’m sure something similar could be created with managed switches or packet brokers and VLANs.

Hello,
Thank you so much for your reply.
My file server uses Windows OS.
I think the second scenario is appropriate. My Suricata-IDS server has three NICs:

eth0: 192.168.1.2
eth1: 192.168.1.3
eth2:

The eth0 is connected to the switch device and the eth1 connected to the file server. Can you show me the iptables rules that should be written?

I don’t think you can use iptables in this scenario. You’d have to route the traffic through, which is probably going to break your network somewhere. The clients and the server won’t be on the same subnet, causing issues.

Given your topology, you want the bridged IPS. To get there, you want to do something like the following:

  • Choose the interface to be the management interface. This will have an IP address. Let’s say you choose eth0 to be this interface. And this is connected to the switch.
  • Configure eth1 and eth2 to be up but never assigned an IP address.
  • Connect eth1 to the switch. This is why it’s important it’s configured to not have an IP address.
  • Connect eth2 directly to the file server.

Now follow the example here: 15. Setting up IPS/inline for Linux — Suricata 7.0.1-dev documentation

But as you are using eth0 and eth1, make sure the `interface` names and `copy-iface` names are correct.

Start Suricata without an interface name but the --af-packet command line option. This will bridge eth1 and eth2 together, like a coupler. The file server should obtain an IP address, or whatever, as if it’s directly connected to the switch. When Suricata is not running the file server will not have connectivity.

I do consider this a somewhat advanced IPS installation, but it’s the only way to do it without changing the network topology as far as I know. I plan to do a more thorough guide on this for RedHat systems at some point in the future.

Hello,
Thanks again.
1- Why iptables is not useful in this scenario?

2- You said “Configure eth1 and eth2 to be up but never assigned an IP address.”, how can a NIC be up, but not have an IP address? Do you mean that I just use the ifup ethX command?

3- In our network, we use DHCP service, and when I connect the NIC to the switch, an IP address is automatically assigned to that NIC. Should DHCP service be disabled for this port of the switch?

4- I guess that in this scenario the Suricata-IDS automatically assigns an IP address to the NIC. Is it right? If yes, then in what range?

5- Is it possible to implement this scenario in a virtual environment? For example, Using VirtualBox and three virtual machines. One VM as a client, one VM as a Suricata-IDS server and another VM as a file server.

The network topology you showed between your clients and server did not involve routing, so I don’t see how iptables would work, which usually works at the ip layer (layer 3). You could use iptables, but as mentioned, you’d have to put your server on a different subnet, and route to it with the Linux machine. This could be an option, that is up to you.

What I’m describing is a bump-in-the-wire layer 2 solution that does not affect your network topology. I’m not a network engineer by any means tho. Maybe there is a way iptables could work without routing, but I don’t know how to do it.

This is quite common in monitoring situations. You might have to go to a support channel for your Linux distribution to do this. In general it would be a simple ip link set dev eth1 up, but Linux distributions, and NetworkManager usually take over control. So get help from your distribution here.

Don’t shut the DHCP service off for that port. You just want to stop the operating system from assigning an address from DHCP. If your file server uses DHCP you’ll want DHCP on that switch port so it can get itself an address.

No, your file server still gets an IP address from your bridge. All Suricata is doing here is taking packets received on eth1 and copying them to eth2, and taking packets received on eth1 and copying them to eth2. Almost as if you use a network coupler or switch, or hand twisted the wires together. This is also why you don’t want these ports to have IP addresses. Suricata will blindly copy packets destined for the machine itself out to the other side of the network.

Possibly, you’ll have to become very familiar with the different types of networks in VirtualBox to create this scenario. It’s actually much easier to do with 3 computers and physical wire.

As mentioned, its an advanced deployment. You’ll need to brush up on networking, routing, vs bridge, bump-in-the-wire type deployments and configuration of your network devices.

Of course there could be other options, this is just the one I know.
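
The bridged (bump-in-the-wire) setup from the two replies above, as an added example that is not part of the thread: eth0 keeps its address for management, eth1 (switch side) and eth2 (file server side) are brought up bare and paired in the af-packet section with copy-mode ips. It assumes the host is managed by NetworkManager, which is why nmcli is used to hand the ports away from it; interface names are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Bump-in-the-wire layout: eth0 is the
# management port with an address, eth1 (switch side) and eth2 (file server
# side) are the bridge pair and stay bare. Assumes NetworkManager manages
# the host; interface names are assumptions.

# Render the af-packet section for suricata.yaml: each port copies every
# frame it receives to its partner, so the pair behaves like a coupler.
render_afpacket_ips() {
  cat <<EOF
af-packet:
  - interface: $1
    threads: 1
    cluster-id: 98
    cluster-type: cluster_flow
    defrag: yes
    copy-mode: ips
    copy-iface: $2
  - interface: $2
    threads: 1
    cluster-id: 97
    cluster-type: cluster_flow
    defrag: yes
    copy-mode: ips
    copy-iface: $1
EOF
}

# A bridge port must carry no IPv4/IPv6 address; returns 0 when it is bare.
iface_is_bare() {
  ! ip -o addr show dev "$1" 2>/dev/null | grep -q ' inet'
}

# Take the pair away from NetworkManager (which stops its DHCP client),
# drop any address it already got, bring the link up without an address
# and refuse to continue if an address is still present (needs root).
prepare_bridge_ports() {
  for dev in "$1" "$2"; do
    nmcli device set "$dev" managed no
    ip addr flush dev "$dev"
    ip link set dev "$dev" up
    iface_is_bare "$dev" || { echo "$dev still has an address" >&2; return 1; }
  done
}

# Start without -i: the af-packet section names the pair. Replace the
# af-packet section of suricata.yaml with render_afpacket_ips output first.
start_bridge_ips() {
  suricata -c /etc/suricata/suricata.yaml --af-packet
}
```

Run prepare_bridge_ports eth1 eth2 before start_bridge_ips; the file server only has connectivity while Suricata is running, exactly as the reply warns.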

It’s only a draft, but here is a guide to the basic setup on an RHEL 9 system. It uses nmcli so may be portable to other distributions as well.

Hello,
Thanks again.
I would like to implement this scenario in a virtual environment first. In this link, you can see different types of networks that VirtualBox supports.
Assuming that I have three virtual machines as follows:

VM1: Client that has one NIC
VM2: Suricata-IDS server that has two NICs
VM3: File server that has one NIC

I guess that I can’t use the NAT type, because this type of network uses the DHCP protocol and gives IP addresses to virtual machines automatically in range 10.0.2.X.

The NAT Network type is similar to NAT, but with the difference that you can choose the IP address range manually and enable or disable the DHCP service. The virtual machines can see each other and other hosts on the physical network.

The Bridged Adapter type uses the physical network card of the host and since my network has DHCP service, the virtual machines automatically receive the IP address.

The Internal Network type has no DHCP service and IP addresses must be added manually to network cards. In this type of network, virtual machines only see each other, not the host.

In the Host-only Adapter type, virtual machines see each other and the host. In this type of network, like the NAT Network, you can define the range of IP addresses manually and enable or disable the DHCP service.

Which type of network do you choose for each virtual machine?

This is harder than it might seem, I’ve tried various fully virtualized AF_PACKET IPS test setups without much luck, meanwhile if you have physical gear you can just drop it in place and it works. I’m not kidding when I say AF_PACKET IPS with Suricata is pretty close to just directly twisting the ends of the ethernet cable together… Virtualization just gets in the way of this pure physical aspect of networking.

But it would go something like this:

  • VM1 (Client)
    • One network adapter, “Internal Network” with name “client”
  • VM3 (Server)
    • One network adapter, “Internal Network” with name “server”
  • VM2 (IPS)
    • One network adapter, “Internal Network” with name “server”
    • One network adapter, “Internal Network” with name “client”

Note, there will be no external network access here. So you might want to get all the tools you need installed first, then setup the network.

Assign the interface on VM1 an address like 192.168.1.1/24.
Assign the interface on VM3 an address like 192.168.1.2/24.

Create your AF_PACKET IPS on VM2, now your client and server machines should be able to ping each other, but I can’t confirm or help much with this setup.

I only know this part as it’s as far as I’ve gotten before things failed, and a physical setup just works.

Hello,
Thank you much again.
I think both you and I forgot that Suricata-IDS must have three NICs. Right? Does the third NIC have to be an Internal Network type?
I think it can be NAT type, because I can SSH to it through the port forwarding technique and also access the Internet to install packages. Am I right?
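
The three-VM lab laid out in the thread, wired with VBoxManage as an added example (not from the thread): internal networks named client and server, a NAT third adapter on the IPS with an SSH port forward for management, and promiscuous mode allowed on the IPS pair, since VirtualBox by default hides frames addressed to other MACs from a VM and a bridge port must see every frame. VM names are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: VBoxManage wiring for the three-VM
# lab described above. VM names are constructed placeholders; the third
# IPS adapter is NAT with an SSH port forward for management. VirtualBox
# drops frames for foreign MACs unless promiscuous mode is allowed, and a
# bridge port must see every frame, hence allow-all on the IPS pair.
CLIENT_VM=vm1-client
IPS_VM=vm2-ips
SERVER_VM=vm3-fileserver

# Render the commands so they can be reviewed before they touch VirtualBox.
emit_vbox_wiring() {
  cat <<EOF
VBoxManage modifyvm "$CLIENT_VM" --nic1 intnet --intnet1 client
VBoxManage modifyvm "$SERVER_VM" --nic1 intnet --intnet1 server
VBoxManage modifyvm "$IPS_VM" --nic1 intnet --intnet1 client --nicpromisc1 allow-all
VBoxManage modifyvm "$IPS_VM" --nic2 intnet --intnet2 server --nicpromisc2 allow-all
VBoxManage modifyvm "$IPS_VM" --nic3 nat --natpf3 "ssh,tcp,,2222,,22"
EOF
}

# Count generated commands that mention a token.
count_wiring_using() {
  emit_vbox_wiring | grep -c -- "$1" || true
}

# Apply the wiring (VMs must be powered off); afterwards ssh -p 2222 on the
# host reaches the IPS VM's management adapter.
apply_vbox_wiring() {
  emit_vbox_wiring | sh -e
}
```

Inside the IPS VM the two intnet adapters are then handled like the physical eth1/eth2 pair: no address, link up, named in the af-packet section.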