Boosting Suricata With Next-Gen Deep Packet Inspection

Intrusion detection/intrusion prevention systems (IDS/IPS) play an essential role in cybersecurity by detecting and blocking threats that have penetrated endpoint and perimeter defenses. Open source Suricata is one of the most widely deployed IDS/IPS components commercial cybersecurity products. However, it tends to generate many false positive alerts, has limited protocol and application coverage and is blind to certain types of advanced threats–especially those using encryption to evade detection. Next-generation deep packet inspection (NG DPI) software can fill these gaps and significantly improve Suricata performance.

That’s why leading cybersecurity vendors have started to combine Suricata with NG DPI to enhance products such as cloud firewalls (FWaaS), secure web gateways (SWG), next-generation firewalls (NGFW), network detection and response (NDR) and extended threat detection and response (XDR) platforms.

In these products, embedded NG DPI enhances Suricata by:

  • Enabling rapid development of whitelists and blacklists that leverage NG DPI’s expanded protocol coverage (particularly for Cloud, SaaS, IoT and OT applications and protocols plus custom and legacy applications)
  • Significantly improving Suricata’s ability to detect anomalous and evasive traffic
  • Extending Suricata’s ability to detect threats to cover fully encrypted environments 
  • Significantly reducing the high number of false-positive alerts generated by Suricata through increased network visibility and more accurate traffic identification
  • Making threat analysis and forensics faster and easier through high-value contextual metadata (while simultaneously reducing the need for full packet capture)

Architecture Overview

Understanding How NG DPI Can Enhance Suricata Rules

When combined with NG DPI, Suricata rules and alerts are more precise and can be tailored to specific customer environments. At the simplest level, NG DPI’s greatly expanded protocol and application coverage has a huge impact on producing effective rules and alerts. Below, for example, is a look at two rules with and without this expanded protocol coverage.

 

At a deeper level, NG DPI’s unique security metadata provides valuable insights for rule development, including detection of:

  • MITM interception
  • Complex tunneling 
  • Anonymizers 
  • Non-corp VPNs
  • DGA
  • Domain fronting
  • File type mismatches
  • Non-standard use of communication channels

The last method is a popular tactic for enabling advanced persistent threats, so let’s take a look at how integrated NG DPI improves Suricata’s ability to identify and respond to attacks using this method.

Detecting Command and Control Attacks Hiding Behind Common Protocols

To remain under the radar of IDS/IPS systems like Suricata, some C2C attacks encapsulate commands inside common protocols communicating via standard assigned ports. This way, they blend in with normal traffic. This is one of the tactics identified in the MITRE ATT&CK framework of known adversary techniques (Technique ID T1071, application layer protocol). The framework suggests several means of detecting such a covert C2C attack. In each instance, Suricata complemented by NG DPI is far more effective at detecting this type of attack. Specifically, it improves Suricata’s ability to detect and respond to the three indicators of potential malware associated with C2C attacks, as detailed in the chart below.


Summary

NG DPI can add significant value for cybersecurity vendors and operators of critical networks looking to extend and adapt their Suricata IDS/IPS to new network environments and an evolving threat landscape. Integrating NG DPI technology with Suricata improves general threat detection capabilities and makes it more effective in specific network environments.

Featured eBook
The Dangers of Open Source Software and Best Practices for Securing Code

The Dangers of Open Source Software and Best Practices for Securing Code

More and more organizations are incorporating open source software into their development pipelines. After all, embracing open source products such as operating systems, code libraries, software and applications can reduce costs, introduce additional flexibility and help to accelerate delivery. Yet, open source software can introduce additional concerns into the development process—namely, security. Sponsorships Available Unlike … Read More