1 Overview

1.1 Configuring Suricata to log to disk

This 'outputs:' list sits under the 'logging:' section of suricata.yaml and controls where Suricata writes its own engine messages (startup, errors, rule-loading problems), not the traffic it inspects. The protocol and alert logs are enabled separately in the next step.

# editor /etc/suricata/suricata.yaml 
  # Define your logging outputs.  If none are defined, or they are all
  # disabled you will get the default - console output.
  outputs:
  - console:
      enabled: yes
  - file:
      enabled: yes
      filename: /var/log/suricata.log
  - syslog:
      enabled: no
      facility: local5
      format: "[%i] <%d> -- "

1.2 Configuring Suricata to enable HTTP, DNS and TLS logging

These loggers live in the top-level 'outputs:' list of suricata.yaml. Each writes one line per event to the named file under 'default-log-dir' (/var/log/suricata by default). Newer Suricata releases replace these line-based loggers with the JSON 'eve-log' output, so check which of them your version still ships before relying on the file names below.

# editor /etc/suricata/suricata.yaml
  - http-log:
      enabled: yes
      filename: http.log
      append: yes
      #extended: yes     # enable this for extended logging information
      #custom: yes       # enabled the custom logging format (defined by customformat)
      #customformat: "%{%D-%H:%M:%S}t.%z %{X-Forwarded-For}i %H %m %h %u %s %B %a:%p -> %A:%P"
      #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'

  # a line based log of TLS handshake parameters (no alerts)
  - tls-log:
      enabled: yes  # Log TLS connections.
      filename: tls.log # File to store TLS logs.
      append: yes
      #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
      #extended: yes # Log extended information like fingerprint
      certs-log-dir: certs # directory to store the certificates files

  # a line based log of DNS requests and/or replies (no alerts)
  - dns-log:
      enabled: yes
      filename: dns.log
      append: yes

1.3 Restart Suricata to apply changes

Validate the edited configuration first, so a YAML mistake does not leave the sensor down after the restart:

# suricata -T -c /etc/suricata/suricata.yaml
# service suricata restart

1.4 Verifying that Suricata is logging protocol metadata

# apt-get install dnsutils
# host nsrc.org
# tail -f /var/log/suricata/dns.log
07/16/2015-01:18:52.555394 [**] Query TX 54ab [**] nsrc.org [**] A [**] 10.0.2.15:37770 -> 10.0.2.3:53
07/16/2015-01:18:52.555394 [**] Response TX 54ab [**] Recursion Desired [**] 10.0.2.3:53 -> 10.0.2.15:37770
07/16/2015-01:18:52.555394 [**] Response TX 54ab [**] nsrc.org [**] A [**] TTL 300 [**] 128.223.157.25 [**] 10.0.2.3:53 -> 10.0.2.15:37770
07/16/2015-01:18:52.672384 [**] Query TX f870 [**] nsrc.org [**] AAAA [**] 10.0.2.15:33718 -> 10.0.2.3:53
07/16/2015-01:18:52.672384 [**] Response TX f870 [**] Recursion Desired [**] 10.0.2.3:53 -> 10.0.2.15:33718
07/16/2015-01:18:52.672384 [**] Response TX f870 [**] nsrc.org [**] AAAA [**] TTL 300 [**] 2607:8400:2880:0004:0000:0000:80df:9d1c [**] 10.0.2.3:53 -> 10.0.2.15:33718
07/16/2015-01:18:52.854448 [**] Query TX fa53 [**] nsrc.org [**] MX [**] 10.0.2.15:37918 -> 10.0.2.3:53
07/16/2015-01:18:52.854448 [**] Response TX fa53 [**] Recursion Desired [**] 10.0.2.3:53 -> 10.0.2.15:37918
07/16/2015-01:18:52.854448 [**] Response TX fa53 [**] nsrc.org [**] MX [**] TTL 10 [**] smtp.nsrc.org [**] 10.0.2.3:53 -> 10.0.2.15:37918
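A small parser for the dns.log format shown above, added here as an example (it is not part of the original exercise and not Suricata's own code). It groups lines by transaction id, scoped to the two flow endpoints because 16-bit ids repeat, pairs each query with its status line and answer records, and reports names that came back NXDOMAIN or never got a reply at all. The nsrc.org lines are the ones from the tail output above; the three trailing lines are constructed: the NXDOMAIN reply assumes Suricata writes the DNS rcode name in the position where "Recursion Desired" appears above, and the TXT query is deliberately left unanswered.

```python
"""Parse Suricata's legacy line-based dns.log and pair each query with its reply.

Added example for this page, not Suricata's own code. The nsrc.org lines are
copied from the tail output above; the last three lines are constructed. The
NXDOMAIN line assumes Suricata writes the DNS rcode name where "Recursion
Desired" appears above, and the TXT query is deliberately left unanswered.
"""
import sys
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

SEP = " [**] "
Key = Tuple[str, str, str]   # (tx id, endpoint, endpoint): 16-bit ids wrap, so scope them to the flow

SAMPLE_DNS_LOG = """\
07/16/2015-01:18:52.555394 [**] Query TX 54ab [**] nsrc.org [**] A [**] 10.0.2.15:37770 -> 10.0.2.3:53
07/16/2015-01:18:52.555394 [**] Response TX 54ab [**] Recursion Desired [**] 10.0.2.3:53 -> 10.0.2.15:37770
07/16/2015-01:18:52.555394 [**] Response TX 54ab [**] nsrc.org [**] A [**] TTL 300 [**] 128.223.157.25 [**] 10.0.2.3:53 -> 10.0.2.15:37770
07/16/2015-01:18:52.672384 [**] Query TX f870 [**] nsrc.org [**] AAAA [**] 10.0.2.15:33718 -> 10.0.2.3:53
07/16/2015-01:18:52.672384 [**] Response TX f870 [**] Recursion Desired [**] 10.0.2.3:53 -> 10.0.2.15:33718
07/16/2015-01:18:52.672384 [**] Response TX f870 [**] nsrc.org [**] AAAA [**] TTL 300 [**] 2607:8400:2880:0004:0000:0000:80df:9d1c [**] 10.0.2.3:53 -> 10.0.2.15:33718
07/16/2015-01:18:52.854448 [**] Query TX fa53 [**] nsrc.org [**] MX [**] 10.0.2.15:37918 -> 10.0.2.3:53
07/16/2015-01:18:52.854448 [**] Response TX fa53 [**] Recursion Desired [**] 10.0.2.3:53 -> 10.0.2.15:37918
07/16/2015-01:18:52.854448 [**] Response TX fa53 [**] nsrc.org [**] MX [**] TTL 10 [**] smtp.nsrc.org [**] 10.0.2.3:53 -> 10.0.2.15:37918
07/16/2015-01:19:03.100000 [**] Query TX 0c1d [**] doesnotexist.nsrc.org [**] A [**] 10.0.2.15:40001 -> 10.0.2.3:53
07/16/2015-01:19:03.100000 [**] Response TX 0c1d [**] NXDOMAIN [**] 10.0.2.3:53 -> 10.0.2.15:40001
07/16/2015-01:19:09.200000 [**] Query TX 77aa [**] nsrc.org [**] TXT [**] 10.0.2.15:40002 -> 10.0.2.3:53
"""


@dataclass
class DnsTransaction:
    tx: str
    qname: str = ""
    qtype: str = ""
    client: str = ""   # ip:port that asked
    server: str = ""   # ip:port that answered
    flags: List[str] = field(default_factory=list)   # "Recursion Desired", rcode names such as NXDOMAIN
    answers: List[Tuple[str, str, int, str]] = field(default_factory=list)   # (name, rtype, ttl, rdata)


def parse_dns_log(text: str) -> Dict[Key, DnsTransaction]:
    """Group lines by transaction. Field layouts after splitting on SEP:
    query   ts, "Query TX id", qname, qtype, flow                      (5 fields)
    status  ts, "Response TX id", flag or rcode, flow                  (4 fields)
    answer  ts, "Response TX id", name, rtype, "TTL n", rdata, flow    (7 fields)
    """
    txs: Dict[Key, DnsTransaction] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(SEP)
        kind, _, tx = fields[1].split()            # e.g. "Query TX 54ab"
        src, dst = fields[-1].split(" -> ")
        key = (tx,) + tuple(sorted((src, dst)))    # same key for query and reply directions
        rec = txs.setdefault(key, DnsTransaction(tx=tx))
        if kind == "Query" and len(fields) == 5:
            rec.qname, rec.qtype, rec.client, rec.server = fields[2], fields[3], src, dst
        elif kind == "Response" and len(fields) == 4:
            rec.flags.append(fields[2])
        elif kind == "Response" and len(fields) == 7:
            name, rtype, ttl_field, rdata = fields[2:6]
            rec.answers.append((name, rtype, int(ttl_field.split()[1]), rdata))
        else:
            raise ValueError(f"unrecognised dns.log line: {line!r}")
    return txs


def transaction(txs: Dict[Key, DnsTransaction], tx: str) -> DnsTransaction:
    """Look a transaction up by id alone; refuse if the id is ambiguous in this log."""
    hits = [t for k, t in txs.items() if k[0] == tx]
    if len(hits) != 1:
        raise KeyError(f"{len(hits)} transactions carry id {tx}")
    return hits[0]


def unanswered(txs: Dict[Key, DnsTransaction]) -> List[Tuple[str, str]]:
    """Queries with no reply at all: blocked upstream, dropped, or still in flight."""
    return sorted((t.qname, t.qtype) for t in txs.values() if t.qname and not t.flags and not t.answers)


def name_errors(txs: Dict[Key, DnsTransaction]) -> List[str]:
    """Names the resolver rejected; bursts of these are a classic sign of DGA or typo-squat lookups."""
    return sorted(t.qname for t in txs.values() if "NXDOMAIN" in t.flags)


def resolved(txs: Dict[Key, DnsTransaction]) -> Dict[str, Dict[str, List[str]]]:
    """name -> record type -> rdata values, built from the answer records."""
    out: Dict[str, Dict[str, List[str]]] = defaultdict(lambda: defaultdict(list))
    for t in txs.values():
        for name, rtype, _ttl, rdata in t.answers:
            out[name][rtype].append(rdata)
    return {name: dict(rrs) for name, rrs in out.items()}


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DNS_LOG
    txs = parse_dns_log(text)
    print("resolved:", resolved(txs))
    print("NXDOMAIN:", name_errors(txs))
    print("unanswered:", unanswered(txs))
```

Run it with the path of a real dns.log as its argument to summarise live data; without an argument it works on the embedded sample.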

1.5 Verifying that Suricata is logging signature matches

# less /etc/suricata/rules/emerging-user_agents.rules
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User Agent (BlackSun)"; flow:to_server,established; content:"User-Agent|3a| BlackSun"; nocase; http_header; reference:url,www.bitdefender.com/VIRUS-1000328-en--Trojan.Pws.Wow.NCY.html; reference:url,doc.emergingthreats.net/bin/view/Main/2008983; classtype:trojan-activity; sid:2008983; rev:6;)
# apt-get install curl
# curl -A "BlackSun" www.google.com
# tail /var/log/suricata/fast.log
07/16/2015-01:32:12.275324  [**] [1:2008983:6] ET USER_AGENTS Suspicious User Agent (BlackSun) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.2.15:49779 -> 74.125.28.99:80

The request has to cross the interface Suricata monitors as plain HTTP: the rule matches on 'http_header', which Suricata cannot see inside a TLS session, so the same User-Agent sent to an https:// URL produces no alert.
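A parser for the fast.log alert format shown above that also cross-checks each alert against the rule file, added here as an example (it is not part of the original exercise and not Suricata's own code). The check a practitioner wants at this step is that the alert really came from the rule they just read: same sid, same rev and same msg. A rev mismatch means the running engine loaded a different copy of the ruleset than the file being inspected. The rule and the first alert are the ones shown above; the second alert (same sid at rev 5) and the third (sid 9999999, with no classtype, so the Classification bracket is absent) are constructed.

```python
"""Parse Suricata fast.log alerts and cross-check each one against the rule file.

Added example for this page, not Suricata's own code. The rule and the first
alert are the ones shown above; the second alert is constructed (same sid at
rev 5) to show how a stale ruleset shows up, and the third is constructed with
a sid that is not in the file and no classtype, so no Classification bracket.
"""
import sys
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s+(?P<cls>[^\]]*)\])?"    # omitted when the rule has no classtype
    r"\s+\[Priority:\s+(?P<prio>\d+)\]\s+\{(?P<proto>[^}]+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)$"
)
# keyword:value; pairs inside a rule's parentheses; the value may be a quoted string
RULE_OPT_RE = re.compile(r'(\w+):\s*(?:"((?:[^"\\]|\\.)*)"|([^;]*));')

RULE_LINE = (
    'alert http $HOME_NET any -> $EXTERNAL_NET any '
    '(msg:"ET USER_AGENTS Suspicious User Agent (BlackSun)"; flow:to_server,established; '
    'content:"User-Agent|3a| BlackSun"; nocase; http_header; '
    'reference:url,www.bitdefender.com/VIRUS-1000328-en--Trojan.Pws.Wow.NCY.html; '
    'reference:url,doc.emergingthreats.net/bin/view/Main/2008983; '
    'classtype:trojan-activity; sid:2008983; rev:6;)'
)

SAMPLE_FAST_LOG = """\
07/16/2015-01:32:12.275324  [**] [1:2008983:6] ET USER_AGENTS Suspicious User Agent (BlackSun) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.2.15:49779 -> 74.125.28.99:80
07/16/2015-01:33:40.000000  [**] [1:2008983:5] ET USER_AGENTS Suspicious User Agent (BlackSun) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.2.15:49780 -> 74.125.28.99:80
07/16/2015-01:34:05.000000  [**] [1:9999999:1] LOCAL constructed test alert [**] [Priority: 3] {UDP} 10.0.2.15:51000 -> 10.0.2.3:53
"""


@dataclass
class Alert:
    ts: str
    gid: int
    sid: int
    rev: int
    msg: str
    classification: str
    priority: int
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def parse_fast_line(line: str) -> Alert:
    m = FAST_RE.match(line.strip())
    if m is None:
        raise ValueError(f"not a fast.log alert line: {line!r}")
    src, sport = m["src"].rsplit(":", 1)      # rsplit keeps IPv6 addresses intact
    dst, dport = m["dst"].rsplit(":", 1)
    return Alert(m["ts"], int(m["gid"]), int(m["sid"]), int(m["rev"]), m["msg"], m["cls"] or "",
                 int(m["prio"]), m["proto"], src, int(sport), dst, int(dport))


def parse_rule_options(rule: str) -> Dict[str, str]:
    """Keyword -> value for the options between the rule's parentheses. Repeated
    keywords (reference, content) keep the last value, which is fine for sid/rev/msg/classtype."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    opts: Dict[str, str] = {}
    for key, quoted, bare in RULE_OPT_RE.findall(body):
        opts[key] = quoted if quoted else bare.strip()
    return opts


def index_rules(rules_text: str) -> Dict[int, Dict[str, str]]:
    """sid -> options for every active rule line in a .rules file."""
    idx: Dict[int, Dict[str, str]] = {}
    for line in rules_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "sid:" in line:
            opts = parse_rule_options(line)
            idx[int(opts["sid"])] = opts
    return idx


def check_alert(alert: Alert, rules: Dict[int, Dict[str, str]]) -> str:
    """'ok' when fast.log and the rule file agree on sid, rev and msg; otherwise why not."""
    rule = rules.get(alert.sid)
    if rule is None:
        return "sid not in rule file"
    if int(rule.get("rev", "0")) != alert.rev:
        return f"rev mismatch (alert rev {alert.rev}, file rev {rule['rev']})"
    if rule.get("msg") != alert.msg:
        return "msg differs from rule file"
    return "ok"


def triage(fast_text: str, rules_text: str) -> List[Tuple[int, int, str]]:
    """(sid, priority, check result) per alert, most urgent (lowest priority number) first."""
    rules = index_rules(rules_text)
    alerts = [parse_fast_line(l) for l in fast_text.splitlines() if l.strip()]
    return [(a.sid, a.priority, check_alert(a, rules)) for a in sorted(alerts, key=lambda a: a.priority)]


if __name__ == "__main__":
    fast = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_FAST_LOG
    rules = open(sys.argv[2]).read() if len(sys.argv) > 2 else RULE_LINE
    for sid, prio, status in triage(fast, rules):
        print(f"sid {sid} priority {prio}: {status}")
```

Point it at /var/log/suricata/fast.log and the .rules file you are testing to run the same check on live alerts; without arguments it uses the embedded sample.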

2 Summary

In this exercise we enabled the HTTP, DNS and TLS log outputs in Suricata, checked the logs written by its protocol parsers, and tested Emerging Threats signatures that indicate the presence of malware on a system. Suricata logs are located in '/var/log/suricata'. 'dns.log', 'http.log' and 'tls.log' keep metadata extracted from network protocols; 'fast.log' keeps the alerts raised when traffic matches the signatures loaded from threat intelligence feeds such as Emerging Threats.