In the realm of cybersecurity, intrusion detection and prevention systems (IDS/IPS) are paramount in safeguarding against threats that manage to slip past endpoint and perimeter defenses. Among the open source solutions available, Suricata stands out as one of the most widely deployed components in commercial cybersecurity products. However, it is not without limitations. Suricata often triggers false positive alerts, lacks comprehensive protocol and application coverage, and struggles to detect advanced threats that utilize encryption to evade detection. Enter next-generation deep packet inspection (NG DPI) software, a game-changing solution that can fill these gaps and significantly enhance Suricata’s performance.
Recognizing the potential of this powerful combination, leading cybersecurity vendors have begun integrating Suricata with NG DPI to enhance various products, including cloud firewalls (FWaaS), secure web gateways (SWG), next-generation firewalls (NGFW), network detection and response (NDR) platforms, and extended threat detection and response (XDR) platforms.
Embedded NG DPI bolsters Suricata by:
- Enabling the swift creation of whitelists and blacklists that leverage NG DPI’s expansive protocol coverage, particularly for Cloud, SaaS, IoT, and OT applications and protocols, as well as custom and legacy applications.
- Significantly improving Suricata’s ability to detect anomalous and evasive traffic.
- Extending Suricata’s threat detection capabilities to encompass fully encrypted environments.
- Drastically reducing the prevalence of false-positive alerts generated by Suricata through heightened network visibility and more precise traffic identification.
- Streamlining threat analysis and forensics through high-value contextual metadata, thereby reducing the need for full packet capture.
Architecture Overview
Unlocking the Power of NG DPI in Enhancing Suricata Rules
When combined with NG DPI, Suricata rules and alerts become more refined and can be tailored to specific customer environments. At a basic level, the expanded protocol and application coverage offered by NG DPI has a profound impact on the efficacy of rules and alerts. For instance, let’s take a closer look at two rules, one with and one without NG DPI’s expanded protocol coverage.
Digging deeper, NG DPI’s unique security metadata provides invaluable insights for rule development, including the detection of:
- MITM interception
- Complex tunneling
- Anonymizers
- Non-corp VPNs
- DGA
- Domain fronting
- File type mismatches
- Non-standard use of communication channels
The last method is a common tactic employed by advanced persistent threats, making it crucial to examine how integrated NG DPI enhances Suricata’s ability to identify and respond to attacks that utilize this technique.
Detecting Command and Control Attacks Concealed by Common Protocols
To evade detection by IDS/IPS systems like Suricata, some command and control (C2C) attacks encapsulate commands within common protocols, communicating via standard assigned ports to blend in with normal traffic. This tactic is recognized in the MITRE ATT&CK framework as a known adversary technique (Technique ID T1071: application layer protocol). The framework suggests several methods for detecting covert C2C attacks. In each case, Suricata complemented by NG DPI proves to be far more effective in detecting this type of attack. Specifically, it enhances Suricata’s ability to detect and respond to the three indicators of potential malware associated with C2C attacks, as detailed in the chart below.
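The contrast drawn above between a port-only rule and a rule that can use DPI-identified application protocols (the "two rules" comparison and the port/protocol mismatch that T1071-style C2C relies on) can be shown on constructed flow metadata. This is an added example, not code from the original post or from any vendor's product; the record format, field names, sample flows and both rule functions are assumptions made for illustration.

```python
"""Port-only rule versus DPI-aware rule over constructed flow metadata."""
import json

# Constructed DPI-style flow records (not real traffic): each carries the
# destination port Suricata would match on and the application protocol a
# DPI engine identified from the payload itself.
SAMPLE_FLOWS = "\n".join([
    '{"src":"10.0.0.5","dst":"203.0.113.10","dport":443,"app":"tls"}',
    '{"src":"10.0.0.6","dst":"203.0.113.11","dport":443,"app":"http"}',
    '{"src":"10.0.0.7","dst":"198.51.100.20","dport":53,"app":"dns"}',
    '{"src":"10.0.0.8","dst":"198.51.100.21","dport":53,"app":"ssh"}',
    '{"src":"10.0.0.9","dst":"203.0.113.12","dport":8443,"app":"tls"}',
])

# Assumed policy: the application protocol expected on each well-known port.
EXPECTED_APP_BY_PORT = {443: "tls", 53: "dns", 80: "http", 22: "ssh"}


def parse_flows(text):
    """Parse one JSON flow record per line, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def port_only_rule(flow):
    """Without DPI the rule can only key on the port: it flags any traffic to
    a port it does not know (noisy) and cannot see C2C hidden on a standard
    port behind the wrong protocol (blind)."""
    return flow["dport"] not in EXPECTED_APP_BY_PORT


def dpi_aware_rule(flow):
    """With DPI metadata the rule compares the identified application with
    the protocol the port is supposed to carry, flagging only the mismatch."""
    expected = EXPECTED_APP_BY_PORT.get(flow["dport"])
    return expected is not None and flow["app"] != expected


def run_rules(text):
    """Return the source hosts each rule alerts on, for side-by-side review."""
    flows = parse_flows(text)
    return {
        "port_only": [f["src"] for f in flows if port_only_rule(f)],
        "dpi_aware": [f["src"] for f in flows if dpi_aware_rule(f)],
    }


if __name__ == "__main__":
    print(json.dumps(run_rules(SAMPLE_FLOWS), indent=2))
```

On the sample, the port-only rule raises a single alert on the legitimate TLS session to port 8443 (a false positive) and misses both mismatched flows, while the DPI-aware rule alerts only on HTTP over port 443 and SSH over port 53.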
Summary
NG DPI presents a significant value-add for cybersecurity vendors and operators of critical networks seeking to bolster the performance of Suricata. By harnessing the