Understanding Signature Direction

Which Direction?

When looking at Suricata IDS signatures it is important to understand the directional aspects of the signature. There are a few components in the signature that make up the direction aspect:

  • Source Network(s)
  • Source Port(s)
  • Directional Arrow(s)
  • Destination Network(s)
  • Destination Port(s)
  • Flow Keywords

Source Network

Example Signature:

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"Example HTTP GET Method Signature"; flow:established,to_server; http.method; content:"GET"; fast_pattern; classtype:misc-activity; sid:1; rev:1;)

Using our example signature, the source network is $HOME_NET, a variable that is defined in the suricata.yaml file. For each Suricata IDS instance, $HOME_NET can have a different definition. There is no one definition in terms of IP space for $HOME_NET.

$HOME_NET can be thought of as the identifiable or known IP-based assets on the network space being monitored. Said another way, $HOME_NET is the IP space that is expected to be seen on the network. If your local network assigns 192.168.0.0/24 address space and nothing else, anything in the 192.168.0.0/24 space could be considered $HOME_NET. (The suricata.yaml shipped with Suricata defaults $HOME_NET to the RFC 1918 private ranges, which is a reasonable starting point but rarely an exact fit for a real network.)

If the local network uses 192.168.0.0/24 and 10.0.0.0/24 and the Suricata instance will see traffic from both of those IP spaces, then $HOME_NET would be defined as a list containing both 192.168.0.0/24 and 10.0.0.0/24 under vars.address-groups in suricata.yaml. Getting this definition right matters: a host that belongs to your network but is missing from $HOME_NET is silently treated as external, so rules written as $HOME_NET -> $EXTERNAL_NET never fire for it.

Additional Reading: 7.1. Rules Format — Suricata 7.0.0-rc3-dev documentation

Source Port

Example Signature:

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"Example HTTP GET Method Signature"; flow:established,to_server; http.method; content:"GET"; fast_pattern; classtype:misc-activity; sid:1; rev:1;)

In the example signature above the source port is the word any following $HOME_NET. In the context of the example signature this means that all HTTP traffic with a source IP address that matches the $HOME_NET variable will be evaluated, regardless of which source port the client happened to use.

Typically when initiating a network connection the operating system picks an ephemeral source port from a high range (for example 32768 to 60999 on Linux and 49152 to 65535 on Windows by default), so source ports above 1024 are the common case. However, it is possible that an application, or a deliberately crafted connection, will use a source port lower than 1024. By using any for the source port we avoid unintentionally limiting the signature to a specific source port range, and we avoid giving an attacker a trivial way to evade it by choosing an unexpected source port.

Additional Reading: 7.1. Rules Format — Suricata 7.0.0-rc3-dev documentation

Directional Arrow

Example Signature:

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"Example HTTP GET Method Signature"; flow:established,to_server; http.method; content:"GET"; fast_pattern; classtype:misc-activity; sid:1; rev:1;)

In the example signature the directional arrow is ->. In this case Suricata will be evaluating traffic with a source network that matches $HOME_NET, with any source port, and with a destination network that matches the value(s) in $EXTERNAL_NET. The other supported arrow is <>, which makes the header match in either orientation (source and destination may be swapped). There is no <- arrow in Suricata; to express the opposite direction you swap the source and destination parts of the header.

Additional Reading: 7.1. Rules Format — Suricata 7.0.0-rc3-dev documentation

Destination Network

Example Signature:

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"Example HTTP GET Method Signature"; flow:established,to_server; http.method; content:"GET"; fast_pattern; classtype:misc-activity; sid:1; rev:1;)

In the example signature the destination network is defined as $EXTERNAL_NET, a variable that is defined in the suricata.yaml file. For each Suricata IDS instance, $EXTERNAL_NET can have a different definition. There is no one definition in terms of IP space for $EXTERNAL_NET.

When discussing $HOME_NET we said, "$HOME_NET is the IP space that is expected to be seen on the network". $EXTERNAL_NET can be thought of as any IP space that is not $HOME_NET, and the default suricata.yaml defines it exactly that way, as the negation of $HOME_NET (!$HOME_NET). Using our $HOME_NET network space example from above, our local network is using 192.168.0.0/24, which would mean $EXTERNAL_NET is anything that doesn't fall in the 192.168.0.0/24 IP space.

Additional Reading: 7.1. Rules Format — Suricata 7.0.0-rc3-dev documentation

Destination Port

Example Signature:

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"Example HTTP GET Method Signature"; flow:established,to_server; http.method; content:"GET"; fast_pattern; classtype:misc-activity; sid:1; rev:1;)

In the example signature above the destination port is the word any following $EXTERNAL_NET. In the context of the example signature this means that all HTTP traffic will be evaluated as long as it has a source IP address that matches the $HOME_NET variable, any source port, a destination IP that matches the definition of $EXTERNAL_NET, and any destination port. Leaving the destination port as any is what lets this rule catch HTTP on non-standard ports, which is often where the interesting traffic is.

Additional Reading: 7.1. Rules Format — Suricata 7.0.0-rc3-dev documentation

Flow Keyword

Example Signature:

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"Example HTTP GET Method Signature"; flow:established,to_server; http.method; content:"GET"; fast_pattern; classtype:misc-activity; sid:1; rev:1;)

Our example signature has two values for the flow keyword, established and to_server.

The value established indicates that Suricata will only evaluate traffic that belongs to a flow it considers established; for TCP that means the three-way handshake has completed. The value to_server indicates that Suricata will only evaluate packets travelling from the client to the server, where the client is the host that initiated the flow and the server is the host that accepted it. Note that this is a property of the flow, not of the address variables: to_server does not mean "towards $EXTERNAL_NET". It is only because this rule's header is $HOME_NET -> $EXTERNAL_NET that the server side ends up being the $EXTERNAL_NET host. A rule written as $EXTERNAL_NET any -> $HOME_NET any with flow:to_server would match requests from outside clients to a server inside $HOME_NET.

Additional Reading: 7.11. Flow Keywords — Suricata 7.0.0-rc3-dev documentation

With all of this information we can interpret the example signature as: fire an alert on any HTTP request that is sent from my $HOME_NET IP space, on any source port, to a host defined in $EXTERNAL_NET, on any destination port, where the TCP connection is already established, the packet is travelling from the client towards the server, and the HTTP method is GET.
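The following is an added illustration, not code from the original post or from Suricata itself: a small Python evaluator for just the directional parts discussed above (address variables, source and destination ports, the -> and <> arrows, and flow:to_server/to_client). The address-group and port-group values, the rules and the packets are all constructed sample data; the rule parser is a deliberately minimal stand-in for Suricata's real one and only understands the header plus the flow option. It exists to make one point concrete: the header arrow and the flow direction are checked independently, and to_server refers to the flow initiator, not to $EXTERNAL_NET.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample mirroring vars.address-groups / vars.port-groups in suricata.yaml.
# EXTERNAL_NET is the negation of HOME_NET, as in the default configuration.
ADDRESS_GROUPS = {"HOME_NET": "[192.168.0.0/24,10.0.0.0/24]", "EXTERNAL_NET": "!$HOME_NET"}
PORT_GROUPS = {"HTTP_PORTS": "[80,8080]"}


def _split_list(spec):
    """Split "[a,b,[c,d]]" into its top-level items "a", "b", "[c,d]"."""
    items, depth, cur = [], 0, ""
    for ch in spec[1:-1]:
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
        if ch == "," and depth == 0:
            items.append(cur)
            cur = ""
        else:
            cur += ch
    return items + [cur] if cur else items


def _matches(spec, value, groups, leaf):
    """Shared matcher for address and port specs. Semantics follow Suricata's rule
    syntax: 'any' matches everything, '$NAME' expands a variable, '!X' negates,
    and a list '[a,!b]' means "a, except b" (a list of only negations means
    "everything except these")."""
    spec = spec.strip()
    if spec == "any":
        return True
    if spec.startswith("$"):
        return _matches(groups[spec[1:]], value, groups, leaf)
    if spec.startswith("!"):
        return not _matches(spec[1:], value, groups, leaf)
    if spec.startswith("["):
        items = _split_list(spec)
        positives = [i for i in items if not i.startswith("!")]
        negatives = [i[1:] for i in items if i.startswith("!")]
        pos_ok = not positives or any(_matches(i, value, groups, leaf) for i in positives)
        return pos_ok and not any(_matches(i, value, groups, leaf) for i in negatives)
    return leaf(spec, value)


def _addr_leaf(spec, ip):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def _port_leaf(spec, port):
    lo, sep, hi = spec.partition(":")  # "80", "1024:", ":1023" or "8000:8080"
    lo = int(lo) if lo else 0
    hi = int(hi) if hi else (65535 if sep else lo)
    return lo <= port <= hi


HEADER_RE = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")


@dataclass
class Header:
    action: str
    proto: str
    src: str
    sport: str
    arrow: str
    dst: str
    dport: str
    flow: set


def parse_rule(text):
    """Toy parser: header fields plus the flow: option; every other option is ignored."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised rule syntax")
    fm = re.search(r"\bflow:([^;]+);", m.group(8))
    flow = {v.strip() for v in fm.group(1).split(",")} if fm else set()
    return Header(*m.groups()[:7], flow=flow)


@dataclass
class Packet:
    """One packet of an already-established flow. to_server is True when the packet goes
    from the host that opened the connection (client) to the one that accepted it (server);
    Suricata derives this from its flow table, not from the address variables."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    to_server: bool


def header_matches(rule, pkt):
    def one_way(src, sport, dst, dport):
        return (_matches(src, pkt.src_ip, ADDRESS_GROUPS, _addr_leaf)
                and _matches(sport, pkt.src_port, PORT_GROUPS, _port_leaf)
                and _matches(dst, pkt.dst_ip, ADDRESS_GROUPS, _addr_leaf)
                and _matches(dport, pkt.dst_port, PORT_GROUPS, _port_leaf))
    ok = one_way(rule.src, rule.sport, rule.dst, rule.dport)
    if rule.arrow == "<>":  # bidirectional header: try the swapped orientation too
        ok = ok or one_way(rule.dst, rule.dport, rule.src, rule.sport)
    if "to_server" in rule.flow and not pkt.to_server:
        ok = False
    if "to_client" in rule.flow and pkt.to_server:
        ok = False
    return ok  # 'established' is assumed: all sample packets are post-handshake


# Constructed traffic. Flow A: internal client 192.168.0.10 opened a connection to 203.0.113.5:80.
REQUEST = Packet("192.168.0.10", 51234, "203.0.113.5", 80, to_server=True)
RESPONSE = Packet("203.0.113.5", 80, "192.168.0.10", 51234, to_server=False)
# Flow B: external client 203.0.113.5 opened a connection to internal server 10.0.0.20:80.
INBOUND_REQUEST = Packet("203.0.113.5", 40000, "10.0.0.20", 80, to_server=True)

OUTBOUND_RULE = 'alert http $HOME_NET any -> $EXTERNAL_NET any (flow:established,to_server; http.method; content:"GET"; sid:1; rev:1;)'
INBOUND_RULE = 'alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (flow:established,to_server; sid:2; rev:1;)'
BIDIR_RULE = 'alert tcp $HOME_NET any <> $EXTERNAL_NET 80 (flow:established; sid:3; rev:1;)'


def demo():
    """Which constructed packets each rule's directional parts accept."""
    return {
        sid: [name for name, p in (("request", REQUEST), ("response", RESPONSE), ("inbound", INBOUND_REQUEST))
              if header_matches(parse_rule(rule), p)]
        for sid, rule in (("outbound", OUTBOUND_RULE), ("inbound", INBOUND_RULE), ("bidir", BIDIR_RULE))
    }


if __name__ == "__main__":
    for sid, hits in demo().items():
        print(f"{sid}: {hits}")
```

Running it shows the outbound rule matching only the request of flow A (the response fails the header direction, and flow B's request fails $HOME_NET even though it is to_server), the inbound rule matching only flow B, and the <> rule matching both packets of flow A because the header is checked in both orientations and no flow direction was given.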
