🔐 Securing ROS 2 Robots: Network Intrusion Detection with Suricata
As robots become more deeply integrated into logistics, healthcare, research and everyday life, they also become more attractive targets for cyber threats. Network security in robotics is no longer optional, especially when those systems rely on distributed middleware like ROS 2 (Robot Operating System 2).
In this article, part of our larger series on hardening ROS 2 robots, we focus on using Suricata, a high-performance open source intrusion detection system (IDS), to monitor and alert on suspicious network traffic in real time.
🔎 This guide covers installing Suricata on a ROS 2 robot running Ubuntu 24.04, integrating it into an automated main.sh install script, and validating the configuration.
Why use Suricata for robotic network security?
Suricata provides deep packet inspection and real-time alerts on potentially malicious activities in:
- Ethernet, IP, TCP/UDP and application layer protocols
- ROS 2 DDS traffic, which typically operates through UDP ports 7400–7600
- Common attack patterns, detected using customizable rule signatures
By adding Suricata to a robotic system, you get:
- ✅ Visibility of all traffic flows (including internal ROS 2 communication)
- ✅ Early alerts for unauthorized access or malformed packets
- ✅ A foundation for Zero Trust network security, even on public or mobile connections
Suricata deployment modes for robots
Suricata supports multiple deployment models depending on your network architecture:
✅ Host-based monitoring
Suricata runs directly on the robot and inspects packets on the system's own network interface.
🧰 Ideal for: isolated devices, portable robots and standalone systems.
✅ Inline IPS mode
Suricata sits inline between network segments and actively blocks malicious traffic (intrusion prevention system mode).
🧰 Ideal for: robots behind dedicated gateways or firewalls.
✅ Passive mode with SPAN/TAP
Suricata connects to a mirror (SPAN) port or a network TAP on a switch to passively monitor all traffic on the subnet.
🧰 Ideal for: laboratories, testing environments and security operations centers.
Installing Suricata via main.sh
Integration
In this series, we use a modular approach to protect ROS 2 systems. Suricata is installed by a suricata_setup function, called by the centralized main.sh installer. This makes security settings consistent and programmable across robot deployments.
🔧 suricata_setup function
#!/bin/bash
source ./common.sh

suricata_setup() {
    apt update && apt upgrade -y
    apt install -y suricata

    # Add basic detection rules (Suricata syntax: action, protocol, src, src port, direction, dst, dst port)
    mkdir -p /etc/suricata/rules
    echo 'alert udp any any -> any 7400:7600 (msg:"UDP ROS2 DDS traffic detected"; sid:100001; rev:1;)' >> /etc/suricata/rules/local.rules
    echo 'alert icmp any any -> any any (msg:"ICMP test detected"; sid:1000001; rev:1;)' >> /etc/suricata/rules/local.rules

    # Make sure Suricata loads the custom rules file: list it under rule-files in suricata.yaml
    # (appending a stray "includes:" key to the end of the YAML is not read as a rule file)
    grep -q '^  - local.rules' /etc/suricata/suricata.yaml || sed -i '/^rule-files:/a\  - local.rules' /etc/suricata/suricata.yaml

    # Check the configuration and rules before enabling the service
    suricata -T -c /etc/suricata/suricata.yaml -v
    systemctl enable --now suricata
}
You can call this function directly from your main.sh, or invoke it as one modular step in a larger installation sequence.
🔄 Suricata configuration for your network interface
Suricata needs to monitor the correct network interface. Identify yours:
ip a | grep UP
Sample result:
2: ens3: ...
Update /etc/suricata/suricata.yaml:
af-packet:
  - interface: ens3 # Replace 'ens3' with your active network interface
Update the rule path configuration:
default-rule-path: /etc/suricata/rules
rule-files:
  - local.rules
Make sure there are no conflicting rule-file entries; comment out the default includes if necessary:
# include:
#   - include1.yaml
#   - include2.yaml
# include: local.rules
Restart Suricata to apply the changes:
sudo systemctl restart suricata
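The interface and rule-file edits above, and the same edits the suricata_setup function makes, are easy to get wrong by hand (a second run of a blind append leaves a duplicate rule-files entry). The following helper script is an added example, not part of the original article or of the series' main.sh: it makes the same changes idempotently on a suricata.yaml, reads the interface back, and runs Suricata's own configuration test when the binary is installed. The constructed sample suricata.yaml it writes, the CFG/IFACE/DDS environment variables and every function name are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example: idempotent af-packet interface and rule-files edits for suricata.yaml.
set -euo pipefail

# Write a minimal, constructed suricata.yaml into $1 (same keys as the article's snippets).
make_sample_config() {
  cat > "$1" <<'EOF'
%YAML 1.1
---
af-packet:
  - interface: eth0
    cluster-id: 99
default-rule-path: /var/lib/suricata/rules
rule-files:
  - suricata.rules
EOF
}

# First non-loopback interface that is UP (the same information as `ip a | grep UP`).
detect_interface() {
  ip -o link show up 2>/dev/null | awk -F': ' '$2 != "lo" { print $2; exit }'
}

# Replace the first "- interface:" entry under af-packet in $1 with $2, keeping any trailing comment.
set_afpacket_interface() {
  local cfg="$1" iface="$2" tmp
  tmp=$(mktemp)
  awk -v iface="$iface" '
    !done && $1 == "-" && $2 == "interface:" {
      sub(/interface:[ \t]*[^ \t#]+/, "interface: " iface)
      done = 1
    }
    { print }' "$cfg" > "$tmp"
  cat "$tmp" > "$cfg" && rm -f "$tmp"   # cat keeps the original file's owner and mode
}

# Set default-rule-path to $2 and list $3 under rule-files exactly once (safe to re-run).
set_rule_file() {
  local cfg="$1" path="$2" rule="$3" tmp
  tmp=$(mktemp)
  awk -v path="$path" '
    /^default-rule-path:/ { print "default-rule-path: " path; next }
    { print }' "$cfg" > "$tmp"
  cat "$tmp" > "$cfg"
  if ! grep -qE "^[[:space:]]*- ${rule}[[:space:]]*$" "$cfg"; then
    awk -v rule="$rule" '{ print } /^rule-files:/ { print "  - " rule }' "$cfg" > "$tmp"
    cat "$tmp" > "$cfg"
  fi
  rm -f "$tmp"
}

# Run Suricata's built-in config/rule test (suricata -T) when the binary exists; otherwise skip.
validate_config() {
  if command -v suricata >/dev/null 2>&1; then
    suricata -T -c "$1" -v
  else
    echo "suricata not installed; skipping 'suricata -T'" >&2
  fi
}

# Read-back helpers for a quick check of the result.
get_afpacket_interface() { awk '$1 == "-" && $2 == "interface:" { print $3; exit }' "$1"; }
count_rule_file() { grep -cE "^[[:space:]]*- $2[[:space:]]*$" "$1"; }

# Demo on a constructed copy (no root needed). On a robot, run e.g.:
#   CFG=/etc/suricata/suricata.yaml IFACE=ens3 ./suricata_config.sh
CFG="${CFG:-$(mktemp)}"
[ -s "$CFG" ] || make_sample_config "$CFG"
iface="${IFACE:-$(detect_interface || true)}"
set_afpacket_interface "$CFG" "${iface:-ens3}"
set_rule_file "$CFG" /etc/suricata/rules local.rules
validate_config "$CFG"
cat "$CFG"
```

The edits go through a temporary file and are copied back with cat rather than mv so the real /etc/suricata/suricata.yaml keeps its owner and permissions; running the script twice leaves exactly one local.rules entry, which is what the hand-edited version cannot guarantee.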
🧪 Suricata test with ICMP traffic
You can validate your configuration with a basic ping test:
Terminal 1:
ping 8.8.8.8
Terminal 2:
sudo tail -f /var/log/suricata/fast.log
Exp.
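Watching fast.log scroll by confirms the rules fire, but on a robot you also want to turn those lines into something you can act on: how often each rule fires, and which hosts are sending DDS traffic that you did not expect. The script below is an added example, not code from the original article; it parses the fast.log line format (timestamp, [gid:sid:rev], message, protocol, source -> destination) with awk, counts alerts per SID, and lists DDS alert sources that are outside an allowlist. The sample log lines are constructed to match the two rules in this article, and the allowlist, the LOG/DDS_ALLOW variables and the function names are assumptions of this example; it handles IPv4 addresses only.

```shell
#!/usr/bin/env bash
# Added example: triage Suricata fast.log output for a ROS 2 robot.
set -euo pipefail

# Constructed fast.log lines in Suricata's fast.log format (not captured from a real robot).
make_sample_fastlog() {
  cat > "$1" <<'EOF'
04/19/2025-10:15:22.123456  [**] [1:1000001:1] ICMP test detected [**] [Classification: (null)] [Priority: 3] {ICMP} 192.168.1.10:8 -> 8.8.8.8:0
04/19/2025-10:15:23.223456  [**] [1:1000001:1] ICMP test detected [**] [Classification: (null)] [Priority: 3] {ICMP} 192.168.1.10:8 -> 8.8.8.8:0
04/19/2025-10:15:24.001000  [**] [1:100001:1] UDP ROS2 DDS traffic detected [**] [Classification: (null)] [Priority: 3] {UDP} 192.168.1.20:45678 -> 192.168.1.10:7400
04/19/2025-10:15:25.001000  [**] [1:1000001:1] ICMP test detected [**] [Classification: (null)] [Priority: 3] {ICMP} 192.168.1.10:8 -> 8.8.8.8:0
04/19/2025-10:15:26.001000  [**] [1:100001:1] UDP ROS2 DDS traffic detected [**] [Classification: (null)] [Priority: 3] {UDP} 10.0.0.99:51000 -> 192.168.1.10:7412
EOF
}

# Print "<sid> <count>" per line for every alert in fast.log $1, most frequent first.
# Field 3 is "[gid:sid:rev]", so splitting on ":" gives the SID as the second piece.
count_alerts_by_sid() {
  awk '$2 == "[**]" { split($3, g, ":"); c[g[2]]++ }
       END { for (s in c) print s, c[s] }' "$1" | sort -k2,2nr -k1,1
}

# Print "<src ip> <count>" for alerts with SID $2 in fast.log $1 whose source IP is not in
# the comma-separated allowlist $3. The source is the third-last field ("addr:port"); the
# arrow and destination follow it.
unexpected_dds_sources() {
  local file="$1" sid="$2" allow="$3"
  awk -v sid="$sid" -v allow="$allow" '
    BEGIN { n = split(allow, a, ","); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $2 == "[**]" {
      split($3, g, ":")
      if (g[2] != sid) next
      split($(NF-2), src, ":")      # IPv4 "addr:port" only; IPv6 is bracketed in fast.log
      if (!(src[1] in ok)) seen[src[1]]++
    }
    END { for (ip in seen) print ip, seen[ip] }' "$file" | sort
}

# Demo on the constructed log. On a robot, point LOG at /var/log/suricata/fast.log and
# DDS_ALLOW at the robot's own hosts, e.g.:
#   LOG=/var/log/suricata/fast.log DDS_ALLOW=192.168.1.10,192.168.1.20 ./fastlog_triage.sh
LOG="${LOG:-$(mktemp)}"
[ -s "$LOG" ] || make_sample_fastlog "$LOG"
echo "alerts per SID:"
count_alerts_by_sid "$LOG"
echo "DDS alert sources outside the allowlist (sid 100001):"
unexpected_dds_sources "$LOG" 100001 "${DDS_ALLOW:-192.168.1.10,192.168.1.20}"
```

With the sample log the ICMP rule (sid 1000001) fires three times and the DDS rule (sid 100001) twice, and 10.0.0.99 is reported as the one DDS source not on the allowlist; on a real robot that second list is the one worth reviewing, since DDS discovery traffic from a host you do not own is exactly the "unauthorized access" the rule exists to surface.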