**********************************************************************************
這幾篇是相關的
[研究] Suricata 1.4.6 入侵偵測系統安裝 (CentOS 6.4 x64)
http://shaurong.blogspot.com/2013/10/suricata-146-centos-64-x64.html
或
[研究] Suricata 1.4.6 快速安裝程式 (CentOS 6.4 x64)
http://shaurong.blogspot.com/2013/10/suricata-146-centos-64-x64_31.html
[研究] Barnyard2 for Suricata 1.4.6 安裝 (CentOS 6.4 x64)
http://shaurong.blogspot.com/2013/11/barnyard2-for-suricata-146-centos-64-x64.html
或
[研究] Barnyard2 for Suricata 1.4.6 快速安裝程式 (CentOS 6.4 x64)
http://shaurong.blogspot.com/2013/10/barnyard2-for-suricata-146-centos-64-x64.html
[研究] Suricata 1.4.6 + Barnyard + BASE 安裝 (CentOS 6.4 x64)
http://shaurong.blogspot.com/2013/11/suricata-146-barnyard-base-centos-64-x64.html
**********************************************************************************
Snort vs Suricata 比較
http://wiki.aanval.com/wiki/Snort_vs_Suricata
Suricata 最大優於 Snort 特點是支援 Multi-Threads
Quantitative Analysis of Intrusion Detection Systems: Snort and Suricata
http://people.clarkson.edu/~jmatthew/publications/SPIE_SnortSuricata_2013.pdf
(這裡有效能圖比較,為了方便辨識,小弟上了點顏色)
(下圖) 預設組態,在 2,3,4 cores 時候,Suricata 效能遠超過 Snort
(下圖) Suricata 的 CPU 使用率比 Snort 低
(下圖) CPU cores 不大於4個時,Suricata 的 RAM 用量較高,超過8個時候,Snort暴增
官方網站
http://www.openinfosecfoundation.org/index.php/download-suricata
參考
https://redmine.openinfosecfoundation.org/projects/suricata/wiki
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Quick_Start_Guide
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricata_Installation
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/CentOS_56_Installation
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Basic_Setup
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricata_User_Guide
安裝
su root
cd /usr/local/src
wget http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
rpm -Uvh epel-release-6-8.noarch.rpm
yum -y install libpcap libpcap-devel libnet libnet-devel pcre pcre-devel gcc gcc-c++ automake autoconf libtool make libyaml libyaml-devel zlib zlib-devel file-devel libcap-ng libcap-ng-devel
rpm -Uvh http://rules.emergingthreatspro.com/projects/emergingrepo/x86_64/libnfnetlink-1.0.0-1.x86_64.rpm
rpm -Uvh http://rules.emergingthreatspro.com/projects/emergingrepo/x86_64/libnfnetlink-devel-1.0.0-1.x86_64.rpm
rpm -Uvh http://rules.emergingthreatspro.com/projects/emergingrepo/x86_64/libnetfilter_queue-0.0.17-2.x86_64.rpm
rpm -Uvh http://rules.emergingthreatspro.com/projects/emergingrepo/x86_64/libnetfilter_queue-devel-0.0.17-2.x86_64.rpm
wget http://www.openinfosecfoundation.org/download/suricata-1.4.6.tar.gz
tar -xvzf suricata-1.4.6.tar.gz
cd suricata-1.4.6
./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var
make
make install-full
ldconfig
測試
# 測試程式可否執行
[root@localhost suricata]# /usr/bin/suricata
30/10/2013 -- 14:03:14 - <Info> - This is Suricata version 1.4.6 RELEASE
30/10/2013 -- 14:03:14 - <Info> - CPUs/cores online: 1
30/10/2013 -- 14:03:14 - <Info> - allocated 3670016 bytes of memory for the defrag hash... 65536 buckets of size 56
30/10/2013 -- 14:03:14 - <Info> - preallocated 65535 defrag trackers of size 144
30/10/2013 -- 14:03:14 - <Info> - defrag memory usage: 13107056 bytes, maximum: 33554432
Suricata 1.4.6
USAGE: /usr/bin/suricata [OPTIONS] [BPF FILTER]
-c <path> : path to configuration file
-T : test configuration file (use with -c)
-i <dev or ip> : run in pcap live mode
-F <bpf filter file> : bpf filter file
-r <path> : run in pcap file/offline mode
-s <path> : path to signature file loaded in addition to suricata.yaml settings (optional)
-S <path> : path to signature file loaded exclusively (optional)
-l <dir> : default log directory
-D : run as daemon
-V : display Suricata version
--list-app-layer-protos : list supported app layer protocols
--list-keywords[=all|csv|<kword>] : list keywords implemented by the engine
--list-runmodes : list supported runmodes
--runmode <runmode_id> : specific runmode modification the engine should run. The argument
supplied should be the id for the runmode obtained by running
--list-runmodes
--engine-analysis : print reports on analysis of different sections in the engine and exit.
Please have a look at the conf parameter engine-analysis on what reports
can be printed
--pidfile <file> : write pid to this file (only for daemon mode)
--init-errors-fatal : enable fatal failure on signature init error
--dump-config : show the running configuration
--build-info : display build information
--pcap[=<dev>] : run in pcap mode, no value select interfaces from suricata.yaml
--pcap-buffer-size : size of the pcap buffer value from 0 - 2147483647
--af-packet[=<dev>] : run in af-packet mode, no value select interfaces from suricata.yaml
--user <user> : run suricata as this user after init
--group <group> : run suricata as this group after init
--erf-in <path> : process an ERF file
To run the engine with default configuration on interface eth0 with signature file "signatures.rules", run the command as:
/usr/bin/suricata -c suricata.yaml -s signatures.rules -i eth0
[root@localhost suricata]#
# 顯示版本
[root@localhost suricata-1.4.6]# /usr/bin/suricata -V
This is Suricata version 1.4.6 RELEASE
# 測試設定檔案 /etc/suricata//suricata.yaml
/usr/bin/suricata -T -c /etc/suricata//suricata.yaml -i eth0
如果看到這個 Warning 可不理會,這是因為 /etc/suricata/rules/emerging-icmp.rules 中每條 rule 都關閉了
30/10/2013 -- 14:09:27 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rules loaded from /etc/suricata/rules/emerging-icmp.rules
The two most common are Oinkmaster and Pulledpork. For a guide see:
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Rule_Management_with_Oinkmaster
# 測試輸出到檔案
vi /etc/suricata//suricata.yaml
找到這些敘述,預設只會輸出結果到 console 畫面,可把 file 的 enabled 從 no 改為 yes,就會輸出到 /var/log/suricata.log
outputs:
- console:
enabled: yes
- file:
enabled: yes
filename: /var/log/suricata.log
- syslog:
enabled: no
facility: local5
format: "[%i] <%d> -- "
# 以前景方式執行 (要結束就 Ctrl-C 中斷)
/usr/bin/suricata -c /etc/suricata//suricata.yaml -i eth0
# 以背景 (daemon) 方式執行 (多 -D 參數)
/usr/bin/suricata -D -c /etc/suricata//suricata.yaml -i eth0
背景方式執行的中斷比較麻煩,先用找出 PID 再用 kill 砍掉
[root@localhost suricata]# ps aux | grep suricata
root 36436 87.5 9.4 120508 96036 ? Rs 14:40 0:07 /usr/bin/suricata -D -c /etc/suricata//suricata.yaml -i eth0
root 36438 0.0 0.0 103244 828 pts/1 S+ 14:40 0:00 grep sur
[root@localhost suricata]# kill -9 36436
[root@localhost suricata]# ps aux | | grep suricata
root 36440 0.0 0.0 103244 828 pts/1 S+ 14:40 0:00 grep sur
[root@localhost suricata]#
目前 suricata 電腦上情況
[root@localhost ~]# ls -al /var/log/suricata
total 88
drwxr-xr-x. 3 root root 4096 Oct 30 14:09 .
drwxr-xr-x. 14 root root 4096 Oct 30 14:09 ..
-rw-r-----. 1 root root 17805 Oct 30 14:08 fast.log
drwxr-xr-x. 2 root root 4096 Oct 30 13:57 files
-rw-r-----. 1 root root 0 Oct 30 14:07 http.log
-rw-r--r--. 1 root root 30867 Oct 30 14:08 stats.log
-rw-r-----. 1 root root 24044 Oct 30 14:08 unified2.alert.1383113238
另外找一台主機來攻擊 ( nikto 好像無法對自己攻擊,所以必須另外找一台)
[root@localhost ~]# wget http://www.cirt.net/nikto/nikto-current.tar.gz
[root@localhost ~]# tar zxvf nikto-current.tar.gz
[root@localhost ~]# cd nikto-*
[root@localhost nikto-2.1.5]# chmod +x nikto.pl
[root@localhost nikto-2.1.5]# ./nikto.pl -h 192.168.128.102
- Nikto v2.1.5
---------------------------------------------------------------------------
+ No web server found on 192.168.128.102:80
---------------------------------------------------------------------------
+ 0 host(s) tested
[root@localhost nikto-2.1.5]#
現在 suricata 電腦上情況
[root@localhost ~]# ls -al /var/log/suricata
total 132
drwxr-xr-x. 3 root root 4096 Oct 30 14:13 .
drwxr-xr-x. 14 root root 4096 Oct 30 14:09 ..
-rw-r-----. 1 root root 31143 Oct 30 14:14 fast.log
drwxr-xr-x. 2 root root 4096 Oct 30 13:57 files
-rw-r-----. 1 root root 0 Oct 30 14:07 http.log
-rw-r--r--. 1 root root 41152 Oct 30 14:13 stats.log
-rw-r-----. 1 root root 24044 Oct 30 14:08 unified2.alert.1383113238
-rw-r--r--. 1 root root 19113 Oct 30 14:14 unified2.alert.1383113613
[root@localhost suricata]#
rule 管理可考慮 Oinkmaster and Pulledpork
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Rule_Management_with_Oinkmaster
建立一個方便執行/停止的程式
#!/bin/bash
echo -e "\033[31m"
echo -e "Program : Suricata_Manager.sh "
echo -e "Suricata Daemon Runtime Manager Maker Shell Script (CentOS 6.4 x86_64) "
echo -e "by Shau-Rong Lu 2013/10/30 "
echo -e "\033[0m"
rm -fr /etc/init.d/suricatad
echo "" > /etc/init.d/suricatad
echo "" >> /etc/init.d/suricatad
echo ". /etc/rc.d/init.d/functions " >> /etc/init.d/suricatad
echo "" >> /etc/init.d/suricatad
echo "case \"\$1\" in " >> /etc/init.d/suricatad
echo "start)" >> /etc/init.d/suricatad
echo " echo -n \"Starting Suricata: \"" >> /etc/init.d/suricatad
echo " daemon PCAP_FRAMES=max /usr/bin/suricata -D -c /etc/suricata//suricata.yaml -i eth0" >> /etc/init.d/suricatad
echo " echo" >> /etc/init.d/suricatad
echo " ;;" >> /etc/init.d/suricatad
echo "" >> /etc/init.d/suricatad
echo "stop)" >> /etc/init.d/suricatad
echo " echo -n \"Stopping Suricata: \"" >> /etc/init.d/suricatad
echo " killproc suricata" >> /etc/init.d/suricatad
echo " echo" >> /etc/init.d/suricatad
echo " ;;" >> /etc/init.d/suricatad
echo "" >> /etc/init.d/suricatad
echo "restart)" >> /etc/init.d/suricatad
echo " \$0 stop" >> /etc/init.d/suricatad
echo " \$0 start" >> /etc/init.d/suricatad
echo " ;;" >> /etc/init.d/suricatad
echo "status)" >> /etc/init.d/suricatad
echo " status suricata" >> /etc/init.d/suricatad
echo " ;;" >> /etc/init.d/suricatad
echo "*)" >> /etc/init.d/suricatad
echo " echo \"Usage: service suricatad {start|stop|restart|status}\"" >> /etc/init.d/suricatad
echo " exit 1" >> /etc/init.d/suricatad
echo " esac" >> /etc/init.d/suricatad
echo " exit 0" >> /etc/init.d/suricatad
chmod +x /etc/init.d/suricatad
以後 ...
啟動程式
service suricatad start
停止程式
service suricatad stop
重新啟動程式
service suricatad restart
service suricatad restart
service suricatad status
(完)
相關
[研究] snort-2.9.5.5.tar.gz (CentOS 6.4 x64) 快速安裝程式
http://shaurong.blogspot.tw/2013/10/snort-2955targz-centos-64-x64.html
今天(2013/10/31)稍晚就來實做您這篇suricatad,希望一切順利
回覆刪除這篇實做成功,可惜沒有像BASE那種套件可以圖型化,不然這個安裝的難度比SNORT低多了
回覆刪除或是suricatad 其實也可以和BASE結合在一起?
感謝您的辛苦研究文章囉
一樣可以用 BASE 去看,情況和 Snort 相同,要用 barnyard2 把 Suricata 的輸出寫入 mysql 資料庫,用 ADODB 才能讓 BASE 顯示 mysql 中存放的資訊。
刪除您好,目前我以Ubuntu MATE 16.04.5安裝suricata-4.1.0完成,接著我想裝barnyard2和base才能有web 前端展示還是用更好的替代web展示畫面呢?請版主賜教~(真心佩服版主在5年前就開始接觸NIDS)
刪除