2013年10月30日 星期三

[研究] Suricata 1.4.6 入侵偵測系統安裝 (CentOS 6.4 x64)

[研究] Suricata 1.4.6 入侵偵測系統安裝 (CentOS 6.4 x64)

**********************************************************************************

這幾篇是相關的

[研究] Suricata 1.4.6 入侵偵測系統安裝 (CentOS 6.4 x64)
http://shaurong.blogspot.com/2013/10/suricata-146-centos-64-x64.html

[研究] Suricata 1.4.6 快速安裝程式 (CentOS 6.4 x64)
http://shaurong.blogspot.com/2013/10/suricata-146-centos-64-x64_31.html

[研究] Barnyard2 for Suricata 1.4.6 安裝 (CentOS 6.4 x64)
http://shaurong.blogspot.com/2013/11/barnyard2-for-suricata-146-centos-64-x64.html

[研究] Barnyard2 for Suricata 1.4.6 快速安裝程式 (CentOS 6.4 x64)
http://shaurong.blogspot.com/2013/10/barnyard2-for-suricata-146-centos-64-x64.html

[研究] Suricata 1.4.6 + Barnyard + BASE 安裝 (CentOS 6.4 x64)
http://shaurong.blogspot.com/2013/11/suricata-146-barnyard-base-centos-64-x64.html

**********************************************************************************

Suricata IDS 是一種入侵偵測系統(intrusion Detection Systems, IDS)。

Snort vs Suricata 比較
http://wiki.aanval.com/wiki/Snort_vs_Suricata
Suricata 最大優於 Snort 特點是支援 Multi-Threads

Quantitative Analysis of Intrusion Detection Systems: Snort and Suricata
http://people.clarkson.edu/~jmatthew/publications/SPIE_SnortSuricata_2013.pdf
(這裡有效能圖比較,為了方便辨識,小弟上了點顏色)

(下圖) 預設組態,在 2,3,4 cores 時候,Suricata 效能遠超過 Snort


(下圖) Suricata 的 CPU 使用率比 Snort 低

(下圖) CPU cores 不大於4個時,Suricata 的 RAM 用量較高,超過8個時候,Snort暴增




官方網站
http://www.openinfosecfoundation.org/index.php/download-suricata

參考
https://redmine.openinfosecfoundation.org/projects/suricata/wiki
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Quick_Start_Guide
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricata_Installation
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/CentOS_56_Installation
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Basic_Setup
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricata_User_Guide

安裝

su root
cd /usr/local/src

wget http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
rpm -Uvh epel-release-6-8.noarch.rpm

yum -y install libpcap libpcap-devel libnet libnet-devel pcre pcre-devel gcc gcc-c++ automake autoconf libtool make libyaml libyaml-devel zlib zlib-devel file-devel libcap-ng libcap-ng-devel

rpm -Uvh http://rules.emergingthreatspro.com/projects/emergingrepo/x86_64/libnfnetlink-1.0.0-1.x86_64.rpm
rpm -Uvh http://rules.emergingthreatspro.com/projects/emergingrepo/x86_64/libnfnetlink-devel-1.0.0-1.x86_64.rpm
rpm -Uvh http://rules.emergingthreatspro.com/projects/emergingrepo/x86_64/libnetfilter_queue-0.0.17-2.x86_64.rpm
rpm -Uvh http://rules.emergingthreatspro.com/projects/emergingrepo/x86_64/libnetfilter_queue-devel-0.0.17-2.x86_64.rpm

wget http://www.openinfosecfoundation.org/download/suricata-1.4.6.tar.gz
tar -xvzf suricata-1.4.6.tar.gz
cd suricata-1.4.6
./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var
make
make install-full
ldconfig

測試

# 測試程式可否執行

[root@localhost suricata]# /usr/bin/suricata
30/10/2013 -- 14:03:14 - <Info> - This is Suricata version 1.4.6 RELEASE
30/10/2013 -- 14:03:14 - <Info> - CPUs/cores online: 1
30/10/2013 -- 14:03:14 - <Info> - allocated 3670016 bytes of memory for the defrag hash... 65536 buckets of size 56
30/10/2013 -- 14:03:14 - <Info> - preallocated 65535 defrag trackers of size 144
30/10/2013 -- 14:03:14 - <Info> - defrag memory usage: 13107056 bytes, maximum: 33554432
Suricata 1.4.6
USAGE: /usr/bin/suricata [OPTIONS] [BPF FILTER]

        -c <path>                            : path to configuration file
        -T                                   : test configuration file (use with -c)
        -i <dev or ip>                       : run in pcap live mode
        -F <bpf filter file>                 : bpf filter file
        -r <path>                            : run in pcap file/offline mode
        -s <path>                            : path to signature file loaded in addition to suricata.yaml settings (optional)
        -S <path>                            : path to signature file loaded exclusively (optional)
        -l <dir>                             : default log directory
        -D                                   : run as daemon
        -V                                   : display Suricata version
        --list-app-layer-protos              : list supported app layer protocols
        --list-keywords[=all|csv|<kword>]    : list keywords implemented by the engine
        --list-runmodes                      : list supported runmodes
        --runmode <runmode_id>               : specific runmode modification the engine should run.  The argument
                                               supplied should be the id for the runmode obtained by running
                                               --list-runmodes
        --engine-analysis                    : print reports on analysis of different sections in the engine and exit.
                                               Please have a look at the conf parameter engine-analysis on what reports
                                               can be printed
        --pidfile <file>                     : write pid to this file (only for daemon mode)
        --init-errors-fatal                  : enable fatal failure on signature init error
        --dump-config                        : show the running configuration
        --build-info                         : display build information
        --pcap[=<dev>]                       : run in pcap mode, no value select interfaces from suricata.yaml
        --pcap-buffer-size                   : size of the pcap buffer value from 0 - 2147483647
        --af-packet[=<dev>]                  : run in af-packet mode, no value select interfaces from suricata.yaml
        --user <user>                        : run suricata as this user after init
        --group <group>                      : run suricata as this group after init
        --erf-in <path>                      : process an ERF file


To run the engine with default configuration on interface eth0 with signature file "signatures.rules", run the command as:

/usr/bin/suricata -c suricata.yaml -s signatures.rules -i eth0

[root@localhost suricata]#

# 顯示版本

[root@localhost suricata-1.4.6]# /usr/bin/suricata -V
This is Suricata version 1.4.6 RELEASE

# 測試設定檔案  /etc/suricata//suricata.yaml

/usr/bin/suricata -T -c /etc/suricata//suricata.yaml -i eth0

如果看到這個 Warning 可不理會,這是因為 /etc/suricata/rules/emerging-icmp.rules 中每條 rule 都關閉了
30/10/2013 -- 14:09:27 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rules loaded from /etc/suricata/rules/emerging-icmp.rules

The two most common are Oinkmaster and Pulledpork. For a guide see:
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Rule_Management_with_Oinkmaster

# 測試輸出到檔案

vi  /etc/suricata//suricata.yaml

找到這些敘述,預設只會輸出結果到 console 畫面,可把 file 的 enabled 從 no 改為 yes,就會輸出到 /var/log/suricata.log

  outputs:
  - console:
      enabled: yes
  - file:
      enabled: yes
      filename: /var/log/suricata.log
  - syslog:
      enabled: no
      facility: local5
      format: "[%i] <%d> -- "

# 以前景方式執行 (要結束就 Ctrl-C 中斷)

/usr/bin/suricata -c /etc/suricata//suricata.yaml -i eth0

# 以背景 (daemon) 方式執行 (多 -D 參數)

/usr/bin/suricata -D -c /etc/suricata//suricata.yaml -i eth0

背景方式執行的中斷比較麻煩,先用找出 PID 再用 kill 砍掉

[root@localhost suricata]# ps aux | grep suricata
root     36436 87.5  9.4 120508 96036 ?        Rs   14:40   0:07 /usr/bin/suricata -D -c /etc/suricata//suricata.yaml -i eth0
root     36438  0.0  0.0 103244   828 pts/1    S+   14:40   0:00 grep sur
[root@localhost suricata]# kill -9 36436
[root@localhost suricata]# ps aux |  | grep suricata
root     36440  0.0  0.0 103244   828 pts/1    S+   14:40   0:00 grep sur
[root@localhost suricata]#


# 攻擊測試

目前 suricata 電腦上情況

[root@localhost ~]# ls  -al  /var/log/suricata
total 88
drwxr-xr-x.  3 root root  4096 Oct 30 14:09 .
drwxr-xr-x. 14 root root  4096 Oct 30 14:09 ..
-rw-r-----.  1 root root 17805 Oct 30 14:08 fast.log
drwxr-xr-x.  2 root root  4096 Oct 30 13:57 files
-rw-r-----.  1 root root     0 Oct 30 14:07 http.log
-rw-r--r--.  1 root root 30867 Oct 30 14:08 stats.log
-rw-r-----.  1 root root 24044 Oct 30 14:08 unified2.alert.1383113238

另外找一台主機來攻擊 ( nikto 好像無法對自己攻擊,所以必須另外找一台)

[root@localhost ~]# wget  http://www.cirt.net/nikto/nikto-current.tar.gz
[root@localhost ~]# tar zxvf nikto-current.tar.gz
[root@localhost ~]# cd nikto-*
[root@localhost nikto-2.1.5]# chmod +x nikto.pl
[root@localhost nikto-2.1.5]# ./nikto.pl -h 192.168.128.102
- ***** SSL support not available (see docs for SSL install) *****
- Nikto v2.1.5
---------------------------------------------------------------------------
+ No web server found on 192.168.128.102:80
---------------------------------------------------------------------------
+ 0 host(s) tested
[root@localhost nikto-2.1.5]#

現在 suricata 電腦上情況

[root@localhost ~]# ls  -al  /var/log/suricata
total 132
drwxr-xr-x.  3 root root  4096 Oct 30 14:13 .
drwxr-xr-x. 14 root root  4096 Oct 30 14:09 ..
-rw-r-----.  1 root root 31143 Oct 30 14:14 fast.log
drwxr-xr-x.  2 root root  4096 Oct 30 13:57 files
-rw-r-----.  1 root root     0 Oct 30 14:07 http.log
-rw-r--r--.  1 root root 41152 Oct 30 14:13 stats.log
-rw-r-----.  1 root root 24044 Oct 30 14:08 unified2.alert.1383113238
-rw-r--r--.  1 root root 19113 Oct 30 14:14 unified2.alert.1383113613
[root@localhost suricata]#

rule 管理可考慮 Oinkmaster and Pulledpork
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Rule_Management_with_Oinkmaster


建立一個方便執行/停止的程式

#!/bin/bash

echo -e "\033[31m"
echo -e "Program : Suricata_Manager.sh "
echo -e "Suricata Daemon Runtime Manager Maker Shell Script (CentOS 6.4 x86_64) "
echo -e "by Shau-Rong Lu 2013/10/30 "
echo -e "\033[0m"

rm -fr /etc/init.d/suricatad

echo ""  > /etc/init.d/suricatad
echo "" >> /etc/init.d/suricatad
echo ". /etc/rc.d/init.d/functions "  >> /etc/init.d/suricatad
echo "" >> /etc/init.d/suricatad
echo "case \"\$1\" in " >> /etc/init.d/suricatad
echo "start)" >> /etc/init.d/suricatad
echo "  echo -n \"Starting Suricata: \"" >> /etc/init.d/suricatad
echo "  daemon PCAP_FRAMES=max /usr/bin/suricata -D -c /etc/suricata//suricata.yaml -i eth0" >> /etc/init.d/suricatad
echo "  echo" >> /etc/init.d/suricatad
echo "  ;;" >> /etc/init.d/suricatad
echo "" >> /etc/init.d/suricatad
echo "stop)" >> /etc/init.d/suricatad
echo "  echo -n \"Stopping Suricata: \"" >> /etc/init.d/suricatad
echo "  killproc suricata" >> /etc/init.d/suricatad
echo "  echo" >> /etc/init.d/suricatad
echo "  ;;" >> /etc/init.d/suricatad
echo "" >> /etc/init.d/suricatad
echo "restart)" >> /etc/init.d/suricatad
echo "  \$0 stop" >> /etc/init.d/suricatad
echo "  \$0 start" >> /etc/init.d/suricatad
echo "  ;;" >> /etc/init.d/suricatad
echo "status)" >> /etc/init.d/suricatad
echo "  status suricata" >> /etc/init.d/suricatad
echo "  ;;" >> /etc/init.d/suricatad
echo "*)" >> /etc/init.d/suricatad
echo "  echo \"Usage: service suricatad {start|stop|restart|status}\"" >> /etc/init.d/suricatad
echo "  exit 1" >> /etc/init.d/suricatad
echo "  esac" >> /etc/init.d/suricatad
echo "  exit 0" >> /etc/init.d/suricatad

chmod +x /etc/init.d/suricatad

以後 ...

啟動程式

service  suricatad start

停止程式

service  suricatad stop

重新啟動程式

service  suricatad restart

顯示狀態

service  suricatad status

(完)

相關

[研究] snort-2.9.5.5.tar.gz (CentOS 6.4 x64) 快速安裝程式
http://shaurong.blogspot.tw/2013/10/snort-2955targz-centos-64-x64.html

3 則留言:

  1. 今天(2013/10/31)稍晚就來實做您這篇suricatad,希望一切順利

    回覆刪除
  2. 這篇實做成功,可惜沒有像BASE那種套件可以圖型化,不然這個安裝的難度比SNORT低多了

    或是suricatad 其實也可以和BASE結合在一起?

    感謝您的辛苦研究文章囉

    回覆刪除
    回覆
    1. 一樣可以用 BASE 去看,情況和 Snort 相同,要用 barnyard2 把 Suricata 的輸出寫入 mysql 資料庫,用 ADODB 才能讓 BASE 顯示 mysql 中存放的資訊。

      刪除