Sunday, 21 February 2016

[Research] Suricata 2.0.11 Intrusion Detection System Installation (CentOS 7.2 x64)


2016-02-21

Official website
http://oisf.net/suricata/

Documentation
http://suricata-ids.org/docs/
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/CentOS_Installation

Suricata is an intrusion detection system (IDS).

Snort vs Suricata comparison
http://wiki.aanval.com/wiki/Snort_vs_Suricata
Suricata's biggest advantage over Snort is its multi-thread support.

Quantitative Analysis of Intrusion Detection Systems: Snort and Suricata
http://people.clarkson.edu/~jmatthew/publications/SPIE_SnortSuricata_2013.pdf
(This paper has performance comparison charts; I added a little colour to make them easier to read.)

(Figure below) With the default configuration, at 2, 3 and 4 cores Suricata's throughput is far higher than Snort's.


(Figure below) Suricata's CPU utilisation is lower than Snort's.

(Figure below) With 4 or fewer CPU cores Suricata uses more RAM; above 8 cores, Snort's RAM usage jumps sharply.




Installation
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/CentOS_Installation

su root

rpm -Uvh https://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-5.noarch.rpm

yum -y install gcc libpcap-devel pcre-devel libyaml-devel file-devel \
  zlib-devel jansson-devel nss-devel libcap-ng-devel libnet-devel tar make \
  libnetfilter_queue-devel lua-devel

cd /usr/local/src
wget http://www.openinfosecfoundation.org/download/suricata-2.0.11.tar.gz
tar zxvf suricata-2.0.11.tar.gz
cd suricata-2.0.11
./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var --enable-nfqueue --enable-lua

[root@localhost suricata-2.0.11]# ./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var --enable-nfqueue --enable-lua
...(omitted)
Suricata Configuration:
  AF_PACKET support:                       yes
  PF_RING support:                         no
  NFQueue support:                         yes
  NFLOG support:                           no
  IPFW support:                            no
  DAG enabled:                             no
  Napatech enabled:                        no
  Unix socket enabled:                     yes
  Detection enabled:                       yes

  libnss support:                          yes
  libnspr support:                         yes
  libjansson support:                      yes
  Prelude support:                         no
  PCRE jit:                                yes
  LUA support:                             yes
  libluajit:                               no
  libgeoip:                                no
  Non-bundled htp:                         no
  Old barnyard2 support:                   no
  CUDA enabled:                            no

  Suricatasc install:                      yes

  Unit tests enabled:                      no
  Debug output enabled:                    no
  Debug validation enabled:                no
  Profiling enabled:                       no
  Profiling locks enabled:                 no
  Coccinelle / spatch:                     no

Generic build parameters:
  Installation prefix (--prefix):          /usr
  Configuration directory (--sysconfdir):  /etc/suricata/
  Log directory (--localstatedir) :        /var/log/suricata/

  Host:                                    x86_64-unknown-linux-gnu
  GCC binary:                              gcc
  GCC Protect enabled:                     no
  GCC march native enabled:                yes
  GCC Profile enabled:                     no

To build and install run 'make' and 'make install'.

You can run 'make install-conf' if you want to install initial configuration
files to /etc/suricata/. Running 'make install-full' will install configuration
and rules and provide you a ready-to-run suricata.

To install Suricata into /usr/bin/suricata, have the config in
/etc/suricata and use /var/log/suricata as log dir, use:
./configure --prefix=/usr/ --sysconfdir=/etc/ --localstatedir=/var/

[root@localhost suricata-2.0.11]#

make
make install-full
ldconfig

[root@localhost suricata-2.0.11]# make install-full

/usr/bin/wget -qO - http://rules.emergingthreats.net/open/suricata-2.0/emerging.rules.tar.gz | tar -x -z -C "/etc/suricata/" -f -

You can now start suricata by running as root something like '/usr/bin/suricata -c /etc/suricata//suricata.yaml -i eth0'.

If a library like libhtp.so is not found, you can run suricata with:
'LD_LIBRARY_PATH=/usr/lib /usr/bin/suricata -c /etc/suricata//suricata.yaml -i eth0'.

While rules are installed now, it's highly recommended to use a rule manager for maintaining rules.
The two most common are Oinkmaster and Pulledpork. For a guide see:
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Rule_Management_with_Oinkmaster
[root@localhost suricata-2.0.11]#

First check the name of the network interface (here it is eno16777736, not eth0):

[root@localhost ~]# ip addr sh
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eno16777736: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:d2:dc:64 brd ff:ff:ff:ff:ff:ff
    inet 192.168.128.51/24 brd 192.168.128.255 scope global eno16777736
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fed2:dc64/64 scope link
       valid_lft forever preferred_lft forever
[root@localhost ~]#

See which options are available:

[root@localhost suricata-2.0.11]#  /usr/bin/suricata
Suricata 2.0.11
USAGE: /usr/bin/suricata [OPTIONS] [BPF FILTER]

        -c <path>                            : path to configuration file
        -T                                   : test configuration file (use with -c)
        -i <dev or ip>                       : run in pcap live mode
        -F <bpf filter file>                 : bpf filter file
        -r <path>                            : run in pcap file/offline mode
        -q <qid>                             : run in inline nfqueue mode
        -s <path>                            : path to signature file loaded in addition to suricata.yaml settings (optional)
        -S <path>                            : path to signature file loaded exclusively (optional)
        -l <dir>                             : default log directory
        -D                                   : run as daemon
        -k [all|none]                        : force checksum check (all) or disabled it (none)
        -V                                   : display Suricata version
        -v[v]                                : increase default Suricata verbosity
        --list-app-layer-protos              : list supported app layer protocols
        --list-keywords[=all|csv|<kword>]    : list keywords implemented by the engine
        --list-runmodes                      : list supported runmodes
        --runmode <runmode_id>               : specific runmode modification the engine should run.  The argument
                                               supplied should be the id for the runmode obtained by running
                                               --list-runmodes
        --engine-analysis                    : print reports on analysis of different sections in the engine and exit.
                                               Please have a look at the conf parameter engine-analysis on what reports
                                               can be printed
        --pidfile <file>                     : write pid to this file
        --init-errors-fatal                  : enable fatal failure on signature init error
        --disable-detection                  : disable detection engine
        --dump-config                        : show the running configuration
        --build-info                         : display build information
        --pcap[=<dev>]                       : run in pcap mode, no value select interfaces from suricata.yaml
        --pcap-buffer-size                   : size of the pcap buffer value from 0 - 2147483647
        --af-packet[=<dev>]                  : run in af-packet mode, no value select interfaces from suricata.yaml
        --user <user>                        : run suricata as this user after init
        --group <group>                      : run suricata as this group after init
        --erf-in <path>                      : process an ERF file
        --unix-socket[=<file>]               : use unix socket to control suricata work
        --set name=value                     : set a configuration value


To run the engine with default configuration on interface eth0 with signature file "signatures.rules", run the command as:

/usr/bin/suricata -c suricata.yaml -s signatures.rules -i eth0


[root@localhost suricata-2.0.11]#

# Show the version

[root@localhost suricata-2.0.11]#  /usr/bin/suricata  -V
This is Suricata version 2.0.11 RELEASE


# Test the configuration file /etc/suricata//suricata.yaml

[root@localhost suricata-2.0.11]# /usr/bin/suricata -T -c /etc/suricata//suricata.yaml -i  eno16777736
22/2/2016 -- 07:38:16 - <Info> - Running suricata under test mode
22/2/2016 -- 07:38:16 - <Notice> - This is Suricata version 2.0.11 RELEASE
[root@localhost suricata-2.0.11]#

# Send log output to a file

vi  /etc/suricata//suricata.yaml

Find these lines. By default Suricata only writes its log messages to the console; change the file entry's enabled from no to yes and they are also written to /var/log/suricata.log.

  outputs:
  - console:
      enabled: yes
  - file:
      enabled: yes
      filename: /var/log/suricata.log
  - syslog:
      enabled: no
      facility: local5
      format: "[%i] <%d> -- "

# Run in the foreground (press Ctrl-C to stop)

[root@localhost suricata-2.0.11]# /usr/bin/suricata -c /etc/suricata//suricata.yaml -i eno16777736
22/2/2016 -- 07:27:42 - <Notice> - This is Suricata version 2.0.11 RELEASE
22/2/2016 -- 07:27:49 - <Warning> - [ERRCODE: SC_ERR_PCAP_CREATE(21)] - Using Pcap capture with GRO or LRO activated can lead to capture problems.
22/2/2016 -- 07:27:49 - <Notice> - all 2 packet processing threads, 3 management threads initialized, engine started.

(Ctrl-C pressed)

22/2/2016 -- 07:32:09 - <Notice> - Signal Received.  Stopping engine.
22/2/2016 -- 07:32:10 - <Notice> - Stats for 'eno16777736':  pkts: 14, drop: 0 (0.00%), invalid chksum: 4
[root@localhost suricata-2.0.11]#


# Run in the background as a daemon (add the -D option)

/usr/bin/suricata -D -c /etc/suricata//suricata.yaml -i eno16777736

Stopping a background (-D) instance is more cumbersome: find its PID first, then kill it.

[root@localhost suricata-2.0.11]# /usr/bin/suricata -D -c /etc/suricata//suricata.yaml -i eno16777736
22/2/2016 -- 07:40:04 - <Error> - [ERRCODE: SC_ERR_MISSING_CONFIG_PARAM(118)] - NO logging compatible with daemon mode selected, suricata won't be able to log. Please update  'logging.outputs' in the YAML.
22/2/2016 -- 07:40:04 - <Notice> - This is Suricata version 2.0.11 RELEASE

[root@localhost suricata-2.0.11]# ps aux | grep suricata
root      16748 41.0 19.8 764912 402760 ?       Ssl  07:40   0:05 /usr/bin/suricata -D -c /etc/suricata//suricata.yaml -i eno16777736
root      16755  0.0  0.0 112644   960 pts/0    S+   07:40   0:00 grep --color=auto suricata

[root@localhost suricata-2.0.11]# kill -9 16748

[root@localhost suricata-2.0.11]# ps aux | grep suricata
root      16757  0.0  0.0 112644   960 pts/0    R+   07:40   0:00 grep --color=auto suricata
[root@localhost suricata-2.0.11]#
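An added example (not part of the original post) of the start/stop procedure above done with Suricata's own --pidfile option, which appears in the usage output earlier on this page: the stop step then reads the PID from the pidfile and sends SIGTERM instead of searching ps output and using kill -9. SIGTERM lets Suricata shut down the way Ctrl-C did in the foreground run (it prints the "Stats for ..." line and flushes its log files); SIGKILL stops it before that happens. The SC_ERR_MISSING_CONFIG_PARAM error in the daemon run above is also why the file output in the logging section has to be enabled first: a detached daemon has no console to log to. The binary, config and interface names are the ones used on this page; the pidfile path /var/run/suricata.pid is an assumption.

```shell
#!/bin/sh
# Added example (not from the original post): start Suricata as a daemon with
# a pidfile and stop it again with SIGTERM, instead of "ps aux | grep" + "kill -9".
# Assumed paths: /usr/bin/suricata and /etc/suricata/suricata.yaml as installed
# above; eno16777736 is the interface name found in the post. The pidfile
# location /var/run/suricata.pid is an assumption; override via the environment.
SURICATA_BIN=${SURICATA_BIN:-/usr/bin/suricata}
SURICATA_CONF=${SURICATA_CONF:-/etc/suricata/suricata.yaml}
SURICATA_IFACE=${SURICATA_IFACE:-eno16777736}
SURICATA_PIDFILE=${SURICATA_PIDFILE:-/var/run/suricata.pid}

# Is the process still running? kill -0 alone is not enough: a process that has
# exited but not yet been reaped (a zombie) still answers it, so also look at
# the Linux /proc state when it is available.
proc_alive() {
    kill -0 "$1" 2>/dev/null || return 1
    if [ -r "/proc/$1/status" ] && grep -q '^State:[[:space:]]*Z' "/proc/$1/status"; then
        return 1
    fi
    return 0
}

# Validate the configuration first (-T, as in the post), then detach (-D) and
# record the PID with --pidfile so the stop step does not have to guess it.
start_suricata() {
    "$SURICATA_BIN" -T -c "$SURICATA_CONF" -i "$SURICATA_IFACE" || return 1
    "$SURICATA_BIN" -D -c "$SURICATA_CONF" -i "$SURICATA_IFACE" --pidfile "$SURICATA_PIDFILE"
}

# Stop the process named in pidfile $1 with SIGTERM and wait up to $2 seconds
# (default 10) for it to exit. Returns 0 once the process is gone (and removes
# the pidfile), 1 on a missing/invalid pidfile or on timeout.
stop_by_pidfile() {
    pidfile=$1
    timeout=${2:-10}
    if [ ! -r "$pidfile" ]; then
        echo "no readable pidfile: $pidfile" >&2
        return 1
    fi
    pid=$(tr -cd '0-9' < "$pidfile")
    if [ -z "$pid" ]; then
        echo "pidfile $pidfile does not contain a PID" >&2
        return 1
    fi
    if proc_alive "$pid"; then
        kill -s TERM "$pid" || return 1
        waited=0
        while proc_alive "$pid"; do
            if [ "$waited" -ge "$timeout" ]; then
                echo "pid $pid still running after ${timeout}s" >&2
                return 1
            fi
            sleep 1
            waited=$((waited + 1))
        done
    fi
    rm -f "$pidfile"
    return 0
}

# Usage: sh suricata-ctl.sh start | stop
case "${1:-}" in
    start) start_suricata ;;
    stop)  stop_by_pidfile "$SURICATA_PIDFILE" ;;
esac
```

Run it as root, since Suricata needs to open the capture interface. stop_by_pidfile is deliberately generic (it only needs a pidfile), so the same function can be reused for other daemons started the same way.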

# Attack test

Current state on the Suricata host (192.168.128.51):

[root@localhost suricata-2.0.11]# ls  -al  /var/log/suricata
total 204
drwxr-xr-x. 4 root root   4096 Feb 22 07:40 .
drwxr-xr-x. 7 root root   4096 Feb 22 07:22 ..
drwxr-xr-x. 2 root root      6 Feb 22 07:22 certs
-rw-r--r--. 1 root root  12382 Feb 22 07:40 eve.json
-rw-r--r--. 1 root root   6929 Feb 22 07:40 fast.log
drwxr-xr-x. 2 root root      6 Feb 22 07:22 files
-rw-r--r--. 1 root root      0 Feb 22 07:27 http.log
-rw-r--r--. 1 root root 158100 Feb 22 07:40 stats.log
-rw-r--r--. 1 root root   1176 Feb 22 07:32 unified2.alert.1456097269
-rw-r--r--. 1 root root      0 Feb 22 07:38 unified2.alert.1456097901
-rw-r-----. 1 root root   8286 Feb 22 07:40 unified2.alert.1456098009
[root@localhost suricata-2.0.11]#

Install a web server on it and stop the firewall:
yum  -y  install  httpd
service  httpd  start
service  firewalld  stop

Use a different machine to run the attack (nikto apparently cannot attack the machine it runs on, so a second host is needed):

cd   /usr/local
wget  http://www.cirt.net/nikto/nikto-current.tar.gz
tar zxvf nikto-current.tar.gz
cd nikto-*
chmod +x nikto.pl
./nikto.pl -h 192.168.128.51



[root@localhost nikto-2.1.5]# ./nikto.pl -h 192.168.128.51
- ***** SSL support not available (see docs for SSL install) *****
- Nikto v2.1.5
---------------------------------------------------------------------------
+ Target IP:          192.168.128.51
+ Target Hostname:    192.168.128.51
+ Target Port:        80
+ Start Time:         2016-02-21 23:44:35 (GMT8)
---------------------------------------------------------------------------
+ Server: Apache/2.4.6 (CentOS)
+ Server leaks inodes via ETags, header found with file /, fields: 0x1321 0x5058a1e728280
+ The anti-clickjacking X-Frame-Options header is not present.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ 6544 items checked: 0 error(s) and 6 item(s) reported on remote host
+ End Time:           2016-02-21 23:44:43 (GMT8) (8 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
[root@localhost nikto-2.1.5]#


State on the Suricata host now:


[root@localhost suricata-2.0.11]# ls  -al  /var/log/suricata
total 10968
drwxr-xr-x. 4 root root    4096 Feb 22 07:51 .
drwxr-xr-x. 8 root root    4096 Feb 22 07:43 ..
drwxr-xr-x. 2 root root       6 Feb 22 07:22 certs
-rw-r--r--. 1 root root 5349804 Feb 22 07:51 eve.json
-rw-r--r--. 1 root root  106500 Feb 22 07:51 fast.log
drwxr-xr-x. 2 root root       6 Feb 22 07:22 files
-rw-r--r--. 1 root root 1222131 Feb 22 07:51 http.log
-rw-r--r--. 1 root root  166258 Feb 22 07:51 stats.log
-rw-r--r--. 1 root root    1176 Feb 22 07:32 unified2.alert.1456097269
-rw-r--r--. 1 root root       0 Feb 22 07:38 unified2.alert.1456097901
-rw-r-----. 1 root root    8286 Feb 22 07:40 unified2.alert.1456098009
-rw-r-----. 1 root root  267364 Feb 22 07:51 unified2.alert.1456098674
[root@localhost suricata-2.0.11]#

You can see that a new file has appeared, which means it worked.
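A new unified2 file shows that alerts were written, but a defender will want to know what Suricata alerted on and from where. The following added example (not part of the original post) reads fast.log, the one-line-per-alert text log that appears in the /var/log/suricata listing above, and summarises alerts per signature and per source address. The sample log lines embedded in it are constructed for this example: the sids (1000001-1000003, the local-rule range) and message texts are made up and are not real Emerging Threats signatures.

```shell
#!/bin/sh
# Added example (not from the original post): summarise what Suricata alerted
# on after the scan instead of only checking that a new file appeared.
# fast.log has one alert per line:
#   <timestamp>  [**] [gid:sid:rev] <message> [**] [Classification: ...] [Priority: N] {PROTO} src:port -> dst:port

# Count alerts per signature; prints "count<TAB>sid<TAB>message", busiest first.
summarize_fast_log() {
    awk '
        $2 == "[**]" {
            ids = $3                               # "[1:1000001:1]"
            sub(/^\[/, "", ids); sub(/]$/, "", ids)
            split(ids, idp, ":")                   # gid:sid:rev
            sid = idp[2]
            msg = ""
            for (i = 4; i <= NF && $i != "[**]"; i++)
                msg = (msg == "" ? $i : msg " " $i)
            count[sid "\t" msg]++
        }
        END { for (k in count) printf "%d\t%s\n", count[k], k }
    ' "$1" | sort -rn
}

# Count alerts whose source address is $2 (the port is ignored); prints a number.
count_alerts_from() {
    awk -v ip="$2" '
        $2 == "[**]" && $(NF-1) == "->" {
            src = $(NF-2); sub(/:[0-9]+$/, "", src)
            if (src == ip) n++
        }
        END { print n + 0 }
    ' "$1"
}

# Constructed sample fast.log for trying the functions offline. The sids
# (1000001-1000003, the local-rule range) and messages are made up for this
# example and are not real Emerging Threats signatures.
write_sample_fast_log() {
    cat > "$1" <<'EOF'
02/22/2016-07:51:10.101010  [**] [1:1000001:1] SAMPLE SCAN web vulnerability scanner user-agent [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.128.50:40001 -> 192.168.128.51:80
02/22/2016-07:51:10.202020  [**] [1:1000001:1] SAMPLE SCAN web vulnerability scanner user-agent [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.128.50:40002 -> 192.168.128.51:80
02/22/2016-07:51:11.303030  [**] [1:1000002:2] SAMPLE WEB_SERVER HTTP TRACE request [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.128.50:40003 -> 192.168.128.51:80
02/22/2016-07:51:12.404040  [**] [1:1000003:1] SAMPLE POLICY directory listing requested [**] [Classification: Potential Corporate Privacy Violation] [Priority: 3] {TCP} 192.168.128.77:55000 -> 192.168.128.51:80
EOF
}

# Usage: sh fastlog-summary.sh /var/log/suricata/fast.log [source-ip]
if [ -n "${1:-}" ]; then
    summarize_fast_log "$1"
    if [ -n "${2:-}" ]; then
        echo "alerts from $2: $(count_alerts_from "$1" "$2")"
    fi
fi
```

On the host from this page, sh fastlog-summary.sh /var/log/suricata/fast.log 192.168.128.50 (with the scanning machine's address in place of the sample one) shows which rules the nikto run triggered and how many alerts came from that source. eve.json holds the same alerts as JSON and is the better input once you feed them to a SIEM; fast.log is the quickest way to eyeball them on the box.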

For rule management, consider Oinkmaster or Pulledpork:
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Rule_Management_with_Oinkmaster

(End)

Related
[Research] Suricata 2.0.11 Intrusion Detection System Installation (CentOS 7.2 x64)
[Research] snort-2.9.5.5.tar.gz (CentOS 6.4 x64) quick install script

*********************************************************************************

These posts are related:

[Research] Suricata 1.4.6 Intrusion Detection System Installation (CentOS 6.4 x64)
[Research] Suricata 1.4.6 quick install script (CentOS 6.4 x64)

[Research] Barnyard2 for Suricata 1.4.6 Installation (CentOS 6.4 x64)
[Research] Barnyard2 for Suricata 1.4.6 quick install script (CentOS 6.4 x64)

[Research] Suricata 1.4.6 + Barnyard + BASE Installation (CentOS 6.4 x64)

*********************************************************************************
