Monday, 22 February 2016

[Research] Suricata 3.0 Intrusion Detection System Installation (CentOS 7.2 x64)


2016-02-22

Official website
http://oisf.net/suricata/

Tutorials
http://suricata-ids.org/docs/
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/CentOS_Installation

Suricata is an intrusion detection system (IDS).

Snort vs Suricata comparison
http://wiki.aanval.com/wiki/Snort_vs_Suricata
Suricata's biggest advantage over Snort is its multi-threading support.

Quantitative Analysis of Intrusion Detection Systems: Snort and Suricata
http://people.clarkson.edu/~jmatthew/publications/SPIE_SnortSuricata_2013.pdf
(This paper has performance comparison charts; to make them easier to read, I added some colour to them.)

(Figure below) With the default configuration, at 2, 3 and 4 cores Suricata's performance far exceeds Snort's.


(Figure below) Suricata's CPU utilisation is lower than Snort's.

(Figure below) With 4 or fewer CPU cores, Suricata's RAM usage is higher; above 8 cores, Snort's RAM usage jumps sharply.




Installation
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/CentOS_Installation

su root

rpm -Uvh https://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-5.noarch.rpm

yum -y install gcc libpcap-devel pcre-devel libyaml-devel file-devel \
  zlib-devel jansson-devel nss-devel libcap-ng-devel libnet-devel tar make \
  libnetfilter_queue-devel lua-devel wget

cd /usr/local/src
wget http://www.openinfosecfoundation.org/download/suricata-3.0.tar.gz
tar zxvf suricata-3.0.tar.gz
cd suricata-3.0
./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var --enable-nfqueue --enable-lua

[root@centos1 suricata-3.0]# ./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var --enable-nfqueue --enable-lua
...(omitted)
Suricata Configuration:
  AF_PACKET support:                       yes
  PF_RING support:                         no
  NFQueue support:                         yes
  NFLOG support:                           no
  IPFW support:                            no
  Netmap support:                          no
  DAG enabled:                             no
  Napatech enabled:                        no

  Unix socket enabled:                     yes
  Detection enabled:                       yes

  libnss support:                          yes
  libnspr support:                         yes
  libjansson support:                      yes
  hiredis support:                         no
  Prelude support:                         no
  PCRE jit:                                yes
  LUA support:                             yes
  libluajit:                               no
  libgeoip:                                no
  Non-bundled htp:                         no
  Old barnyard2 support:                   no
  CUDA enabled:                            no

  Suricatasc install:                      yes

  Unit tests enabled:                      no
  Debug output enabled:                    no
  Debug validation enabled:                no
  Profiling enabled:                       no
  Profiling locks enabled:                 no
  Coccinelle / spatch:                     no

Generic build parameters:
  Installation prefix:                     /usr
  Configuration directory:                 /etc/suricata/
  Log directory:                           /var/log/suricata/

  --prefix                                 /usr
  --sysconfdir                             /etc
  --localstatedir                          /var

  Host:                                    x86_64-unknown-linux-gnu
  Compiler:                                gcc (exec name) / gcc (real)
  GCC Protect enabled:                     no
  GCC march native enabled:                yes
  GCC Profile enabled:                     no
  Position Independent Executable enabled: no
  CFLAGS                                   -g -O2 -march=native
  PCAP_CFLAGS
  SECCFLAGS

To build and install run 'make' and 'make install'.

You can run 'make install-conf' if you want to install initial configuration
files to /etc/suricata/. Running 'make install-full' will install configuration
and rules and provide you a ready-to-run suricata.

To install Suricata into /usr/bin/suricata, have the config in
/etc/suricata and use /var/log/suricata as log dir, use:
./configure --prefix=/usr/ --sysconfdir=/etc/ --localstatedir=/var/

[root@centos1 suricata-3.0]#

make
make install-full
ldconfig

[root@localhost suricata-3.0]# make install-full

/usr/bin/wget -qO - http://rules.emergingthreats.net/open/suricata-2.0/emerging.rules.tar.gz | tar -x -z -C "/etc/suricata/" -f -

You can now start suricata by running as root something like '/usr/bin/suricata -c /etc/suricata//suricata.yaml -i eth0'.

If a library like libhtp.so is not found, you can run suricata with:
'LD_LIBRARY_PATH=/usr/lib /usr/bin/suricata -c /etc/suricata//suricata.yaml -i eth0'.

While rules are installed now, it's highly recommended to use a rule manager for maintaining rules.
The two most common are Oinkmaster and Pulledpork. For a guide see:
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Rule_Management_with_Oinkmaster
[root@centos1 suricata-3.0]#


First check the name of the network interface (here it turns out to be eno16777736, not eth0).
(A minimal CentOS 7 installation does not include ifconfig.)

[root@centos1 suricata-3.0]# ip addr sh
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eno16777736: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:5b:fe:f1 brd ff:ff:ff:ff:ff:ff
    inet 192.168.128.101/24 brd 192.168.128.255 scope global eno16777736
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fe5b:fef1/64 scope link
       valid_lft forever preferred_lft forever
[root@centos1 suricata-3.0]#

If ldconfig is not run, the following error appears:

[root@centos1 suricata-3.0]# /usr/bin/suricata
/usr/bin/suricata: error while loading shared libraries: libhtp-0.5.18.so.1: cannot open shared object file: No such file or directory


Check the available options:

[root@centos1 suricata-3.0]# /usr/bin/suricata
Suricata 3.0
USAGE: /usr/bin/suricata [OPTIONS] [BPF FILTER]

        -c <path>                            : path to configuration file
        -T                                   : test configuration file (use with -c)
        -i <dev or ip>                       : run in pcap live mode
        -F <bpf filter file>                 : bpf filter file
        -r <path>                            : run in pcap file/offline mode
        -q <qid>                             : run in inline nfqueue mode
        -s <path>                            : path to signature file loaded in addition to suricata.yaml settings (optional)
        -S <path>                            : path to signature file loaded exclusively (optional)
        -l <dir>                             : default log directory
        -D                                   : run as daemon
        -k [all|none]                        : force checksum check (all) or disabled it (none)
        -V                                   : display Suricata version
        -v[v]                                : increase default Suricata verbosity
        --list-app-layer-protos              : list supported app layer protocols
        --list-keywords[=all|csv|<kword>]    : list keywords implemented by the engine
        --list-runmodes                      : list supported runmodes
        --runmode <runmode_id>               : specific runmode modification the engine should run.  The argument
                                               supplied should be the id for the runmode obtained by running
                                               --list-runmodes
        --engine-analysis                    : print reports on analysis of different sections in the engine and exit.
                                               Please have a look at the conf parameter engine-analysis on what reports
                                               can be printed
        --pidfile <file>                     : write pid to this file
        --init-errors-fatal                  : enable fatal failure on signature init error
        --disable-detection                  : disable detection engine
        --dump-config                        : show the running configuration
        --build-info                         : display build information
        --pcap[=<dev>]                       : run in pcap mode, no value select interfaces from suricata.yaml
        --pcap-buffer-size                   : size of the pcap buffer value from 0 - 2147483647
        --af-packet[=<dev>]                  : run in af-packet mode, no value select interfaces from suricata.yaml
        --user <user>                        : run suricata as this user after init
        --group <group>                      : run suricata as this group after init
        --erf-in <path>                      : process an ERF file
        --unix-socket[=<file>]               : use unix socket to control suricata work
        --set name=value                     : set a configuration value


To run the engine with default configuration on interface eth0 with signature file "signatures.rules", run the command as:

/usr/bin/suricata -c suricata.yaml -s signatures.rules -i eth0

[root@centos1 suricata-3.0]#


# Show the version

[root@centos1 ~]# /usr/bin/suricata -V
This is Suricata version 3.0 RELEASE
[root@centos1 ~]#

# Test the configuration file /etc/suricata//suricata.yaml

[root@centos1 ~]# /usr/bin/suricata -T -c /etc/suricata//suricata.yaml -i  eno16777736
22/2/2016 -- 16:44:29 - <Info> - Running suricata under test mode
22/2/2016 -- 16:44:29 - <Notice> - This is Suricata version 3.0 RELEASE
22/2/2016 -- 16:44:33 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /etc/suricata/rules/app-layer-events.rules
[root@centos1 ~]#

This warning can be ignored.

# Log output to a file

vi  /etc/suricata//suricata.yaml

Find these lines. By default, log messages go only to the console; change the file section's enabled from no to yes and they will also be written to /var/log/suricata/suricata.log.

  outputs:
  - console:
      enabled: yes
      # type: json
  - file:
      enabled: yes
      filename: /var/log/suricata/suricata.log
      # type: json
  - syslog:
      enabled: no
      facility: local5
      format: "[%i] <%d> -- "
      # type: json


# Run in the foreground (press Ctrl-C to stop)

[root@localhost ~]# /usr/bin/suricata -c /etc/suricata//suricata.yaml -i eno16777736

22/2/2016 -- 16:46:28 - <Notice> - This is Suricata version 3.0 RELEASE
22/2/2016 -- 16:46:31 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /etc/suricata/rules/app-layer-events.rules
22/2/2016 -- 16:46:34 - <Warning> - [ERRCODE: SC_ERR_PCAP_CREATE(21)] - Using Pcap capture with GRO or LRO activated can lead to capture problems.
22/2/2016 -- 16:46:34 - <Notice> - all 2 packet processing threads, 4 management threads initialized, engine started.

(press Ctrl-C to stop)

22/2/2016 -- 16:46:38 - <Notice> - Signal Received.  Stopping engine.
22/2/2016 -- 16:46:38 - <Notice> - Stats for 'eno16777736':  pkts: 6, drop: 0 (0.00%), invalid chksum: 4



# Run in the background as a daemon (add the -D option)

/usr/bin/suricata -D -c /etc/suricata//suricata.yaml -i eno16777736

Stopping a daemon-mode (-D) run is more awkward: first find the PID, then kill it.

[root@centos1 ~]# /usr/bin/suricata -D -c /etc/suricata//suricata.yaml -i eno16777736
22/2/2016 -- 16:47:39 - <Error> - [ERRCODE: SC_ERR_MISSING_CONFIG_PARAM(118)] - NO logging compatible with daemon mode selected, suricata won't be able to log. Please update  'logging.outputs' in the YAML.
22/2/2016 -- 16:47:39 - <Notice> - This is Suricata version 3.0 RELEASE

[root@centos1 ~]# ps aux | grep suricata
root      19429 73.4 33.4 781228 334968 ?       Ssl  16:47   0:06 /usr/bin/suricata -D -c /etc/suricata//suricata.yaml -i eno16777736
root      19437  0.0  0.0 112644   960 pts/0    S+   16:47   0:00 grep --color=auto suricata

[root@centos1 ~]# kill -9 19429

[root@centos1 ~]# ps aux | grep suricata
root      19439  0.0  0.0 112644   956 pts/0    R+   16:48   0:00 grep --color=auto suricata
[root@centos1 ~]#


# Attack test

Current state on the Suricata machine (192.168.128.51):

[root@localhost ~]# ls  -al  /var/log/suricata
total 44
drwxr-xr-x. 4 root root    91 Feb 22 16:46 .
drwxr-xr-x. 7 root root  4096 Feb 22 16:41 ..
drwxr-xr-x. 2 root root     6 Feb 22 16:41 certs
-rw-r--r--. 1 root root 20773 Feb 22 16:47 eve.json
-rw-r--r--. 1 root root  9602 Feb 22 16:47 fast.log
drwxr-xr-x. 2 root root     6 Feb 22 16:41 files
-rw-r--r--. 1 root root     0 Feb 22 16:46 http.log
-rw-r--r--. 1 root root  2507 Feb 22 16:47 stats.log

[root@localhost ~]#

Install a web server and stop the firewall:
yum  -y  install  httpd
service  httpd  start
service  firewalld  stop

Use another host to run the attack (nikto apparently cannot scan the host it runs on, so a second machine is needed).
192.168.128.101 is the host where Suricata is installed.

cd   /usr/local
yum -y install wget  perl
wget  http://www.cirt.net/nikto/nikto-current.tar.gz
tar zxvf nikto-current.tar.gz
cd nikto-*
chmod +x nikto.pl
./nikto.pl -h 192.168.128.101

[root@centos2 nikto-2.1.5]# ./nikto.pl -h 192.168.128.101
- ***** SSL support not available (see docs for SSL install) *****
- Nikto v2.1.5
---------------------------------------------------------------------------
+ Target IP:          192.168.128.101
+ Target Hostname:    192.168.128.101
+ Target Port:        80
+ Start Time:         2016-02-22 16:51:25 (GMT8)
---------------------------------------------------------------------------
+ Server: Apache/2.4.6 (CentOS)
+ Server leaks inodes via ETags, header found with file /, fields: 0x1321 0x5058a1e728280
+ The anti-clickjacking X-Frame-Options header is not present.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ 6544 items checked: 0 error(s) and 6 item(s) reported on remote host
+ End Time:           2016-02-22 16:51:33 (GMT8) (8 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
[root@centos2 nikto-2.1.5]#

Now the state on the Suricata machine:

[root@centos1 ~]# ls  -al  /var/log/suricata
total 10316
drwxr-xr-x. 4 root root      91 Feb 22 16:46 .
drwxr-xr-x. 8 root root    4096 Feb 22 16:49 ..
drwxr-xr-x. 2 root root       6 Feb 22 16:41 certs
-rw-r--r--. 1 root root 6806272 Feb 22 16:52 eve.json
-rw-r--r--. 1 root root   91897 Feb 22 16:52 fast.log
drwxr-xr-x. 2 root root       6 Feb 22 16:41 files
-rw-r--r--. 1 root root 1236665 Feb 22 16:52 http.log
-rw-r--r--. 1 root root    4225 Feb 22 16:52 stats.log

You can see that some of the log files have grown.
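File sizes only show that alerts were written; to see what the IDS actually flagged, the following added example (not part of the original post) parses fast.log alert lines and counts them by signature and by source address. The sample lines are constructed in fast.log format with placeholder sids and messages, not real Emerging Threats rules.

```python
# Summarise Suricata fast.log alerts by signature and source IP (added example, not from the post).
import re
from collections import Counter
# One alert per line as written by Suricata's fast output: Classification is optional,
# endpoint ports are optional; IPv4 addresses assumed.
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.+?)\s+\[\*\*\]\s+(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<pri>\d+)\]\s+\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)$"
)

def split_endpoint(ep):
    # '192.168.128.102:40123' -> ('192.168.128.102', 40123); no port -> (ep, None)
    host, sep, port = ep.rpartition(":")
    return (host, int(port)) if sep and port.isdigit() else (ep, None)

def parse_fast_line(line):
    # Return a dict for one alert line, or None if the line is not a fast.log alert.
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    a = m.groupdict()
    a["src_ip"], a["src_port"] = split_endpoint(a.pop("src"))
    a["dst_ip"], a["dst_port"] = split_endpoint(a.pop("dst"))
    a["sid"], a["pri"] = int(a["sid"]), int(a["pri"])
    return a

def summarise(lines):
    """Count alerts per (sid, msg) and per source IP; non-empty lines that do not parse are counted as skipped."""
    by_sig, by_src, skipped = Counter(), Counter(), 0
    for line in lines:
        a = parse_fast_line(line)
        if a is None:
            skipped += 1 if line.strip() else 0
            continue
        by_sig[(a["sid"], a["msg"])] += 1
        by_src[a["src_ip"]] += 1
    return by_sig, by_src, skipped

# Constructed sample in fast.log format; sids 90000xx and messages are placeholders, not real ET rules.
SAMPLE = """\
02/22/2016-16:51:25.104213  [**] [1:9000001:1] TEST SCAN web app scanner user-agent [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.128.102:40123 -> 192.168.128.101:80
02/22/2016-16:51:26.220841  [**] [1:9000002:2] TEST WEB_SERVER TRACE request [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.128.102:40124 -> 192.168.128.101:80
02/22/2016-16:51:27.004512  [**] [1:9000001:1] TEST SCAN web app scanner user-agent [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.128.102:40125 -> 192.168.128.101:80
02/22/2016-16:51:30.775003  [**] [1:9000003:1] TEST ICMP echo request [**] [Priority: 3] {ICMP} 192.168.128.103 -> 192.168.128.101
this line is not an alert and is counted as skipped
"""

if __name__ == "__main__":
    print(*summarise(SAMPLE.splitlines()), sep="\n")
```

To run it against the real file, replace SAMPLE.splitlines() with the lines of /var/log/suricata/fast.log.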

For rule management, consider Oinkmaster and Pulledpork:
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Rule_Management_with_Oinkmaster

(End)

Related

[Research] Suricata 3.0 Intrusion Detection System Installation (CentOS 7.2 x64)
http://shaurong.blogspot.com/2016/02/suricata-30-centos-72-x64_22.html


[Research] Suricata 2.0.11 Intrusion Detection System Installation (CentOS 7.2 x64)
[Research] snort-2.9.5.5.tar.gz (CentOS 6.4 x64) quick install script

*********************************************************************************

These posts are related:

[Research] Suricata 1.4.6 Intrusion Detection System Installation (CentOS 6.4 x64)
[Research] Suricata 1.4.6 quick install script (CentOS 6.4 x64)

[Research] Barnyard2 for Suricata 1.4.6 Installation (CentOS 6.4 x64)
[Research] Barnyard2 for Suricata 1.4.6 quick install script (CentOS 6.4 x64)

[Research] Suricata 1.4.6 + Barnyard + BASE Installation (CentOS 6.4 x64)

*********************************************************************************
