2016-02-22
官方網站
http://oisf.net/suricata/
教學
http://suricata-ids.org/docs/
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/CentOS_Installation
Suricata IDS 是一種入侵偵測系統(intrusion Detection Systems, IDS)。
Snort vs Suricata 比較
http://wiki.aanval.com/wiki/Snort_vs_Suricata
Suricata 最大優於 Snort 特點是支援 Multi-Threads
Quantitative Analysis of Intrusion Detection Systems: Snort and Suricata
http://people.clarkson.edu/~jmatthew/publications/SPIE_SnortSuricata_2013.pdf
(這裡有效能圖比較,為了方便辨識,小弟上了點顏色)
(下圖) 預設組態,在 2,3,4 cores 時候,Suricata 效能遠超過 Snort
(下圖) Suricata 的 CPU 使用率比 Snort 低
(下圖) CPU cores 不大於4個時,Suricata 的 RAM 用量較高,超過8個時候,Snort暴增
安裝
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/CentOS_Installation
su root
rpm -Uvh https://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-5.noarch.rpm
yum -y install gcc libpcap-devel pcre-devel libyaml-devel file-devel \
zlib-devel jansson-devel nss-devel libcap-ng-devel libnet-devel tar make \
libnetfilter_queue-devel lua-devel wget
cd /usr/local/src
wget http://www.openinfosecfoundation.org/download/suricata-3.0.tar.gz
tar zxvf suricata-3.0.tar.gz
cd suricata-3.0
./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var --enable-nfqueue --enable-lua
[root@centos1 suricata-3.0]# ./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var --enable-nfqueue --enable-lua
...(略)
Suricata Configuration:
AF_PACKET support: yes
PF_RING support: no
NFQueue support: yes
NFLOG support: no
IPFW support: no
Netmap support: no
DAG enabled: no
Napatech enabled: no
Unix socket enabled: yes
Detection enabled: yes
libnss support: yes
libnspr support: yes
libjansson support: yes
hiredis support: no
Prelude support: no
PCRE jit: yes
LUA support: yes
libluajit: no
libgeoip: no
Non-bundled htp: no
Old barnyard2 support: no
CUDA enabled: no
Suricatasc install: yes
Unit tests enabled: no
Debug output enabled: no
Debug validation enabled: no
Profiling enabled: no
Profiling locks enabled: no
Coccinelle / spatch: no
Generic build parameters:
Installation prefix: /usr
Configuration directory: /etc/suricata/
Log directory: /var/log/suricata/
--prefix /usr
--sysconfdir /etc
--localstatedir /var
Host: x86_64-unknown-linux-gnu
Compiler: gcc (exec name) / gcc (real)
GCC Protect enabled: no
GCC march native enabled: yes
GCC Profile enabled: no
Position Independent Executable enabled: no
CFLAGS -g -O2 -march=native
PCAP_CFLAGS
SECCFLAGS
To build and install run 'make' and 'make install'.
You can run 'make install-conf' if you want to install initial configuration
files to /etc/suricata/. Running 'make install-full' will install configuration
and rules and provide you a ready-to-run suricata.
To install Suricata into /usr/bin/suricata, have the config in
/etc/suricata and use /var/log/suricata as log dir, use:
./configure --prefix=/usr/ --sysconfdir=/etc/ --localstatedir=/var/
[root@centos1 suricata-3.0]#
make
make install-full
ldconfig
[root@localhost suricata-3.0]# make install-full
/usr/bin/wget -qO - http://rules.emergingthreats.net/open/suricata-2.0/emerging.rules.tar.gz | tar -x -z -C "/etc/suricata/" -f -
You can now start suricata by running as root something like '/usr/bin/suricata -c /etc/suricata//suricata.yaml -i eth0'.
If a library like libhtp.so is not found, you can run suricata with:
'LD_LIBRARY_PATH=/usr/lib /usr/bin/suricata -c /etc/suricata//suricata.yaml -i eth0'.
While rules are installed now, it's highly recommended to use a rule manager for maintaining rules.
The two most common are Oinkmaster and Pulledpork. For a guide see:
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Rule_Management_with_Oinkmaster
[root@centos1 suricata-3.0]#
先檢查網路卡名稱是甚麼 ( 結果是 eno16777736,不是 eth0)
(CentOS 7 最小安裝時,不安裝 ifconfig 的)
(CentOS 7 最小安裝時,不安裝 ifconfig 的)
[root@centos1 suricata-3.0]# ip addr sh
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eno16777736: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:0c:29:5b:fe:f1 brd ff:ff:ff:ff:ff:ff
inet 192.168.128.101/24 brd 192.168.128.255 scope global eno16777736
valid_lft forever preferred_lft forever
inet6 fe80::20c:29ff:fe5b:fef1/64 scope link
valid_lft forever preferred_lft forever
[root@centos1 suricata-3.0]#
如果少執行 ldconfig 會出現下面錯誤
[root@centos1 suricata-3.0]# /usr/bin/suricata
/usr/bin/suricata: error while loading shared libraries: libhtp-0.5.18.so.1: cannot open shared object file: No such file or directory
看有甚麼參數
[root@centos1 suricata-3.0]# /usr/bin/suricata
Suricata 3.0
USAGE: /usr/bin/suricata [OPTIONS] [BPF FILTER]
-c <path> : path to configuration file
-T : test configuration file (use with -c)
-i <dev or ip> : run in pcap live mode
-F <bpf filter file> : bpf filter file
-r <path> : run in pcap file/offline mode
-q <qid> : run in inline nfqueue mode
-s <path> : path to signature file loaded in addition to suricata.yaml settings (optional)
-S <path> : path to signature file loaded exclusively (optional)
-l <dir> : default log directory
-D : run as daemon
-k [all|none] : force checksum check (all) or disabled it (none)
-V : display Suricata version
-v[v] : increase default Suricata verbosity
--list-app-layer-protos : list supported app layer protocols
--list-keywords[=all|csv|<kword>] : list keywords implemented by the engine
--list-runmodes : list supported runmodes
--runmode <runmode_id> : specific runmode modification the engine should run. The argument
supplied should be the id for the runmode obtained by running
--list-runmodes
--engine-analysis : print reports on analysis of different sections in the engine and exit.
Please have a look at the conf parameter engine-analysis on what reports
can be printed
--pidfile <file> : write pid to this file
--init-errors-fatal : enable fatal failure on signature init error
--disable-detection : disable detection engine
--dump-config : show the running configuration
--build-info : display build information
--pcap[=<dev>] : run in pcap mode, no value select interfaces from suricata.yaml
--pcap-buffer-size : size of the pcap buffer value from 0 - 2147483647
--af-packet[=<dev>] : run in af-packet mode, no value select interfaces from suricata.yaml
--user <user> : run suricata as this user after init
--group <group> : run suricata as this group after init
--erf-in <path> : process an ERF file
--unix-socket[=<file>] : use unix socket to control suricata work
--set name=value : set a configuration value
To run the engine with default configuration on interface eth0 with signature file "signatures.rules", run the command as:
/usr/bin/suricata -c suricata.yaml -s signatures.rules -i eth0
[root@centos1 suricata-3.0]#
# 顯示版本
[root@centos1 ~]# /usr/bin/suricata -V
This is Suricata version 3.0 RELEASE
[root@centos1 ~]#
[root@centos1 ~]# /usr/bin/suricata -T -c /etc/suricata//suricata.yaml -i eno16777736
22/2/2016 -- 16:44:29 - <Info> - Running suricata under test mode
22/2/2016 -- 16:44:29 - <Notice> - This is Suricata version 3.0 RELEASE
22/2/2016 -- 16:44:33 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /etc/suricata/rules/app-layer-events.rules
[root@centos1 ~]#
Warning,不理會。
# 測試輸出到檔案vi /etc/suricata//suricata.yaml
找到這些敘述,預設只會輸出結果到 console 畫面,可把 file 的 enabled 從 no 改為 yes,就會輸出到 /var/log/suricata.log
outputs:
- console:
enabled: yes
# type: json
- file:
enabled: yes
filename: /var/log/suricata/suricata.log
# type: json
- syslog:
enabled: no
facility: local5
format: "[%i] <%d> -- "
# type: json
# 以前景方式執行 (要結束就 Ctrl-C 中斷)
[root@localhost ~]# /usr/bin/suricata -c /etc/suricata//suricata.yaml -i eno16777736
22/2/2016 -- 16:46:28 - <Notice> - This is Suricata version 3.0 RELEASE
22/2/2016 -- 16:46:31 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /etc/suricata/rules/app-layer-events.rules
22/2/2016 -- 16:46:34 - <Warning> - [ERRCODE: SC_ERR_PCAP_CREATE(21)] - Using Pcap capture with GRO or LRO activated can lead to capture problems.
22/2/2016 -- 16:46:34 - <Notice> - all 2 packet processing threads, 4 management threads initialized, engine started.
(按下 Ctrl-C 中斷)
22/2/2016 -- 16:46:38 - <Notice> - Signal Received. Stopping engine.
22/2/2016 -- 16:46:38 - <Notice> - Stats for 'eno16777736': pkts: 6, drop: 0 (0.00%), invalid chksum: 4
/usr/bin/suricata -D -c /etc/suricata//suricata.yaml -i eno16777736
背景方式( -D 參數) 執行的中斷比較麻煩,先用找出 PID 再用 kill 砍掉
[root@centos1 ~]# /usr/bin/suricata -D -c /etc/suricata//suricata.yaml -i eno16777736
22/2/2016 -- 16:47:39 - <Error> - [ERRCODE: SC_ERR_MISSING_CONFIG_PARAM(118)] - NO logging compatible with daemon mode selected, suricata won't be able to log. Please update 'logging.outputs' in the YAML.
22/2/2016 -- 16:47:39 - <Notice> - This is Suricata version 3.0 RELEASE
[root@centos1 ~]# ps aux | grep suricata
root 19429 73.4 33.4 781228 334968 ? Ssl 16:47 0:06 /usr/bin/suricata -D -c /etc/suricata//suricata.yaml -i eno16777736
root 19437 0.0 0.0 112644 960 pts/0 S+ 16:47 0:00 grep --color=auto suricata
[root@centos1 ~]# kill -9 19429
[root@centos1 ~]# ps aux | grep suricata
root 19439 0.0 0.0 112644 956 pts/0 R+ 16:48 0:00 grep --color=auto suricata
[root@centos1 ~]#
# 攻擊測試
目前 suricata 電腦 (192.168.128.51) 上情況
[root@localhost ~]# ls -al /var/log/suricata
total 44
drwxr-xr-x. 4 root root 91 Feb 22 16:46 .
drwxr-xr-x. 7 root root 4096 Feb 22 16:41 ..
drwxr-xr-x. 2 root root 6 Feb 22 16:41 certs
-rw-r--r--. 1 root root 20773 Feb 22 16:47 eve.json
-rw-r--r--. 1 root root 9602 Feb 22 16:47 fast.log
drwxr-xr-x. 2 root root 6 Feb 22 16:41 files
-rw-r--r--. 1 root root 0 Feb 22 16:46 http.log
-rw-r--r--. 1 root root 2507 Feb 22 16:47 stats.log
安裝 Web Server ,並 關閉防火牆
yum -y install httpd
service httpd start
service firewalld stop
另外找一台主機來攻擊 ( nikto 好像無法對自己攻擊,所以必須另外找一台)
192.168.128.101 是安裝 Suricata 的主機
192.168.128.101 是安裝 Suricata 的主機
cd /usr/local
yum -y install wget perl
yum -y install wget perl
wget http://www.cirt.net/nikto/nikto-current.tar.gz
tar zxvf nikto-current.tar.gz
cd nikto-*
chmod +x nikto.pl
./nikto.pl -h 192.168.128.101
[root@centos2 nikto-2.1.5]# ./nikto.pl -h 192.168.128.101
- ***** SSL support not available (see docs for SSL install) *****
- Nikto v2.1.5
---------------------------------------------------------------------------
+ Target IP: 192.168.128.101
+ Target Hostname: 192.168.128.101
+ Target Port: 80
+ Start Time: 2016-02-22 16:51:25 (GMT8)
---------------------------------------------------------------------------
+ Server: Apache/2.4.6 (CentOS)
+ Server leaks inodes via ETags, header found with file /, fields: 0x1321 0x5058a1e728280
+ The anti-clickjacking X-Frame-Options header is not present.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ 6544 items checked: 0 error(s) and 6 item(s) reported on remote host
+ End Time: 2016-02-22 16:51:33 (GMT8) (8 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
[root@centos2 nikto-2.1.5]#
[root@centos1 ~]# ls -al /var/log/suricata
total 10316
drwxr-xr-x. 4 root root 91 Feb 22 16:46 .
drwxr-xr-x. 8 root root 4096 Feb 22 16:49 ..
drwxr-xr-x. 2 root root 6 Feb 22 16:41 certs
-rw-r--r--. 1 root root 6806272 Feb 22 16:52 eve.json
-rw-r--r--. 1 root root 91897 Feb 22 16:52 fast.log
drwxr-xr-x. 2 root root 6 Feb 22 16:41 files
-rw-r--r--. 1 root root 1236665 Feb 22 16:52 http.log
-rw-r--r--. 1 root root 4225 Feb 22 16:52 stats.log
可以看到某些 log 檔案大小變大了。
rule 管理可考慮 Oinkmaster and Pulledpork
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Rule_Management_with_Oinkmaster(完)
相關
http://shaurong.blogspot.com/2016/02/suricata-30-centos-72-x64_22.html
[研究] Suricata 2.0.11 入侵偵測系統安裝 (CentOS 7.2 x64)
[研究] snort-2.9.5.5.tar.gz (CentOS 6.4 x64) 快速安裝程式
*********************************************************************************
這幾篇是相關的
[研究] Suricata 1.4.6 入侵偵測系統安裝 (CentOS 6.4 x64)
或
[研究] Suricata 1.4.6 快速安裝程式 (CentOS 6.4 x64)
[研究] Barnyard2 for Suricata 1.4.6 安裝 (CentOS 6.4 x64)
或
[研究] Barnyard2 for Suricata 1.4.6 快速安裝程式 (CentOS 6.4 x64)
[研究] Suricata 1.4.6 + Barnyard + BASE 安裝 (CentOS 6.4 x64)
*********************************************************************************
沒有留言:
張貼留言