Installing and Running Suricata on Ubuntu 16.04

Suricata is a network intrusion detection and prevention engine developed by the Open Information Security Foundation (OISF) and the vendors that support it. The engine is multi-threaded, has built-in IPv6 support, can load pre-built rule sets, and supports the Barnyard and Barnyard2 tools. Project home page: https://suricata-ids.org/.

This article explains how to install and run Suricata on Ubuntu 16.04. If you need to install Suricata on another Linux distribution, refer to the official documentation.

Preparation

Installing dependencies

First install the following dependencies:

sudo apt-get -y install libpcre3 libpcre3-dbg libpcre3-dev \
build-essential autoconf automake libtool libpcap-dev libnet1-dev \
libyaml-0-2 libyaml-dev zlib1g zlib1g-dev libcap-ng-dev libcap-ng0 \
make libmagic-dev libjansson-dev libjansson4 pkg-config

HTP

If you want to build the HTP library (libhtp, the HTTP parser Suricata uses) separately, use the following commands. The Suricata source tarball already bundles a matching libhtp, so this step is optional:

wget -O libhtp-0.5.17.tar.gz https://github.com/OISF/libhtp/releases/download/0.5.17/htp-0.5.17.tar.gz
tar -xzvf libhtp-0.5.17.tar.gz
cd libhtp-0.5.17
./configure
make
sudo make install
sudo ldconfig

IPS

By default Suricata runs as an IDS. If you want it to run as an IPS as well, install the following additional dependencies:

sudo apt-get -y install libnetfilter-queue-dev libnetfilter-queue1 libnfnetlink-dev libnfnetlink0

An IDS (Intrusion Detection System) is a network security device or application that monitors network traffic in real time and raises an alert, or takes an active countermeasure, when it sees suspicious traffic.

An IPS (Intrusion Prevention System) is a network security device that monitors the traffic of a network or network device and can immediately interrupt, alter or isolate abnormal or harmful transmissions.

The short version: an IDS only monitors; an IPS monitors and enforces.

Installing Suricata

First download and unpack the Suricata source:

VER=3.1
wget "http://www.openinfosecfoundation.org/download/suricata-$VER.tar.gz"
tar -xvzf "suricata-$VER.tar.gz"
cd "suricata-$VER"

Building and installing the engine

To build Suricata with IPS (NFQUEUE) support, run:

./configure --enable-nfqueue --prefix=/usr --sysconfdir=/etc --localstatedir=/var

Without IPS support:

./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var

Then run:

make
sudo make install
sudo make install-conf  # install the default configuration
sudo make install-rules # download and install the default rule set
sudo ldconfig           # refresh the shared-library cache so the new libraries are found

Basic configuration

Setting variables

Suricata's configuration file lives at /etc/suricata/suricata.yaml by default. Before starting the engine, a few important variables need to be set. They come in two groups: address groups (address-groups) and port groups (port-groups). An example from the configuration file:

vars:  
  # more specific is better for alert accuracy and performance
  address-groups:
    HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
    EXTERNAL_NET: "!$HOME_NET"
    HTTP_SERVERS: "$HOME_NET"
    SMTP_SERVERS: "$HOME_NET"
    SQL_SERVERS: "$HOME_NET"
    DNS_SERVERS: "$HOME_NET"
    TELNET_SERVERS: "$HOME_NET"
    AIM_SERVERS: "$EXTERNAL_NET"
    DNP3_SERVER: "$HOME_NET"
    DNP3_CLIENT: "$HOME_NET"
    MODBUS_CLIENT: "$HOME_NET"
    MODBUS_SERVER: "$HOME_NET"
    ENIP_CLIENT: "$HOME_NET"
    ENIP_SERVER: "$HOME_NET"

  port-groups:
    HTTP_PORTS: "80"
    SHELLCODE_PORTS: "!80"
    ORACLE_PORTS: 1521
    SSH_PORTS: 22
    DNP3_PORTS: 20000
    MODBUS_PORTS: 502

HOME_NET must be set to the IP ranges of your own network, and EXTERNAL_NET is best left as !$HOME_NET, i.e. everything outside the local network. The ports in the port groups must likewise match the ports actually in use: a rule written against $HTTP_PORTS will never fire for a web server listening on 8080 unless 8080 is added to HTTP_PORTS.

Rules

Whether Suricata runs as an IDS or an IPS, detection is driven by rules. Which rule files are loaded is also specified in suricata.yaml, for example:

## Step 2: select the rules to enable or disable
##

default-rule-path: /etc/suricata/rules
rule-files:
 - botcc.rules
 - ciarmy.rules
 - compromised.rules
 - drop.rules
# - dshield.rules
# - emerging-activex.rules
...

default-rule-path sets the directory that holds the rule files, and the rule-files list names the files to load from it; a leading # comments a file out so that it is not loaded.

If you ran sudo make install-rules earlier, the build downloaded a snapshot of the community rule set from EmergingThreats.net into that directory (the step needs network access). If you do not use the community rules, you have to write your own; I will cover how to write Suricata rules in a separate post.

Running

Now it is time to get Suricata running. It is worth validating the configuration and rule files first with sudo suricata -T -c /etc/suricata/suricata.yaml, which parses everything and exits without starting capture, so a typo in a rule file shows up here rather than at startup.

One thing before starting: it is best to disable packet offloading (such as LRO/GRO) on the interface Suricata listens on, because offloading merges packets in the NIC or driver and interferes with capturing them as they appeared on the wire. Disable it as follows (using eth0 as the example):

sudo ethtool -K eth0 gro off lro off

If you see Cannot change large-receive-offload, ignore it: it just means the NIC does not support LRO in the first place.

IDS

Now start Suricata in IDS mode:

sudo suricata -c /etc/suricata/suricata.yaml -i eth0

Where:

  • -c specifies the configuration file
  • -i selects pcap live capture on an interface; without an inline queue the engine only alerts, which is IDS mode
  • eth0 is the interface Suricata listens on

IPS

Suricata is not an inline device on its own; on Linux it blocks packets by working together with iptables. First, direct traffic into an NFQUEUE so that Suricata can see each packet and return a verdict on it:

sudo iptables -I INPUT -p tcp -j NFQUEUE
sudo iptables -I OUTPUT -p tcp -j NFQUEUE

Both rules use queue number 0, the default when --queue-num is not given. Be aware that the kernel drops packets sent to a queue that nobody is reading, so as soon as these rules are in place TCP stops working until Suricata is up; appending --queue-bypass to each rule makes the kernel accept packets while no process is bound to the queue (supported since Linux 2.6.39), which is the safer choice on a machine you also administer remotely.

Then start Suricata in IPS mode:

sudo suricata -c /etc/suricata/suricata.yaml -q 0

Here -q 0 tells Suricata to read packets from NFQUEUE queue 0 and give a verdict on each one, which is inline (IPS) mode.

Also, when you are not running Suricata, remember to remove these rules, otherwise the machine has no working TCP at all. sudo iptables -F flushes every rule in the filter table, including any firewall rules you already had; deleting just the two queue rules is cleaner: sudo iptables -D INPUT -p tcp -j NFQUEUE and sudo iptables -D OUTPUT -p tcp -j NFQUEUE.

Logs

Suricata writes its logs to /var/log/suricata by default. The alert log is fast.log by default; its name and location can be changed in suricata.yaml.

tail fast.log
08/03/2016-16:57:51.126114  [Drop] [**] [1201:12010068:1] 阻止sql注入攻击 [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.213.1:57150 -> 192.168.213.133:80
08/03/2016-16:58:04.846596  [Drop] [**] [1201:12010074:1] 阻止sql注入攻击 [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.213.1:57152 -> 192.168.213.133:80

Suricata also writes a JSON log, eve.json, which is convenient for exporting to other tools:

tail eve.json
{"timestamp":"2016-08-04T16:42:03.001873+0800","event_type":"stats","stats":{"uptime":3196,"decoder":{"pkts":3700,"bytes":557383,"invalid":0,"ipv4":3700,"ipv6":0,"ethernet":0,"raw":0,"null":0,"sll":0,"tcp":3700,"udp":0,"sctp":0,"icmpv4":0,"icmpv6":0,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":150,"max_pkt_size":1500,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":6274512},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"stream":{"3whs_ack_in_wrong_dir":0,"3whs_async_wrong_seq":0,"3whs_right_seq_wrong_ack_evasion":0},"tcp":{"sessions":6,"ssn_memcap_drop":0,"pseudo":2,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":6,"synack":6,"rst":2,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":0,"memuse":286720,"reassembly_memuse":12244864},"detect":{"alert":1},"ips":{"accepted":3699,"blocked":17,"rejected":0,"replaced":0},"flow_mgr":{"closed_pruned":5,"new_pruned":0,"est_pruned":1},"dns":{"memuse":0,"memcap_state":0,"memcap_global":0},"http":{"memuse":0,"memcap":0}}}
{"timestamp":"2016-08-04T16:42:10.001312+0800","event_type":"stats","stats":{"uptime":3203,"decoder":{"pkts":3700,"bytes":557383,"invalid":0,"ipv4":3700,"ipv6":0,"ethernet":0,"raw":0,"null":0,"sll":0,"tcp":3700,"udp":0,"sctp":0,"icmpv4":0,"icmpv6":0,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":150,"max_pkt_size":1500,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":6274512},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"stream":{"3whs_ack_in_wrong_dir":0,"3whs_async_wrong_seq":0,"3whs_right_seq_wrong_ack_evasion":0},"tcp":{"sessions":6,"ssn_memcap_drop":0,"pseudo":2,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":6,"synack":6,"rst":2,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":0,"memuse":286720,"reassembly_memuse":12244864},"detect":{"alert":1},"ips":{"accepted":3699,"blocked":17,"rejected":0,"replaced":0},"flow_mgr":{"closed_pruned":5,"new_pruned":0,"est_pruned":1},"dns":{"memuse":0,"memcap_state":0,"memcap_global":0},"http":{"memuse":0,"memcap":0}}}

And if, like me, you use the drop action in your rules, there is also a drop.log:

tail drop.log
08/04/2016-15:49:07.016199: IN= OUT= SRC=192.168.213.1 DST=192.168.213.133 LEN=513 TOS=0x00 TTL=64 ID=11633 PROTO=TCP SPT=25948 DPT=80 SEQ=4258873955 ACK=174435259 WINDOW=252 ACK PSH RES=0x00 URGP=0
08/04/2016-15:49:09.113461: IN= OUT= SRC=192.168.213.133 DST=192.168.213.1 LEN=40 TOS=0x00 TTL=64 ID=18367 PROTO=TCP SPT=80 DPT=25948 SEQ=174435259 ACK=4258873955 WINDOW=245 ACK FIN RES=0x00 URGP=0
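As an added example (not part of the original post), the following Python script parses fast.log lines of the layout shown above and picks the current IPS verdict counters out of eve.json stats events, so that alerts and drops can be counted per signature id and per source address. The sample lines are constructed to match the formats above; they are not real captures, and the signature ids in them are placeholders.

```python
import json
import re
from collections import Counter

# Layout of a fast.log line in Suricata 3.x. The "[Drop]" token is only
# printed when the rule action was drop and the engine runs inline;
# "[wDrop]" (would drop) appears for drop rules in IDS mode, and a plain
# alert carries no action token at all.
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+"
    r"(?:\[(?P<action>w?Drop)\]\s+)?"
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"\[Classification:\s*(?P<classification>[^\]]*)\]\s+"
    r"\[Priority:\s*(?P<priority>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\S+):(?P<sport>\d+)\s+->\s+(?P<dst>\S+):(?P<dport>\d+)\s*$"
)


def parse_fast_line(line):
    """Parse one fast.log line into a dict, or return None if it does not match."""
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["action"] = rec["action"] or "alert"
    for key in ("gid", "sid", "rev", "priority", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec


def summarize_fast(lines):
    """Count alerts, inline drops, and hits per signature id and per source address."""
    records = [r for r in map(parse_fast_line, lines) if r is not None]
    return {
        "total": len(records),
        "dropped": sum(1 for r in records if r["action"] == "Drop"),
        "by_sid": Counter(r["sid"] for r in records),
        "by_src": Counter(r["src"] for r in records),
    }


def latest_ips_counters(eve_lines):
    """Return the ips counters of the most recent eve.json stats event.

    The counters (accepted/blocked/rejected/replaced) are cumulative since
    engine start, so the last stats event holds the current totals; summing
    them across events would over-count.
    """
    latest = None
    for line in eve_lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except ValueError:
            continue  # skip a partially written line at the end of a live file
        if event.get("event_type") == "stats":
            latest = event.get("stats", {}).get("ips")
    return latest


# Constructed sample data in the formats shown above; not real captures,
# and the signature ids are placeholders.
SAMPLE_FAST = """\
08/03/2016-16:57:51.126114  [Drop] [**] [1201:12010068:1] block sql injection [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.213.1:57150 -> 192.168.213.133:80
08/03/2016-16:58:04.846596  [Drop] [**] [1201:12010074:1] block sql injection [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.213.1:57152 -> 192.168.213.133:80
08/03/2016-17:02:11.000001  [**] [1:1000001:1] constructed test alert [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.213.133:80 -> 192.168.213.1:57160
this line is not in fast.log format and is skipped
"""

SAMPLE_EVE = """\
{"timestamp":"2016-08-04T16:41:56.001000+0800","event_type":"stats","stats":{"uptime":3189,"ips":{"accepted":3650,"blocked":15,"rejected":0,"replaced":0}}}
{"timestamp":"2016-08-04T16:42:00.000100+0800","event_type":"alert","src_ip":"192.168.213.1","dest_ip":"192.168.213.133","alert":{"action":"blocked","gid":1201,"signature_id":12010068,"rev":1,"signature":"block sql injection"}}
{"timestamp":"2016-08-04T16:42:03.001873+0800","event_type":"stats","stats":{"uptime":3196,"ips":{"accepted":3699,"blocked":17,"rejected":0,"replaced":0}}}
"""

if __name__ == "__main__":
    summary = summarize_fast(SAMPLE_FAST.splitlines())
    print("alerts:", summary["total"], "dropped:", summary["dropped"])
    print("per sid:", dict(summary["by_sid"]))
    print("per source:", dict(summary["by_src"]))
    print("ips counters:", latest_ips_counters(SAMPLE_EVE.splitlines()))
```

For a real deployment point the two functions at /var/log/suricata/fast.log and /var/log/suricata/eve.json; the regex deliberately tolerates lines without an action token so the same parser works for IDS and IPS output.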

The log entries above were all produced by a rule I wrote myself, shown below. (sid:1 is fine for a test, but custom rules conventionally use sids of 1000000 and above so they never collide with the Emerging Threats ids.)

drop http $HOME_NET any <> $EXTERNAL_NET any (msg:"阻止sql注入攻击"; content:"select"; nocase; content:"from"; nocase; pcre:"/\bselect\b.{1,100}?\bfrom\b/ism"; classtype:web-application-attack; sid:1; rev:1;)
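To see what this rule actually catches, here is an added Python reproduction of its three match options (the two nocase content keywords as prefilters, then the pcre with the i, s and m flags) run over constructed HTTP request payloads. It is example code written for this post, not part of Suricata; it models only this rule's payload matching, not the engine's stream reassembly or HTTP normalization, and the payloads are made up rather than captured.

```python
import re

# The rule's match options, in rule order. No http_uri/http_client_body
# modifier is set, so the keywords match the raw, un-normalized payload.
CONTENTS = (b"select", b"from")  # content:"select"; nocase; content:"from"; nocase;
PCRE = re.compile(rb"\bselect\b.{1,100}?\bfrom\b", re.I | re.S | re.M)  # /.../ism


def rule_matches(payload):
    """True when every option of the rule matches the payload.

    The content keywords are cheap substring checks that Suricata uses to
    prefilter; the pcre is only evaluated when both of them hit.
    """
    lowered = payload.lower()
    if not all(keyword in lowered for keyword in CONTENTS):
        return False
    return PCRE.search(payload) is not None


def scan(payloads):
    """Run the rule over a dict of name -> payload; returns name -> matched."""
    return {name: rule_matches(data) for name, data in payloads.items()}


# Constructed request payloads (not real captures) covering hits, an
# obfuscation the rule still catches, and two evasions it misses.
SAMPLES = {
    # Literal spaces, as a hand-crafted request sent with nc carries them: hit.
    "plain": b"GET /search?q=select password from users HTTP/1.1\r\nHost: shop\r\n\r\n",
    # Mixed case, keywords in a POST body: nocase and the pcre's i flag make this a hit.
    "post_body": (b"POST /search HTTP/1.1\r\nHost: shop\r\nContent-Length: 28\r\n\r\n"
                  b"q=SELECT password FROM users"),
    # Inline comments instead of spaces: '/' is not a word character, so \b still holds: hit.
    "sql_comments": b"GET /search?q=select/**/password/**/from/**/users HTTP/1.1\r\nHost: shop\r\n\r\n",
    # URL-encoded spaces, as a browser sends them: "%20from" puts the word
    # character '0' directly before "from", so \bfrom\b never matches: missed.
    "url_encoded": b"GET /search?q=select%20password%20from%20users HTTP/1.1\r\nHost: shop\r\n\r\n",
    # More than 100 bytes between the keywords exceeds .{1,100}?: missed.
    "long_gap": b"GET /search?q=select " + b"a," * 60 + b"z from users HTTP/1.1\r\nHost: shop\r\n\r\n",
    # No SQL keywords at all: the prefilter rejects it before the pcre runs.
    "benign": b"GET /about HTTP/1.1\r\nHost: shop\r\n\r\n",
}

if __name__ == "__main__":
    for name, hit in scan(SAMPLES).items():
        print(f"{name:12s} {'ALERT' if hit else 'no match'}")
```

The url_encoded case is the practical lesson: browsers percent-encode the query string, and against the raw payload the digit in %20 defeats the \b before "from", so the rule is mostly useful against hand-crafted requests. Matching on Suricata's normalized http_uri buffer, which percent-decodes the URI, or writing the pcre so it does not depend on a word boundary after an encoded space, fixes that. The long_gap case shows that the bounded quantifier is a performance guard an attacker can simply pad past.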

Summary

This article covered how to install, configure and run Suricata. I hope it is useful; a later post will explain in detail how to write Suricata rules.

