Suricata入侵检测系统的搭建

0x01、安装CentOS

Suricata入侵检测系统的搭建_第1张图片
1 基于CentOS-6.8-x86_64-bin-DVD1.iso,安装时选择desktop, customiz now,databases-->>mysql*, 进行安装mysql, 这里我们要配置可以访问外网。尽量选择多的开发包,不要选择最小化安装,因为那样的话,系统会缺失很多依赖包的,在后期编译的时候会出现很多问题的。毕竟现在硬盘和内存都很大了,不必节省那么点空间。

2 设置epel源
yum install epel-release
#mv /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.backup
#wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-6.repo
#yum clean all
#yum makecache

3 安装依赖包
yum -y install gcc-c++ patch readline readline-devel zlib zlib-devel git-core libyaml-devel libffi-devel openssl-devel make libpcap-devel pcre-devel libyaml-devel file-devel jansson-devel nss-devel libcap-ng-devel libnet-devel tar libnetfilter_queue-devel lua-devel mysql-devel fontconfig-devel libX11-devel libXrender-devel libxml2-devel libxslt-devel qconf

0x02 安装重要的依赖包

1 ImageMagick # 成功安装, 另外打开新的一个terminal
cd /opt/
wget https://www.imagemagick.org/download/ImageMagick-6.9.6-5.tar.gz
tar xvfz ImageMagick-6.9.6-5.tar.gz && cd ImageMagick-6.9.6-5
./configure && make && make install
ldconfig /usr/local/lib

2 yaml # 成功安装, 另外打开新的一个terminal
cd /opt/
wget http://pyyaml.org/download/libyaml/yaml-0.1.4.tar.gz
tar zxvf yaml-0.1.4.tar.gz && cd yaml-0.1.4
./configure && make && make install

3 libhtp
cd /opt/
wget -O libhtp-0.5.20.tar.gz  https://codeload.github.com/OISF/libhtp/tar.gz/0.5.20 
tar zxvf libhtp-0.5.20.tar.gz && cd libhtp-0.5.20
./autogen.sh
./configure && make && make install

0x03 mysql 的配置运行

# yum install mysql mysql-devel mysql*
service mysqld start       #启动mysql服务
chkconfig mysqld on       #设置开机启动mysqld服务
mysqladmin -u root password 'youaresb!!!'

0x04 安装Ruby

curl -L get.rvm.io | bash -s stable
command curl -sSL https://rvm.io/mpapis.asc | gpg2 --import -#导入证书
source /etc/profile.d/rvm.sh
rvm install 2.0.0
# rvm use 2.0.0--default 如果有多个ruby 版本,才使用这条语句。
ruby -v

gem install bundler # 安装bundler

0x05 snorby

# https://github.com/Snorby/snorby
cd /opt/
git clone git://github.com/Snorby/snorby.git
cd snorby

# 修改文件Gemfile,把gem 'rake', '0.9.2'   改成  gem 'rake', '> 0.9.2'
sed -i 's/0.9.2/>0.9.2.2/g' Gemfile

#修改文件Gemfile.lock,把 rake (0.9.2)  改成  rake(0.9.2.2)
sed -i 's/\(0.9.2\)/0.9.2.2/g' Gemfile.lock

# 创建snorby_config.yml和database.yml两个文件
cp config/snorby_config.yml.example config/snorby_config.yml
cp config/database.yml.example config/database.yml
 
# 打开database.yml 把里面 mysql的账号密码修改成我们设置的账号密码(root/ youaresb!!!)
# 修改snorby_config.yml,把time_zone前面的注释去掉,并把UTC改为Asia/Shanghai
sed -i 's/Enter Password Here/ym2011@2011my'/g config/database.yml
# 进入snorby目录,执行如下命令开始安装:
sed -i '/dm-postgres-adapter/d' Gemfile
bundle install
rake snorby:setup
 
# 设置iptables
/etc/init.d/iptables stop #关闭防火墙,其他主机可以访问http://ip:3000
# iptables -I INPUT -p tcp --dport 3000 -mstate --state=NEW,ESTABLISHED,RELATED -j ACCEPT

# 启动服务:
rails server -e production &

# 在其他主机或者本地主机的浏览器,输入http://ip:3000
# 账号/密码:[email protected]/snorby
#######################################################################################
# 以上我们搭建完成了teamserver作为数据收集和展示。
#######################################################################################

0x06、Barnyard2的安装

cd /opt/
wget https://codeload.github.com/firnsy/barnyard2/tar.gz/v2-1.13
tar xvfz barnyard2-2-1.13.tar.gz && cd barnyard2-2-1.13/
./autogen.sh
./configure --with-mysql-libraries=/usr/lib64/mysql/ --with-mysql=/usr/bin/mysql
make && make install

0x07 Suricata 的安装

#方式一:
cd /opt/
wget http://www.openinfosecfoundation.org/download/suricata-3.1.tar.gz
tar -xvzf suricata-3.1.tar.gz && cd suricata-3.1
./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var --enable-nfqueue --enable-lua
make && make install-full

#方式二:yum install suricata

0x08 配置Suricata、Barnyard 2

1 配置Barnyard 2
#把Barnyard 2安装源文件中的etc/barnyard2.conf文件拷贝到Suricata的配置目录下
cd /opt/barnyard2-2-1.13
cp ./etc/barnyard2.conf /etc/suricata/
 
#创建barnyard2日志目录/var/log/barnyard2
mkdir /var/log/barnyard2

# 修改barnyard2.conf
# 把 默认的snort文件配置改成 suricata
sed -i 's/snort/suricata/g' /etc/suricata/barnyard2.conf
sed -i 's/gen-msg.map/\/rules\/gen-msg.map/g' /etc/suricata/barnyard2.conf
sed -i 's/sid-msg.map/\/rules\/sid-msg.map/g' /etc/suricata/barnyard2.conf

# 把数据信息添加到barnyard2.conf  //已完成
sed -i '$a output database: log, mysql, user=root password=ym2011@2011my dbname=snorby host=localhost' /etc/suricata/barnyard2.conf

#找到“config hostname”和“config interface”,eth0是镜像端口所在的网卡,按照你的实际情况修改.(unfinished)
sed -i -e '/#config hostname:   thor/\a/config hostname:   ym/' /etc/suricata/barnyard2.conf
sed -i -e '/#config interface:  eth0/\a/config interface:  eth0/' /etc/suricata/barnyard2.conf
sed -i -e '/config waldo_file/a\config waldo_file: /var/log/suricata/suricata.waldo' /etc/suricata/barnyard2.conf

2 编辑suricata.yaml文件
touch /var/log/suricata/suricata.waldo

修改日志格式文件:
sed -i -e '/default-log-format/a\  default-log-format: "[%i] %t -(%f:%l) <%d> (%n) -- "' /etc/suricata/suricata.yaml

# 开启syslog 功能, 在/etc/suricata/suricata.yaml , 找到:
sed -i -e '\/var\/log\/suricata\/suricata.log/,/Step 4/s/no/yes/g' /etc/suricata/suricata.yaml

# 开启unified2 logging in the suricata yaml:
sed -i -e '/unified2-alert/,/unified2.alert/s/no/yes/g' /etc/suricata/suricata.yaml

找到#pid-file: /var/run/suricata.pid把前面的#号去掉
sed -i -e '/pid-file/a\pid-file: /var/run/suricata.pid' /etc/suricata/suricata.yaml

# 找到rule-files,把下面的emerging-icmp.rules 和emerging-virus.rules删除掉。(unfinished)
 
启用 threshold,找到#threshold-file: /etc/suricata/threshold.config
sed -i -e '/threshold-file/a\threshold-file: /etc/suricata/threshold.config' /etc/suricata/suricata.yaml
 
启动Suricata、Barnyard 2
sudo /usr/local/bin/barnyard2 -c /etc/suricata/barnyard2.conf -d /var/log/suricata -f unified2.alert -w /var/log/suricata/suricata.waldo –D

LD_LIBRARY_PATH=/usr/local/lib /usr/bin/suricata -c /etc/suricata/suricata.yaml -i eth0
# sudo /usr/bin/suricata -c /etc/suricata/suricata.yaml -i eth0 -D
# 启动suricata的-i参数是镜像流量的网卡

0x09 官方网站
官方网站:https://suricata-ids.org/

Step  one:
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/CentOS_Installation

Step two:
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Basic_Setup
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricata_User_Guide
Step three:

https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricata_Snorby_and_Barnyard2_set_up_guide
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Rule_Management_with_Oinkmaster
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricata_Rules

完整的脚本下载:

https://github.com/ym2011/penetration/tree/master/scripts/Snorby


欢迎大家分享更好的思路,热切期待^^_^^ !

你可能感兴趣的:(系统安全)