使用 Suricata 进行入侵监控(一个简单小例子访问百度)

 

 

  前期博客

基于CentOS6.5下Suricata(一款高性能的网络IDS、IPS和网络安全监控引擎)的搭建(图文详解)(博主推荐)

 

 

 

 

 

 

1、自己编写一条规则,规则书写参考snort规则(suricata完全兼容snort规则)
   例如以百度网站为例:
   [root@suricata rules]# cat test.rules 
使用 Suricata 进行入侵监控(一个简单小例子访问百度)_第1张图片
[root@suricata rules]# pwd
/etc/suricata/rules
[root@suricata rules]# ls
app-layer-events.rules   emerging-activex.rules          emerging-icmp.rules            emerging-scada.rules        emerging-web_server.rules         smtp-events.rules
botcc.portgrouped.rules  emerging-attack_response.rules  emerging-imap.rules            emerging-scan.rules         emerging-web_specific_apps.rules  stream-events.rules
botcc.rules              emerging-chat.rules             emerging-inappropriate.rules   emerging-shellcode.rules    emerging-worm.rules               suricata-1.2-prior-open.yaml
BSD-License.txt          emerging.conf                   emerging-info.rules            emerging-smtp.rules         gen-msg.map                       suricata-1.3-enhanced-open.txt
ciarmy.rules             emerging-current_events.rules   emerging-malware.rules         emerging-snmp.rules         gpl-2.0.txt                       suricata-1.3-etpro-etnamed.yaml
classification.config    emerging-deleted.rules          emerging-misc.rules            emerging-sql.rules          http-events.rules                 suricata-1.3-open.yaml
compromised-ips.txt      emerging-dns.rules              emerging-mobile_malware.rules  emerging-telnet.rules       LICENSE                           tor.rules
compromised.rules        emerging-dos.rules              emerging-netbios.rules         emerging-tftp.rules         modbus-events.rules               unicode.map
decoder-events.rules     emerging-exploit.rules          emerging-p2p.rules             emerging-trojan.rules       rbn-malvertisers.rules
dns-events.rules         emerging-ftp.rules              emerging-policy.rules          emerging-user_agents.rules  rbn.rules
drop.rules               emerging-games.rules            emerging-pop3.rules            emerging-voip.rules         reference.config
dshield.rules            emerging-icmp_info.rules        emerging-rpc.rules             emerging-web_client.rules   sid-msg.map
[root@suricata rules]# vim test-baidu.rules

 

 
[root@suricata rules]# cat test-baidu.rules 
alert http any any -> any any (msg:"hit baidu.com...";content:"baidu"; reference:url, www.baidu.com;)
   将文件命名为test.rules,存放在目录/etc/suricata/rules下(直接存放在该目录下rules里面)。
 
 
 
  同时,还要把这个自定义配置文件(如我这里已经改名了,为local.rules)放到配置文件里,才可以生效。
 
使用 Suricata 进行入侵监控(一个简单小例子访问百度)_第2张图片

 

 

 

 

 
 
2、启动suricata 
[root@suricata ~]# sudo /usr/local/bin/suricata -c /etc/suricata/suricata.yaml    -i eth0   -s /etc/suricata/rules/test.rules

 

 
 
 
 
 
3、打开虚拟机中火狐浏览器,访问www.baidu.com
使用 Suricata 进行入侵监控(一个简单小例子访问百度)_第3张图片

 

 
 
 
 
     此时,查看log文件/var/log/suricata目录下

使用 Suricata 进行入侵监控(一个简单小例子访问百度)_第4张图片

[root@suricata ~]# cd /var/log/suricata
[root@suricata suricata]# pwd
/var/log/suricata
[root@suricata suricata]# ls
certs  eve.json  fast.log  files  stats.log  suricata.log
[root@suricata suricata]# 

 

 

 

 

   fast.log显示数据包匹配的条数
使用 Suricata 进行入侵监控(一个简单小例子访问百度)_第5张图片
[root@suricata suricata]# cat fast.log 
08/09/2017-21:15:51.526950  [**] [1:2240002:1] SURICATA DNS malformed request data [**] [Classification: (null)] [Priority: 3] {UDP} 192.168.80.2:53 -> 192.168.80.86:52492
08/09/2017-21:16:00.603193  [**] [1:2240002:1] SURICATA DNS malformed request data [**] [Classification: (null)] [Priority: 3] {UDP} 192.168.80.2:53 -> 192.168.80.86:44808
08/09/2017-21:16:00.641131  [**] [1:2240002:1] SURICATA DNS malformed request data [**] [Classification: (null)] [Priority: 3] {UDP} 192.168.80.2:53 -> 192.168.80.86:37705
08/09/2017-21:16:00.860060  [**] [1:2240002:1] SURICATA DNS malformed request data [**] [Classification: (null)] [Priority: 3] {UDP} 192.168.80.2:53 -> 192.168.80.86:36831
08/09/2017-21:16:56.624866  [**] [1:2240002:1] SURICATA DNS malformed request data [**] [Classification: (null)] [Priority: 3] {UDP} 192.168.80.2:53 -> 192.168.80.86:52630
08/09/2017-21:17:00.111989  [**] [1:2240002:1] SURICATA DNS malformed request data [**] [Classification: (null)] [Priority: 3] {UDP} 192.168.80.2:53 -> 192.168.80.86:44013

   192.168.80.2是我192.168.80.86(即suricata主机的网关)




 
 
 
 
使用 Suricata 进行入侵监控(一个简单小例子访问百度)_第6张图片
[root@suricata suricata]# ls
certs  eve.json  fast.log  files  stats.log  suricata.log
[root@suricata suricata]# cat suricata.log 
9/8/2017 -- 21:13:33 -  - This is Suricata version 3.1 RELEASE
9/8/2017 -- 21:13:42 -  - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /etc/suricata/rules/tls-events.rules
9/8/2017 -- 21:13:42 -  - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /etc/suricata/rules/test.rules
9/8/2017 -- 21:13:42 -  - [ERRCODE: SC_ERR_NO_RULES(42)] - No rules loaded from /etc/suricata/rules/test.rules
9/8/2017 -- 21:13:49 -  - all 1 packet processing threads, 4 management threads initialized, engine started.
9/8/2017 -- 21:19:41 -  - Signal Received.  Stopping engine.
9/8/2017 -- 21:19:41 -  - Stats for 'eth0':  pkts: 11525, drop: 0 (0.00%), invalid chksum: 0
[root@suricata suricata]# pwd
/var/log/suricata
[root@suricata suricata]# 

 

   
  其生产的报警日志文件,就是fast.log。
 
 
 
 

你可能感兴趣的:(使用 Suricata 进行入侵监控(一个简单小例子访问百度))