使用 Suricata 进行入侵监控(一个简单小例子访问百度)
前期博客
基于CentOS6.5下Suricata(一款高性能的网络IDS、IPS和网络安全监控引擎)的搭建(图文详解)(博主推荐)
1、自己编写一条规则,规则书写参考snort规则(suricata完全兼容snort规则)
例如以百度网站为例:
[root@suricata rules]# cat test.rules
[root@suricata rules]# pwd /etc/suricata/rules [root@suricata rules]# ls app-layer-events.rules emerging-activex.rules emerging-icmp.rules emerging-scada.rules emerging-web_server.rules smtp-events.rules botcc.portgrouped.rules emerging-attack_response.rules emerging-imap.rules emerging-scan.rules emerging-web_specific_apps.rules stream-events.rules botcc.rules emerging-chat.rules emerging-inappropriate.rules emerging-shellcode.rules emerging-worm.rules suricata-1.2-prior-open.yaml BSD-License.txt emerging.conf emerging-info.rules emerging-smtp.rules gen-msg.map suricata-1.3-enhanced-open.txt ciarmy.rules emerging-current_events.rules emerging-malware.rules emerging-snmp.rules gpl-2.0.txt suricata-1.3-etpro-etnamed.yaml classification.config emerging-deleted.rules emerging-misc.rules emerging-sql.rules http-events.rules suricata-1.3-open.yaml compromised-ips.txt emerging-dns.rules emerging-mobile_malware.rules emerging-telnet.rules LICENSE tor.rules compromised.rules emerging-dos.rules emerging-netbios.rules emerging-tftp.rules modbus-events.rules unicode.map decoder-events.rules emerging-exploit.rules emerging-p2p.rules emerging-trojan.rules rbn-malvertisers.rules dns-events.rules emerging-ftp.rules emerging-policy.rules emerging-user_agents.rules rbn.rules drop.rules emerging-games.rules emerging-pop3.rules emerging-voip.rules reference.config dshield.rules emerging-icmp_info.rules emerging-rpc.rules emerging-web_client.rules sid-msg.map [root@suricata rules]# vim test-baidu.rules
[root@suricata rules]# cat test-baidu.rules alert http any any -> any any (msg:"hit baidu.com...";content:"baidu"; reference:url, www.baidu.com;)
将文件命名为test.rules,存放在目录/etc/suricata/rules下(直接存放在该目录下rules里面)。
同时,还要把这个自定义配置文件(如我这里已经改名了,为local.rules)放到配置文件里,才可以生效。
2、启动suricata
[root@suricata ~]# sudo /usr/local/bin/suricata -c /etc/suricata/suricata.yaml -i eth0 -s /etc/suricata/rules/test.rules
3、打开虚拟机中火狐浏览器,访问www.baidu.com
此时,查看log文件/var/log/suricata目录下
[root@suricata ~]# cd /var/log/suricata [root@suricata suricata]# pwd /var/log/suricata [root@suricata suricata]# ls certs eve.json fast.log files stats.log suricata.log [root@suricata suricata]#
fast.log显示数据包匹配的条数
[root@suricata suricata]# cat fast.log 08/09/2017-21:15:51.526950 [**] [1:2240002:1] SURICATA DNS malformed request data [**] [Classification: (null)] [Priority: 3] {UDP} 192.168.80.2:53 -> 192.168.80.86:52492 08/09/2017-21:16:00.603193 [**] [1:2240002:1] SURICATA DNS malformed request data [**] [Classification: (null)] [Priority: 3] {UDP} 192.168.80.2:53 -> 192.168.80.86:44808 08/09/2017-21:16:00.641131 [**] [1:2240002:1] SURICATA DNS malformed request data [**] [Classification: (null)] [Priority: 3] {UDP} 192.168.80.2:53 -> 192.168.80.86:37705 08/09/2017-21:16:00.860060 [**] [1:2240002:1] SURICATA DNS malformed request data [**] [Classification: (null)] [Priority: 3] {UDP} 192.168.80.2:53 -> 192.168.80.86:36831 08/09/2017-21:16:56.624866 [**] [1:2240002:1] SURICATA DNS malformed request data [**] [Classification: (null)] [Priority: 3] {UDP} 192.168.80.2:53 -> 192.168.80.86:52630 08/09/2017-21:17:00.111989 [**] [1:2240002:1] SURICATA DNS malformed request data [**] [Classification: (null)] [Priority: 3] {UDP} 192.168.80.2:53 -> 192.168.80.86:44013
192.168.80.2是我192.168.80.86(即suricata主机的网关)
[root@suricata suricata]# ls certs eve.json fast.log files stats.log suricata.log [root@suricata suricata]# cat suricata.log 9/8/2017 -- 21:13:33 - <Notice> - This is Suricata version 3.1 RELEASE 9/8/2017 -- 21:13:42 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /etc/suricata/rules/tls-events.rules 9/8/2017 -- 21:13:42 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /etc/suricata/rules/test.rules 9/8/2017 -- 21:13:42 - <Error> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rules loaded from /etc/suricata/rules/test.rules 9/8/2017 -- 21:13:49 - <Notice> - all 1 packet processing threads, 4 management threads initialized, engine started. 9/8/2017 -- 21:19:41 - <Notice> - Signal Received. Stopping engine. 9/8/2017 -- 21:19:41 - <Notice> - Stats for 'eth0': pkts: 11525, drop: 0 (0.00%), invalid chksum: 0 [root@suricata suricata]# pwd /var/log/suricata [root@suricata suricata]#
其生产的报警日志文件,就是fast.log。
作者:大数据和人工智能躺过的坑
出处:http://www.cnblogs.com/zlslch/
本文版权归作者和博客园共有,欢迎转载,但未经作者同意必须保留此段声明,且在文章页面明显位置给出原文链接,否则保留追究法律责任的权利。
如果您认为这篇文章还不错或者有所收获,您可以通过右边的“打赏”功能 打赏我一杯咖啡【物质支持】,也可以点击右下角的【好文要顶】按钮【精神支持】,因为这两种支持都是我继续写作,分享的最大动力!
