• 使用 Suricata 进行入侵监控(一个简单小例子访问百度)


      前期博客

    基于CentOS6.5下Suricata(一款高性能的网络IDS、IPS和网络安全监控引擎)的搭建(图文详解)(博主推荐)

    1、自己编写一条规则,规则书写参考snort规则(suricata完全兼容snort规则)
       例如以百度网站为例:
       [root@suricata rules]# cat test.rules 
    [root@suricata rules]# pwd
    /etc/suricata/rules
    [root@suricata rules]# ls
    app-layer-events.rules   emerging-activex.rules          emerging-icmp.rules            emerging-scada.rules        emerging-web_server.rules         smtp-events.rules
    botcc.portgrouped.rules  emerging-attack_response.rules  emerging-imap.rules            emerging-scan.rules         emerging-web_specific_apps.rules  stream-events.rules
    botcc.rules              emerging-chat.rules             emerging-inappropriate.rules   emerging-shellcode.rules    emerging-worm.rules               suricata-1.2-prior-open.yaml
    BSD-License.txt          emerging.conf                   emerging-info.rules            emerging-smtp.rules         gen-msg.map                       suricata-1.3-enhanced-open.txt
    ciarmy.rules             emerging-current_events.rules   emerging-malware.rules         emerging-snmp.rules         gpl-2.0.txt                       suricata-1.3-etpro-etnamed.yaml
    classification.config    emerging-deleted.rules          emerging-misc.rules            emerging-sql.rules          http-events.rules                 suricata-1.3-open.yaml
    compromised-ips.txt      emerging-dns.rules              emerging-mobile_malware.rules  emerging-telnet.rules       LICENSE                           tor.rules
    compromised.rules        emerging-dos.rules              emerging-netbios.rules         emerging-tftp.rules         modbus-events.rules               unicode.map
    decoder-events.rules     emerging-exploit.rules          emerging-p2p.rules             emerging-trojan.rules       rbn-malvertisers.rules
    dns-events.rules         emerging-ftp.rules              emerging-policy.rules          emerging-user_agents.rules  rbn.rules
    drop.rules               emerging-games.rules            emerging-pop3.rules            emerging-voip.rules         reference.config
    dshield.rules            emerging-icmp_info.rules        emerging-rpc.rules             emerging-web_client.rules   sid-msg.map
    [root@suricata rules]# vim test-baidu.rules
     
    [root@suricata rules]# cat test-baidu.rules 
    alert http any any -> any any (msg:"hit baidu.com...";content:"baidu"; reference:url, www.baidu.com;)
       将文件命名为test.rules,存放在目录/etc/suricata/rules下(直接存放在该目录下rules里面)。
     
     
     
      同时,还要把这个自定义配置文件(如我这里已经改名了,为local.rules)放到配置文件里,才可以生效。
     
     
     
    2、启动suricata 
    [root@suricata ~]# sudo /usr/local/bin/suricata -c /etc/suricata/suricata.yaml    -i eth0   -s /etc/suricata/rules/test.rules
     
     
     
     
     
    3、打开虚拟机中火狐浏览器,访问www.baidu.com
     
     
     
     
         此时,查看log文件/var/log/suricata目录下

    [root@suricata ~]# cd /var/log/suricata
    [root@suricata suricata]# pwd
    /var/log/suricata
    [root@suricata suricata]# ls
    certs  eve.json  fast.log  files  stats.log  suricata.log
    [root@suricata suricata]# 
       fast.log显示数据包匹配的条数
    [root@suricata suricata]# cat fast.log 
    08/09/2017-21:15:51.526950  [**] [1:2240002:1] SURICATA DNS malformed request data [**] [Classification: (null)] [Priority: 3] {UDP} 192.168.80.2:53 -> 192.168.80.86:52492
    08/09/2017-21:16:00.603193  [**] [1:2240002:1] SURICATA DNS malformed request data [**] [Classification: (null)] [Priority: 3] {UDP} 192.168.80.2:53 -> 192.168.80.86:44808
    08/09/2017-21:16:00.641131  [**] [1:2240002:1] SURICATA DNS malformed request data [**] [Classification: (null)] [Priority: 3] {UDP} 192.168.80.2:53 -> 192.168.80.86:37705
    08/09/2017-21:16:00.860060  [**] [1:2240002:1] SURICATA DNS malformed request data [**] [Classification: (null)] [Priority: 3] {UDP} 192.168.80.2:53 -> 192.168.80.86:36831
    08/09/2017-21:16:56.624866  [**] [1:2240002:1] SURICATA DNS malformed request data [**] [Classification: (null)] [Priority: 3] {UDP} 192.168.80.2:53 -> 192.168.80.86:52630
    08/09/2017-21:17:00.111989  [**] [1:2240002:1] SURICATA DNS malformed request data [**] [Classification: (null)] [Priority: 3] {UDP} 192.168.80.2:53 -> 192.168.80.86:44013

       192.168.80.2是我192.168.80.86(即suricata主机的网关)




     
     
     
     
    [root@suricata suricata]# ls
    certs  eve.json  fast.log  files  stats.log  suricata.log
    [root@suricata suricata]# cat suricata.log 
    9/8/2017 -- 21:13:33 - <Notice> - This is Suricata version 3.1 RELEASE
    9/8/2017 -- 21:13:42 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /etc/suricata/rules/tls-events.rules
    9/8/2017 -- 21:13:42 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /etc/suricata/rules/test.rules
    9/8/2017 -- 21:13:42 - <Error> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rules loaded from /etc/suricata/rules/test.rules
    9/8/2017 -- 21:13:49 - <Notice> - all 1 packet processing threads, 4 management threads initialized, engine started.
    9/8/2017 -- 21:19:41 - <Notice> - Signal Received.  Stopping engine.
    9/8/2017 -- 21:19:41 - <Notice> - Stats for 'eth0':  pkts: 11525, drop: 0 (0.00%), invalid chksum: 0
    [root@suricata suricata]# pwd
    /var/log/suricata
    [root@suricata suricata]# 
       
      其生产的报警日志文件,就是fast.log。
     
     
     
     
  • 相关阅读:
    C#程序调试
    jsp连接sql数据库
    SQL记录
    对于和/的小问题:证明路径中可以混合使用斜杠和反斜杠
    集合初识
    details.jsp页面的 response.addCookie(cookie);报错&tomcat高版本下的Cookie问题
    sql查询操作—顺序查询
    myeclipse使用Microsoft JDBC Driver 6.0 for SQL Server连接sql
    JavaScript、Java、C#关于for循环的比较
    关于jsp动作元素的一点疑惑
  • 原文地址:https://www.cnblogs.com/zlslch/p/7327795.html
Copyright © 2020-2023  润新知