Installing Suricata IDS on Rocky Linux 8

Suricata is a free, open-source, standalone threat detection engine developed by the Open Information Security Foundation. It is a flexible, high-performance intrusion detection system (IDS), intrusion prevention system (IPS) and network security monitoring (NSM) tool that can detect and block attacks against your network. In IDS mode it analyzes network traffic and detects known attacks by matching signatures; in IPS mode it can additionally block the delivery of packets that match a detected attack.
In this post we show you how to install Suricata IDS on Rocky Linux 8.

Prerequisites

  • A server running Rocky Linux 8 on a cloud platform
  • A root password configured on the server

Create a cloud server

First, log in to your cloud provider and create a new server, choosing Rocky Linux 8 as the operating system with at least 1 GB of RAM. Connect to the server over SSH and log in with the credentials shown at the top of the server page.

Install Suricata on Rocky Linux 8

Suricata is not included in the default Rocky Linux repositories, so it has to be installed from the EPEL repository.
Install the EPEL repository with the following command:

dnf install epel-release -y

Once EPEL is enabled, verify the Suricata package information with the following command:

dnf info suricata

You should get the following output:

Available Packages
Name         : suricata
Version      : 5.0.8
Release      : 1.el8
Architecture : x86_64
Size         : 2.3 M
Source       : suricata-5.0.8-1.el8.src.rpm
Repository   : epel
Summary      : Intrusion Detection System
URL          : https://suricata-ids.org/
License      : GPLv2
Description  : The Suricata Engine is an Open Source Next Generation Intrusion
             : Detection and Prevention Engine. This engine is not intended to
             : just replace or emulate the existing tools in the industry, but
             : will bring new ideas and technologies to the field. This new Engine
             : supports Multi-threading, Automatic Protocol Detection (IP, TCP,
             : UDP, ICMP, HTTP, TLS, FTP and SMB! ), Gzip Decompression, Fast IP
             : Matching, and GeoIP identification.

Next, install Suricata with the following command:

dnf install suricata -y

Once Suricata is installed, you can proceed to the next step.

Configure Suricata

Suricata uses a set of rules to raise alerts on matching threats. The rules that ship with the package are located in the /etc/suricata/rules/ directory. You can list them with the following command:

ls /etc/suricata/rules/

You should get the following output:

app-layer-events.rules  dnp3-events.rules  http-events.rules      modbus-events.rules  smb-events.rules     tls-events.rules
decoder-events.rules    dns-events.rules   ipsec-events.rules     nfs-events.rules     smtp-events.rules
dhcp-events.rules       files.rules        kerberos-events.rules  ntp-events.rules     stream-events.rules

You can download and update the full rule set (the Emerging Threats Open rules by default) with the following command:

suricata-update

You should get output similar to the following:

16/3/2022 -- 05:22:20 -  -- Loading distribution rule file /usr/share/suricata/rules/smb-events.rules
16/3/2022 -- 05:22:20 -  -- Loading distribution rule file /usr/share/suricata/rules/smtp-events.rules
16/3/2022 -- 05:22:20 -  -- Loading distribution rule file /usr/share/suricata/rules/stream-events.rules
16/3/2022 -- 05:22:20 -  -- Loading distribution rule file /usr/share/suricata/rules/tls-events.rules
16/3/2022 -- 05:22:20 -  -- Ignoring file rules/emerging-deleted.rules
16/3/2022 -- 05:22:23 -  -- Loaded 32324 rules.
16/3/2022 -- 05:22:23 -  -- Disabled 14 rules.
16/3/2022 -- 05:22:23 -  -- Enabled 0 rules.
16/3/2022 -- 05:22:23 -  -- Modified 0 rules.
16/3/2022 -- 05:22:23 -  -- Dropped 0 rules.
16/3/2022 -- 05:22:23 -  -- Enabled 131 rules for flowbit dependencies.
16/3/2022 -- 05:22:23 -  -- Creating directory /var/lib/suricata/rules.
16/3/2022 -- 05:22:23 -  -- Backing up current rules.
16/3/2022 -- 05:22:23 -  -- Writing rules to /var/lib/suricata/rules/suricata.rules: total: 32324; enabled: 24930; added: 32324; removed 0; modified: 0
16/3/2022 -- 05:22:23 -  -- Testing with suricata -T.
16/3/2022 -- 05:22:36 -  -- Done.

Next, Suricata needs to be configured with the network interface to monitor and the IP address assigned to that interface.
First, find the server's network interface and IP address with the following command:

ip --brief add

In the output below, the interface is eth0 and its IP address is 209.23.8.4:

lo               UNKNOWN        127.0.0.1/8 ::1/128 
eth0             UP             209.23.8.4/22 fe80::200:d1ff:fe17:804/64 
eth1             UP             fe80::200:aff:fe17:804/64 

Now edit the Suricata configuration file:

nano /etc/suricata/suricata.yaml

Define your IP address (HOME_NET), the capture interface and the rule path as shown below:

HOME_NET: "[209.23.8.4]"
EXTERNAL_NET: "!$HOME_NET"


af-packet:
  - interface: eth0

default-rule-path: /var/lib/suricata/rules
rule-files:
  - suricata.rules

Save and close the file. Then disable packet offloading (GRO and LRO) on the interface Suricata will monitor, so that the engine sees packets as they arrived on the wire rather than large merged segments:

ethtool -K eth0 gro off lro off

Next, edit the /etc/sysconfig/suricata file to define the network interface Suricata listens on.

nano /etc/sysconfig/suricata

Change the following line:

OPTIONS="-i eth0 --user suricata "

Save and close the file when you are done. Then start the Suricata service and enable it at boot with the following command:

systemctl enable --now suricata

Next, check the status of Suricata with the following command:

systemctl status suricata

You should get the following output:

● suricata.service - Suricata Intrusion Detection Service
   Loaded: loaded (/usr/lib/systemd/system/suricata.service; enabled; vendor preset: disabled)
   Active: active (running) since Wed 2022-03-16 05:25:20 UTC; 5s ago
     Docs: man:suricata(1)
  Process: 24047 ExecStartPre=/bin/rm -f /var/run/suricata.pid (code=exited, status=0/SUCCESS)
 Main PID: 24049 (Suricata-Main)
    Tasks: 1 (limit: 23696)
   Memory: 232.9M
   CGroup: /system.slice/suricata.service
           └─24049 /sbin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid -i eth0 --user suricata

Mar 16 05:25:20 rockylinux systemd[1]: Starting Suricata Intrusion Detection Service...
Mar 16 05:25:20 rockylinux systemd[1]: Started Suricata Intrusion Detection Service.
Mar 16 05:25:20 rockylinux suricata[24049]: 16/3/2022 -- 05:25:20 -  - This is Suricata version 5.0.8 RELEASE running in SYSTEM mode

Check the Suricata logs

Suricata writes several log files covering the engine process, alerts and statistics.
To check the Suricata process log, run the following command:

tail /var/log/suricata/suricata.log

You should see the following output:

16/3/2022 -- 05:25:20 -  - Running in live mode, activating unix socket
16/3/2022 -- 05:25:20 -  - SSSE3 support not detected, disabling Hyperscan for SPM
16/3/2022 -- 05:25:21 -  - 1 rule files processed. 24930 rules successfully loaded, 0 rules failed
16/3/2022 -- 05:25:21 -  - Threshold config parsed: 0 rule(s) found
16/3/2022 -- 05:25:21 -  - 24933 signatures processed. 1283 are IP-only rules, 4109 are inspecting packet payload, 19340 inspect application layer, 105 are decoder event only
16/3/2022 -- 05:25:30 -  - Going to use 2 thread(s)
16/3/2022 -- 05:25:30 -  - Running in live mode, activating unix socket
16/3/2022 -- 05:25:30 -  - Using unix socket file '/var/run/suricata/suricata-command.socket'
16/3/2022 -- 05:25:30 -  - all 2 packet processing threads, 4 management threads initialized, engine started.
16/3/2022 -- 05:25:30 -  - All AFP capture threads are running.

To check the Suricata alert log, run the following command:

tail -f /var/log/suricata/fast.log

You should see output similar to the following:

03/16/2022-05:25:53.059177  [**] [1:2402000:6215] ET DROP Dshield Block Listed Source group 1 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 45.155.205.43:54612 -> 209.23.8.4:14381
03/16/2022-05:25:53.059177  [**] [1:2403342:73004] ET CINS Active Threat Intelligence Poor Reputation IP group 43 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 45.155.205.43:54612 -> 209.23.8.4:14381

To check the Suricata statistics log, run the following command:

tail -f /var/log/suricata/stats.log

You should see output similar to the following:

------------------------------------------------------------------------------------
Counter                                       | TM Name                   | Value
------------------------------------------------------------------------------------
capture.kernel_packets                        | Total                     | 651
decoder.pkts                                  | Total                     | 651
decoder.bytes                                 | Total                     | 51754
decoder.ipv4                                  | Total                     | 398
decoder.ipv6                                  | Total                     | 251
decoder.ethernet                              | Total                     | 651

Test Suricata IDS

At this point Suricata IDS is installed and configured. Now it is time to test whether it is working. To test it, log in to another system and install the hping3 utility, which will be used to generate a DDoS-style flood against the Suricata host.

dnf install hping3

Once hping3 is installed, perform the DDoS attack with the following command:

hping3 -S -p 22 --flood --rand-source 209.23.8.4

Now go back to the Suricata system and check the alert log with the following command:

tail -f /var/log/suricata/fast.log

You should see output similar to the following:

03/16/2022-05:29:11.007980  [**] [1:2402000:6215] ET DROP Dshield Block Listed Source group 1 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 45.155.205.56:43288 -> 209.23.8.4:1336
03/16/2022-05:29:18.049526  [**] [1:2402000:6215] ET DROP Dshield Block Listed Source group 1 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 89.248.163.164:44217 -> 209.23.8.4:37394
03/16/2022-05:29:18.049526  [**] [1:2403393:73004] ET CINS Active Threat Intelligence Poor Reputation IP group 94 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 89.248.163.164:44217 -> 209.23.8.4:37394
03/16/2022-05:30:52.933947  [**] [1:2402000:6215] ET DROP Dshield Block Listed Source group 1 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 167.248.133.173:24721 -> 209.23.8.4:9307
03/16/2022-05:31:52.284374  [**] [1:2402000:6215] ET DROP Dshield Block Listed Source group 1 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 89.248.165.202:57104 -> 209.23.8.4:6061
03/16/2022-05:31:52.284374  [**] [1:2403393:73004] ET CINS Active Threat Intelligence Poor Reputation IP group 94 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 89.248.165.202:57104 -> 209.23.8.4:6061
03/16/2022-05:32:19.951353  [**] [1:2403341:73004] ET CINS Active Threat Intelligence Poor Reputation IP group 42 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 45.137.21.208:42694 -> 209.23.8.4:57335
03/16/2022-05:32:21.477358  [**] [1:2403369:73004] ET CINS Active Threat Intelligence Poor Reputation IP group 70 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 61.160.237.40:48539 -> 209.23.8.4:2375
03/16/2022-05:33:07.307152  [**] [1:2403399:73004] ET CINS Active Threat Intelligence Poor Reputation IP group 100 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 97.74.81.123:55652 -> 209.23.8.4:3389
03/16/2022-05:33:13.355428  [**] [1:2402000:6215] ET DROP Dshield Block Listed Source group 1 [**] [Classification: Misc Attack] [Priority: 2] {UDP} 146.88.240.4:41296 -> 209.23.8.4:69

The output above confirms that Suricata is running and generating alerts.
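As an added example (not part of the original post), here is a small Python parser for the fast.log alert format shown above. It extracts the signature id, message, classification, priority, protocol and endpoints from each line, then counts alerts per signature and per source address so that repeated sources stand out, and it counts malformed lines instead of silently dropping them. The sample lines, addresses and the malformed trailing line are constructed for the example.

```python
import re
from collections import Counter

# Constructed fast.log sample (documentation-range addresses, not the article's sensor); last line is malformed.
SAMPLE_FAST_LOG = """\
03/16/2022-05:29:11.007980  [**] [1:2402000:6215] ET DROP Dshield Block Listed Source group 1 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 198.51.100.7:43288 -> 203.0.113.4:1336
03/16/2022-05:29:18.049526  [**] [1:2402000:6215] ET DROP Dshield Block Listed Source group 1 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 198.51.100.9:44217 -> 203.0.113.4:37394
03/16/2022-05:29:18.049526  [**] [1:2403393:73004] ET CINS Active Threat Intelligence Poor Reputation IP group 94 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 198.51.100.9:44217 -> 203.0.113.4:37394
03/16/2022-05:33:13.355428  [**] [1:2402000:6215] ET DROP Dshield Block Listed Source group 1 [**] [Classification: Misc Attack] [Priority: 2] {UDP} 198.51.100.7:41296 -> 203.0.113.4:69
garbage that is not a fast.log record
"""

# One record: ts [**] [gid:sid:rev] msg [**] [Classification: c] [Priority: n] {proto} src -> dst
FAST_LOG_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4}-\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[A-Za-z0-9]+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)$"
)

def split_endpoint(endpoint, proto):
    # TCP/UDP endpoints are "ip:port"; ICMP carries no port. Assumes IPv4 literals.
    if proto in ("TCP", "UDP") and ":" in endpoint:
        host, _, port = endpoint.rpartition(":")
        return host, int(port)
    return endpoint, None

def parse_fast_log_line(line):
    # Returns a dict for a valid alert line, or None for anything else.
    m = FAST_LOG_RE.match(line.rstrip())
    if not m:
        return None
    rec = m.groupdict()
    rec["src_ip"], rec["src_port"] = split_endpoint(rec.pop("src"), rec["proto"])
    rec["dst_ip"], rec["dst_port"] = split_endpoint(rec.pop("dst"), rec["proto"])
    rec["prio"] = int(rec["prio"])
    return rec

def summarize(lines):
    # Alerts per signature id and per source IP; malformed lines are counted, not dropped.
    out = {"total": 0, "unparsed": 0, "by_sid": Counter(), "by_src": Counter()}
    for rec in map(parse_fast_log_line, filter(str.strip, lines)):
        if rec is None:
            out["unparsed"] += 1
            continue
        out["total"] += 1
        out["by_sid"][rec["sid"]] += 1
        out["by_src"][rec["src_ip"]] += 1
    return out
```

Running `summarize(open("/var/log/suricata/fast.log"))` on a live sensor gives the same per-signature and per-source counts for the real log.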

In this guide we explained how to install Suricata IDS on Rocky Linux 8. We also configured Suricata IDS and tested it with a DDoS attack. You can now deploy Suricata IDS on a production server to protect it against DDoS attacks.
