相关链接
规则库
Proofpoint Emerging Threats Rules
在线转化
类型解析文件
安装方法
官方文件
6.3. IP关键字 — Suricata 7.0.0-dev 文档
Suricata User Guide — Suricata 8.0.0-dev documentation
视频学习
suricata安装与配置
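# Install EPEL plus the COPR plugin (the package is yum-plugin-copr, not
# "coper"), then enable the OISF-maintained Suricata 6.0 repository.
# The COPR owner is "@oisf": a mistyped owner either fails or pulls packages
# from an unrelated third-party repository, so verify the owner on
# copr.fedorainfracloud.org before enabling it.
yum install epel-release yum-plugin-copr
yum copr enable @oisf/suricata-6.0
yum install suricata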
重要配置
在/var/log/suricata目录下面
eve.json 以json的形式格式储存信息
fast.log 告警核心文件(每条告警一行,便于快速查看)
stats.log suricata的统计信息
suricata suricata程序运行日志文件
/etc/suricata/suricata.yaml 为主配置文件;规则文件的实际路径以其中的 default-rule-path / rule-files 为准
启动
启动前建议先在规则文件中添加一条规则用于验证,并用 suricata -T -c /etc/suricata/suricata.yaml 校验配置与规则语法(语法错误的规则默认只会被跳过并记日志,不会阻止启动,容易被忽略)
# ens33 is the interface to sniff. Run from /etc/suricata/ so the relative
# suricata.yaml path resolves (or pass -c /etc/suricata/suricata.yaml).
suricata -c suricata.yaml -i ens33
# Daemonize; runtime messages then go to the suricata log under
# /var/log/suricata (see the log-file list above).
suricata -c suricata.yaml -i ens33 -D
suricata 识别http攻击
定义http攻击类型
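# classification.config entries: name,description,priority (1 = highest).
# Every classtype referenced by a rule must be defined here; depending on the
# Suricata version an undefined classtype either makes the rule fail to load
# or loads it with the default priority and a warning, so the priorities
# below would silently not apply.
config classification: web-status-attack,web服务器状态异常,4
config classification: web-scan-injection,web页面扫描攻击,2
config classification: web-sql-error,SQL注入攻击,1
config classification: web-xss-injection,xss跨站攻击,2
config classification: web-ssrf-attack,SSRF请求伪造,2
config classification: web-shell-attack,站点木马植入,1
config classification: web-file-upload,文件上传攻击,1
# Names the rules on this page actually use but which were missing above.
config classification: web-sql-injection,SQL注入攻击,1
config classification: web-xss-attack,xss跨站攻击,2
config classification: web-shell-connect,webshell连接流量,1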
url地址栏异常
404状态码
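# 404 status code (404状态码). http.stat_code only exists in the response, so
# the alerting packet's source is the web server.
alert http $HOME_NET 80 -> any any (msg:"web服务器出现404状态码"; flow:established,to_client; http.stat_code; content:"404"; classtype:web-status-attack; sid:561001; rev:2;)
# Scan heuristic: because the match is on the server's reply, "track by_src"
# keyed the counter on the server and lumped every client's 404s together.
# track by_dst counts per scanning client.
alert http any $HTTP_PORTS -> any any (msg:"频繁出现404状态码,疑似扫描"; flow:established,to_client; http.stat_code; content:"404"; threshold:type threshold, track by_dst, count 5, seconds 20; classtype:web-status-attack; sid:561002; rev:2;)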
sql注入
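# SQL injection keywords in the normalized request URI (sql注入--url).
# The sticky http.uri buffer is used instead of the http_uri modifier so that
# a following pcre is scoped to the URI: a bare pcre after http_uri runs
# against the raw payload unless it carries the /U flag. Keyword matching is
# noisy on its own; tune before using these in IPS mode.
alert http any any -> any $HTTP_PORTS (msg:"SQL注入攻击-union"; flow:established,to_server; http.uri; content:"union"; nocase; classtype:web-sql-injection; sid:561010; rev:2;)
alert http any any -> any $HTTP_PORTS (msg:"SQL注入攻击-select"; flow:established,to_server; http.uri; content:"select"; nocase; classtype:web-sql-injection; sid:561011; rev:2;)
alert http any any -> any $HTTP_PORTS (msg:"SQL注入攻击-order by"; flow:established,to_server; http.uri; content:"order by"; nocase; classtype:web-sql-injection; sid:561012; rev:2;)
alert http any any -> any $HTTP_PORTS (msg:"SQL注入攻击-database"; flow:established,to_server; http.uri; content:"database"; nocase; classtype:web-sql-injection; sid:561013; rev:2;)
alert http any any -> any $HTTP_PORTS (msg:"SQL注入攻击-version"; flow:established,to_server; http.uri; content:"version"; nocase; classtype:web-sql-injection; sid:561014; rev:2;)
# "user" as a bare word matches ordinary paths such as /user/login; require
# the function-call form (user(), current_user() ...) the injection needs.
alert http any any -> any $HTTP_PORTS (msg:"SQL注入攻击-user"; flow:established,to_server; http.uri; content:"user("; nocase; classtype:web-sql-injection; sid:561015; rev:2;)
alert http any any -> any $HTTP_PORTS (msg:"SQL注入攻击-updatexml"; flow:established,to_server; http.uri; content:"updatexml"; nocase; classtype:web-sql-injection; sid:561016; rev:2;)
alert http any any -> any $HTTP_PORTS (msg:"SQL注入攻击-if"; flow:established,to_server; http.uri; content:"if("; nocase; classtype:web-sql-injection; sid:561017; rev:2;)
alert http any any -> any $HTTP_PORTS (msg:"SQL注入攻击-and"; flow:established,to_server; http.uri; content:"|20|and|20|"; nocase; classtype:web-sql-injection; sid:561018; rev:2;)
# "--" followed by "+" or whitespace (what MySQL requires after the comment
# marker). The original pcre "/\++|\s+/" was unscoped and matched any "+" or
# blank anywhere in the packet, i.e. nearly always.
alert http any any -> any $HTTP_PORTS (msg:"SQL注入攻击---"; flow:established,to_server; http.uri; content:"--"; pcre:"/--[+\s]/"; classtype:web-sql-injection; sid:561019; rev:2;)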
xss
# xss: exact "<script>" in the normalized URI. The match needs the literal
# closing ">" right after the tag name, so "<script src=...>",
# "<img onerror=...>" and attribute/entity-encoded variants are not caught.
alert http any any -> any $HTTP_PORTS (msg:"跨站脚本攻击-<script>"; content: "<script>"; http_uri; nocase; classtype: web-xss-attack; sid: 561020; rev: 1;)
ssrf
# ssrf: "file:" scheme in the URI (|3A| is ':'; the normalized http_uri
# buffer decodes %3A, so the encoded form matches as well). Other SSRF
# vectors — http:// to internal hosts, gopher:, dict: — are not covered.
alert http any any -> any $HTTP_PORTS (msg:"服务器请求伪造-file"; content: "file|3A|"; http_uri; nocase; classtype: web-ssrf-attack; sid: 561030; rev: 1;)
木马脚本
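# PHP code in the URI (木马脚本--url). Two defects fixed: the original pcre
# used unescaped "$", which PCRE reads as the end-of-subject anchor, so the
# "$_POST"/"$_GET" alternatives could never match; and it lacked the /U flag,
# so it ran against the raw payload instead of the URI. The sticky http.uri
# buffer scopes both content and pcre to the URI.
alert http any any -> any $HTTP_PORTS (msg:"URL地址木马"; flow:established,to_server; http.uri; content:"<?"; pcre:"/eval|assert|system\(|exec|\$_POST|\$_GET/i"; classtype:web-shell-attack; sid:561040; rev:2;)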
post 请求异常
处理post请求与get请求一致,只是需要将 http.uri(旧写法 http_uri)换成 http.request_body(旧写法 http_client_body);注意粘性缓冲区 http.request_body 必须写在它所修饰的 content/pcre 之前,写在后面的话前面的 content 匹配的是原始载荷
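# SQL keyword in a form-encoded POST body (sql注入--post--请求体).
# Sticky buffers (http.content_type, http.request_body) must precede the
# content/pcre they scope; in the original the "=" content came before
# http.request_body and was therefore matched against the raw payload.
alert http any any -> any $HTTP_PORTS (msg:"SQL注入攻击-post"; flow:established,to_server; http.content_type; content:"x-www-form-urlencoded"; http.request_body; content:"="; pcre:"/select/i"; classtype:web-sql-injection; sid:561050; rev:2;)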
检测post请求正文是否存在木马关键字
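# "eval" in a form-encoded POST body (木马脚本--post). The sticky buffer is
# moved ahead of the content it scopes: in the original, "=" was matched on
# the raw payload because http.request_body came after it.
alert http any any -> any $HTTP_PORTS (msg:"POST木马脚本"; flow:established,to_server; http.content_type; content:"x-www-form-urlencoded"; http.request_body; content:"="; pcre:"/eval/i"; classtype:web-shell-attack; sid:561060; rev:2;)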
请求头处理
# "select" anywhere in the request headers (Cookie, User-Agent, Referer ...).
# The leading content:"=" is close to always true inside a header block, so
# the pcre does all the work; expect noise from cookies and Referer URLs.
# NOTE(review): sid 56160 breaks the 5610xx numbering used by every other
# rule on this page — confirm it is intentional and not a dropped digit.
alert http any any -> any $HTTP_PORTS (msg:"SQL注入攻击--请求头"; http.header; content: "="; pcre:"/select/i"; classtype: web-sql-injection; sid: 56160; rev: 1;)
业务逻辑检测
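# Login brute force (多次登录爆破): count POSTs to login.php per client.
# Without the method check every GET that merely renders the login form also
# advanced the counter, so five page loads in 10 s looked like an attack.
alert http any any -> any $HTTP_PORTS (msg:"多次登录爆破"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"login.php"; threshold:type threshold, track by_src, count 5, seconds 10; sid:561070; rev:2;)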
suricata 处理文件上传流量
文件保存配置
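# outputs: entry in suricata.yaml. Stores the files matched by rules that
# carry the "filestore" keyword (the upload rule on this page). The original
# was missing the ":" after file-store, so the nested keys did not belong to
# it. Extracted files are attacker-supplied content: keep the store
# directory (see the "dir" key) readable by the Suricata user only and never
# serve or execute anything from it.
- file-store:
    version: 2
    enabled: yes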
疑似上传木马
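# Multipart POST whose body carries PHP-looking code (文件上传异常); filestore
# keeps the file, which requires the file-store output to be enabled.
# "$_POST"/"$_GET" in the original pcre were unescaped, so PCRE read "$" as
# the end-of-subject anchor and those alternatives never matched.
alert http any any -> any $HTTP_PORTS (msg:"疑似上传木马"; flow:established,to_server; http.method; content:"POST"; http.content_type; content:"multipart/form-data"; http.request_body; content:"Content-Disposition"; http.request_body; pcre:"/eval|assert|system\(|exec|\$_POST|\$_GET/i"; filestore; classtype:web-file-upload; sid:561080; rev:2;)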
webshell流量分析及suricata 规则
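# AntSword (蚁剑): display_errors / set_time_limit in the POST body are the
# author's indicator. The sticky buffer already precedes the content here;
# the trailing "nocase" was redundant with the pcre's /i flag and is dropped.
alert http any any -> any $HTTP_PORTS (msg:"发现蚁剑流量特征"; flow:established,to_server; http.request_body; content:"="; pcre:"/display_errors|set_time_limit/i"; classtype:web-shell-connect; sid:561090; rev:2;)
# Behinder 3.0 (冰蝎) — disabled: a >1000-byte TCP segment on a web port is
# any ordinary page or download, so this fired on nearly all traffic.
#alert tcp any any <> any $HTTP_PORTS (msg:"疑似冰蝎流量特征"; dsize:>1000; classtype:web-shell-connect; sid:561100; rev:1;)
# Behinder 3.0 (冰蝎): sid changed from 561120, which the Godzilla rule below
# already used (Suricata de-duplicates by sid, keeping the higher rev).
# "no-cache" together with Pragma/Cache-Control is sent by ordinary browsers
# too, so this is noisy; the 16-hex token is the author's indicator and is
# presumably tied to the tool's default key — confirm it really appears in
# the request headers before relying on that alternative.
alert http any any -> any $HTTP_PORTS (msg:"发现冰蝎流量特征"; flow:established,to_server; http.header; content:"no-cache"; pcre:"/Pragma|Cache-Control|e45e329feb5d925b/i"; classtype:web-shell-connect; sid:561110; rev:2;)
# Godzilla (哥斯拉): "+" is now escaped — unescaped it is a quantifier, so the
# original regex could never match "xhtml+xml". All three alternatives also
# occur in normal browser Cookie/Accept headers (PHPSESSID followed by ";"
# whenever more cookies follow it); tune before using in IPS mode.
alert http any any -> any $HTTP_PORTS (msg:"发现哥斯拉流量特征"; flow:established,to_server; http.header; content:"="; pcre:"/Cookie: PHPSESSID=[a-z0-9]+\;|application\/xhtml\+xml|application\/xml/i"; classtype:web-shell-connect; sid:561120; rev:2;)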
suricata检测tcp和icmp
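# ICMP: 100 bytes is above the usual ping payload; larger echo payloads are a
# common sign of ICMP tunnelling, though path-MTU probes also trip it.
alert icmp any any <> $HOME_NET any (msg:"icmp载荷过大"; dsize:>100; sid:561130; rev:1;)
alert icmp any any <> $HOME_NET any (msg:"icmp载荷过大,次数过多"; dsize:>100; itype:8; threshold:type threshold, track by_src, count 6, seconds 10; sid:561140; rev:1;)
# Bidirectional: echo replies from the HOME_NET host are counted too (in
# that host's own by_src bucket), so a second alert fires for the victim.
alert icmp any any <> $HOME_NET any (msg:"icmp次数过多"; threshold:type threshold, track by_src, count 6, seconds 10; sid:561150; rev:1;)
# sid 561160 removed: it duplicated 561130 byte for byte and produced a
# second alert for every large ICMP packet.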
tcp流量识别
TCP Flood
# TCP flood heuristic: every packet of an established client->server flow
# advances the counter, so 60 packets in 30 s is reached by one ordinary
# browsing session. Raise the count or key on SYNs before using it to block.
alert tcp any any -> $HOME_NET any (msg:"TCP泛洪"; flow: established, to_server; threshold: type threshold, track by_src, count 60, seconds 30; sid: 561170; rev: 1;)
flow: established, to_server;匹配已经建立的到服务器方向
SYN Flood
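# SYN flood: "dsiz" was a typo (unknown keyword, so the rule was rejected at
# load time), and even spelled correctly a SYN ordinarily carries no payload,
# so dsize:>900 could never be true — dropped. sid changed from 561170, which
# the TCP flood rule already uses. "type both" alerts once per 120 s window
# after the 20th SYN from a source.
alert tcp $EXTERNAL_NET 10000: -> $HOME_NET 0:1023 (msg:"syn 泛洪"; flags:S; flow:to_server; threshold:type both, count 20, seconds 120, track by_src; sid:561171; rev:2;)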
flow: to_server; 匹配到服务器方向
cc 攻击
# HTTP GET flood on /?id= (cc攻击): 20 GETs in 20 s from one client; "type
# both" limits the alert to once per window. A legitimate page that polls
# /?id= will trip it as well.
alert http any any -> $HOME_NET any (msg:"cc攻击"; flow: established,to_server; threshold: type both, count 20, seconds 20, track by_src; http.method; content:"GET"; http.uri; content:"/?id="; sid: 561180; rev: 1;)
suricata检测mysql和ssh
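# MySQL brute force (mysql暴力破解). "Access denied for user" is in the
# server's error packet, so the alerting packet's source is the MySQL server:
# the original "track by_src" counted failures per server, not per client.
# track by_dst counts per attacking client. $MYSQL_PORTS is not defined in
# the stock suricata.yaml — add it under vars.port-groups or use 3306. The
# string is not visible once the client negotiates TLS.
alert tcp any $MYSQL_PORTS -> any any (msg:"MYSQL 暴破攻击"; flow:established,to_client; content:"Access denied for user"; nocase; threshold:type threshold, track by_dst, count 5, seconds 20; sid:561190; rev:2;)
# Same text as hex ("Access denied for use"), case-sensitive and without the
# threshold: one alert per failed login.
alert tcp any $MYSQL_PORTS -> any any (msg:"MYSQL登录失败-16"; flow:established,to_client; content:"|4163636573732064656e69656420666f7220757365|"; sid:561200; rev:2;)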
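# SSH: the byte marker is the author's observation and its direction is not
# stated, so the threshold keeps by_src — if the marker is in the server's
# reply, switch to by_dst to count per client. Suricata stops inspecting SSH
# payload once the session is encrypted (app-layer.protocols.ssh
# encryption-handling), so content matches after the key exchange are not
# reliable; sshd's auth log is the authoritative source for failed logins.
# sid 561210 was used by both rules; the threshold rule is now 561220.
alert ssh any any <> any 22 (msg:"SSH登录失败-16"; content:"|1500000000000000000000|"; sid:561210; rev:1;)
alert ssh any any <> any 22 (msg:"多次SSH登录失败-16"; content:"|1500000000000000000000|"; threshold:type threshold, track by_src, count 5, seconds 20; sid:561220; rev:1;)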
suricata在本机的使用ips
1.需要启动iptables
环境配置
yum install -y iptables-services
判断nfq在启动状态
2.转发到nfq
nfq将网络包处理委托给用户态软件
# Hand every inbound packet to NFQUEUE 0 for Suricata (-q 0). With no
# user-space listener (Suricata stopped or crashed) the kernel drops these
# packets: the host fails closed. Add --queue-bypass if fail-open is wanted
# instead, and keep the management ACCEPT rules (port 22) ahead of this one.
iptables -I INPUT -j NFQUEUE
放行指定端口(下面的示例放行的是 8888 而不是 80;-I 插到 INPUT 链首,保证它先于 NFQUEUE 规则生效)
iptables -I INPUT -p tcp --dport 8888 -j ACCEPT
阻止IP访问
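# Drop TCP/80 from one source. The original was missing the space before
# --dport, which iptables rejects as a malformed address. Inserted at the top
# of INPUT so it is evaluated before the NFQUEUE rule.
iptables -I INPUT -p tcp -s 192.168.138.1 --dport 80 -j DROP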
删除
iptables -D INPUT 1
# Inline (IPS) mode reading from NFQUEUE 0. Only "drop"/"reject" rules block
# traffic here; "alert" rules still just log, exactly as in sniffing mode.
suricata -c suricata.yaml -q 0
所有入站包都交给 suricata 后,一旦 suricata 崩溃或停止,内核找不到用户态接收者就会丢弃这些包(fail-closed),主机网络访问随之受影响;若希望 fail-open,可改用 -j NFQUEUE --queue-bypass,但代价是 suricata 不在线时流量完全不经检测
iptables -I INPUT -j NFQUEUE
在交给用户态软件之前,先插入一条放行 22 端口的规则保证管理通道;最好用 -s 限定管理网段,否则所有来源的 SSH 都会完全绕过 suricata 检测
iptables -I INPUT -p tcp --dport 22 -j ACCEPT
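# Same rule as the "-and" URI rule above; its sid had been changed to 561011,
# which collides with the "-select" rule (Suricata de-duplicates by sid and
# keeps only the higher rev). Restored to 561018. In -q (IPS) mode change the
# action to "drop" if the match is meant to be blocked — "alert" only logs.
alert http any any -> any $HTTP_PORTS (msg:"SQL注入攻击-and"; flow:established,to_server; http.uri; content:"|20|and|20|"; nocase; classtype:web-sql-injection; sid:561018; rev:2;)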
suricata在网关的使用ips
是否允许端口转发
iptabels路由转发_iptables路由转发-CSDN博客
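# Gateway mode: DNAT inbound 192.168.138.130:8888 to the protected server
# 192.168.138.150:8080. Forwarding must be enabled in the kernel first or the
# DNATed packets are silently dropped (persist it in /etc/sysctl.d/).
sysctl -w net.ipv4.ip_forward=1
# Requests for 192.168.138.130:8888 are rewritten to 192.168.138.150:8080.
iptables -t nat -A PREROUTING -d 192.168.138.130 -p tcp --dport 8888 -j DNAT --to-destination 192.168.138.150:8080
# Packets leaving for 192.168.138.150:8080 get the gateway's address as their
# source, so the server's replies come back through this box even when the
# gateway is not its default route. The cost is that the server no longer
# sees the real client IP (the original comment described this backwards).
iptables -t nat -A POSTROUTING -d 192.168.138.150 -p tcp --dport 8080 -j SNAT --to-source 192.168.138.130
# Inspect with: iptables -nL -t nat
# Allow only the DNATed flow and its return traffic through FORWARD. The
# original blanket "-I FORWARD -j ACCEPT" turned the gateway into an open
# router for anything routed through it. To have Suricata inspect the
# forwarded flow, this is the rule to point at NFQUEUE instead of ACCEPT.
iptables -t filter -I FORWARD -d 192.168.138.150 -p tcp --dport 8080 -j ACCEPT
iptables -t filter -I FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT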
# Source whitelist on the target server (firewalld). --permanent only writes
# the configuration; run `firewall-cmd --reload` afterwards or it never takes
# effect.
# NOTE(review): 192.168.229.1/24 is a host address with a /24 mask and is
# not the 192.168.138.0/24 network used everywhere else on this page —
# confirm the intended source network and write it as a network address
# (e.g. 192.168.229.0/24).
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.229.1/24" port protocol="tcp" port="80" accept'
firewall-cmd命令大全
命令firewalld和firewall-cmd用法_systemctl start firewalld.service-CSDN博客
suricata https
配置nginx反向代理,https协议
下载
https://nginx.org/download/nginx-1.21.0.tar.gz (通过 https 下载,并用同目录下的 .asc 签名核对后再解压)
tar -zxvf nginx-1.21.0.tar.gz
安装
yum install nginx
证书生成
nginx.conf
自定义规则包
# 将文件名改成suricata.rules
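# Custom rule set from this page with the fixes noted inline. The classtypes
# web-sql-injection, web-xss-attack and web-shell-connect are not in the
# classification block above — add them to classification.config.
# 404 status code (404状态码): http.stat_code is a response buffer, so the
# alerting packet's source is the server; thresholds track by_dst (per client).
alert http $HOME_NET 80 -> any any (msg:"web服务器出现404状态码"; flow:established,to_client; http.stat_code; content:"404"; classtype:web-status-attack; sid:561001; rev:2;)
alert http any $HTTP_PORTS -> any any (msg:"频繁出现404状态码,疑似扫描"; flow:established,to_client; http.stat_code; content:"404"; threshold:type threshold, track by_dst, count 5, seconds 20; classtype:web-status-attack; sid:561002; rev:2;)
# SQL injection in the URI (sql注入--url): sticky http.uri so that a following
# pcre is scoped to the URI (a bare pcre after http_uri ran on the raw payload).
alert http any any -> any $HTTP_PORTS (msg:"SQL注入攻击-union"; flow:established,to_server; http.uri; content:"union"; nocase; classtype:web-sql-injection; sid:561010; rev:2;)
alert http any any -> any $HTTP_PORTS (msg:"SQL注入攻击-select"; flow:established,to_server; http.uri; content:"select"; nocase; classtype:web-sql-injection; sid:561011; rev:2;)
alert http any any -> any $HTTP_PORTS (msg:"SQL注入攻击-order by"; flow:established,to_server; http.uri; content:"order by"; nocase; classtype:web-sql-injection; sid:561012; rev:2;)
alert http any any -> any $HTTP_PORTS (msg:"SQL注入攻击-database"; flow:established,to_server; http.uri; content:"database"; nocase; classtype:web-sql-injection; sid:561013; rev:2;)
alert http any any -> any $HTTP_PORTS (msg:"SQL注入攻击-version"; flow:established,to_server; http.uri; content:"version"; nocase; classtype:web-sql-injection; sid:561014; rev:2;)
# "user" alone matches /user/... paths; require the function-call form.
alert http any any -> any $HTTP_PORTS (msg:"SQL注入攻击-user"; flow:established,to_server; http.uri; content:"user("; nocase; classtype:web-sql-injection; sid:561015; rev:2;)
alert http any any -> any $HTTP_PORTS (msg:"SQL注入攻击-updatexml"; flow:established,to_server; http.uri; content:"updatexml"; nocase; classtype:web-sql-injection; sid:561016; rev:2;)
alert http any any -> any $HTTP_PORTS (msg:"SQL注入攻击-if"; flow:established,to_server; http.uri; content:"if("; nocase; classtype:web-sql-injection; sid:561017; rev:2;)
alert http any any -> any $HTTP_PORTS (msg:"SQL注入攻击-and"; flow:established,to_server; http.uri; content:"|20|and|20|"; nocase; classtype:web-sql-injection; sid:561018; rev:2;)
# "--" followed by "+"/whitespace; the original "/\++|\s+/" was unscoped and
# matched almost every packet.
alert http any any -> any $HTTP_PORTS (msg:"SQL注入攻击---"; flow:established,to_server; http.uri; content:"--"; pcre:"/--[+\s]/"; classtype:web-sql-injection; sid:561019; rev:2;)
# xss: exact "<script>" only — tags with attributes are not caught.
alert http any any -> any $HTTP_PORTS (msg:"跨站脚本攻击-<script>"; flow:established,to_server; http.uri; content:"<script>"; nocase; classtype:web-xss-attack; sid:561020; rev:2;)
# ssrf: "file:" scheme (|3A| is ':').
alert http any any -> any $HTTP_PORTS (msg:"服务器请求伪造-file"; flow:established,to_server; http.uri; content:"file|3A|"; nocase; classtype:web-ssrf-attack; sid:561030; rev:2;)
# PHP code in the URI (木马脚本--url): "$" escaped — unescaped it is PCRE's
# end anchor and "$_POST"/"$_GET" never matched.
alert http any any -> any $HTTP_PORTS (msg:"URL地址木马"; flow:established,to_server; http.uri; content:"<?"; pcre:"/eval|assert|system\(|exec|\$_POST|\$_GET/i"; classtype:web-shell-attack; sid:561040; rev:2;)
# POST body rules: sticky buffers now precede the content/pcre they scope
# (originally "=" was matched on the raw payload).
alert http any any -> any $HTTP_PORTS (msg:"SQL注入攻击-post"; flow:established,to_server; http.content_type; content:"x-www-form-urlencoded"; http.request_body; content:"="; pcre:"/select/i"; classtype:web-sql-injection; sid:561050; rev:2;)
alert http any any -> any $HTTP_PORTS (msg:"POST木马脚本"; flow:established,to_server; http.content_type; content:"x-www-form-urlencoded"; http.request_body; content:"="; pcre:"/eval/i"; classtype:web-shell-attack; sid:561060; rev:2;)
# "select" in request headers; noisy. sid 56160 kept — confirm it is intended
# (every other sid here is 5610xx).
alert http any any -> any $HTTP_PORTS (msg:"SQL注入攻击--请求头"; flow:established,to_server; http.header; content:"="; pcre:"/select/i"; classtype:web-sql-injection; sid:56160; rev:2;)
# Login brute force: POSTs only, so rendering the form does not count.
alert http any any -> any $HTTP_PORTS (msg:"多次登录爆破"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"login.php"; threshold:type threshold, track by_src, count 5, seconds 10; sid:561070; rev:2;)
# Upload containing PHP-looking code; needs outputs.file-store enabled.
alert http any any -> any $HTTP_PORTS (msg:"疑似上传木马"; flow:established,to_server; http.method; content:"POST"; http.content_type; content:"multipart/form-data"; http.request_body; content:"Content-Disposition"; http.request_body; pcre:"/eval|assert|system\(|exec|\$_POST|\$_GET/i"; filestore; classtype:web-file-upload; sid:561080; rev:2;)
# AntSword (蚁剑)
alert http any any -> any $HTTP_PORTS (msg:"发现蚁剑流量特征"; flow:established,to_server; http.request_body; content:"="; pcre:"/display_errors|set_time_limit/i"; classtype:web-shell-connect; sid:561090; rev:2;)
# Behinder (冰蝎): dsize rule stays disabled (any large segment matched); the
# header rule fires on any browser sending "Cache-Control: no-cache", so
# expect noise. The original line was also missing its closing ")".
#alert tcp any any <> any $HTTP_PORTS (msg:"疑似冰蝎流量特征"; dsize:>1000; classtype:web-shell-connect; sid:561100; rev:1;)
alert http any any -> any $HTTP_PORTS (msg:"发现冰蝎流量特征"; flow:established,to_server; http.header; content:"no-cache"; pcre:"/Cache-Control|e45e329feb5d925b/i"; classtype:web-shell-connect; sid:561110; rev:2;)
# Godzilla (哥斯拉): no rule in this file; the candidate in the webshell
# section matches ordinary Cookie/Accept headers and needs tuning first.
# icmp
alert icmp any any <> $HOME_NET any (msg:"icmp载荷过大"; dsize:>100; sid:561130; rev:1;)
alert icmp any any <> $HOME_NET any (msg:"icmp载荷过大,次数过多"; dsize:>100; itype:8; threshold:type threshold, track by_src, count 6, seconds 10; sid:561140; rev:1;)
alert icmp any any <> $HOME_NET any (msg:"icmp次数过多"; threshold:type threshold, track by_src, count 5, seconds 10; sid:561150; rev:1;)
# Floods (泛洪). The SYN rule stays disabled: a SYN ordinarily carries no
# payload, so its dsize test never held; dsize removed and sid 561171 assigned
# so it no longer collides with the TCP flood rule if re-enabled.
alert tcp any any -> $HOME_NET any (msg:"TCP泛洪"; flow:established,to_server; threshold:type threshold, track by_src, count 20, seconds 30; sid:561170; rev:1;)
#alert tcp $EXTERNAL_NET 10000: -> $HOME_NET 0:1023 (msg:"syn 泛洪"; flags:S; flow:to_server; threshold:type both, count 20, seconds 120, track by_src; sid:561171; rev:2;)
alert http any any -> $HOME_NET any (msg:"cc攻击"; flow:established,to_server; threshold:type both, count 20, seconds 20, track by_src; http.method; content:"GET"; http.uri; content:"/?id="; sid:561180; rev:1;)
# mysql: "Access denied" is in the server reply, so track by_dst (per client).
alert tcp any 3306 -> any any (msg:"MYSQL 暴破攻击"; flow:established,to_client; content:"Access denied for user"; nocase; threshold:type threshold, track by_dst, count 5, seconds 20; sid:561190; rev:2;)
alert tcp any 3306 -> any any (msg:"MYSQL登录失败-16"; flow:established,to_client; content:"|4163636573732064656e69656420666f7220757365|"; sid:561200; rev:2;)
# ssh: Suricata stops inspecting SSH payload once the session is encrypted,
# so these content matches are best-effort — use sshd's auth log as the
# authoritative source.
alert ssh any any <> any 22 (msg:"SSH登录失败-16"; content:"|1500000000000000000000|"; sid:561210; rev:1;)
alert ssh any any <> any 22 (msg:"多次SSH登录失败-16"; content:"|1500000000000000000000|"; threshold:type threshold, track by_src, count 5, seconds 20; sid:561220; rev:1;)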
ES--日志处理
安装
Su+ELK实现网络监测(2)——ELK安装与配置_elk部署监测-CSDN博客
配置--允许远程登录访问
transport.tcp.compress: true
transport.tcp.port: 9300
network.publish_host: 192.168.138.160 # this host's LAN address: ES is now reachable from the network, not just localhost
node.master: true # eligible to be master
node.data: true # holds data
# NOTE(review): with xpack.security disabled, anyone who can reach 9200/9300
# can read, modify or delete every index — including the Suricata alert data
# — without credentials. Leave it off only on an isolated lab network;
# otherwise enable security plus transport TLS and create users before
# exposing publish_host.
#xpack.security.enabled: true
#xpack.security.transport.ssl.enabled: true
http.cors.enabled: true
# "*" lets any web page a browser visits issue requests to this ES instance;
# restrict it to the origin(s) that actually need it (e.g. a head/dashboard UI).
http.cors.allow-origin: "*"
http.cors.allow-methods: OPTIONS, HEAD, GET, POST, PUT, DELETE
http.cors.allow-headers: "X-Requested-With, Content-Type, Content-Length, X-User"
indices.query.bool.max_clause_count: 8192
search.max_buckets: 100000
启动--不允许root用户启动
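# Elasticsearch refuses to run as root; switch to the dedicated user first.
su es
# The launcher is bin/elasticsearch, all lower-case: the original
# "./elasticSearch" does not exist on a case-sensitive filesystem.
./elasticsearch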
kibana
安装
Su+ELK实现网络监测(2)——ELK安装与配置_elk部署监测-CSDN博客
配置
启动
./kibana --allow-root 启动(--allow-root 只适合实验环境;正式环境应以专用的非 root 用户运行 kibana)
filebeat
下载
https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-7.6.0-linux-x86_64.tar.gz
修改filebeat.yml
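# Module loading in filebeat.yml. The keys below belong to
# filebeat.config.modules and must be indented under it; flattened as in the
# original they are top-level keys Filebeat does not recognise.
filebeat.config.modules:
  path: /opt/filebeat/filebeat-7.6.0-linux-x86_64/modules.d/*.yml
  reload.enabled: true
  reload.period: 10s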
启动suricata模块
./filebeat modules enable suricata
./filebeat modules list
对suricata初始化
/opt/filebeat/filebeat-7.6.0-linux-x86_64/modules.d
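# Module: suricata  (modules.d/suricata.yml)
# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.6/filebeat-module-suricata.html
# Nested keys re-indented: as a flat list they did not belong to the module
# entry and the module would have run with its defaults.
- module: suricata
  # All logs
  eve:
    enabled: true
    # eve.json is written by Suricata (root by default); the user Filebeat
    # runs as needs read access to it.
    var.paths: ["/var/log/suricata/eve.json"]
    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    #var.paths: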
配置连接es 和 kibana
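# filebeat.yml: module loading plus the ES/Kibana outputs (nested keys
# re-indented; flattened as in the original they are not read).
filebeat.config.modules:
  path: /opt/filebeat/filebeat-7.6.0-linux-x86_64/modules.d/*.yml
  reload.enabled: true
  reload.period: 10s
# Plain HTTP with no credentials: the alert data crosses the LAN in clear and
# Filebeat trusts whatever answers on 9200. Pair this with ES security
# (username/password or API key) and ssl.* settings once off the lab network.
output.elasticsearch.hosts: ["192.168.138.160:9200"]
setup.kibana:
  host: "192.168.138.160:5601"
  protocol: "http"
setup.dashboards.enabled: true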
# 测试启动
./filebeat setup -e
# 正常启动
./filebeat -e
kibana查看
日志实时监控与开机启动(自定义 unit 建议放在 /etc/systemd/system;/usr/lib/systemd/system 由软件包管理,若 rpm 已自带 suricata.service,放在那里的手写文件会在升级时被覆盖)
GitHub - djmpink/TailLog: 实时日志(tail log)查看监控客户端工具
[root@localhost ]# cd /usr/lib/systemd/system
[root@localhost /usr/lib/systemd/system]# vim suricata.service
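[Unit]
Description=Suricata Intrusion Detection System
# Bring the interface up before attaching to it.
After=network.target
[Service]
Type=simple
# systemd needs an absolute path here: older releases (e.g. CentOS 7's
# systemd 219) reject a bare command name. Adjust if `command -v suricata`
# points elsewhere.
# Validate configuration and rules before starting; with --init-errors-fatal
# a broken signature fails the unit instead of being skipped silently.
ExecStartPre=/usr/sbin/suricata -T -c /etc/suricata/suricata.yaml --init-errors-fatal
ExecStart=/usr/sbin/suricata -c /etc/suricata/suricata.yaml -i ens33
# Come back after a crash: in NFQUEUE (IPS) mode a dead Suricata means the
# NFQUEUE rule blackholes traffic until the daemon returns.
Restart=on-failure
RestartSec=5
PrivateTmp=true
# NOTE(review): this unit runs Suricata as root. Packaged units normally drop
# privileges (e.g. --user/--group suricata) — mirror that if the suricata
# user exists and /var/log/suricata is writable by it.
[Install]
WantedBy=multi-user.target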
[root@localhost /usr/lib/systemd/system]# systemctl daemon-reload # 重新加载刷新服务
[root@localhost /usr/lib/systemd/system]# systemctl enable suricata.service # 设置开机自启
[root@localhost /usr/lib/systemd/system]# systemctl start suricata.service # 开启
[root@localhost /usr/lib/systemd/system]# systemctl status suricata.service # 查状态
[root@localhost /usr/lib/systemd/system]# systemctl stop suricata.service # 关闭