5.2网安学习第五阶段第二周回顾(个人学习记录使用)

本周重点

①HIDS的基本应用(suricata)

②Suricata的基本应用

③Suricata的流量检测

④Suricata的https流量检测

⑤利用Elastic整合Suricata日志

⑥利用Wazuh对Suricata主动响应

本周主要内容

①HIDS的基本应用(suricata)

1、NIDS

1、定义：网络入侵检测系统

2、工作机制：网络流量需要经过NIDS系统，如果通过NIDS的检测规则，没有发现问题，则可以进入后续的设备。类似于在服务器的前面加入一层过滤器。

2、suricata的安装

1、安装：按照官方文档的提示，使用提供的命令进行在线安装

yum install epel-release yum-plugin-copr
yum copr enable @oisf/suricata-6.0
yum install suricata

# 安装完成后，对应的路径如下：
Suricata主程序路径：/usr/sbin/suricata
Suricata核心配置目录：/etc/suricata/
Suricata日志目录：/var/log/suricata/
Suricata附属程序目录：/usr/bin

# 日志目录下的4个文件的功能
eve.json：以JSON格式存储预警信息或附加信息
fast.log：预警核心文件，只用于存储警告信息，非结构化数据
stats.log：Suricata的统计信息
suricata.log：Suricata程序的运行日志

#Linux安装
# yum install libjansson, libpcap, libpcre2, libmagic, zlib, libyaml, gcc, pkg-config,libgeoip, liblua5.1, libhiredis, libevent

2、修改基础配置信息

直接编辑/etc/suricata/suricata.yaml

vars:
  # more specific is better for alert accuracy and performance
  address-groups:
    #HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
    #HOME_NET: "[192.168.0.0/16]"
    #HOME_NET: "[10.0.0.0/8]"
    #HOME_NET: "[172.16.0.0/12]"
    #HOME_NET: "any"
    HOME_NET: "[192.168.112.0/24]"     # 指定192.168.112.0/24网段属于本地网络
    #EXTERNAL_NET: "!$HOME_NET"           # 指定非HOME_NET的IP为外部网络
    EXTERNAL_NET: "any"                   # 指定任意IP地址，只要是源IP，均视为外部网络

3、手工创建一个规则文件(没有规则文件启动会报错)

touch /etc/suricata/rules/suricata.rules
再指定 default-rule-path: /etc/suricata/rules  或   /var/lib/suricata/rules 均可

#加入一条规则
alert http $EXTERNAL_NET any <> $HOME_NET 80 (msg:"出现404错误"; content: "404"; http_stat_code; sid:561001;)

4、启动

cd /etc/suricata && suricata -c suricata.yaml -i ens33

-c <path> 指定配置文件的路径
-i  ens33  指定网络接口，凡是拦截网络流量的工具，都需要设定网卡
-D daemon 守护线程，所以这里的-D就是将suricata切到守护模式(后台启动)
-r <path>  作用就是导入离线的流量包，比如用wireshake抓包，然后保存成一个pcap文件， 可以用  -r  ../../xxx.pcap

3、规则语法基础

1. 预警规则

()中的内容，使用key:value的方式来设置元素，元素之间使用“;”隔开。如果规则中存在特色字符，使用转移字符\来解决

alert  http  $External_net  any  <> $HOME_NET 80 (msg:"提示信息";content:"404";target;sid:1232;rev:123)

action: 比如alert，drop，reject

协议字符：http，tcp，ssh

src_ip: $External_net

src_port: any 代表任意，一般来说源端口是任意的

方向：请求流量使用-> , 既有请求流量又需要响应流量，使用 <> ; 只有这么两种

dest_ip:$HOME_NET

dest_port: 80 目标端口

2. IP地址的规则

../..   IP范围 , 192.168.211.1/24
!IP  代表取反，比如 ！192.168.211.10  表示除掉192.168.211.10的地址
[...,...,....] 分组IP地址，[172.12.2.2,192.168.211.0/24]
IP 指定IP地址，就是写死IP地址

3. 端口规则

[80,81,82] 分组写法，表示在[]中存在IP即可，类似SQL中的 in
[80:100] 表示从80到100的范围
[80:] 从80端口开始到最高的端口65535
！80 取反，排除80端口
[80:100,!99] 复合写法，表示80到100的端口，去掉99号端口

4. meta keyword 元关键字

msg：预警描述信息

sid：规则编号：唯一

rev：规则的版本，默认为0，可以自由设定

classtype：规则的归类，在文件classification.config中定义

reference：引用参考，一般用于引用CVE编号

priority：优先级，如果设定了优先级，则可能会覆盖classtype中定义的优先级，这个关键字的取值范围1~255，建议设定为 1-4，1级最高

metadata：元素据，用于添加非功能性的数据

target：允许指定警报的是那一侧的攻击目标，target：[src_ip | dest_ip]

②Suricata的基本应用

1、识别HTTP攻击

1、定义攻击类型

修改类型定义文件classification.config

# custom define web classtype
config classification: web_status_error,WEB服务器状态异常,4
config classification: web_scan_attack,WEB页面扫描攻击,2
config classification: web_sql_injection,SQL注入攻击,1
config classification: web_shell_attack,木马植入攻击,1

2、编写检查的规则

检查规则在文件/var/lib/suricata/rules目录下面，文件名suricata.rules；/var/log/suricata

## Configure Suricata to load Suricata-Update managed rules.
##
default-rule-path: /var/lib/suricata/rules
rule-files:
  - suricata.rules

3、编写规则

alert http any any <> $HOME_NET 80 (msg:"WEB服务器404异常";content:"404";http_stat_code;classtype:web_status_error;sid:5610001;rev:1;)
alert http any any <> $HOME_NET 80 (msg:"SQL注入攻击-union";content:"union";http_uri;classtype:web_sql_injection;sid:5610002;rev:1;)

4、重启suricata，验证规则是否生效

在浏览器中输入：[http://192.168.230.138/dashboard/phpinfo.php?id=1%20union%20select%201,2,3,4%20#](http://192.168.230.138/dashboard/phpinfo.php?id=1 union select 1,2,3,4 #)

监控日志：/var/log/suricata/fast.log

05/20/2024-11:39:51.470394  [**] [1:5610002:1] SQL注入攻击-union [**] [Classification: SQL注入攻击] [Priority: 1] {TCP} 192.168.230.1:59589 -> 192.168.230.138:80

5、练习：

1. SQL注入检测：database()，version(),char()
2. web403异常，web 500异常

2、识别频率类的攻击的规则

404错误，当在一个时间范围内，连续多次的出现404，判定可能存在路径扫描

规则编写：

alert http any any <> $HOME_NET 80 (msg:"频繁出现404，疑似路径扫描";content:"404";http_stat_code;classtype:web_status_error;threshold:type threshold,track by_src,count 5,seconds 20;sid:561003;rev:1;)

threshold: 阈值

• 类型：type threshold 达到阈值则生成报警，limit 达到阈值后，最多生成多少次报警，这里的多少次由count决定，both照顾前面两种情况
• 追踪方向：track \
• 阈值：count \ 设定匹配规则的次数
• 时间窗口： seconds \ 设定n秒

练习：

1、识别登录的暴力破解密码的攻击

规则编写

alert http any any <> $HOME_NET 8080 (msg:"疑似登录爆破攻击";http.response_body;content:"login-fail";classtype:web_brute_attack;threshold:type threshold,track by_src,count 5,seconds 20;sid:561004;rev:1;)

增加检测的类型

config classification: web_brute_attack,暴力破解攻击,1

重启之后，进行验证；这里使用的目标web系统是woniusales

3、content规则字段解析

1、content字节表达方式

"     |22|
;     |3B|
:     |3A|
|     |7C|

例子：

content:"a|0D|bc";
content:"|61 0D 62 63|";
content:"a|0D|b|63|";

content在匹配的时候，区分大小写

如果不区分大小写，就需要是nocase关键字，告诉suricata在做匹配的时候不需要区分大小写

content: "abc"; nocase;

注意：nocase必须放在content的后面

2、深度：depth,表示从payload的有效载荷开始取指定的数目的字符

比如：payload=”abcdefghijk”,如果content=”def”;depth:3 这样就匹配不到

3、开始和结束字符

startswith: 检查content的值作为前缀；比如： content:”$GET”;startswith;表示被检测的内容必须以$GET作为开始。

endswith：检查content的值作为后缀；比如：content:”.png”;endswith; 表示被检测的内容必须以.png结束

4、偏移量offset

从有效载荷的开始数offset个字节然后才开始匹配content的内容

\

4、检测XSS攻击流量

规则：

alert http any any <> $HOME_NET 8080 (msg:"疑似XSS攻击";http.uri;content:"<script";nocase;classtype:web_sql_injection;sid:561005;rev:1;)

5、使用pcre进行复杂内容验证

pcre是兼容perl的正则表达式的一个标准，可以使用perl的规则来编写正则表达式

语法：pcre:”/regex/正则匹配的类型”

正则匹配的类型： i 表示忽略大小写，A，G

练习：

检测流量中包含一句话木马

php的一句话木马：

<php eval($_GET[0]);?>

jsp的一句话木马：

<% Process process = Runtime.getRuntime().exec(request.getParameter("cmd")); %>

规则

alert http any any <> $HOME_NET 80 (msg:"流量中存在一句话木马";http.uri;content:"<?";pcre:"/eval|assert|system\(|exec|$_GET|$_POST/i";classtype:web_shell_attack;sid:561006;rev:1;)

如果是在post的正文里面使用了一句话木马，如何检测？

检测的目标从http.uri变成请求正文内容，请求的正文关键字是: http.request_body 或 http_client_body

alert http any any <> $HOME_NET 8080 (msg:"流量中存在一句话木马";http.request_body;content:"exec";pcre:"/exec\(/";classtype:web_shell_attack;sid:561008;rev:1;)

4、一个规则中进行多个字段的匹配

规则描述

先匹配请求方法，如果是post，再匹配正文中是否存在一句话木马

alert http any any <> $HOME_NET 8080 (msg:"流量中存在一句话木马";http.method;content:"POST";startswith;http.request_body;content:"exec";pcre:"/exec\(/";classtype:web_shell_attack;sid:561009;rev:1;)

5、检测文件上传流量

1、文件上传的流量特征

• 方法是POST
• content_type必须是multipart/form-data
• 正文中必须要有： Content-Disposition

2、规则

alert http any any <> $HOME_NET 8080 (msg:"流量中存在一句话木马";http.method;content:"POST";startswith;http.content_type;content:"multipart/form-data";http.request_body;content:"Content-Disposition";classtype:web_file_upload;sid=561010;rev:1;)

3、文件上传的时候，包含一句话木马

alert http any any <> $HOME_NET 8080 (msg:"流量中存在一句话木马";http.method;content:"POST";startswith;http.content_type;content:"multipart/form-data";http.request_body;content:"Content-Disposition";http.request_body;pcre:"/eval|assert|system\(exec|$_POST|$_GET\(/i";classtype:web_file_upload;sid=561010;rev:1;)

3、练习：

编写一个上传文件的一句话木马检测规则

③Suricata的流量检测

1、icmp流量监测

规则：

alert icmp any any -> $HOME_NET any (msg:"检测到死亡ping攻击";dsize:>30;itype:8;threshold: type both,track by_src,count 20,seconds 5;sid:561011;rev:1;)

解释：

协议使用icmp， 目标端口设置为any，dsize关键字的作用判断有效载荷的字节数，>n,<n,!n; itype是icmp协议的类型type，这里的取8.

2、tcp flood

规则

alert  tcp  any any -> $HOME_NET any (msg:"TCP泛洪";flow: established,to_server;threshold: type threshold,track by_src,count 20 , seconds 1; sid:561012;rev:1;)

解释：

协议使用tcp，

关键字flow：

关键字可用于匹配流的方向，例如到/从客户端或到/从服务器。它还可以匹配是否建立了流。流关键字还可以用来表示签名必须只在流上匹配（只在流上匹配）或只在包上匹配（不在流上匹配）。
因此，使用Flow关键字可以匹配：
to_client
在从服务器到客户端的数据包上匹配。
to_server
在从客户端到服务器的数据包上匹配。
from_client
在从客户机到服务器的数据包上匹配（与到服务器相同）。
from_server
在从服务器到客户机的数据包上进行匹配（与“客户机”相同）。
已建立
匹配已建立的连接。
not_established
匹配不属于已建立连接的数据包。
无状态 stateless
匹配属于或不属于已建立连接的数据包。

3、SYN Flood

规则

alert  tcp any  any -> $HOME_NET any (msg:"SYN flood";flags:S;flow:stateless,to_server;dsize:>100;threshold: type threshold,track by_src,count 20 , seconds 1; sid:561012;rev:1)

flags:

F:finished 结束

S:syn 同步，会话开始

R：rst，reset 复位

A：ack 应答

U：urg 紧急

4、检测CC攻击流量

规则

alert http any any -> $HOME_NET 8080 (msg:"CC攻击";flow:established,to_server;threshold:type both,track by_src,count 20,seconds 1;http:method;content:"POST";http.request_body;content:"barcode";sid:561013;rev:1;)

这里使用了关键字flow，表示请求的发送是基于先建立的tcp的连接

5、MySQL爆破流量检测

规则

alert tcp any any <> $HOME_NET 3306 (msg:"MySQL爆破攻击";content:"Access denied for user";threshold: type threshold,track by_src,count 10,seconds 10;sid:561014;rev:1;)

6、MySQL木马写入流量检测

select "<?php eval($_POST[1]);?>" into outfile  "/opt/shell.php"

规则

alert tcp any any <> $HOME_NET 3306 (msg:"MySQL木马写入攻击";content:"into outfile";nocase;pcre:"/eval|assert|system|_POST|_GET/i";classtype:web_shell_attackl;sid:561015;rev:1;)

7、SSH流量检测

特征

规则：

alert  ssh any  any <> $HOME_NET 22 (msg:"SSH爆破";content:"|15 00 00 00 00 00 00 00 00 00 00|";threshold: type threshold,track by_src,count 3,seconds 10;sid:561016;rev:1;)

④Suricata的https流量检测

1、suricata是没有办法分析加密流量，所以只能通过其他的软件先将流量进行解密，然后传递给suricata

2、构造实验环境

• 一台客户机，模拟客户发送https请求，发给nginx
• 一台Linux，安装nginx服务，该设备上必须要安装https的证书，并且反向代理远程的tomcat
• 一台tomcat服务器，
• suricata可以安装在nginx或tomcat的服务器上

一、代理检测HTTPS的流量

原理：因为NIDS没有办法去检测加密的流量，所以需要通过代理的方式，先将加密的流量解密再进行检测。使用nginx来代理，然后suricata去检测nginx的流量。

1、准备好实验环境

• tomcat：192.168.230.13
• nginx：192.168.230.139
• suricata：192.168.230.138

2、给nginx生成证书

这里的证书的作用是用于解密浏览器传递过来的https加密流量

# 确认openssl是否安装好
openssl version
OpenSSL 1.0.2k-fips  26 Jan 2017
# 生成私钥
openssl genrsa -des3 -out server.pass.key 2048
# 去除私钥中的密码
rsa -in server.pass.key -out server.key
# 生成CSR证书
req -new -key server.key -out server.csr -subj "/C=CN/ST=BeiJing/L=BeiJing/O=dev/OU=dev/CN=localhost"
# 生成SSL的证书
openssl x509 -req -day 365 -in server.csr -signkey server.key -out server.crt

# 将 server.key  ，server.csr ，server.crt 复制到/usr/local/nginx/conf下面去
cp -p server.crt server.csr server.key    /usr/local/nginx/conf/

3、修改nginx.conf文件，对tomcat进行反向代理

user nginx;
#user  nobody;
worker_processes  1;

#error_log  logs/error.log;
#error_log  logs/error.log  notice;
#error_log  logs/error.log  info;

error_log /var/log/nginx/error.log;
#pid        logs/nginx.pid;
pid /run/nginx.pid;

events {
    worker_connections  1024;
}


http {
    #include       mime.types;
    default_type  application/octet-stream;

    #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
    #                  '$status $body_bytes_sent "$http_referer" '
    #                  '"$http_user_agent" "$http_x_forwarded_for"';

    #access_log  logs/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    #keepalive_timeout  0;
    keepalive_timeout  65;

    #gzip  on;
    upstream mytomcat{
        server 192.168.230.138:8080 weight=1;
        }

    # HTTPS server
    #
    server {
        listen       443 ssl;
        server_name  localhost;

        ssl_certificate      /usr/local/nginx/conf/server.crt;
        ssl_certificate_key  /usr/local/nginx/conf/server.key;

        ssl_session_cache    shared:SSL:1m;
        ssl_session_timeout  5m;

        ssl_ciphers  HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers  on;

        location / {
            root   html;
            index  index.html index.htm;
        }
        location /woniusales/{
                proxy_pass http://mytomcat/woniusales/;
                proxy_redirect default;
        }
        error_page 404 /404.html;
        error_page 500 502 503 504 /50x.html;
        location =/50x.html{
                root html;
        }
    }

}

4、启动nginx和tomcat，然后验证环境是否配置成果

5、准备suricata的规则

alert http any any <> $HOME_NET 8080 (msg:"流量中存在一句话木马";http.request_body;content:"exec";pcre:"/exec\(/";classtype:web_shell_attack;sid:561008;rev:1;)

6、重启suricata，在浏览器这边去输入含有敏感的关键字的请求，检测suricata是否能够正确的拦截流量

05/21/2024-06:25:02.489259  [**] [1:561008:1] 流量中存在一句话木马 [**] [Classification: 木马植入攻击] [Priority: 1] {TCP} 192.168.230.139:42282 -> 192.168.230.138:8080
05/21/2024-06:25:02.489259  [**] [1:561009:1] 流量中存在一句话木马 [**] [Classification: 木马植入攻击] [Priority: 1] {TCP} 192.168.230.139:42282 -> 192.168.230.138:8080

练习：

按照上述过程，编写一个检测流量中含有MySQL注入的规则

二、在suricata中实现ips的功能

suricata自己是没有办法去实现丢弃或者封禁的功能，suricata提供NFQueue的功能，这个功能和iptables的NFQueue结合起来就用实现对流量的管制

NFQueue的用途：iptables将流量放到这个队列中，然后等待用户程序对流量进行分析做出处置的决策，然后iptables会根据决策来执行处置行为。

实现步骤

1、安装iptables

yum -y install iptables iptables-services
systemctl stop firewalld
systemctl start iptables.service

2、开启iptables的队列功能

iptables -I INPUT -p tcp --dport 80 -j NFQUEUE
iptables -I OUTPUT -p tcp --sport 80 -j NFQUEUE
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -I INPUT -p tcp --dport 8080 -j NFQUEUE
iptables -I OUTPUT -p tcp --sport 8080  -j NFQUEUE

3、suricata启动队列监听

suricata -c suricata.yaml  -q 0

4、指定规则

drop http any any <> $HOME_NET 80 (msg:"频繁出现404，疑似路径扫描";content:"404";http_stat_code;classtype:web_status_error;threshold:type threshold,track by_src,count 5,seconds 20;sid:561003;rev:1;)

如果频繁的出现404则丢弃该IP过来的数据包

5、结果,可以看出多了drop标记

05/21/2024-08:40:53.583490  [**] [1:5610001:1] WEB服务器404异常 [**] [Classification: WEB服务器状态异常] [Priority: 4] {TCP} 192.168.230.138:80 -> 192.168.230.1:20941
05/21/2024-08:40:53.771510  [Drop] [**] [1:561003:1] 频繁出现404，疑似路径扫描 [**] [Classification: WEB服务器状态异常] [Priority: 4] {TCP} 192.168.230.138:80 -> 192.168.230.1:20941

⑤利用Elastic整合Suricata日志

一、配置FileBeat

1、查看目前已经启用哪些模块

[root@centqiang filebeat-7.14]# ./filebeat modules list
Error in modules manager: modules management requires 'filebeat.config.modules.path' setting
[root@centqiang filebeat-7.14]# vi filebeat.yml
filebeat.config.modules:
  path: /opt/filebeat-7.14/modules.d/*.yml
  reload.enabled: true
  reload.period: 10s

2、启用suricata模块

[root@centqiang filebeat-7.14]# ./filebeat modules enable suricata
Enabled suricata

3、对Suricat模块进行初始化

可以直接完成相应模板及Kibana的Dashboard的创建和处理，前提是先启动ES和Kibana。

（1）编辑： modules.d/suricata.yml

- module: suricata
  eve:
    enabled: true
    var.paths: ["/var/log/suricata/eve.json"]

（2）编辑：filebeat.yml，配置Filebeat连接Elastic和Kibana

setup.kibana:
  host: "192.168.112.198:5601"
  protocol: "http"
setup.dashboards.enabled: true

（3）运行 ./filebeat setup -e进行初始化操作，用于连接和配置ElasticSearch和Kibana。

[root@centqiang filebeat-7.14]# ./filebeat setup -e
2021-12-27T14:54:50.670+0800    INFO    instance/beat.go:665    Home path: [/opt/filebeat-7.14] Config path: [/opt/filebeat-7.14] Data path: [/opt/filebeat-7.14/data] Logs path: [/opt/filebeat-7.14/logs]
2021-12-27T14:54:50.670+0800    INFO    instance/beat.go:673    Beat ID: 5ff8de48-96bf-4699-8777-818b8f6e16c0
2021-12-27T14:54:50.671+0800    INFO    [beat]    instance/beat.go:1014    Beat info    {"system_info": {"beat": {"path": {"config": "/opt/filebeat-7.14", "data": "/opt/filebeat-7.14/data", "home": "/opt/filebeat-7.14", "logs": "/opt/filebeat-7.14/logs"}, "type": "filebeat", "uuid": "5ff8de48-96bf-4699-8777-818b8f6e16c0"}}}
2021-12-27T14:54:50.671+0800    INFO    [beat]    instance/beat.go:1023    Build info    {"system_info": {"build": {"commit": "574c21d25ddb65a63665ac26b54799f81a7e9706", "libbeat": "7.14.2", "time": "2021-09-15T10:26:32.000Z", "version": "7.14.2"}}}
2021-12-27T14:54:50.671+0800    INFO    [beat]    instance/beat.go:1026    Go runtime info    {"system_info": {"go": {"os":"linux","arch":"amd64","max_procs":4,"version":"go1.16.6"}}}
2021-12-27T14:54:50.671+0800    INFO    [beat]    instance/beat.go:1030    Host info    {"system_info": {"host": {"architecture":"x86_64","boot_time":"2021-12-27T09:38:40+08:00","containerized":false,"name":"centqiang","ip":["127.0.0.1/8","::1/128","192.168.112.195/24","fe80::c135:a71d:3611:b840/64","fe80::3726:145f:911a:51b2/64","fe80::2b1d:468a:d07a:34bc/64"],"kernel_version":"3.10.0-1160.el7.x86_64","mac":["00:0c:29:30:a6:c8"],"os":{"type":"linux","family":"redhat","platform":"centos","name":"CentOS Linux","version":"7 (Core)","major":7,"minor":9,"patch":2009,"codename":"Core"},"timezone":"CST","timezone_offset_sec":28800,"id":"4014b10d46364734aa0c022a21147156"}}}
2021-12-27T14:54:50.671+0800    INFO    [beat]    instance/beat.go:1059    Process info    {"system_info": {"process": {"capabilities": {"inheritable":null,"permitted":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend"],"effective":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend"],"bounding":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend"],"ambient":null}, "cwd": "/opt/filebeat-7.14", "exe": "/opt/filebeat-7.14/filebeat", "name": "filebeat", "pid": 10688, "ppid": 7839, "seccomp": {"mode":"disabled","no_new_privs":false}, "start_time": "2021-12-27T14:54:50.090+0800"}}}
2021-12-27T14:54:50.671+0800    INFO    instance/beat.go:309    Setup Beat: filebeat; Version: 7.14.2
2021-12-27T14:54:50.672+0800    INFO    [esclientleg]    eslegclient/connection.go:100    elasticsearch url: http://192.168.112.198:9200
2021-12-27T14:54:50.672+0800    INFO    [publisher]    pipeline/module.go:113    Beat name: centqiang
2021-12-27T14:54:50.673+0800    INFO    beater/filebeat.go:117    Enabled modules/filesets: wazuh (alerts),  ()
2021-12-27T14:54:50.674+0800    INFO    [esclientleg]    eslegclient/connection.go:100    elasticsearch url: http://192.168.112.198:9200
2021-12-27T14:54:50.677+0800    INFO    [esclientleg]    eslegclient/connection.go:273    Attempting to connect to Elasticsearch version 7.14.2
ILM policy and write alias loading not enabled.
2021-12-27T14:54:50.679+0800    INFO    template/load.go:229    Existing template will be overwritten, as overwrite is enabled.
2021-12-27T14:54:50.680+0800    INFO    template/load.go:132    Try loading template wazuh to Elasticsearch
2021-12-27T14:54:50.747+0800    INFO    template/load.go:124    Template with name "wazuh" loaded.
2021-12-27T14:54:50.747+0800    INFO    [index-management]    idxmgmt/std.go:297    Loaded index template.
Index setup finished.
Loading dashboards (Kibana must be running and reachable)
2021-12-27T14:54:50.747+0800    INFO    kibana/client.go:122    Kibana url: http://192.168.112.198:5601
2021-12-27T14:54:52.039+0800    INFO    kibana/client.go:122    Kibana url: http://192.168.112.198:5601
2021-12-27T14:56:10.013+0800    INFO    instance/beat.go:848    Kibana dashboards successfully loaded.
Loaded dashboards
2021-12-27T14:56:10.013+0800    WARN    [cfgwarn]    instance/beat.go:574    DEPRECATED: Setting up ML using Filebeat is going to be removed. Please use the ML app to setup jobs. Will be removed in version: 8.0.0
Setting up ML using setup --machine-learning is going to be removed in 8.0.0. Please use the ML app instead.
See more: https://www.elastic.co/guide/en/machine-learning/current/index.html
2021-12-27T14:56:10.014+0800    INFO    [esclientleg]    eslegclient/connection.go:100    elasticsearch url: http://192.168.112.198:9200
2021-12-27T14:56:10.018+0800    INFO    [esclientleg]    eslegclient/connection.go:273    Attempting to connect to Elasticsearch version 7.14.2
2021-12-27T14:56:10.018+0800    INFO    kibana/client.go:122    Kibana url: http://192.168.112.198:5601
2021-12-27T14:56:10.046+0800    WARN    fileset/modules.go:425    X-Pack Machine Learning is not enabled
2021-12-27T14:56:10.067+0800    WARN    fileset/modules.go:425    X-Pack Machine Learning is not enabled
Loaded machine learning job configurations
2021-12-27T14:56:10.067+0800    INFO    [esclientleg]    eslegclient/connection.go:100    elasticsearch url: http://192.168.112.198:9200
2021-12-27T14:56:10.070+0800    INFO    [esclientleg]    eslegclient/connection.go:273    Attempting to connect to Elasticsearch version 7.14.2
2021-12-27T14:56:10.072+0800    INFO    [esclientleg]    eslegclient/connection.go:100    elasticsearch url: http://192.168.112.198:9200
2021-12-27T14:56:10.075+0800    INFO    [esclientleg]    eslegclient/connection.go:273    Attempting to connect to Elasticsearch version 7.14.2
2021-12-27T14:56:10.203+0800    INFO    [modules]    fileset/pipelines.go:133    Elasticsearch pipeline loaded.    {"pipeline": "filebeat-7.14.2-suricata-eve-pipeline"}
2021-12-27T14:56:10.263+0800    INFO    [modules]    fileset/pipelines.go:133    Elasticsearch pipeline loaded.    {"pipeline": "filebeat-7.14.2-suricata-eve-dns"}
2021-12-27T14:56:10.320+0800    INFO    [modules]    fileset/pipelines.go:133    Elasticsearch pipeline loaded.    {"pipeline": "filebeat-7.14.2-suricata-eve-dns-answer-v1"}
2021-12-27T14:56:10.367+0800    INFO    [modules]    fileset/pipelines.go:133    Elasticsearch pipeline loaded.    {"pipeline": "filebeat-7.14.2-suricata-eve-dns-answer-v2"}
2021-12-27T14:56:10.427+0800    INFO    [modules]    fileset/pipelines.go:133    Elasticsearch pipeline loaded.    {"pipeline": "filebeat-7.14.2-suricata-eve-tls"}
2021-12-27T14:56:10.482+0800    INFO    [modules]    fileset/pipelines.go:133    Elasticsearch pipeline loaded.    {"pipeline": "filebeat-7.14.2-suricata-eve-http"}
2021-12-27T14:56:10.482+0800    INFO    cfgfile/reload.go:262    Loading of config files completed.
2021-12-27T14:56:10.482+0800    INFO    [load]    cfgfile/list.go:129    Stopping 1 runners ...
2021-12-27T14:56:10.546+0800    INFO    [modules]    fileset/pipelines.go:133    Elasticsearch pipeline loaded.    {"pipeline": "filebeat-7.14.2-wazuh-alerts-pipeline"}
Loaded Ingest pipelines

如果上述命令执行过程没有出现错误，说明初始化成功。

二、在Kibana中配置Dashboard

1、确认索引正常

2、搜索Dashboard

2、进入[Filebeat Suricata] Alert Overview

可以看到，Suricata预警在下方以表格的形式正常列出，但是上方的图表却出现了错误。

3、为图表修正错误

将鼠标放在 Error 提示信息上，可以看到，出错的图表的错误主要出现在关联的某个字段已经不存在的情况。

此时，只需要点击图表右上方的齿轮按钮，并在“Edit Visualization”菜单中，为其指定正确的列名即可。

4、Discover搜索并查看

三、利用Wazuh整合Suricata

1、配置Wazuh监控eve.json

<localfile>
    <log_format>json</log_format>
    <location>/var/log/suricata/eve.json</location>
  </localfile>

2、确认内置规则

ruleset/rules/0475-suricata_rules.xml

<group name="ids,suricata,">
    <rule id="86600" level="0">
        <decoded_as>json</decoded_as>
        <field name="timestamp">\.+</field>
        <field name="event_type">\.+</field>
        <description>Suricata messages.</description>
        <options>no_full_log</options>
    </rule>
    <rule id="86601" level="3">
        <if_sid>86600</if_sid>
        <field name="event_type">^alert$</field>
        <description>Suricata: Alert - $(alert.signature)</description>
        <options>no_full_log</options>
    </rule>
</group>

3、自定义规则对应Wazuh级别

<group name="ids,suricata,">
    <rule id="86601" level="5" overwrite="yes">
      <if_sid>86600</if_sid>
      <field name="event_type">^alert$</field>
      <description>Suricata普通预警：$(alert.signature)</description>
      <options>no_full_log</options>
    </rule>
    <rule id="86605" level="12">
      <if_sid>86601</if_sid>
      <field name="alert.severity">^1$</field>
      <description>Suricata严重预警：$(alert.signature)</description>
      <options>no_full_log</options>
    </rule>
</group>

4、启动Wazuh并实时查看alerts.log

5、在Kibana中进行查看

⑥利用Wazuh对Suricata主动响应

一、配置解码器和规则

1、基本思路

从eve.json中可以读取到src_ip，并且通过JSON解码器也能够识别为正常的字段值，但是firewall-drop需要的字段是srcip（Wauzh内置的静态字段），而不是src_ip，所以必须要想办法将src_ip识别和提取出来，变成Wazuh的srcip的字段，才可以正常触发主动响应。

那么如何从eve.json中提取出src_ip，并且赋值给srcip呢？就按照原始Wazuh提取数据字段的方式进行处理即可。

2、解码器

<!-- Suricata主动响应解码器 -->
<decoder name="suricata_eve">
  <prematch>^{"timestamp</prematch>
  <regex offset="after_prematch">"event_type":"(\w+)"\S+"src_ip":"(\S+)"\S+"signature":"(\S+)"\S+"severity":(\d)</regex>
  <order>event_type,srcip,signature,severity</order>
</decoder>

直接监控fast.log也不是不可以，但是有很多信息无法准确提取，所以建议监控eve.json日志

3、规则

<group name="ids,suricata,">
  <rule id="562600" level="0">
      <decoded_as>suricata_eve</decoded_as>
      <description>Suricata预警信息根规则.</description>
      <options>no_full_log</options>
  </rule>
  <rule id="562601" level="3">
      <if_sid>562600</if_sid>
      <field name="event_type">^alert$</field>
      <description>Suricata-Wazuh预警：$(srcip))</description>
      <options>no_full_log</options>
  </rule>
  <rule id="562602" level="12">
      <if_sid>562601</if_sid>
      <field name="severity">^1$</field>
      <description>Suricata致命预警：$(srcip) - $(signature)</description>
      <options>no_full_log</options>
  </rule>
</group>

4、禁用json解码器

<decoder name="json">
  <prematch>^NoUse{\s*"</prematch>
  <plugin_decoder>JSON_Decoder</plugin_decoder>
</decoder>

由于内置解码器json会先于suricata_eve自定义解码器执行，所以前期可以先通过禁用json解码器的方式进行规则调试，但是后期肯定不能这样做，否则对其他JSON数据的解码就会存在问题，仍然需要寻找解决方案。

5、测试规则

/var/ossec/bin/wazuh-logtest
{"timestamp":"2021-12-28T12:24:18.861779+0800","flow_id":801237179200730,"in_iface":"ens33","event_type":"alert","src_ip":"192.168.112.1","src_port":1110,"dest_ip":"192.168.112.195","dest_port":80,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":5613007,"rev":1,"signature":"URL地址木马","category":"站点木马植入","severity":1},"http":{"hostname":"192.168.112.195","url":"/security/read.php?id=%3C?eval($_POST[a]);","http_user_agent":"Mozilla/5.0","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":200,"length":374},"app_proto":"http","flow":{"pkts_toserver":4,"pkts_toclient":3,"bytes_toserver":793,"bytes_toclient":1074,"start":"2021-12-28T12:24:18.816346+0800"}}

二、设计主动响应

1、主动响应

<active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <level>9</level>
    <timeout>600</timeout>
</active-response>

2、进行测试

** Alert 1640685105.129291: - ossec,active_response,pci_dss_11.4,gpg13_4.13,gdpr_IV_35.7.d,nist_800_53_SI.4,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,tsc_CC7.4,
2021 Dec 28 17:51:45 centqiang->/var/ossec/logs/active-responses.log
Rule: 651 (level 3) -> 'Host Blocked by firewall-drop Active Response'
2021/12/28 17:51:45 active-response/bin/firewall-drop: {"version":1,"origin":{"name":"node01","module":"wazuh-execd"},"command":"add","parameters":{"extra_args":[],"alert":{"timestamp":"2021-12-28T17:51:45.954+0800","rule":{"level":12,"description":"Suricata致命预警：URL地址木马","id":"566002","firedtimes":1,"mail":true,"groups":["ids"," suricata_eve"]},"agent":{"id":"000","name":"centqiang"},"manager":{"name":"centqiang"},"id":"1640685105.128130","full_log":"{\"timestamp\":\"2021-12-28T17:51:44.154165+0800\",\"flow_id\":1619038894591458,\"in_iface\":\"ens33\",\"event_type\":\"alert\",\"src_ip\":\"192.168.112.1\",\"src_port\":16996,\"dest_ip\":\"192.168.112.195\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":5613007,\"rev\":1,\"signature\":\"URL地址木马\",\"category\":\"站点木马植入\",\"severity\":1},\"http\":{\"hostname\":\"192.168.112.195\",\"url\":\"/security/read.php?id=1%20%22%3C?%20eval($_POST[a]);%20?%3E%22%20into%20outfile(%22/opt/shell.php%22)\",\"http_user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":200,\"length\":374},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":4,\"pkts_toclient\":3,\"bytes_toserver\":820,\"bytes_toclient\":1074,\"start\":\"2021-12-28T17:51:44.101858+0800\"}}","decoder":{"name":"suricata_eve"},"data":{"srcip":"192.168.112.1","event_type":"alert","signature":"URL地址木马","severity":"1"},"location":"/var/log/suricata/eve.json"},"program":"active-response/bin/firewall-drop"}}
version: 1
origin.name: node01
origin.module: wazuh-execd
command: add
parameters.extra_args: []
parameters.alert.timestamp: 2021-12-28T17:51:45.954+0800
parameters.alert.rule.level: 12
parameters.alert.rule.description: Suricata致命预警：URL地址木马
parameters.alert.rule.id: 566002
parameters.alert.rule.firedtimes: 1
parameters.alert.rule.mail: true
parameters.alert.rule.groups: ["ids", " suricata_eve"]
parameters.alert.agent.id: 000
parameters.alert.agent.name: centqiang
parameters.alert.manager.name: centqiang
parameters.alert.id: 1640685105.128130
parameters.alert.full_log: {"timestamp":"2021-12-28T17:51:44.154165+0800","flow_id":1619038894591458,"in_iface":"ens33","event_type":"alert","src_ip":"192.168.112.1","src_port":16996,"dest_ip":"192.168.112.195","dest_port":80,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":5613007,"rev":1,"signature":"URL地址木马","category":"站点木马植入","severity":1},"http":{"hostname":"192.168.112.195","url":"/security/read.php?id=1%20%22%3C?%20eval($_POST[a]);%20?%3E%22%20into%20outfile(%22/opt/shell.php%22)","http_user_agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":200,"length":374},"app_proto":"http","flow":{"pkts_toserver":4,"pkts_toclient":3,"bytes_toserver":820,"bytes_toclient":1074,"start":"2021-12-28T17:51:44.101858+0800"}}
parameters.alert.decoder.name: suricata_eve
parameters.alert.data.srcip: 192.168.112.1
parameters.alert.data.event_type: alert
parameters.alert.data.signature: URL地址木马
parameters.alert.data.severity: 1
parameters.alert.location: /var/log/suricata/eve.json
parameters.program: active-response/bin/firewall-drop

三、存在的问题

1、双向流量的srcip问题

Suricata存在双向流量，如果是from_server=>to_client方向的流量，src_ip是服务器IP地址，此时使用Wazuh去提取该IP并且进行主动响应，则IP地址提取错误，应该提取的是dest_ip才是攻击源IP地址。解决方案：

（1）在Suricata规则中使用metadata: key value;来标识方向，进而让Wazuh进行识别（得需要两个解码器）

（2）利用Suricata的target，并设置为target: dest_ip，而不是默认的src_ip。

（3）使用Python实时解析Suricata日志并对Severity=1级别进行主动响应，抛弃Wazuh的规则约束。

以下是通过使用target来定义规则的用法：

第一步：定义解码器

<decoder name="suricata_eve">
  <prematch>^{"timestamp</prematch>
  <regex offset="after_prematch">"event_type":"(\w+)"\S+"signature":"(\S+)"\S+"severity":(\d+)\S+"source":{"ip":"(\S+)"</regex>
  <order>event_type,signature,severity,srcip</order>
</decoder>

第二步：进行测试

[root@centqiang alerts]# /var/ossec/bin/wazuh-logtest
Starting wazuh-logtest v4.2.5
Type one log per line
{"timestamp":"2022-07-28T11:28:26.648845+0800","flow_id":1784851008772983,"in_iface":"ens33","event_type":"alert","src_ip":"192.168.112.195","src_port":80,"dest_ip":"192.168.112.1","dest_port":56009,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":561001,"rev":0,"signature":"出现404错误","category":"","severity":3,"source":{"ip":"192.168.112.1","port":56009},"target":{"ip":"192.168.112.195","port":80}},"http":{"hostname":"192.168.112.195","url":"/dashboard/phpinfo.phpx","http_user_agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":404,"length":692},"files":[{"filename":"/dashboard/phpinfo.phpx","sid":[],"gaps":false,"state":"UNKNOWN","stored":false,"size":645,"tx_id":0}],"app_proto":"http","flow":{"pkts_toserver":4,"pkts_toclient":6,"bytes_toserver":692,"bytes_toclient":1837,"start":"2022-07-28T11:28:26.646007+0800"}}
**Phase 1: Completed pre-decoding.
**Phase 2: Completed decoding.
    name: 'suricata_eve'
    event_type: 'alert'
    severity: '3'
    signature: '出现404错误'
    srcip: '192.168.112.1'
**Phase 3: Completed filtering (rules).
    id: '562601'
    level: '3'
    description: 'Suricata-Wazuh预警：192.168.112.1)'
    groups: '['ids', 'suricata']'
    firedtimes: '1'
    mail: 'False'
**Alert to be generated.

2、json解码器被禁用问题

为了不禁用json解码器，可以将suricata_eve解码器直接定义成json解码器的子解码器

<decoder name="json">
  <prematch>^{\s*"</prematch>
  <plugin_decoder>JSON_Decoder</plugin_decoder>
</decoder>
<decoder name="suricata_eve">
  <parent>json</parent>
  <prematch>^{"timestamp</prematch>
  <regex offset="after_prematch">"event_type":"(\w+)"\S+"signature":"(\S+)"\S+"severity":(\d+)\S+"source":{"ip":"(\S+)"</regex>
  <order>event_type,signature,severity,srcip</order>
</decoder>

在定义规则时将解码器直接指定为json即可

<rule id="562600" level="0">
      <decoded_as>json</decoded_as>
      <description>Suricata预警信息根规则.</description>
      <options>no_full_log</options>
</rule>

此时再进行日志测试，结果如下：

**Phase 1: Completed pre-decoding.
**Phase 2: Completed decoding.
    name: 'json'
    parent: 'json'
    event_type: 'alert'
    severity: '3'
    signature: '出现404错误'
    srcip: '192.168.112.1'
**Phase 3: Completed filtering (rules).
    id: '562601'
    level: '3'
    description: 'Suricata-Wazuh预警：192.168.112.1'
    groups: '['ids', 'suricata']'
    firedtimes: '1'
    mail: 'False'
**Alert to be generated.

prematch>^{\s*“
<plugin_decoder>JSON_Decoder</plugin_decoder>


json
^{“timestamp
“event_type”:”(\w+)”\S+“signature”:“(\S+)”\S+“severity”😦\d+)\S+“source”:{“ip”:“(\S+)”
event_type,signature,severity,srcip

在定义规则时将解码器直接指定为json即可

```xml
<rule id="562600" level="0">
      <decoded_as>json</decoded_as>
      <description>Suricata预警信息根规则.</description>
      <options>no_full_log</options>
</rule>

此时再进行日志测试，结果如下：

**Phase 1: Completed pre-decoding.
**Phase 2: Completed decoding.
    name: 'json'
    parent: 'json'
    event_type: 'alert'
    severity: '3'
    signature: '出现404错误'
    srcip: '192.168.112.1'
**Phase 3: Completed filtering (rules).
    id: '562601'
    level: '3'
    description: 'Suricata-Wazuh预警：192.168.112.1'
    groups: '['ids', 'suricata']'
    firedtimes: '1'
    mail: 'False'
**Alert to be generated.

事实上，如果不是为了实现主动响应，Wazuh本身就自带Suricata规则，直接使用即可。