0x00 Preface
Arkime/Moloch is a full packet capture tool. From a security standpoint its biggest advantage is threat tracing, and the best part of combining it with Suricata is that you can pull up exactly the pcap that corresponds to an alert. Purely for learning Suricata detection this is very useful: you can take the pcap and analyze the Suricata rule it triggered. From an alert operations standpoint, it is the best raw evidence for confirming whether a threat really exists.
Note: all articles in this series use a CentOS 7 environment, and all components are the latest versions available at the time of writing.
0x01 Suricata configuration
1. Install with yum
Install the latest Suricata release; as of this writing it is 6.0.3.
# yum install epel-release yum-plugin-copr -y
# yum copr enable @oisf/suricata-6.0
# yum install suricata -y
2. Update the rules
Download the Suricata rule files automatically; by default they are placed in /var/lib/suricata/rules
# suricata-update
3. Start suricata
Because the default suricata.yaml already loads rules from the directory the rules were downloaded to, all you need to do is start the service:
# systemctl restart suricata
0x02 Arkime configuration
1. Configure the suricata plugin
# cd /opt/arkime/etc/
# vim config.ini
Search for the keyword pluginsDir and add the following below it:
# Add suricata.so to your plugins line, or add a new plugins line
plugins=suricata.so
# suricataAlertFile should be the full path to your alert.json or eve.json file
suricataAlertFile=/var/log/suricata/eve.json
suricataExpireMinutes=60
2. Let arkime read the suricata data
This is the critical step, and I spent quite a bit of time getting it right; with it in place, the problem of arkime not displaying the linked Suricata data no longer occurs.
2.1 Change the permissions of eve.json
# chmod o+r /var/log/suricata/eve.json
2.2 Change dropUser
# cd /opt/arkime/etc/
# vim config.ini
Search for the keyword dropUser, change it to root, save, and then restart the arkime capture process:
# systemctl restart arkimecapture
0x03 Testing the result
1. Access Baidu from the suricata host itself
curl -XGET http://www.baidu.com
2. A built-in suricata rule fires an alert
# tail -f /var/log/suricata/eve.json | grep '"event_type":"alert"'
{"timestamp":"2021-10-22T04:19:34.862982-0400","flow_id":830691572369045,"in_iface":"eth0","event_type":"alert","src_ip":"192.168.8.11","src_port":46073,"dest_ip":"220.181.38.149","dest_port":80,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2013028,"rev":5,"signature":"ET POLICY curl User-Agent Outbound","category":"Attempted Information Leak","severity":2,"metadata":{"created_at":["2011_06_14"],"updated_at":["2020_04_22"]}},"http":{"hostname":"www.baidu.com","url":"/","http_user_agent":"curl/7.29.0","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":200,"length":1048},"app_proto":"http","flow":{"pkts_toserver":4,"pkts_toclient":4,"bytes_toserver":440,"bytes_toclient":1684,"start":"2021-10-22T04:19:34.771733-0400"}}
3. Correlated results in an arkime query
Enter the following in the query bar:
suricata.signature == EXISTS!
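To make the correlation behind that query concrete, here is an added example (not Arkime's own code) that models what the plugin configured in 0x02 does: read alert events out of eve.json, index them by direction-independent 5-tuple, and attach only the alerts that are no older than suricataExpireMinutes to a captured session on the same flow. The eve.json lines and the Arkime-side session record are constructed, modeled on the curl alert above; the eve field names are real, the Python helpers are illustrative.

```python
import json
from datetime import datetime, timedelta

# Constructed eve.json lines (modeled on the page's curl alert): one fresh alert,
# one stale alert on the same flow two hours earlier, and one non-alert http event.
SAMPLE_EVE = """\
{"timestamp":"2021-10-22T04:19:34.862982-0400","event_type":"alert","src_ip":"192.168.8.11","src_port":46073,"dest_ip":"220.181.38.149","dest_port":80,"proto":"TCP","alert":{"signature_id":2013028,"signature":"ET POLICY curl User-Agent Outbound","category":"Attempted Information Leak","severity":2}}
{"timestamp":"2021-10-22T02:19:34.000000-0400","event_type":"alert","src_ip":"192.168.8.11","src_port":46073,"dest_ip":"220.181.38.149","dest_port":80,"proto":"TCP","alert":{"signature_id":9999999,"signature":"CONSTRUCTED stale alert","category":"Test","severity":3}}
{"timestamp":"2021-10-22T04:19:34.900000-0400","event_type":"http","src_ip":"192.168.8.11","src_port":46073,"dest_ip":"220.181.38.149","dest_port":80,"proto":"TCP"}
"""

def parse_alerts(eve_text):
    """Keep only event_type == alert records; skip other event types and truncated lines."""
    alerts = []
    for line in eve_text.splitlines():
        if not line.strip():
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # a half-written line is normal when tailing a live eve.json
        if ev.get("event_type") == "alert":
            alerts.append(ev)
    return alerts

def flow_key(ev):
    """Direction-independent 5-tuple, so a session seen from either side still matches."""
    ends = sorted([(ev["src_ip"], ev["src_port"]), (ev["dest_ip"], ev["dest_port"])])
    return (ev["proto"].upper(), ends[0], ends[1])

def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z")

def correlate(alerts, session, expire_minutes=60):
    """Alerts on the session's flow that are not older than expire_minutes
    (the role suricataExpireMinutes plays in config.ini)."""
    index = {}
    for ev in alerts:
        index.setdefault(flow_key(ev), []).append(ev)
    cutoff = parse_ts(session["timestamp"]) - timedelta(minutes=expire_minutes)
    hits = [ev for ev in index.get(flow_key(session), []) if parse_ts(ev["timestamp"]) >= cutoff]
    # Keys below are eve.json's own alert fields; Arkime exposes them as suricata.*
    # fields (the page only shows suricata.signature).
    return {
        "signature": sorted({h["alert"]["signature"] for h in hits}),
        "signature_id": sorted({h["alert"]["signature_id"] for h in hits}),
        "category": sorted({h["alert"]["category"] for h in hits}),
    }

# Constructed Arkime-side session: the page's flow, recorded from the server side.
SESSION = {"timestamp": "2021-10-22T04:19:34.771733-0400", "src_ip": "220.181.38.149",
           "src_port": 80, "dest_ip": "192.168.8.11", "dest_port": 46073, "proto": "tcp"}

if __name__ == "__main__":
    print(correlate(parse_alerts(SAMPLE_EVE), SESSION))
```

A session on a different port, or an alert older than the expiry window, yields no suricata fields, which is the first thing to check when the `suricata.signature == EXISTS!` query comes back empty.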