A complete network intrusion detection platform built from open-source components:
suricata (detection engine) + barnyard (spooler that reads the unified2 alert logs into the database) + snorby (web front end).
Overall architecture
PF_RING zero copy
The PF_RING-aware NIC driver delivers packet data directly into user space instead of copying it through the kernel network stack, removing the per-packet copy that otherwise costs capture throughput.
Performance testing
Performance is measured with a BPS traffic-generator appliance that replays realistic traffic: its two ports are connected to ports 1 and 2 of the switch to form a loop, and the inbound and outbound traffic of switch port 1 is mirrored to the sensor board, as in the diagram below (not reproduced here):
Installation
To stay consistent with the customer's environment, the operating system is CentOS 6.5.
ISO download:
http://archive.kernel.org/centos-vault/6.5/isos/x86_64/
Use the minimal install image:
CentOS-6.5-x86_64-minimal
Kernel version:
2.6.32-431.el6.x86_64
# basic tooling; on CentOS 6 the syslog daemon package is rsyslog (there is no package named "syslog")
yum install lrzsz wget gdb ntp bc rsyslog tcpdump
PF_RING 6.0.2 is used.
Installation follows the PF_RING project's instructions (reference site).
The flow is shown in the figure below (not reproduced here):
Installation steps:
cd ~
yum install gcc ncurses-devel
# fetch the source of the exact running kernel: out-of-tree modules only load if they were built against the kernel reported by `uname -r`
wget http://archive.kernel.org/centos-vault/6.5/os/Source/SPackages/kernel-2.6.32-431.el6.src.rpm
rpm -ivh kernel-2.6.32-431.el6.src.rpm
cd ~/rpmbuild/SOURCES/
tar -jxvf linux-2.6.32-431.el6.tar.bz2
cp -rf linux-2.6.32-431.el6 /usr/src/kernels/
cd /usr/src/kernels/linux-2.6.32-431.el6/
make menuconfig
1) Select "Enable loadable module support", then "Module signature verification (EXPERIMENTAL)", and disable it.
2) Go back to the main menu, select "Cryptographic API", then "In-kernel signature checker (EXPERIMENTAL)", and disable that one too.
make
Note: these two options are switched off only in the configuration of this source tree, which serves as the build directory for the out-of-tree pf_ring and ixgbe modules; the running CentOS kernel is not rebuilt or replaced, and the modules produced this way are unsigned.
# point the running kernel's module build directory at the tree just built
cd /lib/modules/2.6.32-431.el6.x86_64
rm -rf build
ln -s /usr/src/kernels/linux-2.6.32-431.el6/ build
cd ~
wget http://downloads.sourceforge.net/project/ntop/PF_RING/PF_RING-6.0.2.tar.gz
tar -zxvf PF_RING-6.0.2.tar.gz
cd PF_RING-6.0.2/kernel
make && make install
# transparent_mode=2: a PF_RING-aware driver hands packets to PF_RING only, not to the kernel stack;
# min_num_slots (plural) sets the number of ring slots. insmod is not persistent across reboots.
insmod pf_ring.ko transparent_mode=2 min_num_slots=65534
cd ~
wget http://archive.kernel.org/centos-vault/6.5/os/Source/SPackages/numactl-2.0.7-8.el6.src.rpm
rpm -ivh numactl-2.0.7-8.el6.src.rpm
cd ~/rpmbuild/SOURCES
tar -zxvf numactl-2.0.7.tar.gz
cd numactl-2.0.7
make && make install
# build the PF_RING user-space library (libpfring) that capture applications link against
cd ~/PF_RING-6.0.2/userland/lib
./configure --prefix=/usr/local/pfring
make && make install
ethtool -i eth4    # shows the driver currently bound to the capture NIC (here ixgbe)
cd ~/PF_RING-6.0.2/drivers/PF_RING_aware/intel/ixgbe/ixgbe-3.21.2-zc/src/
make
# replace the stock ixgbe module with the PF_RING-aware (ZC) build; keep a copy of the stock ixgbe.ko first.
# rmmod takes down every ixgbe interface, so run this from a console or over a NIC that uses a different driver.
cp ixgbe.ko /lib/modules/2.6.32-431.el6.x86_64/kernel/drivers/net/ixgbe/ixgbe.ko
rmmod ixgbe
insmod ixgbe.ko
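Before moving on to Suricata it is worth confirming that the pieces above actually fit together: the modules were built against the running kernel, the build symlink points at the right tree, pf_ring is loaded, and the capture NIC is running the ZC ixgbe build rather than the stock one. The script below is an added example written for this page, not code from the original post or from the PF_RING project. It assumes the kernel version, source path, interface name and driver version used in the steps above (2.6.32-431.el6.x86_64, /usr/src/kernels/linux-2.6.32-431.el6, eth4, ixgbe 3.21.2) and PF_RING's /proc/net/pf_ring/ interface; the expected values can be overridden through environment variables, and each check is a function that takes its input as an argument so the logic can be exercised without the hardware.

```shell
#!/bin/sh
# pfring_check.sh: post-install sanity checks for the PF_RING build above.
# Added example, not part of the original page. The expected values below are
# assumptions taken from the procedure; override them via the environment.

EXPECTED_KERNEL="${EXPECTED_KERNEL:-2.6.32-431.el6.x86_64}"
KERNEL_SRC="${KERNEL_SRC:-/usr/src/kernels/linux-2.6.32-431.el6}"
EXPECTED_DRIVER="${EXPECTED_DRIVER:-ixgbe}"
EXPECTED_DRIVER_VERSION="${EXPECTED_DRIVER_VERSION:-3.21.2}"

# 1. Modules only load if their vermagic matches the running kernel.
#    $1 = output of `uname -r`.
kernel_matches() {
    [ "$1" = "$EXPECTED_KERNEL" ]
}

# 2. /lib/modules/<ver>/build must resolve to the tree we built; otherwise a
#    later `make` in the PF_RING directories picks up the wrong headers.
#    $1 = path the build symlink resolves to (trailing slash tolerated).
build_link_ok() {
    [ "${1%/}" = "${KERNEL_SRC%/}" ]
}

# 3. Extract "driver: X" and "version: Y" from `ethtool -i <iface>` output
#    read on stdin and print them as "X Y". The anchors keep
#    "firmware-version:" from matching.
parse_ethtool() {
    sed -n -e 's/^driver: *//p' -e 's/^version: *//p' | tr '\n' ' ' | sed 's/ $//'
}

# 4. The NIC should report the driver name and version of the ZC build we
#    compiled, not the stock in-kernel ixgbe.
#    $1 = "driver version" string as produced by parse_ethtool.
zc_driver_ok() {
    [ "$1" = "$EXPECTED_DRIVER $EXPECTED_DRIVER_VERSION" ]
}

# 5. pf_ring.ko exposes /proc/net/pf_ring/info once it is loaded.
#    $1 = the pf_ring proc directory.
pfring_loaded() {
    [ -r "$1/info" ]
}

# Run one check and print a one-line verdict; returns the check's status.
report() {
    if "$@"; then echo "ok:   $*"; else echo "FAIL: $*"; return 1; fi
}

# Run every check against the live system for the given capture interface.
main() {
    iface="$1"
    rc=0
    report kernel_matches "$(uname -r)" || rc=1
    report build_link_ok "$(readlink -f /lib/modules/"$(uname -r)"/build)" || rc=1
    report zc_driver_ok "$(ethtool -i "$iface" | parse_ethtool)" || rc=1
    report pfring_loaded /proc/net/pf_ring || rc=1
    return $rc
}

# Only touch the live system when an interface is named on the command line.
if [ $# -gt 0 ]; then main "$@"; fi
```

Run it as root after the insmod steps, e.g. `sh pfring_check.sh eth4`; a non-zero exit means at least one check failed. A kernel mismatch here is the usual cause of "invalid module format" on insmod, and a stock driver version in the ethtool output means the copied ixgbe.ko was not the one that got loaded.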
Suricata 2.0.7 is used.
Reference:
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/CentOS_65_Installation
Installation steps:
sudo yum -y install libpcap libpcap-devel libnet libnet-devel pcre \
pcre-devel gcc gcc-c++ automake autoconf libtool make libyaml \
libyaml-devel zlib zlib-devel file-devel libcap-ng-devel
cd ~
wget http://www.netfilter.org/projects/libnfnetlink/files/libnfnetlink-1.0.1.tar.bz2
tar -jxvf libnfnetlink-1.0.1.tar.bz2    # bzip2 archive: -j (not -z), and -x to extract
cd libnfnetlink-1.0.1
./configure && make && make install
cd ~