1. Suricata installation
Ubuntu dependencies
sudo apt-get -y install libpcre3 libpcre3-dbg libpcre3-dev \
    build-essential autoconf automake libtool libpcap-dev libnet1-dev \
    libyaml-0-2 libyaml-dev zlib1g zlib1g-dev libcap-ng-dev libcap-ng0 \
    make libmagic-dev libjansson-dev libjansson4 pkg-config librdkafka-dev
CentOS dependencies
sudo yum -y install gcc libpcap-devel pcre-devel libyaml-devel file-devel \
    zlib-devel jansson-devel nss-devel libcap-ng-devel libnet-devel tar make \
    libnetfilter_queue-devel lua-devel
In addition, since CentOS has no ready-made librdkafka package, it has to be built from source. Download librdkafka 0.8.6 and install it with the following commands:
tar -xzf librdkafka-0.8.6.tar.gz
cd librdkafka-0.8.6
./configure
make
sudo make install
Build
./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var --enable-rdkafka --enable-lua
make
sudo make install
sudo ldconfig
sudo make install-full   # installs the configuration files and the rules files
Run
sudo suricata -i eth0    # replace eth0 with the actual interface name
Troubleshooting
On CentOS, if Suricata reports at startup that librdkafka.so.1 cannot be found, edit /etc/ld.so.conf, append the following line and run sudo ldconfig again:
/usr/local/lib
2. Configuration
To output hash values to Kafka and generate the http-data.log file at the same time, configure suricata.yaml as follows; adjust each value to your environment:
  # kafka producer info
  - kafka-pro:
      broker-list: 192.168.0.134:9092   # a comma separated list of broker addresses
      topic: ceshi_test                 # the topic for kafka messages
      compression: none                 # compression codec: none, gzip, snappy
      partition: -1                     # a value < 0 means unassigned partition
      max-retries: 1                    # number of retries if message delivery fails
      backoff-ms: 10                    # ms to wait for backoff
      buffer-max-messages: 100000       # max number of messages to keep in the internal buffer
      log-level: 6                      # same log levels as SC_LOG_LEVEL; debug is 7
The configuration above only sends messages to Kafka, at an interval of 5 seconds. To change the interval, open the settings page of the web UI and set the send interval there.
Configuration that generates the http-data.log file:
  - http-body-data:
      enabled: yes
      type: file
      filename: http-data.log
With this configuration only http-data.log is generated, and it stores the HTML response messages as hexadecimal. To also store the HTTP responses in text form, set type to both: an http folder is then created in the current directory, and for every access a .data file named from the source/destination IP and source/destination port is written into it, containing the text of that response message.
eve.json is generated by default; the fields it outputs can be extended through the configuration file. For example, to output the Cookie header, configure it as follows:
  - eve-log:
      types:
        - http:
            extended: yes
            custom: [Accept-Encoding, Accept-Language, Authorization, Cookie]
Rule configuration
After installation the default rule files live in /etc/suricata/rules. To make rule configuration flexible, add a 4dogs.rules file to the rules folder and list 4dogs.rules under rule-files in suricata.yaml; from then on the file can be configured through the settings in the web UI.
Lua script support
To detect repeated F5 refreshes by the same user, flow tracking is implemented with a Lua script. This requires passing --enable-lua to configure and having the Lua libraries installed on the system.
Ubuntu:
sudo apt-get install libreadline-dev
sudo apt-get install liblua5.1-dev
CentOS:
yum install lua-devel
Then build and install as above. Once installed, enable the Lua script in suricata.yaml. If Suricata complains at startup that some libraries cannot be found, run sudo ldconfig.
  - lua:
      enabled: yes
      #scripts-dir: /etc/suricata/lua-output/
      scripts:
        - packet.lua
Put packet.lua in /etc/suricata/lua-output/. Its content depends on your needs and follows the format shown below. The example below produces a log file named http.log in /var/log/suricata.
function init (args)
    local needs = {}
    needs["protocol"] = "http"
    return needs
end

name = "http.log"

function setup (args)
    filename = SCLogPath() .. "/" .. name
    file = assert(io.open(filename, "a"))
    SCLogInfo("HTTP Log Filename " .. filename)
    http = 0
end

function log(args)
    -- get the raw request headers
    http_req = HttpGetRawRequestHeaders()
    if http_req == nil then
        http_req = "headers unknown"
    end
    -- skip the request/response information of css, js and image requests
    if string.find(http_req, "text/html") ~= nil then
        -- time of the server response: the packet timestamp is used instead,
        -- otherwise it would have to be parsed out of the HTTP response headers
        startts = SCPacketTimeString()
        -- print ("timestamp: " .. startts .. "\n")
        -- get the flow hash and render it as a string
        -- SCFlowHash() is a new interface that does not exist in the upstream source;
        -- the modified source is required, otherwise the script errors out
        hash = SCFlowHash()
        hashstr = string.format("%.0f", hash)
        -- print ("Flow Hash: " .. hashstr .. "\n")
        -- get the flow id and render it as a string
        id = SCFlowId()
        idstr = string.format("%.0f", id)
        -- print ("Flow ID: " .. idstr .. "\n")
        -- get the 5-tuple of this session
        ipver, srcip, dstip, proto, sp, dp = SCFlowTuple()
        file:write("flow@" .. "[*" .. hashstr .. "*]" .. srcip .. ":" .. sp .. "->" .. dstip .. ":" .. dp .. "\n")
        file:write("timestamp: " .. startts .. "\n\n")
        file:write(http_req .. "\n")
        -- file:flush()
        -- get the raw response headers
        http_res = HttpGetRawResponseHeaders()
        if http_res == nil then
            http_res = "response headers unknown"
        end
        if string.find(http_res, "text/html") ~= nil then
            file:write(http_res .. "\n")
            -- file:flush()
            -- get the response body
            res_body, o, e = HttpGetResponseBody()
            for k, v in ipairs(res_body) do
                file:write(v)
                -- file:flush()
            end
        end
    end
    -- write everything still in the buffer out to the file
    file:flush()
    http = http + 1
end

function deinit (args)
    SCLogInfo ("HTTP transactions logged: " .. http);
    file:close()
end
http.log then contains entries like the following, recording in turn the flow information, the request time, the request headers, the response headers and the response body.
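As an added example (not part of these notes or of the 4dogs code), the following Python reads records in the layout the packet.lua script above writes to http.log and counts, per client and URL, how many requests fall inside a short sliding window, which is the repeated-F5 check the script's flow tracking is meant to support. The sample log text is constructed, and the SCPacketTimeString() time layout used to parse the timestamp line is an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime
FLOW_RE = re.compile(r"^flow@\[\*(\d+)\*\](\S+):(\d+)->(\S+):(\d+)$")
TS_FMT = "%m/%d/%Y-%H:%M:%S.%f"  # layout assumed for SCPacketTimeString()

def _rec(ts, src, path):
    # Constructed record in the layout packet.lua writes: flow line, timestamp,
    # blank line, raw request headers, response headers, then the body (no newline)
    return (f"flow@[*1234567890*]{src}:51234->203.0.113.10:80\n"
            f"timestamp: {ts}\n\nGET {path} HTTP/1.1\nHost: www.example.com\n\n"
            "HTTP/1.1 200 OK\nContent-Type: text/html\n<html>ok</html>")

SAMPLE_LOG = "".join(_rec(*a) for a in [  # constructed sample, not real traffic
    ("06/15/2016-10:00:01.000000", "10.0.0.5", "/index.html"),
    ("06/15/2016-10:00:02.500000", "10.0.0.5", "/index.html"),
    ("06/15/2016-10:00:03.000000", "10.0.0.5", "/index.html"),
    ("06/15/2016-10:00:04.000000", "10.0.0.7", "/about.html")])

def parse_http_log(text):
    """Split http.log at each flow@ marker (the body before it ends without newline)."""
    records = []
    for chunk in re.split(r"(?=flow@\[\*\d+\*\])", text):
        lines = chunk.splitlines()
        m = FLOW_RE.match(lines[0]) if lines else None
        if not m or len(lines) < 4:
            continue  # leading fragment or truncated record
        ts = datetime.strptime(lines[1].split(" ", 1)[1], TS_FMT)
        method, path = lines[3].split(" ")[:2]  # request line: METHOD PATH VERSION
        host = next((l.split(":", 1)[1].strip() for l in lines[4:]
                     if l.lower().startswith("host:")), "")
        records.append({"hash": m.group(1), "src": m.group(2), "dst": m.group(4),
                        "ts": ts, "method": method, "path": path, "host": host})
    return records

def refresh_bursts(records, threshold=3, window_s=5.0):
    """(src, host, path, n): clients fetching one URL >= threshold times within window_s."""
    by_key = defaultdict(list)
    for r in records:
        by_key[(r["src"], r["host"], r["path"])].append(r["ts"])
    hits = []
    for key, stamps in by_key.items():
        stamps.sort()
        best = start = 0
        for end, t in enumerate(stamps):  # sliding window over sorted timestamps
            while (t - stamps[start]).total_seconds() > window_s:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            hits.append(key + (best,))
    return hits
```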