security Onion

引言

内容

ISO：securityonion-16.04.5.6.iso

外网页面访问
UFW sudo ufw allow 80 开放80端口
UFW sudo ufw allow 443
或者关闭防火墙：/usr/sbin/ufw disable

重启HIDS 大部分重启命令在/usr/sbin目录so开头的脚本文件

/usr/sbin/so-sensor-restart  

/etc/nsm/rules/local.rules 规则文件中添加内容，重启引擎，并进行发包测试

在local.rules添加规则后，执行
sudo rule-update #加载local.rules 把规则复制到download.rules
vi download.rules 查看是否存在新规则

flowbits：规则联动

alert http any any -> any any (msg:"test"; flow:to_server,established; content:"assert"; http_uri; content:"base64_decode"; nocase; distance:0; http_uri; fast_pattern; flowbits:set,CVE-2017-12629; flowbits:noalert; classtype:web-application-attack; sid:80000001; rev:2; metadata:created_at 2019_03_19, updated_at 2019_03_19;)
alert http any any -> any any (msg:"test111"; flow:from_server,established; content:"assert"; http_server_body; flowbits:isset,CVE-2017-12629; classtype:web-application-attack; sid:80000000; rev:2; metadata:created_at 2019_03_19, updated_at 2019_03_19;)

PCAP: https://github.com/Fate9091/fate/blob/master/assert_test.pcap

进入Security onion 数据库

sudo mysql --defaults-file=/etc/mysql/debian.cnf