
Suricata Rule Testing Environment

November 15, 2020 • Security Offense and Defense

0x01 Requirements

I need a rule testing environment for an older Suricata version that is lightweight to deploy, easy to migrate, and convenient for viewing results and history. Following "Suricata+ELK (Dockerized deployment) data display", I built a single-host test environment (CentOS 7 + suricata-4.1.3).


0x02 Base Environment

1. System components
# Install directory: /root/suricata_vulnTest
[root@centos7 ~]# yum install epel-release -y
[root@centos7 ~]# sudo yum -y install gcc libpcap-devel pcre-devel libyaml-devel file-devel zlib-devel jansson-devel nss-devel libcap-ng-devel libnet-devel tar make libnetfilter_queue-devel lua-devel PyYAML libmaxminddb-devel rustc cargo lz4-devel
[root@centos7 ~]# ntpdate cn.pool.ntp.org  && date && systemctl stop firewalld.service && systemctl disable firewalld.service 
2. Dependencies
  • docker
[root@centos7 ~]# sudo yum install -y yum-utils device-mapper-persistent-data lvm2
[root@centos7 ~]# sudo yum-config-manager --add-repo https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
[root@centos7 ~]# sudo yum install docker-ce -y 
[root@centos7 ~]# sudo mkdir -p /etc/docker
[root@centos7 ~]# sudo tee /etc/docker/daemon.json <<-'EOF'
{
  "registry-mirrors": ["https://780urbjd.mirror.aliyuncs.com"]
}
EOF
[root@centos7 ~]# sudo systemctl start docker && sudo systemctl enable docker
  • docker-compose
[root@centos7 ~]# curl -L https://get.daocloud.io/docker/compose/releases/download/1.24.0/docker-compose-`uname -s`-`uname -m` > /usr/local/bin/docker-compose
[root@centos7 ~]# sudo chmod +x /usr/local/bin/docker-compose && ln -s /usr/local/bin/docker-compose /usr/bin/docker-compose
3. Runtime components
  • suricata
[root@centos7 ~]# wget https://openinfosecfoundation.org/download/suricata-4.1.3.tar.gz &&  tar -xvzf suricata-4.1.3.tar.gz && cd  suricata-4.1.3 && ./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var --enable-nfqueue --enable-lua && make && make install-full && ldconfig && suricata --build-info && suricata -T
[root@centos7 ~]# vim /etc/suricata/suricata.yaml
default-rule-path: /root/suricata_vulnTest/rules
rule-files:
- hack.rules
[root@centos7 ~]# ls /var/log/suricata/eve.json && sudo ethtool -K eth0 gro off lro off
  • elk
[root@centos7 ~]# docker pull logstash:7.5.1 && docker pull kibana:7.5.1 && docker pull elasticsearch:7.5.1
[root@centos7 ~]# chmod -R 777 /root/suricata_vulnTest/elasticsearch/data
[root@centos7 ~]# cd /root/suricata_vulnTest/envi && docker-compose up -d && docker ps 
# If logstash does not come up, insufficient memory is the most likely cause
  • filebeat
[root@centos7 ~]# wget https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-7.5.1-x86_64.rpm && rpm -ivh filebeat-7.5.1-x86_64.rpm
[root@centos7 ~]# chmod go-w /root/suricata_vulnTest/synesis_lite_suricata-1.1.0/filebeat/filebeat.yml
[root@centos7 ~]# vim /lib/systemd/system/filebeat.service
[Unit]
Description=Filebeat sends log files to Logstash or directly to Elasticsearch.
Documentation=https://www.elastic.co/products/beats/filebeat
Wants=network-online.target
After=network-online.target

[Service]
User=root
ExecStart=filebeat -e -c /root/suricata_vulnTest/synesis_lite_suricata-1.1.0/filebeat/filebeat.yml
Restart=always

[Install]
WantedBy=multi-user.target

0x03 Running the Test

1. Start on boot
[root@centos7 ~]# cd /root/suricata_vulnTest && docker-compose up -d
[root@centos7 ~]# systemctl daemon-reload && systemctl start filebeat && systemctl enable filebeat
[root@centos7 ~]# reboot
[root@centos7 ~]# ps -ef |grep filebeat && docker ps 
2. Configuring the UI
  • Configure the data source
http://<ip>:5601
discover --- suricata* ---  @timestamp
management --- saved objects --- synlite_suricata.dashboards.json
3. Monitoring test
# Add rules (the file must live under the default-rule-path set in suricata.yaml)
[root@centos7 ~]# vim /root/suricata_vulnTest/rules/hack.rules
# Listen to traffic (directly on the NIC or from a pcap; -D runs in the background)
[root@centos7 ~]# suricata -c /etc/suricata/suricata.yaml  -i eth0 -v
[root@centos7 ~]# suricata -c /etc/suricata/suricata.yaml  -r data.pcap -v
# View alerts
[root@centos7 ~]# tail -f /var/log/suricata/fast.log
http://<ip>:5601

Setting the Kibana page to auto-refresh makes this more convenient.
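Kibana is handy for browsing, but when replaying a pcap against a new rule the question is usually narrower: did every sid in hack.rules fire at least once, and did anything fire that is not in my file? The script below is an added example (not part of the original post) that answers that from eve.json directly. It assumes only the standard eve.json alert record layout (event_type "alert" with alert.signature_id) and the Suricata 4.x rule syntax; the rules text and eve.json lines are constructed samples, not captured from the author's environment.

```python
import json
import re
from collections import Counter

# Constructed sample of a hack.rules file (not the post's own rules), Suricata 4.x syntax.
# The third rule is commented out, so it is disabled and must not count as "silent".
RULES_TEXT = r'''
alert http any any -> any any (msg:"TEST sqlmap user-agent"; flow:established,to_server; content:"sqlmap"; http_user_agent; nocase; classtype:web-application-attack; sid:9000001; rev:1;)
alert tcp any any -> any 22 (msg:"TEST inbound SSH SYN"; flow:to_server; flags:S; classtype:misc-activity; sid:9000002; rev:1;)
# alert dns any any -> any any (msg:"TEST disabled rule"; sid:9000003; rev:1;)
'''

# Constructed eve.json lines using the field layout of Suricata alert/flow records.
# Includes a non-alert event, an alert from a sid not in the file, and a broken line.
EVE_LINES = [
    '{"timestamp":"2020-11-15T10:00:01.000000+0800","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"10.0.0.8","proto":"TCP","alert":{"action":"allowed","signature_id":9000001,"rev":1,"signature":"TEST sqlmap user-agent","severity":1}}',
    '{"timestamp":"2020-11-15T10:00:02.000000+0800","event_type":"flow","src_ip":"10.0.0.5","dest_ip":"10.0.0.8","proto":"TCP"}',
    '{"timestamp":"2020-11-15T10:00:03.000000+0800","event_type":"alert","src_ip":"10.0.0.6","dest_ip":"10.0.0.8","proto":"TCP","alert":{"action":"allowed","signature_id":9000001,"rev":1,"signature":"TEST sqlmap user-agent","severity":1}}',
    '{"timestamp":"2020-11-15T10:00:04.000000+0800","event_type":"alert","src_ip":"10.0.0.7","dest_ip":"10.0.0.8","proto":"TCP","alert":{"action":"allowed","signature_id":9100001,"rev":1,"signature":"TEST rule from another file","severity":3}}',
    'this line is not JSON and must be skipped',
]

SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
MSG_RE = re.compile(r'\bmsg\s*:\s*"([^"]*)"')


def parse_rule_sids(rules_text):
    """Map sid -> msg for every enabled rule; lines starting with '#' are disabled."""
    sids = {}
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        sid = SID_RE.search(line)
        if not sid:
            continue  # a rule without a sid is rejected by `suricata -T` anyway
        msg = MSG_RE.search(line)
        sids[int(sid.group(1))] = msg.group(1) if msg else ''
    return sids


def iter_alerts(eve_lines):
    """Yield alert events from eve.json lines, ignoring other event types and bad lines."""
    for raw in eve_lines:
        try:
            ev = json.loads(raw)
        except ValueError:
            continue
        if ev.get('event_type') == 'alert' and isinstance(ev.get('alert'), dict):
            yield ev


def coverage_report(rules_text, eve_lines):
    """Count alerts per sid and list rules that never fired or sids not in the rule file."""
    rules = parse_rule_sids(rules_text)
    hits = Counter()
    sources = {}
    for ev in iter_alerts(eve_lines):
        sid = ev['alert']['signature_id']
        hits[sid] += 1
        sources.setdefault(sid, set()).add(ev.get('src_ip'))
    return {
        'hits': {sid: hits[sid] for sid in sorted(hits)},
        'unique_sources': {sid: len(s) for sid, s in sources.items()},
        'silent': sorted(sid for sid in rules if sid not in hits),   # in file, never fired
        'unknown': sorted(sid for sid in hits if sid not in rules),  # fired, not in file
    }


def coverage_report_from_files(rules_path, eve_path):
    """Same report read from disk, e.g. the hack.rules and /var/log/suricata/eve.json paths above."""
    with open(rules_path, encoding='utf-8') as rf, open(eve_path, encoding='utf-8') as ef:
        return coverage_report(rf.read(), ef)


if __name__ == '__main__':
    report = coverage_report(RULES_TEXT, EVE_LINES)
    for sid, count in report['hits'].items():
        print(f"sid {sid}: {count} alert(s) from {report['unique_sources'][sid]} source(s)")
    print('silent rules:', report['silent'])
    print('sids not in rule file:', report['unknown'])
```

Run it against the real files with `coverage_report_from_files('/root/suricata_vulnTest/rules/hack.rules', '/var/log/suricata/eve.json')` after a `suricata -r data.pcap` pass; a rule listed under "silent" means the pcap never exercised it (or the rule is wrong), and an "unknown" sid means another rule file is also loaded, which is worth knowing before trusting the dashboard counts.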


0x04 References

Suricata+ELK (Dockerized deployment) data display

  • Title: Suricata Rule Testing Environment
  • Author: Coco413
  • Link: https://www.coco413.com/archives/66/
  • Copyright: This is an original article and represents only the author's personal views. It is licensed under CC BY-NC-SA 4.0 (Attribution-NonCommercial-ShareAlike 4.0 International); please credit the source when reposting.