Intrusion monitoring with Suricata (a simple example: visiting Baidu)
2017-08-09 21:24
[b]Previous blog post[/b]
Building Suricata (a high-performance network IDS, IPS and network security monitoring engine) on CentOS 6.5 (illustrated walkthrough) (recommended by the blogger)
[b]1. Write a rule of your own; the syntax follows Snort rules (Suricata is fully compatible with Snort rules)[/b]
Using the Baidu website as the example:
[root@suricata rules]# cat test.rules
![](https://oscdn.geek-share.com/Uploads/Images/Content/201708/934bae171e2328defafca9776641a5b4.png)
[root@suricata rules]# pwd
/etc/suricata/rules
[root@suricata rules]# ls
app-layer-events.rules  emerging-activex.rules          emerging-icmp.rules           emerging-scada.rules         emerging-web_server.rules         smtp-events.rules
botcc.portgrouped.rules emerging-attack_response.rules  emerging-imap.rules           emerging-scan.rules          emerging-web_specific_apps.rules  stream-events.rules
botcc.rules             emerging-chat.rules             emerging-inappropriate.rules  emerging-shellcode.rules     emerging-worm.rules               suricata-1.2-prior-open.yaml
BSD-License.txt         emerging.conf                   emerging-info.rules           emerging-smtp.rules          gen-msg.map                       suricata-1.3-enhanced-open.txt
ciarmy.rules            emerging-current_events.rules   emerging-malware.rules        emerging-snmp.rules          gpl-2.0.txt                       suricata-1.3-etpro-etnamed.yaml
classification.config   emerging-deleted.rules          emerging-misc.rules           emerging-sql.rules           http-events.rules                 suricata-1.3-open.yaml
compromised-ips.txt     emerging-dns.rules              emerging-mobile_malware.rules emerging-telnet.rules        LICENSE                           tor.rules
compromised.rules       emerging-dos.rules              emerging-netbios.rules        emerging-tftp.rules          modbus-events.rules               unicode.map
decoder-events.rules    emerging-exploit.rules          emerging-p2p.rules            emerging-trojan.rules        rbn-malvertisers.rules
dns-events.rules        emerging-ftp.rules              emerging-policy.rules         emerging-user_agents.rules   rbn.rules
drop.rules              emerging-games.rules            emerging-pop3.rules           emerging-voip.rules          reference.config
dshield.rules           emerging-icmp_info.rules        emerging-rpc.rules            emerging-web_client.rules    sid-msg.map
[root@suricata rules]# vim test-baidu.rules
![](https://oscdn.geek-share.com/Uploads/Images/Content/201708/ab38822e43001cfdea82f2dd70cc97e4.png)
[root@suricata rules]# cat test-baidu.rules
alert http any any -> any any (msg:"hit baidu.com...";content:"baidu"; reference:url, www.baidu.com;)
Name the file test.rules and store it in the directory /etc/suricata/rules (directly inside that rules directory). This custom rule file (here I have renamed it to local.rules) also has to be added to the Suricata configuration file before it takes effect.
![](https://oscdn.geek-share.com/Uploads/Images/Content/201708/1dd7f99c2204743dd5db37ba11beedb3.png)
[b]2. Start Suricata[/b]
![](https://oscdn.geek-share.com/Uploads/Images/Content/201708/d82d976b932d0aff989335b685d5121d.png)
[root@suricata ~]# sudo /usr/local/bin/suricata -c /etc/suricata/suricata.yaml -i eth0 -s /etc/suricata/rules/test.rules
[b]3. Open the Firefox browser in the virtual machine and visit www.baidu.com[/b]
![](https://oscdn.geek-share.com/Uploads/Images/Content/201708/dd532db72327cd95f6fb98d9cc821159.png)
![](https://oscdn.geek-share.com/Uploads/Images/Content/201708/2a6e2451c2a2d5ee17abbc1bd6ee56b7.png)
Now look at the log files under /var/log/suricata:
[root@suricata ~]# cd /var/log/suricata
[root@suricata suricata]# pwd
/var/log/suricata
[root@suricata suricata]# ls
certs  eve.json  fast.log  files  stats.log  suricata.log
[root@suricata suricata]#
fast.log shows the number of matching packets (one line per alert):
![](https://oscdn.geek-share.com/Uploads/Images/Content/201708/38f8ac52969681cf074d0662cae4d78c.png)
[root@suricata suricata]# cat fast.log
08/09/2017-21:15:51.526950 [**] [1:2240002:1] SURICATA DNS malformed request data [**] [Classification: (null)] [Priority: 3] {UDP} 192.168.80.2:53 -> 192.168.80.86:52492
08/09/2017-21:16:00.603193 [**] [1:2240002:1] SURICATA DNS malformed request data [**] [Classification: (null)] [Priority: 3] {UDP} 192.168.80.2:53 -> 192.168.80.86:44808
08/09/2017-21:16:00.641131 [**] [1:2240002:1] SURICATA DNS malformed request data [**] [Classification: (null)] [Priority: 3] {UDP} 192.168.80.2:53 -> 192.168.80.86:37705
08/09/2017-21:16:00.860060 [**] [1:2240002:1] SURICATA DNS malformed request data [**] [Classification: (null)] [Priority: 3] {UDP} 192.168.80.2:53 -> 192.168.80.86:36831
08/09/2017-21:16:56.624866 [**] [1:2240002:1] SURICATA DNS malformed request data [**] [Classification: (null)] [Priority: 3] {UDP} 192.168.80.2:53 -> 192.168.80.86:52630
08/09/2017-21:17:00.111989 [**] [1:2240002:1] SURICATA DNS malformed request data [**] [Classification: (null)] [Priority: 3] {UDP} 192.168.80.2:53 -> 192.168.80.86:44013
192.168.80.2 is the gateway of my 192.168.80.86 (the Suricata host).
![](https://oscdn.geek-share.com/Uploads/Images/Content/201708/1deb6e542899febe55a9a55d038d6af6.png)
[root@suricata suricata]# ls
certs  eve.json  fast.log  files  stats.log  suricata.log
[root@suricata suricata]# cat suricata.log
9/8/2017 -- 21:13:33 - <Notice> - This is Suricata version 3.1 RELEASE
9/8/2017 -- 21:13:42 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /etc/suricata/rules/tls-events.rules
9/8/2017 -- 21:13:42 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /etc/suricata/rules/test.rules
9/8/2017 -- 21:13:42 - <Error> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rules loaded from /etc/suricata/rules/test.rules
9/8/2017 -- 21:13:49 - <Notice> - all 1 packet processing threads, 4 management threads initialized, engine started.
9/8/2017 -- 21:19:41 - <Notice> - Signal Received. Stopping engine.
9/8/2017 -- 21:19:41 - <Notice> - Stats for 'eth0': pkts: 11525, drop: 0 (0.00%), invalid chksum: 0
[root@suricata suricata]# pwd
/var/log/suricata
[root@suricata suricata]#
The alert log file it produces is fast.log.
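As an added example (not code from the original post), the following Python script parses the rule and the two log files shown above and answers the two questions a practitioner asks first after a run like this: did the custom rule load, and did it fire? Read that way, the suricata.log above reports "No rules loaded from /etc/suricata/rules/test.rules" because the rule was saved as test-baidu.rules while Suricata was started with -s .../test.rules, so the custom signature never loaded, and every fast.log line comes from the built-in DNS signature with sid 2240002, not from the baidu rule. The script also flags that the rule as written carries no sid or rev option, so even once loaded its alerts could not be told apart in fast.log by their [gid:sid:rev]. The sample lines are copied from the post; the sid 1000001 in the corrected rule is a constructed local value, and the regexes and function names are this example's own.

```python
"""Checks around the Suricata workflow in the post (added example, not the post's code)."""
import re
from collections import Counter

# The rule exactly as the post shows it in test-baidu.rules (copied from the post).
PAGE_RULE = ('alert http any any -> any any (msg:"hit baidu.com...";'
             'content:"baidu"; reference:url, www.baidu.com;)')

# Same rule with a local sid/rev added; 1000001 is a constructed value
# (local rules conventionally use sids from 1000000 upwards).
FIXED_RULE = PAGE_RULE[:-1] + " sid:1000001; rev:1;)"

# Three fast.log lines copied from the post; all come from the built-in
# DNS decoder signature [1:2240002:1], none from the baidu rule.
SAMPLE_FAST_LOG = """\
08/09/2017-21:15:51.526950 [**] [1:2240002:1] SURICATA DNS malformed request data [**] [Classification: (null)] [Priority: 3] {UDP} 192.168.80.2:53 -> 192.168.80.86:52492
08/09/2017-21:16:00.603193 [**] [1:2240002:1] SURICATA DNS malformed request data [**] [Classification: (null)] [Priority: 3] {UDP} 192.168.80.2:53 -> 192.168.80.86:44808
08/09/2017-21:16:00.641131 [**] [1:2240002:1] SURICATA DNS malformed request data [**] [Classification: (null)] [Priority: 3] {UDP} 192.168.80.2:53 -> 192.168.80.86:37705
"""

# Two suricata.log lines copied from the post: the rule file was not found.
SAMPLE_SURICATA_LOG = """\
9/8/2017 -- 21:13:42 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /etc/suricata/rules/test.rules
9/8/2017 -- 21:13:42 - <Error> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rules loaded from /etc/suricata/rules/test.rules
"""

# Rule header: action proto src sport direction dst dport (options)
RULE_RE = re.compile(
    r"^\s*(?P<action>alert|drop|pass|reject)\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)

# One fast.log alert line, in the layout the post shows.
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)


def parse_rule(line):
    """Split a rule into header fields and an options dict, or None if it does not parse."""
    m = RULE_RE.match(line)
    if m is None:
        return None
    rule = m.groupdict()
    options = {}
    # Options are "key:value;" pairs. Splitting on ";" is enough for the
    # post's rule; a content with an escaped "\;" would need a real tokenizer.
    for opt in rule.pop("opts").split(";"):
        opt = opt.strip()
        if not opt:
            continue
        key, _, value = opt.partition(":")
        options[key.strip()] = value.strip().strip('"')
    rule["options"] = options
    return rule


def lint_rule(line):
    """Return a list of problems; msg, sid and rev are what an analyst expects in every rule."""
    rule = parse_rule(line)
    if rule is None:
        return ["does not parse as a Suricata rule"]
    return [f"missing {key}" for key in ("msg", "sid", "rev") if key not in rule["options"]]


def parse_fast_log(text):
    """Parse fast.log text into a list of alert dicts (unparseable lines are skipped)."""
    alerts = []
    for line in text.splitlines():
        m = FAST_RE.match(line.strip())
        if m:
            alerts.append(m.groupdict())
    return alerts


def alerts_by_sid(alerts):
    """Count alerts per signature id, so a run can be summarised at a glance."""
    return Counter(a["sid"] for a in alerts)


def rule_fired(alerts, sid):
    """True if at least one alert in fast.log came from the given sid."""
    return any(a["sid"] == str(sid) for a in alerts)


def rule_load_errors(suricata_log):
    """Return the rule files suricata.log says nothing was loaded from."""
    return re.findall(r"No rules loaded from (\S+)", suricata_log)


if __name__ == "__main__":
    print("rule problems:", lint_rule(PAGE_RULE))
    print("rule files not loaded:", rule_load_errors(SAMPLE_SURICATA_LOG))
    alerts = parse_fast_log(SAMPLE_FAST_LOG)
    print("alerts per sid:", dict(alerts_by_sid(alerts)))
    print("baidu rule fired:", rule_fired(alerts, 1000001))
```

Run against the post's own output, the script reports that test.rules was never loaded and that no alert carries the custom rule's sid; the fix is to start Suricata with the file name that actually exists (test-baidu.rules) or to rename the file, and to give the rule a sid and rev so its hits can be found in fast.log.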