HMXT之家 > 鸿蒙开发Linux教程 > 正文

在Debian 11/Debian 10系统上安装和配置Suricata

2023-03-26 10:28作者:鸿蒙系统之家来源:HMXT之家

本文介绍在Debian 11/Debian 10系统上安装、配置和使用Suricata IDS/IPS工具的方法。

在Debian 11/Debian 10系统上安装和配置Suricata

在Debian 11/10上安装Suricata IDS/IPS工具

有多种方法可以在Debian 11/10系统上安装Suricata IDS/IPS工具,以下将做一一介绍。

选项1:从APT在Debian 11/10上安装Suricata IDS/IPS工具

Suricata在默认的Debian 11/10存储库中可用,但此安装的主要问题是可用版本较旧。检查Debian 11/10上可用的Suricata存储库以及存储库中可用的版本:

$ sudo apt-cache show suricata

Package: suricata

Version: 1:6.0.1-3

Installed-Size: 6466

Maintainer: Pierre Chifflier <pollux@debian.org>

Architecture: amd64

Replaces: libhtp1 (<< 0.5.16), suricata-hyperscan (<< 3.2)

Depends: python3 (>= 3.2), python3-simplejson, python3:any, libbpf0 (>= 5.2.6), libc6 (>= 2.29), libcap-ng0 (>= 0.7.9), libevent-2.1-7 (>= 2.1.8-stable), libevent-pthreads-2.1-7 (>= 2.1.8-stable), libgcc-s1 (>= 4.2), libhiredis0.14 (>= 0.14.1), libhtp2 (>= 1:0.5.36-1~), libhyperscan5 (>= 5.4.0), libjansson4 (>= 2.2), libluajit-5.1-2 (>= 2.0.4+dfsg), liblz4-1 (>= 0.0~r127), libmagic1 (>= 5.12), libmaxminddb0 (>= 1.0.2), libnet1 (>= 1.1.5), libnetfilter-log1 (>= 0.0.13), libnetfilter-queue1 (>= 1.0.2), libnfnetlink0, libnspr4 (>= 2:4.9-2~), libnss3 (>= 2:3.13.4-2~), libpcap0.8 (>= 1.0.0), libpcre3, libyaml-0-2, zlib1g (>= 1:1.1.4), lsb-base (>= 3.0-6)

Pre-Depends: dpkg (>= 1.15.7.2), init-system-helpers (>= 1.54~)

Recommends: snort-rules-default, suricata-update

Suggests: libtcmalloc-minimal4

如果您选择此方法,请使用以下命令在Debian 11/10上安装Suricata IDS/IPS工具:

sudo apt install suricata

依赖关系树:

Reading package lists... Done

Building dependency tree... Done

Reading state information... Done

The following additional packages will be installed:

  libevent-core-2.1-7 libevent-pthreads-2.1-7 libhiredis0.14 libhtp2

  libhyperscan5 libluajit-5.1-2 libluajit-5.1-common libnet1 libnetfilter-log1

  libnetfilter-queue1 oinkmaster python3-simplejson python3-yaml

  snort-rules-default suricata-update

Suggested packages:

  snort | snort-pgsql | snort-mysql libtcmalloc-minimal4

The following NEW packages will be installed:

  libevent-core-2.1-7 libevent-pthreads-2.1-7 libhiredis0.14 libhtp2

  libhyperscan5 libluajit-5.1-2 libluajit-5.1-common libnet1 libnetfilter-log1

  libnetfilter-queue1 oinkmaster python3-simplejson python3-yaml

  snort-rules-default suricata suricata-update

0 upgraded, 16 newly installed, 0 to remove and 19 not upgraded.

Need to get 5,836 kB of archives.

After this operation, 28.1 MB of additional disk space will be used.

Do you want to continue? [Y/n] Y

选项2:从源代码在Debian 11/10上安装Suricata IDS/IPS工具

请首先更新您的APT包索引:

sudo apt update

然后继续安装所需的软件包,以便从源代码安装Suricata IDS/IPS工具:

sudo apt-get install libpcre3 libpcre3-dbg libpcre3-dev build-essential libpcap-dev   \

 libnet1-dev libyaml-0-2 libyaml-dev pkg-config zlib1g zlib1g-dev \

 libcap-ng-dev libcap-ng0 make libmagic-dev         \

 libnss3-dev libgeoip-dev liblua5.1-dev libhiredis-dev libevent-dev \

 python-yaml rustc cargo

对于IPtables集成,请安装以下软件包:

sudo apt-get install libnetfilter-queue-dev libnetfilter-queue1  \

 libnetfilter-log-dev libnetfilter-log1      \

 libnfnetlink-dev libnfnetlink0

下一步是安装用于更新Suricata规则的Suricata更新工具。此工具将使用PIP进行安装:

sudo apt-get install python3-pip

安装PIP后,继续使用以下命令在Debian 11/10上安装Suricata更新:

sudo pip3 install --upgrade suricata-update

样本输出:

Collecting suricata-update

  Downloading https://files.pythonhosted.org/packages/81/eb/051dcb8184831723d6d7d5e4b5f2f2d9b987430a00019cd0a1a5785bd430/suricata-update-1.2.2.tar.gz (69kB)

    100% || 71kB 388kB/s 

Collecting pyyaml (from suricata-update)

  Downloading https://files.pythonhosted.org/packages/eb/5f/6e6fe6904e1a9c67bc2ca5629a69e7a5a0b17f079da838bab98a1e548b25/PyYAML-6.0-cp37-cp37m-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl (596kB)

    100% || 604kB 993kB/s 

Building wheels for collected packages: suricata-update

  Running setup.py bdist_wheel for suricata-update ... done

  Stored in directory: /home/debian/.cache/pip/wheels/a1/d5/49/206350d2b2aeafb3e35a826f3baa8609bed844b3ef53d0e370

Successfully built suricata-update

Installing collected packages: pyyaml, suricata-update

Successfully installed pyyaml-6.0 suricata-update-1.2.2

查找Suricata更新的安装位置:

$ whereis suricata-update

suricata-update: /usr/local/bin/suricata-update

为Suricata更新工具创建一个符号链接:

sudo ln -s /usr/local/bin/suricata-update /usr/bin/suricata-update

现在进入官方Suricata下载页面,地址在https://suricata.io/,下载Suricata。或者,按如下方式提取.tar文件。以下以6.0.10版本为例:

wget https://www.openinfosecfoundation.org/download/suricata-6.0.10.tar.gz

现在提取文件:

tar xzf suricata-6.0.10.tar.gz

现在编译并安装Suricata,如下所示:

cd suricata-6.0.10

sudo ./configure --sysconfdir=/etc --localstatedir=/var --prefix=/usr/ --enable-lua --enable-nfqueue --enable-suricata-update --enable-rules

sudo make

sudo make install-full

在Debian 11/10上使用Suricata规则

默认情况下,Suricata被构建为使用某些称为签名的规则。这些签名用于通过匹配线程检测入侵。这些规则位于/usr/share/suricata/rules目录中:

ls /usr/share/suricata/rules

我的系统上的可用规则,如下:

app-layer-events.rules  http-events.rules      smb-events.rules

decoder-events.rules    ipsec-events.rules     smtp-events.rules

dhcp-events.rules       kerberos-events.rules  stream-events.rules

dnp3-events.rules       modbus-events.rules    tls-events.rules

dns-events.rules        nfs-events.rules

files.rules             ntp-events.rules

紧急威胁规则存储在/var/lib/suricata/rules/suricata.rules中,可以使用以下命令安装或更新:

$ sudo suricata-update

<Info> -- Using data-directory /var/lib/suricata.

<Info> -- Using Suricata configuration /etc/suricata/suricata.yaml

<Info> -- Using /usr/share/suricata/rules for Suricata provided rules.

<Info> -- Found Suricata version 6.0.10 at /usr/bin/suricata.

<Info> -- Loading /etc/suricata/suricata.yaml

<Info> -- Disabling rules for protocol http2

<Info> -- Disabling rules for protocol modbus

<Info> -- Disabling rules for protocol dnp3

<Info> -- Disabling rules for protocol enip

<Info> -- No sources configured, will use Emerging Threats Open

<Info> -- Last download less than 15 minutes ago. Not downloading https://rules.emergingthreats.net/open/suricata-6.0.10/emerging.rules.tar.gz

<Info> -- Loading distribution rule file /usr/share/suricata/rules/app-layer-events.rules

<Info> -- Loading distribution rule file /usr/share/suricata/rules/decoder-events.rules

<Info> -- Loading distribution rule file /usr/share/suricata/rules/dhcp-events.rules

<Info> -- Loading distribution rule file /usr/share/suricata/rules/dnp3-events.rules

<Info> -- Loading distribution rule file /usr/share/suricata/rules/dns-events.rules

<Info> -- Loading distribution rule file /usr/share/suricata/rules/files.rules

<Info> -- Loading distribution rule file /usr/share/suricata/rules/http-events.rules

在Debian 11/10上配置Suricata IDS/IPS工具

既然Suricata已成功安装在Debian 11/10系统上,那就让我们编辑/etc/suricata/suricata.yaml中的YAML文件,以保护内部网络免受攻击:

sudo vim /etc/suricata/suricata.yaml

在该文件中,我们需要编辑HOME_NET,其中包括运行Suricata的系统的IP地址。

导航到vars部分并进行编辑,如下所示:

vars:

  # more specific is better for alert accuracy and performance

  address-groups:

    #HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"

    HOME_NET: "[192.168.100.48]"

    #HOME_NET: "[192.168.0.0/16]"

    #HOME_NET: "[10.0.0.0/8]"

    #HOME_NET: "[172.16.0.0/12]"

    #HOME_NET: "any"

    EXTERNAL_NET: "!$HOME_NET"

    #EXTERNAL_NET: "any"

...

# Linux high speed capture support

af-packet:

  - interface: enp0s3

请记住,您需要将192.168.100.124替换为内部网络IP地址,将enp0s3替换为网络接口。

在Debian 11/10上使用和测试Suricata IDS/IPS工具

1、在Debian 11/10上使用Suricata IDS/IPS工具

如果我们通过从源代码构建来安装Suricata服务,我们首先需要找到一种方法来管理它。下面将创建Suricata系统服务。

Suricata的主要配置文件位于/etc/suricata/suricata.yaml。要创建systemd Suricata服务,您需要了解您的网络接口:

$ ifconfig

我的网络接口是enp0s3,所以我将创建一个如下所示的文件:

$ sudo vim /etc/systemd/system/suricata.service

[Unit]

Description=Suricata Intrusion Detection Service

After=syslog.target network-online.target

[Service]

ExecStartPre=/bin/rm -f /var/run/suricata.pid

ExecStart=/usr/bin/suricata -c /etc/suricata/suricata.yaml -i enp0s3 --pidfile /var/run/suricata.pid $OPTIONS

ExecReload=/bin/kill -USR2 $MAINPID

[Install]

WantedBy=multi-user.target

重新加载守护程序:

sudo systemctl daemon-reload

启动并启用Suricata服务:

sudo systemctl start suricata

检查服务的状态:

$ systemctl status suricata

suricata.service - Suricata Intrusion Detection Service

Loaded: loaded (/etc/systemd/system/suricata.service; disabled; vendor preset: enabled)

Active: active (running) 

Suricata也可以通过如下指定接口来运行:

suricata -D -c /etc/suricata/suricata.yaml -i enp0s3

您可以使用以下方法查看Suricata上的统计日志:

sudo tail -f /var/log/suricata/stats.log

使用以下方法检查EVE.jso输出中的写入日志:

sudo tail -f /var/log/suricata/eve.json

检查Suricata中的警报日志,使用:

sudo tail -f /var/log/suricata/fast.log

2、在Debian 11/10上测试Suricata IDS/IPS工具

在本文中,我们将尝试对Debian 11/10系统进行DDoS攻击。如果您已经创建了自定义规则,则可以使用以下方法检查语法:

sudo suricata -c /etc/suricata/suricata.yaml -T -v

然后在另一个系统上,执行DDoS攻击,但确保安装了hping3软件包:

##在CentOS 8/RHEL 8/Rocky Linux 8上

sudo dnf install hping3

###在Debian/Ubuntu上

sudo apt install hping3

然后对您的Debian 11/10系统进行攻击:

sudo hping3 -S -p 22 --flood --rand-source 192.168.100.124

在安装了Suricata的Debian 11/10系统上运行此检查警报:

sudo tail -f /var/log/suricata/fast.log

这里从返回的信息中就能知道Suricata IDS/IPS使用默认的紧急威胁规则运行良好。

至此,测试Suricata IDS/IPS工具通过。

栏目相关文章

热门推荐

热门阅读

关于我们 联系我们 版权声明 站内导航

© hmxthome.com HMXT之家 版权所有