Installing and configuring Suricata on Debian 11/Debian 10
This article describes how to install, configure and use the Suricata IDS/IPS tool on a Debian 11/Debian 10 system.
Installing the Suricata IDS/IPS tool on Debian 11/10
There are several ways to install the Suricata IDS/IPS tool on Debian 11/10; each is covered in turn below.
Option 1: Install the Suricata IDS/IPS tool on Debian 11/10 from APT
Suricata is available in the default Debian 11/10 repositories, but the main drawback of this method is that the packaged version is older. Check the Suricata package available in the Debian 11/10 repositories and the version it provides:
$ sudo apt-cache show suricata
Package: suricata
Version: 1:6.0.1-3
Installed-Size: 6466
Maintainer: Pierre Chifflier <pollux@debian.org>
Architecture: amd64
Replaces: libhtp1 (<< 0.5.16), suricata-hyperscan (<< 3.2)
Depends: python3 (>= 3.2), python3-simplejson, python3:any, libbpf0 (>= 5.2.6), libc6 (>= 2.29), libcap-ng0 (>= 0.7.9), libevent-2.1-7 (>= 2.1.8-stable), libevent-pthreads-2.1-7 (>= 2.1.8-stable), libgcc-s1 (>= 4.2), libhiredis0.14 (>= 0.14.1), libhtp2 (>= 1:0.5.36-1~), libhyperscan5 (>= 5.4.0), libjansson4 (>= 2.2), libluajit-5.1-2 (>= 2.0.4+dfsg), liblz4-1 (>= 0.0~r127), libmagic1 (>= 5.12), libmaxminddb0 (>= 1.0.2), libnet1 (>= 1.1.5), libnetfilter-log1 (>= 0.0.13), libnetfilter-queue1 (>= 1.0.2), libnfnetlink0, libnspr4 (>= 2:4.9-2~), libnss3 (>= 2:3.13.4-2~), libpcap0.8 (>= 1.0.0), libpcre3, libyaml-0-2, zlib1g (>= 1:1.1.4), lsb-base (>= 3.0-6)
Pre-Depends: dpkg (>= 1.15.7.2), init-system-helpers (>= 1.54~)
Recommends: snort-rules-default, suricata-update
Suggests: libtcmalloc-minimal4
If you choose this method, install the Suricata IDS/IPS tool on Debian 11/10 with the following command:
sudo apt install suricata
Dependency tree:
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following additional packages will be installed:
libevent-core-2.1-7 libevent-pthreads-2.1-7 libhiredis0.14 libhtp2
libhyperscan5 libluajit-5.1-2 libluajit-5.1-common libnet1 libnetfilter-log1
libnetfilter-queue1 oinkmaster python3-simplejson python3-yaml
snort-rules-default suricata-update
Suggested packages:
snort | snort-pgsql | snort-mysql libtcmalloc-minimal4
The following NEW packages will be installed:
libevent-core-2.1-7 libevent-pthreads-2.1-7 libhiredis0.14 libhtp2
libhyperscan5 libluajit-5.1-2 libluajit-5.1-common libnet1 libnetfilter-log1
libnetfilter-queue1 oinkmaster python3-simplejson python3-yaml
snort-rules-default suricata suricata-update
0 upgraded, 16 newly installed, 0 to remove and 19 not upgraded.
Need to get 5,836 kB of archives.
After this operation, 28.1 MB of additional disk space will be used.
Do you want to continue? [Y/n] Y
Option 2: Install the Suricata IDS/IPS tool on Debian 11/10 from source
First update your APT package index:
sudo apt update
Then install the packages required to build the Suricata IDS/IPS tool from source (python3-yaml is used here, since the Python 2 python-yaml package is no longer available on Debian 11):
sudo apt-get install libpcre3 libpcre3-dbg libpcre3-dev build-essential libpcap-dev \
libnet1-dev libyaml-0-2 libyaml-dev pkg-config zlib1g zlib1g-dev \
libcap-ng-dev libcap-ng0 make libmagic-dev \
libnss3-dev libgeoip-dev liblua5.1-dev libhiredis-dev libevent-dev \
python3-yaml rustc cargo
For iptables integration, install the following packages:
sudo apt-get install libnetfilter-queue-dev libnetfilter-queue1 \
libnetfilter-log-dev libnetfilter-log1 \
libnfnetlink-dev libnfnetlink0
The next step is to install suricata-update, the tool used to update Suricata rules. It is installed with pip:
sudo apt-get install python3-pip
Once pip is installed, install suricata-update on Debian 11/10 with the following command:
sudo pip3 install --upgrade suricata-update
Sample output:
Collecting suricata-update
Downloading https://files.pythonhosted.org/packages/81/eb/051dcb8184831723d6d7d5e4b5f2f2d9b987430a00019cd0a1a5785bd430/suricata-update-1.2.2.tar.gz (69kB)
100% || 71kB 388kB/s
Collecting pyyaml (from suricata-update)
Downloading https://files.pythonhosted.org/packages/eb/5f/6e6fe6904e1a9c67bc2ca5629a69e7a5a0b17f079da838bab98a1e548b25/PyYAML-6.0-cp37-cp37m-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl (596kB)
100% || 604kB 993kB/s
Building wheels for collected packages: suricata-update
Running setup.py bdist_wheel for suricata-update ... done
Stored in directory: /home/debian/.cache/pip/wheels/a1/d5/49/206350d2b2aeafb3e35a826f3baa8609bed844b3ef53d0e370
Successfully built suricata-update
Installing collected packages: pyyaml, suricata-update
Successfully installed pyyaml-6.0 suricata-update-1.2.2
Find where suricata-update was installed:
$ whereis suricata-update
suricata-update: /usr/local/bin/suricata-update
Create a symbolic link for the suricata-update tool:
sudo ln -s /usr/local/bin/suricata-update /usr/bin/suricata-update
Now go to the official Suricata download page at https://suricata.io/ and download Suricata, or fetch the tarball directly as shown below. Version 6.0.10 is used as the example:
wget https://www.openinfosecfoundation.org/download/suricata-6.0.10.tar.gz
Now extract the archive:
tar xzf suricata-6.0.10.tar.gz
Now compile and install Suricata as follows:
cd suricata-6.0.10
sudo ./configure --sysconfdir=/etc --localstatedir=/var --prefix=/usr/ --enable-lua --enable-nfqueue --enable-suricata-update --enable-rules
sudo make
sudo make install-full
Using Suricata rules on Debian 11/10
By default, Suricata is built to use a set of rules called signatures. These signatures detect intrusions by matching network traffic against them. The rules live in the /usr/share/suricata/rules directory:
ls /usr/share/suricata/rules
The rules available on my system are as follows:
app-layer-events.rules http-events.rules smb-events.rules
decoder-events.rules ipsec-events.rules smtp-events.rules
dhcp-events.rules kerberos-events.rules stream-events.rules
dnp3-events.rules modbus-events.rules tls-events.rules
dns-events.rules nfs-events.rules
files.rules ntp-events.rules
The Emerging Threats rules are stored in /var/lib/suricata/rules/suricata.rules and can be installed or updated with the following command:
$ sudo suricata-update
<Info> -- Using data-directory /var/lib/suricata.
<Info> -- Using Suricata configuration /etc/suricata/suricata.yaml
<Info> -- Using /usr/share/suricata/rules for Suricata provided rules.
<Info> -- Found Suricata version 6.0.10 at /usr/bin/suricata.
<Info> -- Loading /etc/suricata/suricata.yaml
<Info> -- Disabling rules for protocol http2
<Info> -- Disabling rules for protocol modbus
<Info> -- Disabling rules for protocol dnp3
<Info> -- Disabling rules for protocol enip
<Info> -- No sources configured, will use Emerging Threats Open
<Info> -- Last download less than 15 minutes ago. Not downloading https://rules.emergingthreats.net/open/suricata-6.0.10/emerging.rules.tar.gz
<Info> -- Loading distribution rule file /usr/share/suricata/rules/app-layer-events.rules
<Info> -- Loading distribution rule file /usr/share/suricata/rules/decoder-events.rules
<Info> -- Loading distribution rule file /usr/share/suricata/rules/dhcp-events.rules
<Info> -- Loading distribution rule file /usr/share/suricata/rules/dnp3-events.rules
<Info> -- Loading distribution rule file /usr/share/suricata/rules/dns-events.rules
<Info> -- Loading distribution rule file /usr/share/suricata/rules/files.rules
<Info> -- Loading distribution rule file /usr/share/suricata/rules/http-events.rules
Configuring the Suricata IDS/IPS tool on Debian 11/10
Now that Suricata is installed on the Debian 11/10 system, edit the YAML configuration file /etc/suricata/suricata.yaml to protect the internal network from attacks:
sudo vim /etc/suricata/suricata.yaml
In this file we need to edit HOME_NET, which holds the IP address of the system running Suricata.
Navigate to the vars section and edit it as shown below:
vars:
  # more specific is better for alert accuracy and performance
  address-groups:
    #HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
    HOME_NET: "[192.168.100.48]"
    #HOME_NET: "[192.168.0.0/16]"
    #HOME_NET: "[10.0.0.0/8]"
    #HOME_NET: "[172.16.0.0/12]"
    #HOME_NET: "any"
    EXTERNAL_NET: "!$HOME_NET"
    #EXTERNAL_NET: "any"
...
# Linux high speed capture support
af-packet:
  - interface: enp0s3
Remember to replace 192.168.100.124 with your internal network IP address and enp0s3 with your network interface.
Using and testing the Suricata IDS/IPS tool on Debian 11/10
1. Using the Suricata IDS/IPS tool on Debian 11/10
If we installed Suricata by building it from source, we first need a way to manage the service. Below we create a Suricata systemd service.
Suricata's main configuration file is /etc/suricata/suricata.yaml. To create the systemd service you need to know your network interface:
$ ifconfig
My network interface is enp0s3, so I create a file like the following:
$ sudo vim /etc/systemd/system/suricata.service
[Unit]
Description=Suricata Intrusion Detection Service
After=syslog.target network-online.target
[Service]
ExecStartPre=/bin/rm -f /var/run/suricata.pid
ExecStart=/usr/bin/suricata -c /etc/suricata/suricata.yaml -i enp0s3 --pidfile /var/run/suricata.pid $OPTIONS
ExecReload=/bin/kill -USR2 $MAINPID
[Install]
WantedBy=multi-user.target
Reload the systemd daemon:
sudo systemctl daemon-reload
Start and enable the Suricata service:
sudo systemctl start suricata
Check the service status:
$ systemctl status suricata
suricata.service - Suricata Intrusion Detection Service
Loaded: loaded (/etc/systemd/system/suricata.service; disabled; vendor preset: enabled)
Active: active (running)
Suricata can also be run directly by specifying the interface:
suricata -D -c /etc/suricata/suricata.yaml -i enp0s3
You can view Suricata's statistics log with:
sudo tail -f /var/log/suricata/stats.log
Check the records written to the EVE JSON output (eve.json) with:
sudo tail -f /var/log/suricata/eve.json
Check Suricata's alert log with:
sudo tail -f /var/log/suricata/fast.log
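As an added example that is not part of the original article, the following Python script reads eve.json lines like those tailed above and summarizes alerts by signature and source address, skipping non-alert records and the half-written last line that tail -f often shows. The sample records, signature ids, signature names and addresses are constructed for the example.

```python
import json
from collections import Counter

# Constructed sample eve.json lines (not a real capture); signature ids and names
# are placeholders. The last line is cut off, as a half-written record looks under tail -f.
SAMPLE_EVE_LINES = [
    '{"event_type":"alert","src_ip":"203.0.113.7","dest_ip":"192.168.100.48","dest_port":22,'
    '"alert":{"signature_id":9000001,"signature":"EXAMPLE SYN flood to SSH","severity":2}}',
    '{"event_type":"alert","src_ip":"198.51.100.9","dest_ip":"192.168.100.48","dest_port":22,'
    '"alert":{"signature_id":9000001,"signature":"EXAMPLE SYN flood to SSH","severity":2}}',
    '{"event_type":"flow","src_ip":"192.168.100.48","dest_ip":"192.168.100.1","proto":"UDP"}',
    '{"event_type":"alert","src_ip":"203.0.113.7","dest_ip":"192.168.100.48","dest_port":80,'
    '"alert":{"signature_id":9000002,"signature":"EXAMPLE scanner user-agent","severity":3}}',
    '{"event_type":"al',
]


def parse_alerts(lines):
    """Yield alert records; skip other event types and partial (invalid JSON) lines."""
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # partially written line, not valid JSON yet
        if isinstance(rec, dict) and rec.get("event_type") == "alert":
            yield rec


def summarize_alerts(lines):
    """Count alerts per signature and per source IP; keep the worst severity seen."""
    by_sig, by_src, worst = Counter(), Counter(), {}
    for rec in parse_alerts(lines):
        sig, sev = rec["alert"]["signature"], rec["alert"]["severity"]
        by_sig[sig] += 1
        by_src[rec["src_ip"]] += 1
        worst[sig] = min(worst.get(sig, sev), sev)  # Suricata severity 1 is the highest
    return {"by_signature": dict(by_sig), "by_source": dict(by_src), "severity": worst}


def top_sources(lines, n=3):
    """Source IPs with the most alerts, most active first."""
    return Counter(summarize_alerts(lines)["by_source"]).most_common(n)


if __name__ == "__main__":
    # On a real host, pass open("/var/log/suricata/eve.json") instead of the sample.
    summary = summarize_alerts(SAMPLE_EVE_LINES)
    print(json.dumps(summary, indent=2))
    print("top sources:", top_sources(SAMPLE_EVE_LINES))
```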
2. Testing the Suricata IDS/IPS tool on Debian 11/10
In this article we will attempt a DDoS attack against the Debian 11/10 system. If you have created custom rules, you can check their syntax first with:
sudo suricata -c /etc/suricata/suricata.yaml -T -v
Then, on another system, launch the DDoS attack; make sure the hping3 package is installed:
# On CentOS 8/RHEL 8/Rocky Linux 8
sudo dnf install hping3
# On Debian/Ubuntu
sudo apt install hping3
Then attack your Debian 11/10 system:
sudo hping3 -S -p 22 --flood --rand-source 192.168.100.124
On the Debian 11/10 system where Suricata is installed, run the following to check the alerts:
sudo tail -f /var/log/suricata/fast.log
The returned output shows that Suricata IDS/IPS is working correctly with the default Emerging Threats rules.
This completes the test of the Suricata IDS/IPS tool.