Suricata is a free, open-source network analysis and threat detection engine developed by the OISF (Open Information Security Foundation). It can run as an intrusion detection system (IDS) or an intrusion prevention system (IPS), using rule sets and a signature language to detect and block threats. It is an alternative to Snort and gives you a security-focused view of what is actually happening on your network.
In this tutorial I will show you how to install Suricata on an Ubuntu 22.04 server, either by building it from source or by installing the OISF package.
Getting started
Before you begin, update the system packages to their latest versions. All commands in this tutorial are run as root:
apt update -y
apt upgrade -y
Once everything is up to date, install the build dependencies Suricata needs. The netfilter-queue packages on the second line are required for the --enable-nfqueue (IPS) mode configured below:
apt install libpcre3 libpcre3-dbg libpcre3-dev build-essential autoconf automake libtool libpcap-dev libnet1-dev libyaml-0-2 libyaml-dev zlib1g zlib1g-dev libcap-ng-dev libcap-ng0 make libmagic-dev libjansson-dev libjansson4 pkg-config libnspr4-dev libnss3-dev liblz4-dev rustc cargo python3-pip python3-distutils
apt install libnetfilter-queue-dev libnetfilter-queue1 libnfnetlink-dev libnfnetlink0
Once that is done, you can proceed to the next step.
Install Suricata from source
First, download the Suricata release tarball:
wget https://www.openinfosecfoundation.org/download/suricata-6.0.8.tar.gz
Once the download is complete, extract it:
tar xzf suricata-6.0.8.tar.gz
Next, change into the extracted directory and configure the build. --enable-nfqueue compiles in NFQUEUE support so the same binary can later run inline as an IPS; the path options place the binary in /usr/bin, the configuration in /etc/suricata and the logs in /var/log/suricata:
cd suricata-6.0.8
./configure --enable-nfqueue --prefix=/usr --sysconfdir=/etc --localstatedir=/var
The end of the configure output looks like this:
Host: x86_64-pc-linux-gnu
Compiler: gcc (exec name) / g++ (real)
GCC Protect enabled: no
GCC march native enabled: yes
GCC Profile enabled: no
Position Independent Executable enabled: no
CFLAGS -g -O2 -std=c11 -march=native -I${srcdir}/../rust/gen -I${srcdir}/../rust/dist
PCAP_CFLAGS -I/usr/include
SECCFLAGS
To build and install run 'make' and 'make install'.
You can run 'make install-conf' if you want to install initial configuration
files to /etc/suricata/. Running 'make install-full' will install configuration
and rules and provide you a ready-to-run suricata.
To install Suricata into /usr/bin/suricata, have the config in
/etc/suricata and use /var/log/suricata as log dir, use:
./configure --prefix=/usr/ --sysconfdir=/etc/ --localstatedir=/var/
Two lines in that summary deserve attention before you build. 'GCC Protect enabled: no' and 'Position Independent Executable enabled: no' mean the binary is compiled without the compiler and linker hardening (stack protector, RELRO and related flags, PIE) that Suricata's configure script can turn on with --enable-gccprotect and --enable-pie. 'GCC march native enabled: yes' (-march=native in CFLAGS) tunes the binary to the CPU of the build host, so it may not run on a different machine; use --disable-gccmarch-native if you build in one place and deploy in another. Adjust and re-run ./configure if needed, then build and install. 'make install-full' also installs the initial configuration into /etc/suricata and the Emerging Threats Open rule set:
make
make install-full
The installation ends with output like this:
You can now start suricata by running as root something like:
/usr/bin/suricata -c /etc/suricata/suricata.yaml -i eth0
If a library like libhtp.so is not found, you can run suricata with:
LD_LIBRARY_PATH=/usr/lib /usr/bin/suricata -c /etc/suricata/suricata.yaml -i eth0
The Emerging Threats Open rules are now installed. Rules can be
updated and managed with the suricata-update tool.
For more information please see:
https://suricata.readthedocs.io/en/latest/rule-management/index.html
make[1]: Leaving directory '/root/suricata-6.0.8'
Install Suricata from the Ubuntu repository
Alternatively, you can install Suricata as a package. The OISF maintains a PPA with current stable releases, which are newer than the version in Ubuntu's own universe repository. First, install the helper packages:
apt install gnupg2 software-properties-common curl wget git unzip -y
Next, add the Suricata stable PPA:
add-apt-repository ppa:oisf/suricata-stable --yes
Refresh the package index:
apt update
Then check which Suricata package apt would install and where it comes from:
apt-cache policy suricata
You will see output like the following:
suricata:
Installed: (none)
Candidate: 1:6.0.4-3
Version table:
1:6.0.4-3 500
500 http://us.archive.ubuntu.com/ubuntu jammy/universe amd64 Packages
Note that the output above lists only the jammy/universe candidate (1:6.0.4-3). Once the PPA has been added and the index refreshed, the candidate should come from the PPA source with a newer version; if it still shows only the universe package, the PPA was not added correctly. Finally, install Suricata together with jq, which is useful for reading the JSON event log (eve.json):
apt install suricata jq
You can now check the build information of the installed binary, including which capture methods and features were compiled in:
suricata --build-info
You should get output like the following:
This is Suricata version 6.0.8 RELEASE
Features: NFQ PCAP_SET_BUFF AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK PCRE_JIT HAVE_NSS HAVE_LIBJANSSON TLS TLS_C11 MAGIC RUST
SIMD support: SSE_3
Atomic intrinsics: 1 2 4 8 16 byte(s)
64-bits, Little-endian architecture
GCC version 11.2.0, C version 201112
compiled with _FORTIFY_SOURCE=2
L1 cache line size (CLS)=64
thread local storage method: _Thread_local
compiled with LibHTP v0.5.41, linked against LibHTP v0.5.41
Suricata Configuration:
AF_PACKET support: yes
eBPF support: no
XDP support: no
PF_RING support: no
NFQueue support: yes
NFLOG support: no
IPFW support: no
Netmap support: no
DAG enabled: no
Napatech enabled: no
WinDivert enabled: no
Unix socket enabled: yes
Detection enabled: yes
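Both summaries shown in this article, the end of the ./configure output in the source-build section and the --build-info output above, tell you things about the binary that matter before it goes into service: whether compiler hardening was enabled, whether -march=native tied it to the build host, and whether NFQ (needed for inline IPS), AF_PACKET (the IDS capture method used here) and LIBCAP_NG (needed to drop root privileges with --user) are compiled in. The script below is an added example written for this article, not part of Suricata or of the original tutorial; it encodes those checks so they can gate a build, and the sample files it writes are the two summaries quoted above, trimmed to the lines the checks read. The flags it recommends (--enable-gccprotect, --enable-pie, --disable-gccmarch-native) are options of Suricata's configure script.

```shell
#!/bin/sh
# Added example: sanity checks over the './configure' summary and the
# 'suricata --build-info' output quoted in this article. Not part of
# Suricata or the original tutorial. Assumes only POSIX sh, grep and sed.

# check_configure_summary FILE
# Return 1 if hardening options are reported off, printing the configure
# flag that enables each one. -march=native is a warning only: it is fine
# on the build host, but the binary may not run on a different CPU.
check_configure_summary() {
    rc=0
    if grep -q 'GCC Protect enabled: *no' "$1"; then
        echo "hardening: GCC Protect off -> add --enable-gccprotect"; rc=1
    fi
    if grep -q 'Position Independent Executable enabled: *no' "$1"; then
        echo "hardening: PIE off -> add --enable-pie"; rc=1
    fi
    if grep -q 'GCC march native enabled: *yes' "$1"; then
        echo "portability: -march=native on -> add --disable-gccmarch-native when deploying to other hosts"
    fi
    return $rc
}

# check_build_info FILE REQUIRED_FEATURE...
# Return 1 if any listed feature is missing from the 'Features:' line or
# the binary was not built with _FORTIFY_SOURCE=2. Typical requirements:
# NFQ for inline IPS (nfqueue), AF_PACKET for the IDS mode used in this
# article, LIBCAP_NG so Suricata can drop root privileges after start-up.
check_build_info() {
    info="$1"; shift
    rc=0
    features=" $(sed -n 's/^ *Features: *//p' "$info") "
    for f in "$@"; do
        case "$features" in
            *" $f "*) ;;
            *) echo "missing feature: $f"; rc=1 ;;
        esac
    done
    grep -q 'compiled with _FORTIFY_SOURCE=2' "$info" || { echo "missing _FORTIFY_SOURCE=2"; rc=1; }
    return $rc
}

# write_samples DIR: the summaries quoted earlier in this article (constructed
# sample input, trimmed to the relevant lines) so the script runs without a build tree.
write_samples() {
    cat > "$1/configure.txt" <<'EOF'
GCC Protect enabled: no
GCC march native enabled: yes
GCC Profile enabled: no
Position Independent Executable enabled: no
EOF
    cat > "$1/build-info.txt" <<'EOF'
This is Suricata version 6.0.8 RELEASE
Features: NFQ PCAP_SET_BUFF AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK PCRE_JIT HAVE_NSS HAVE_LIBJANSSON TLS TLS_C11 MAGIC RUST
compiled with _FORTIFY_SOURCE=2
EOF
}

# Demo: the article's configure summary fails the hardening check, while its
# build-info passes for an af-packet IDS that may later run as an nfqueue IPS.
tmp=$(mktemp -d)
write_samples "$tmp"
check_configure_summary "$tmp/configure.txt" || echo "configure summary: hardening gaps, re-run ./configure with the flags above"
check_build_info "$tmp/build-info.txt" NFQ AF_PACKET LIBCAP_NG && echo "build-info: required features present"
rm -rf "$tmp"
```

In a build pipeline, run check_configure_summary on the saved ./configure output and stop if it returns non-zero; run check_build_info on the installed binary's --build-info output with the feature list your deployment actually depends on.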
Configure Suricata
Next, edit the Suricata configuration file and define the network you are protecting and the interface to capture on:
nano /etc/suricata/suricata.yaml
Change the following lines. HOME_NET must be the address range you are protecting, and the af-packet interface must be the real name of the NIC Suricata should listen on. On Ubuntu 22.04 this is usually a predictable name such as ens3 or enp0s3 rather than eth0; check with ip link, because an interface that does not exist makes Suricata fail at start-up:
HOME_NET: "[10.0.2.0/24]"
EXTERNAL_NET: "!$HOME_NET"
af-packet:
  - interface: eth0
# - sip
sip:
  enabled: no
Save and close the file, then fetch the rule set with suricata-update. This downloads and merges the configured rule sources (Emerging Threats Open by default); it does not change suricata.yaml itself:
suricata-update
Next, test the configuration and the loaded rules without starting the engine:
suricata -T -c /etc/suricata/suricata.yaml -v
You will get output like this. The Hyperscan message only means this CPU lacks SSSE3, so the slower default pattern matcher is used:
18/10/2022 -- 13:45:14 - - fast output device (regular) initialized: fast.log
18/10/2022 -- 13:45:14 - - eve-log output device (regular) initialized: eve.json
18/10/2022 -- 13:45:14 - - stats output device (regular) initialized: stats.log
18/10/2022 -- 13:45:14 - - SSSE3 support not detected, disabling Hyperscan for SPM
18/10/2022 -- 13:45:16 - - 1 rule files processed. 28624 rules successfully loaded, 0 rules failed
18/10/2022 -- 13:45:16 - - Threshold config parsed: 0 rule(s) found
18/10/2022 -- 13:45:16 - - 28627 signatures processed. 1219 are IP-only rules, 5166 are inspecting packet payload, 22038 inspect application layer, 108 are decoder event only
18/10/2022 -- 13:45:19 - - Configuration provided was successfully loaded. Exiting.
18/10/2022 -- 13:45:19 - - cleaning up signature grouping structure... complete
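The edit above is easy to get wrong by hand: suricata.yaml carries several commented-out HOME_NET alternatives and several '- interface:' entries (af-packet, then pcap and the advanced capture sections), and only the first af-packet entry is the one the systemd unit uses. The script below is an added example written for this article, not part of Suricata or of the original tutorial. It rewrites the first uncommented HOME_NET and the first '- interface:' entry, which in the shipped 6.0 file belongs to af-packet (confirm with grep -n 'interface:' /etc/suricata/suricata.yaml before relying on that), keeps a backup, and then runs the same suricata -T test when the binary is installed. The minimal YAML it writes is a constructed stand-in for the real file; 10.0.2.0/24 is the network from this article and ens3 is an assumed interface name.

```shell
#!/bin/sh
# Added example: set HOME_NET and the af-packet capture interface in
# suricata.yaml without hand-editing, then validate the result.
# Not part of Suricata or the original tutorial. Assumes POSIX sh and awk;
# the 'suricata' binary is only needed for the validation step.

# configure_capture YAML NETWORK IFACE
# Keeps YAML.bak, then rewrites:
#   - the first uncommented HOME_NET: line (commented alternatives start
#     with '#', so the anchored pattern does not match them)
#   - the first '- interface:' entry, which in the shipped 6.0 file is the
#     af-packet device; later entries ('- interface: default', pcap:) are left alone
configure_capture() {
    yaml="$1"; net="$2"; iface="$3"
    cp -p "$yaml" "$yaml.bak"
    awk -v net="$net" -v iface="$iface" '
        /^[[:space:]]*HOME_NET:/ && !h    { sub(/HOME_NET:.*/, "HOME_NET: \"[" net "]\""); h = 1 }
        /^[[:space:]]*- interface:/ && !i { sub(/- interface:.*/, "- interface: " iface); i = 1 }
        { print }
    ' "$yaml.bak" > "$yaml"
}

# show_capture YAML: print "HOME_NET<TAB>IFACE" as Suricata will read them,
# so the change can be checked before the service is restarted.
show_capture() {
    awk '
        /^[[:space:]]*HOME_NET:/ && !h    { v = $0; sub(/.*HOME_NET:[[:space:]]*/, "", v); net = v; h = 1 }
        /^[[:space:]]*- interface:/ && !i { v = $0; sub(/.*- interface:[[:space:]]*/, "", v); dev = v; i = 1 }
        END { printf "%s\t%s\n", net, dev }
    ' "$1"
}

# validate_config YAML: the same test-run the article uses (suricata -T), which
# also loads the rules fetched by suricata-update; skipped if suricata is absent.
validate_config() {
    if command -v suricata >/dev/null 2>&1; then
        suricata -T -c "$1" -v
    else
        echo "suricata not installed here; skipping 'suricata -T'"
    fi
}

# write_sample_yaml FILE: a constructed, minimal stand-in for suricata.yaml with
# the same shape as the sections the functions touch (not the real shipped file).
write_sample_yaml() {
    cat > "$1" <<'EOF'
%YAML 1.1
---
vars:
  address-groups:
    HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
    #HOME_NET: "[192.168.0.0/16]"
    EXTERNAL_NET: "!$HOME_NET"

af-packet:
  - interface: eth0
    cluster-id: 99
  - interface: default

pcap:
  - interface: eth0
EOF
}

# Demo on the constructed file: the article's 10.0.2.0/24 network and an
# assumed predictable NIC name (ens3) of the kind Ubuntu 22.04 assigns.
tmp=$(mktemp -d)
write_sample_yaml "$tmp/suricata.yaml"
configure_capture "$tmp/suricata.yaml" 10.0.2.0/24 ens3
show_capture "$tmp/suricata.yaml"
validate_config "$tmp/suricata.yaml"
rm -rf "$tmp"
```

Against the real file you would call configure_capture /etc/suricata/suricata.yaml with your network and interface, inspect show_capture, run suricata-update, and only then validate_config and restart the service.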
Next, start the Suricata service and enable it at boot:
systemctl enable --now suricata
Check the service status:
systemctl status suricata
You should see output like this. The unit is generated from the packaged /etc/init.d/suricata script and runs the engine in af-packet IDS mode:
● suricata.service - LSB: Next Generation IDS/IPS
Loaded: loaded (/etc/init.d/suricata; generated)
Active: active (running) since Tue 2022-10-18 13:38:52 UTC; 6min ago
Docs: man:systemd-sysv-generator(8)
Process: 16504 ExecStart=/etc/init.d/suricata start (code=exited, status=0/SUCCESS)
Tasks: 7 (limit: 2242)
Memory: 40.0M
CPU: 4.073s
CGroup: /system.slice/suricata.service
└─16514 /usr/bin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid --af-packet -D -vvv
Oct 18 13:38:52 ubuntu2204 systemd[1]: Starting LSB: Next Generation IDS/IPS...
Oct 18 13:38:52 ubuntu2204 suricata[16504]: Starting suricata in IDS (af-packet) mode... done.
Oct 18 13:38:52 ubuntu2204 systemd[1]: Started LSB: Next Generation IDS/IPS.
You can also list the available run modes for each capture method:
suricata --list-runmodes
The output begins like this:
------------------------------------- Runmodes ------------------------------------------
| RunMode Type | Custom Mode | Description
|----------------------------------------------------------------------------------------
| PCAP_DEV | single | Single threaded pcap live mode
| ---------------------------------------------------------------------
| | autofp | Multi threaded pcap live mode. Packets from each flow are assigned to a single detect thread, unlike "pcap_live_auto" where packets from the same flow can be processed by any detect thread
| ---------------------------------------------------------------------
| | workers | Workers pcap live mode, each thread does all tasks from acquisition to logging
|----------------------------------------------------------------------------------------
| PCAP_FILE | single | Single threaded pcap file mode
| ---------------------------------------------------------------------
| | autofp | Multi threaded pcap file mode. Packets from each flow are assigned to a single detect thread, unlike "pcap-file-auto" where packets from the same flow can be processed by any detect thread
|----------------------------------------------------------------------------------------
| PFRING(DISABLED) | autofp | Multi threaded pfring mode. Packets from each flow are assigned to a single detect thread, unlike "pfring_auto" where packets from the same flow can be processed by any detect thread
| ---------------------------------------------------------------------
| | single | Single threaded pfring mode
| ---------------------------------------------------------------------
| | workers | Workers pfring mode, each thread does all tasks from acquisition to logging
|----------------------------------------------------------------------------------------
Verify Suricata
Before testing, disable packet offloading (GRO and LRO) on the capture interface. With offloading enabled the NIC merges segments before the kernel sees them, so Suricata receives reassembled super-packets instead of the frames on the wire and its stream tracking and rules can miss traffic. Install ethtool if it is not present:
ethtool -K eth0 gro off lro off
Next, stop the service and remove the stale PID file:
systemctl stop suricata
rm -rf /var/run/suricata.pid
Then run Suricata manually as a daemon on the capture interface:
suricata -D -c /etc/suricata/suricata.yaml -i eth0
Next, from a second machine that you control, use hping3 to send a SYN flood at the Suricata server as a simple denial-of-service test. Replace suricata-ip with the server's address; -I eth0 is the interface on the sending host. Only do this against your own lab systems, and note that --rand-source gives the packets spoofed source addresses:
hping3 -S -p 80 --flood --rand-source suricata-ip -I eth0 -c 50
Back on the Suricata server, follow the alert log:
tail -f /var/log/suricata/fast.log
You should see alerts like these:
11/1/2022-14:01:38.569298 [**] [1:2210008:2] SURICATA STREAM 3way handshake SYN resend different seq on SYN recv [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 157.32.37.21:59188 -> 209.23.10.188:80
11/1/2022-14:01:38.569304 [**] [1:2210004:2] SURICATA STREAM 3way handshake SYNACK resend with different ack [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 209.23.10.188:80 -> 157.32.37.21:59188
11/1/2022-14:01:38.569649 [**] [1:2210008:2] SURICATA STREAM 3way handshake SYN resend different seq on SYN recv [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 157.32.37.21:53343 -> 209.23.10.188:80
11/1/2022-14:01:38.569655 [**] [1:2210004:2] SURICATA STREAM 3way handshake SYNACK resend with different ack [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 209.23.10.188:80 -> 157.32.37.21:53343
11/1/2022-14:01:38.570762 [**] [1:2210008:2] SURICATA STREAM 3way handshake SYN resend different seq on SYN recv [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 157.32.37.21:62070 -> 209.23.10.188:80
11/1/2022-14:01:38.570770 [**] [1:2210004:2] SURICATA STREAM 3way handshake SYNACK resend with different ack [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 209.23.10.188:80 -> 157.32.37.21:62070
11/1/2022-14:01:38.571748 [**] [1:2210008:2] SURICATA STREAM 3way handshake SYN resend different seq on SYN recv [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 157.32.37.21:5001 -> 209.23.10.188:80
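The alerts above come from Suricata's built-in stream-events signatures (SIDs in the 2210000 range) reacting to the half-open handshakes a SYN flood leaves behind, not from Emerging Threats rules, and because hping3 was run with --rand-source the source addresses in such alerts cannot be trusted to identify the sender. During an event like this, what a responder wants from fast.log is a quick aggregate: which signatures fired how often, how many sources are involved, and whether alerts cluster against one destination within a second. The script below is an added example written for this article, not part of Suricata or of the original tutorial. It parses fast.log with POSIX awk and embeds the seven lines quoted above as a constructed sample; the parser assumes IPv4 addresses in host:port form as shown.

```shell
#!/bin/sh
# Added example: aggregate Suricata fast.log lines for quick triage.
# Not part of Suricata or the original tutorial. Assumes POSIX sh, awk, sort.
# fast.log layout parsed here (IPv4):
#   TIMESTAMP [**] [gid:sid:rev] MESSAGE [**] [Classification: ...] [Priority: N] {PROTO} SRC:PORT -> DST:PORT

# Shared awk parser: sets sid, msg, src, dst (host:port) and sec (timestamp to the second)
FASTLOG_PARSE='
function parse(line) {
    n = split(line, f, " ")
    split(f[3], id, ":"); sid = id[2]                 # f[3] is "[gid:sid:rev]"
    msg = line
    sub(/^.*\[[0-9]+:[0-9]+:[0-9]+\] /, "", msg)      # drop everything up to [gid:sid:rev]
    sub(/ \[\*\*\].*/, "", msg)                        # drop classification onwards
    for (k = 1; k <= n; k++) if (f[k] == "->") { src = f[k-1]; dst = f[k+1] }
    sec = f[1]; sub(/\..*/, "", sec)                   # strip microseconds
}'

# fast_log_by_sid FILE: "count<TAB>sid<TAB>message", most frequent first
fast_log_by_sid() {
    awk "$FASTLOG_PARSE"'
        { parse($0); c[sid "\t" msg]++ }
        END { for (k in c) printf "%d\t%s\n", c[k], k }
    ' "$1" | sort -rn
}

# fast_log_by_source FILE: "count<TAB>source-ip" (port stripped), most frequent first.
# With spoofed sources (hping3 --rand-source) this shows the spread, not the attacker.
fast_log_by_source() {
    awk "$FASTLOG_PARSE"'
        { parse($0); ip = src; sub(/:[0-9]+$/, "", ip); c[ip]++ }
        END { for (k in c) printf "%d\t%s\n", c[k], k }
    ' "$1" | sort -rn
}

# fast_log_dst_bursts FILE THRESHOLD: seconds in which at least THRESHOLD alerts
# targeted the same DST:PORT, as "count<TAB>second<TAB>dst:port". A flood shows
# up here even when every source address is different.
fast_log_dst_bursts() {
    awk -v thr="$2" "$FASTLOG_PARSE"'
        { parse($0); c[sec "\t" dst]++ }
        END { for (k in c) if (c[k] >= thr) printf "%d\t%s\n", c[k], k }
    ' "$1" | sort -rn
}

# write_sample FILE: the fast.log lines quoted in this article (constructed sample input)
write_sample() {
    cat > "$1" <<'EOF'
11/1/2022-14:01:38.569298 [**] [1:2210008:2] SURICATA STREAM 3way handshake SYN resend different seq on SYN recv [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 157.32.37.21:59188 -> 209.23.10.188:80
11/1/2022-14:01:38.569304 [**] [1:2210004:2] SURICATA STREAM 3way handshake SYNACK resend with different ack [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 209.23.10.188:80 -> 157.32.37.21:59188
11/1/2022-14:01:38.569649 [**] [1:2210008:2] SURICATA STREAM 3way handshake SYN resend different seq on SYN recv [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 157.32.37.21:53343 -> 209.23.10.188:80
11/1/2022-14:01:38.569655 [**] [1:2210004:2] SURICATA STREAM 3way handshake SYNACK resend with different ack [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 209.23.10.188:80 -> 157.32.37.21:53343
11/1/2022-14:01:38.570762 [**] [1:2210008:2] SURICATA STREAM 3way handshake SYN resend different seq on SYN recv [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 157.32.37.21:62070 -> 209.23.10.188:80
11/1/2022-14:01:38.570770 [**] [1:2210004:2] SURICATA STREAM 3way handshake SYNACK resend with different ack [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 209.23.10.188:80 -> 157.32.37.21:62070
11/1/2022-14:01:38.571748 [**] [1:2210008:2] SURICATA STREAM 3way handshake SYN resend different seq on SYN recv [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 157.32.37.21:5001 -> 209.23.10.188:80
EOF
}

# Demo on the quoted lines. On a live sensor, point the functions at
# /var/log/suricata/fast.log instead.
tmp=$(mktemp -d); write_sample "$tmp/fast.log"
echo "== alerts by signature =="; fast_log_by_sid "$tmp/fast.log"
echo "== alerts by source =="; fast_log_by_source "$tmp/fast.log"
echo "== destinations with >= 3 alerts in one second =="; fast_log_dst_bursts "$tmp/fast.log" 3
rm -rf "$tmp"
```

On the sample, the signature view shows SID 2210008 four times and SID 2210004 three times, and the burst view reports 209.23.10.188:80 as the destination hit four times within the second 14:01:38, which is the SYN-flood pattern regardless of what the source column says.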