Identifying threats in pcap files with multiple traffic detection engines

In many scenarios an analyst has a capture in hand and must decide, from the packets alone, whether they contain a threat and, if so, what kind of attack they represent.

Method 1 is to rely on experience. Common web attacks such as SQL injection and command execution are fairly easy to recognise by eye. Threats keep changing, however: the traffic characteristics of cryptomining, or the fingerprints of a specific tool, are hard to identify on first sight without in-depth research and comparison.

Method 2 is to import the capture into a network security vendor's appliance. These are commercial products that have to be paid for, and because they must balance false positives against alert volume across a wide and complicated range of deployment scenarios, some detections are inevitably missed (false negatives).

It therefore pays for security analysts to build a local traffic analysis toolchain and develop it incrementally into a tool shaped to their own needs. The security industry currently relies on three main engines for traffic threat discovery: Suricata, Snort and Zeek. Suricata and Snort are signature-based and lean toward known threats: known vulnerabilities, known web attack techniques, hacking tools, malware and so on. Zeek instead records key protocol behaviours into logs and is better suited to finding unknown threats through threat hunting.

Each of the three engines can be downloaded from its GitHub repository, installed on a Linux system, and fed the pcap for replay and verification. Running the same capture through three engines one after another is cumbersome, however. The open source project Dalton removes that step: a controller schedules jobs across Suricata, Snort and Zeek sensors and presents the results in a single interface.
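What Dalton automates can also be done by hand. The following script is added here as an illustration; it is not part of the original post, of Dalton or of any of the engines. It runs one pcap through whichever of the three engines are installed and keeps each engine's logs in its own directory. It assumes Suricata 6 command-line flags, Snort 2.9 flags (Snort 3 has a different CLI), Zeek's default of writing logs to the current directory, and that the caller supplies the paths to a Suricata rules file and a snort.conf.

```python
"""Replay one pcap through Suricata, Snort 2 and Zeek, each into its own log directory.

Added example; assumes Suricata 6.x, Snort 2.9.x and Zeek CLI conventions.
"""
import shutil
import subprocess
from pathlib import Path


def engine_commands(pcap, suricata_rules, snort_conf, outdir):
    """Build the offline-replay command line for each engine.

    Every path is made absolute because each engine is later run with its own
    output directory as the working directory (Zeek writes its logs to cwd).
    """
    pcap = Path(pcap).resolve()
    out = Path(outdir).resolve()
    return {
        # -r read pcap, -S load exactly this rules file (ignores rule-files in suricata.yaml),
        # -l log directory (eve.json, fast.log), -k none: keep packets with bad checksums
        "suricata": ["suricata", "-r", str(pcap), "-S", str(Path(suricata_rules).resolve()),
                     "-l", str(out / "suricata"), "-k", "none"],
        # Snort 2: -c config, -l log directory, -A fast: one-line alerts, -k none: no checksum checks
        "snort": ["snort", "-r", str(pcap), "-c", str(Path(snort_conf).resolve()),
                  "-l", str(out / "snort"), "-A", "fast", "-k", "none"],
        # Zeek: -C ignore checksums, 'local' loads the site policy; logs land in cwd
        "zeek": ["zeek", "-C", "-r", str(pcap), "local"],
    }


def replay(pcap, suricata_rules, snort_conf, outdir):
    """Run every installed engine; return {engine: exit status, or None if not installed}."""
    status = {}
    for name, argv in engine_commands(pcap, suricata_rules, snort_conf, outdir).items():
        if shutil.which(argv[0]) is None:
            status[name] = None
            continue
        workdir = Path(outdir).resolve() / name
        workdir.mkdir(parents=True, exist_ok=True)
        proc = subprocess.run(argv, cwd=workdir, capture_output=True, text=True)
        status[name] = proc.returncode
        if proc.returncode != 0:
            print(f"[{name}] exited {proc.returncode}: {proc.stderr.strip()[:300]}")
    return status


if __name__ == "__main__":
    import sys
    if len(sys.argv) != 5:
        sys.exit("usage: replay.py <pcap> <suricata.rules> <snort.conf> <outdir>")
    for engine, rc in replay(*sys.argv[1:]).items():
        label = "not installed" if rc is None else f"exit {rc}"
        print(f"{engine}: {label}")
```

After a run, `<outdir>/suricata/eve.json`, `<outdir>/snort/alert` and `<outdir>/zeek/*.log` hold the three engines' views of the same capture, which is the comparison Dalton shows in one page.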

Dalton is open source on GitHub. It is delivered as Docker containers, which makes it convenient to run; update Docker to the latest version first. Following the instructions in the Dalton README:

service docker start
./start-dalton.sh

The start script pulls several Docker containers: the Dalton controller, nginx and redis, plus the Suricata, Snort and Zeek sensor containers. After a successful start the container list looks like Figure 1.
[Figure 1: Dalton containers after start-up]

The snort, suricata and zeek containers are the traffic-side sensors, dalton_controller schedules jobs to those sensors, dalton_web is the web UI container and dalton_redis is the message queue store. The UI is exposed on port 80, so the web interface is reached directly at the host's IP address, as in Figure 2.
[Figure 2: Dalton web UI]
Select the engine version (normally the newest) and a ruleset, then submit the pcap for replay. Taking Suricata as an example (Figure 3):
[Figure 3: submitting a pcap to Suricata 6.0 in Dalton]
In Figure 3, Suricata 6.0 is selected, the ruleset is the one bundled with Suricata, and the output is Suricata's own EVE-format log. The decisive choice in this comparison is the ruleset. Suricata's bundled rules are few, so it is worth enriching them, and collecting rulesets that fit your own requirements is precisely the kind of accumulation a security analyst should invest in. The following are commonly used rulesets on GitHub:

https://github.com/klingerko/nids-rule-library
https://github.com/al0ne/suricata-rules
https://github.com/travisbgreen/hunting-rules
https://github.com/xNymia/Suricata-Signatures

Of these, nids-rule-library aggregates the richest collection (Figure 4).
[Figure 4: rulesets indexed by nids-rule-library]
Major security vendors also publish rulesets. Proofpoint provides the free ET Open rules and the paid ET Pro rules (about 5000 RMB per year), whose changes mostly track attacker techniques. Cisco Talos maintains a vulnerability-oriented ruleset for Snort (about 300 RMB per year, which is very cheap), whose updates lean toward rules for well-known vulnerabilities. In addition, open source intelligence feeds such as abuse.ch and other OSINT sources publish certificate, malicious IP and malicious domain intelligence packaged as rules. All of these are worth including in a personal analysis library. Place the regularly updated rulesets in the rulesets directory under the Dalton directory and they become selectable on the page, like the three rulesets shown in Figure 3.

Dalton presents the results of a run in several views (Figure 5):
[Figure 5: Dalton job results]
Normally the alert view is all you need. For more detail, and for threat hunting, look at the EVE JSON output (Figure 6).
[Figure 6: EVE JSON output in Dalton]
Besides alerts, EVE JSON also records protocol anomaly events and metadata for protocols such as SMB and DCERPC, which makes it possible to analyse the capture from the perspective of abnormal-behaviour discovery rather than signature matches alone.
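To make the difference between the alert view and the rest of EVE JSON concrete, the following script is added here as an example; it is not part of the original post, of Dalton or of Suricata. It runs over a few constructed eve.json lines written in Suricata's EVE format, counts alerts per signature, pulls out anomaly events and per-protocol metadata, and ends with one hunting query over the SMB records that needs no rule at all. The signature IDs, signature names, addresses and flow data in the sample are constructed for the example.

```python
"""Triage a Suricata eve.json: alerts, anomalies, protocol metadata and a rule-free SMB hunt.

Added example with constructed input lines in Suricata's EVE JSON format.
"""
import json
from collections import Counter, defaultdict

# Constructed sample of eve.json lines (one JSON object per line). The last line is
# deliberately truncated, as happens when Suricata is stopped while writing.
SAMPLE_EVE = r'''
{"timestamp":"2023-04-01T10:00:01.000000+0000","flow_id":1,"event_type":"alert","src_ip":"192.0.2.10","src_port":50001,"dest_ip":"198.51.100.5","dest_port":80,"proto":"TCP","app_proto":"http","alert":{"action":"allowed","gid":1,"signature_id":1000001,"rev":1,"signature":"LOCAL TEST SQL injection in URI","category":"Web Application Attack","severity":2}}
{"timestamp":"2023-04-01T10:00:02.000000+0000","flow_id":2,"event_type":"alert","src_ip":"192.0.2.10","src_port":50002,"dest_ip":"198.51.100.5","dest_port":80,"proto":"TCP","app_proto":"http","alert":{"action":"allowed","gid":1,"signature_id":1000001,"rev":1,"signature":"LOCAL TEST SQL injection in URI","category":"Web Application Attack","severity":2}}
{"timestamp":"2023-04-01T10:00:05.000000+0000","flow_id":3,"event_type":"alert","src_ip":"192.0.2.10","src_port":50003,"dest_ip":"198.51.100.20","dest_port":445,"proto":"TCP","app_proto":"smb","alert":{"action":"allowed","gid":1,"signature_id":1000002,"rev":1,"signature":"LOCAL TEST SMB named pipe access","category":"Potential Corporate Privacy Violation","severity":1}}
{"timestamp":"2023-04-01T10:00:05.100000+0000","flow_id":3,"event_type":"anomaly","src_ip":"192.0.2.10","src_port":50003,"dest_ip":"198.51.100.20","dest_port":445,"proto":"TCP","app_proto":"smb","anomaly":{"type":"applayer","event":"INVALID_VERSION","layer":"proto_parser"}}
{"timestamp":"2023-04-01T10:00:05.200000+0000","flow_id":3,"event_type":"smb","src_ip":"192.0.2.10","src_port":50003,"dest_ip":"198.51.100.20","dest_port":445,"proto":"TCP","smb":{"id":4,"dialect":"2.10","command":"SMB2_COMMAND_TREE_CONNECT","status":"STATUS_SUCCESS","share":"\\\\198.51.100.20\\IPC$","share_type":"PIPE","tree_id":1}}
{"timestamp":"2023-04-01T10:00:05.300000+0000","flow_id":3,"event_type":"dcerpc","src_ip":"192.0.2.10","src_port":50003,"dest_ip":"198.51.100.20","dest_port":445,"proto":"TCP","dcerpc":{"request":"BIND","response":"BINDACK","interfaces":[{"uuid":"12345778-1234-abcd-ef00-0123456789ab","version":"0.0","ack_result":0}]}}
{"timestamp":"2023-04-01T10:00:09.000000+0000","flow_id":3,"event_type":"flow","src_ip":"192.0.2.10","src_port":50003,"dest_ip":"198.51.100.20","dest_port":445,"proto":"TCP","flow":{"pkts_toserver":12,"pkts_toclient":10,"bytes_toserver":2100,"bytes_toclient":1800,"state":"closed"}}
{"timestamp":"2023-04-01T10:00:10.000000+0000","flow_id":4,"event_type":"alert","src_ip":"192.0.2.10"
'''.strip().splitlines()


def load_eve(lines):
    """Parse eve.json lines, skipping blank or truncated records instead of aborting."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def summarize_alerts(events):
    """Hit count per (sid, signature, severity): the 'alert' view most people stop at."""
    hits = Counter()
    for ev in events:
        if ev.get("event_type") == "alert":
            a = ev["alert"]
            hits[(a["signature_id"], a["signature"], a["severity"])] += 1
    return hits


def anomalies(events):
    """Protocol anomaly events: parser errors and oddities that are logged without any rule."""
    return [
        (ev.get("src_ip"), ev.get("dest_ip"), ev.get("app_proto"),
         ev["anomaly"]["type"], ev["anomaly"]["event"])
        for ev in events if ev.get("event_type") == "anomaly"
    ]


def protocol_metadata(events):
    """Per-protocol metadata records (smb, dcerpc, http, dns, ...), keyed by event_type."""
    by_proto = defaultdict(list)
    for ev in events:
        et = ev.get("event_type")
        if et in ("alert", "anomaly", "flow", "stats", None):
            continue
        by_proto[et].append(ev.get(et, {}))
    return dict(by_proto)


ADMIN_SHARES = {"IPC$", "ADMIN$", "C$"}


def smb_admin_share_connects(events):
    """Hunt over SMB metadata: tree connects to IPC$/ADMIN$/C$ often precede remote execution.

    This uses only the smb records, so it surfaces the behaviour even when no signature matched.
    """
    found = []
    for ev in events:
        if ev.get("event_type") != "smb":
            continue
        smb = ev["smb"]
        share = smb.get("share", "")
        if smb.get("command") == "SMB2_COMMAND_TREE_CONNECT" and share.rsplit("\\", 1)[-1].upper() in ADMIN_SHARES:
            found.append((ev["src_ip"], ev["dest_ip"], share))
    return found


if __name__ == "__main__":
    events = load_eve(SAMPLE_EVE)
    print(f"{len(events)} events parsed")
    for (sid, sig, sev), n in summarize_alerts(events).most_common():
        print(f"alert   sid={sid} sev={sev} x{n}  {sig}")
    for src, dst, proto, kind, name in anomalies(events):
        print(f"anomaly {src} -> {dst} [{proto}] {kind}/{name}")
    for proto, recs in protocol_metadata(events).items():
        print(f"meta    {proto}: {len(recs)} record(s)")
    for src, dst, share in smb_admin_share_connects(events):
        print(f"hunt    {src} -> {dst} tree connect to {share}")
```

Pointing `load_eve` at the lines of a real eve.json from a Dalton job works the same way; the point of the last function is that the IPC$ tree connect and the DCERPC bind are visible in the metadata whether or not any rule in the chosen ruleset fired on them.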

The above covers only the Suricata part of Dalton; Snort and Zeek are used the same way. Whichever inspection engine is used, the ruleset is what matters most. Since an individual analyst's setup has no real performance constraints and the traffic involved is simple, it is advisable to collect all the Snort, Suricata and Zeek rulesets available on GitHub and update them regularly, so that the local tool's detection capability is pushed as far as it will go. Later posts in my column will cover:

  • How to build a personal library of local detection rules from GitHub.
  • Correlating attack techniques from Dalton's analysis logs to build a security event detection tool that promotes rule alerts to security events.

This is an original article by the CSDN blogger "the youth in the village" and may not be reproduced without permission.

Source: blog.csdn.net/javajiawei/article/details/129969452