Previous post: [DPI] suricata-4.0.3 installation and deployment

At this point we have an environment in which suricata can run.

Next, let's look into what it can do. First, a look at the configuration file:

/suricata/etc/suricata/suricata.yaml

Read it alongside the comments in the default configuration file and the configuration reference: http://suricata.readthedocs.io/en/latest/configuration/suricata-yaml.html

That makes it much easier to follow.

A quick pass through the configuration is enough to get an idea of suricata's main features. The options are extensive and the engine is capable; the quickest way to get a first-hand feel for it is to enable the http-log output (the "- http-log:" entry under "outputs:" is disabled by default).

After restarting, a new log file appears: /suricata/var/log/suricata/http.log

Then try fetching a web page:

[root@suricata ~]# wget -q www.baidu.com
[root@suricata ~]#

The HTTP request is recorded in that log:

[root@suricata suricata]# cat /suricata/var/log/suricata/http.log
//-::02.035401 www.baidu.com[**]/[**]Wget/1.14 (linux-gnu)[**]192.168.7.8: -> 61.135.169.125:
//-::05.893547 www.baidu.com[**]/[**]Wget/1.14 (linux-gnu)[**]192.168.7.8: -> 61.135.169.121:
[root@suricata suricata]#
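As an added example (my own, not code from the original post or from the Suricata project): a shell/awk check for whether the http-log output used above is switched on in a suricata.yaml, plus a minimal toggle. SAMPLE_YAML is a constructed fragment in the shape of the 4.0 default outputs section, and http_log_state and enable_http_log are my own function names. It is a stanza-level text check, not a YAML parser, so after any edit let Suricata validate the real file with suricata -T -c suricata.yaml before restarting.

```shell
#!/bin/sh
# Added example (not from the original post or the Suricata project):
# check and toggle the http-log output stanza of a suricata.yaml.
# SAMPLE_YAML is a constructed fragment shaped like the 4.0 default
# "outputs:" section; the real file is /suricata/etc/suricata/suricata.yaml.
SAMPLE_YAML='outputs:
  - fast:
      enabled: yes
      filename: fast.log
      append: yes
  - http-log:
      enabled: no
      filename: http.log
      append: yes
      #extended: yes     # enable this for extended logging information
logging:
  default-log-level: notice
'

# http_log_state FILE: print the value of "enabled:" inside the
# "- http-log:" list item ("no" if the stanza is absent) and return 0
# only when it is "yes".
http_log_state() {
    state=$(awk '
        /^[[:space:]]*-[[:space:]]*http-log:/ { inside = 1; next }
        # the next list item or the next top-level key ends the stanza
        inside && (/^[[:space:]]*-[[:space:]]/ || /^[^[:space:]#]/) { inside = 0 }
        inside && /^[[:space:]]*enabled:/ {
            v = $2; gsub(/[[:space:]"]/, "", v); print v; exit
        }' "$1")
    echo "${state:-no}"
    [ "$state" = "yes" ]
}

# enable_http_log FILE: rewrite "enabled:" to "yes" inside the http-log
# stanza only, leaving every other output untouched.
enable_http_log() {
    tmp=$(mktemp)
    awk '
        /^[[:space:]]*-[[:space:]]*http-log:/ { inside = 1 }
        inside && !/http-log:/ && (/^[[:space:]]*-[[:space:]]/ || /^[^[:space:]#]/) { inside = 0 }
        inside && /^[[:space:]]*enabled:/ { sub(/enabled:.*/, "enabled: yes") }
        { print }' "$1" > "$tmp" && mv "$tmp" "$1"
}

# usage: write the constructed fragment to a scratch file and flip it
cfg=$(mktemp)
printf '%s' "$SAMPLE_YAML" > "$cfg"
http_log_state "$cfg" || echo "http-log is off in $cfg"
enable_http_log "$cfg"
http_log_state "$cfg" && echo "http-log is on in $cfg"
# for the real file, validate the edited config before restarting:
#   /suricata/usr/bin/suricata -T -c /suricata/etc/suricata/suricata.yaml
```

The stanza boundary is detected the same way the default file is laid out: the next "- name:" list item or the next unindented top-level key ends the http-log block, so an "enabled:" line belonging to eve-log or fast is never touched.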

For more advanced usage, work through the documentation, change settings and test them, and build up familiarity gradually.

Suricata also has a large number of run modes; they are covered in the documentation, so I won't repeat them here. The full list can be printed directly:

[root@suricata ~]# /suricata/usr/bin/suricata --list-runmodes
------------------------------------- Runmodes ------------------------------------------
| RunMode Type | Custom Mode | Description
|----------------------------------------------------------------------------------------
| PCAP_DEV | single | Single threaded pcap live mode
| ---------------------------------------------------------------------
| | autofp | Multi threaded pcap live mode. Packets from each flow are assigned to a single detect thread, unlike "pcap_live_auto" where packets from the same flow can be processed by any detect thread
| ---------------------------------------------------------------------
| | workers | Workers pcap live mode, each thread does all tasks from acquisition to logging
|----------------------------------------------------------------------------------------
| PCAP_FILE | single | Single threaded pcap file mode
| ---------------------------------------------------------------------
| | autofp | Multi threaded pcap file mode. Packets from each flow are assigned to a single detect thread, unlike "pcap-file-auto" where packets from the same flow can be processed by any detect thread
|----------------------------------------------------------------------------------------
| PFRING(DISABLED) | autofp | Multi threaded pfring mode. Packets from each flow are assigned to a single detect thread, unlike "pfring_auto" where packets from the same flow can be processed by any detect thread
| ---------------------------------------------------------------------
| | single | Single threaded pfring mode
| ---------------------------------------------------------------------
| | workers | Workers pfring mode, each thread does all tasks from acquisition to logging
|----------------------------------------------------------------------------------------
| NFQ | autofp | Multi threaded NFQ IPS mode with respect to flow
| ---------------------------------------------------------------------
| | workers | Multi queue NFQ IPS mode with one thread per queue
|----------------------------------------------------------------------------------------
| NFLOG | autofp | Multi threaded nflog mode
| ---------------------------------------------------------------------
| | single | Single threaded nflog mode
| ---------------------------------------------------------------------
| | workers | Workers nflog mode
|----------------------------------------------------------------------------------------
| IPFW | autofp | Multi threaded IPFW IPS mode with respect to flow
| ---------------------------------------------------------------------
| | workers | Multi queue IPFW IPS mode with one thread per queue
|----------------------------------------------------------------------------------------
| ERF_FILE | single | Single threaded ERF file mode
| ---------------------------------------------------------------------
| | autofp | Multi threaded ERF file mode. Packets from each flow are assigned to a single detect thread
|----------------------------------------------------------------------------------------
| ERF_DAG | autofp | Multi threaded DAG mode. Packets from each flow are assigned to a single detect thread, unlike "dag_auto" where packets from the same flow can be processed by any detect thread
| ---------------------------------------------------------------------
| | single | Singled threaded DAG mode
| ---------------------------------------------------------------------
| | workers | Workers DAG mode, each thread does all tasks from acquisition to logging
|----------------------------------------------------------------------------------------
| AF_PACKET_DEV | single | Single threaded af-packet mode
| ---------------------------------------------------------------------
| | workers | Workers af-packet mode, each thread does all tasks from acquisition to logging
| ---------------------------------------------------------------------
| | autofp | Multi socket AF_PACKET mode. Packets from each flow are assigned to a single detect thread.
|----------------------------------------------------------------------------------------
| NETMAP(DISABLED) | single | Single threaded netmap mode
| ---------------------------------------------------------------------
| | workers | Workers netmap mode, each thread does all tasks from acquisition to logging
| ---------------------------------------------------------------------
| | autofp | Multi threaded netmap mode. Packets from each flow are assigned to a single detect thread.
|----------------------------------------------------------------------------------------
[root@suricata ~]#

The Detection-engine section, which explains the rule engine, is worth reading carefully; it helps in understanding how rule groups are organized internally.

http://suricata.readthedocs.io/en/latest/configuration/suricata-yaml.html#detection-engine

Now a test with a custom rule.

Edit the configuration file and add a rule file, my.rules, under rule-files:

[root@suricata suricata]# grep -A  rule-files suricata.yaml
rule-files:
- my.rules
[root@suricata suricata]# cat rules/my.rules  
alert tcp any any -> any 80 (msg: "http test";)
[root@suricata suricata]#
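An added example (mine, not the post's own rules or the Suricata project's code): a rule file in the spirit of my.rules that gives each rule a sid and rev, next to a small lint pass for the two mistakes that bite most often, a rule without sid/rev and two rules sharing a sid. Suricata identifies an alert by gid:sid:rev, so a rule without them has no stable identifier. The rule text and the lint_rules function are constructed for this page; the sids starting at 1000001 are an arbitrary choice within the range conventionally used for local rules.

```shell
#!/bin/sh
# Added example (not from the original post or the Suricata project):
# a rule file with proper ids plus a lint pass over it. Rules are constructed
# for this page; sids in the 1000000+ range are the usual local-rule range.
RULES_OK='# constructed local rules
alert tcp any any -> any 80 (msg:"http test"; sid:1000001; rev:1;)
alert http any any -> any any (msg:"wget user-agent"; flow:established,to_server; content:"Wget/"; http_user_agent; classtype:policy-violation; sid:1000002; rev:1;)
'

# the one-liner from the post above, plus a sid reused twice
RULES_BAD='alert tcp any any -> any 80 (msg: "http test";)
alert tcp any any -> any 443 (msg:"dup sid"; sid:1000001; rev:1;)
alert tcp any any -> any 8080 (msg:"dup sid again"; sid:1000001; rev:1;)
'

# lint_rules FILE: print one line per problem (missing sid, missing rev,
# duplicate sid); return 0 only when the file is clean.
lint_rules() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comments and blank lines
        {
            if (match($0, /sid:[[:space:]]*[0-9]+/)) {
                sid = substr($0, RSTART + 4, RLENGTH - 4)
                gsub(/[[:space:]]/, "", sid)
                if (sid in seen) {
                    printf "line %d: duplicate sid %s (first at line %d)\n", NR, sid, seen[sid]; bad++
                } else {
                    seen[sid] = NR
                }
            } else {
                printf "line %d: missing sid\n", NR; bad++
            }
            if (!match($0, /rev:[[:space:]]*[0-9]+/)) {
                printf "line %d: missing rev\n", NR; bad++
            }
        }
        END { exit (bad > 0) }' "$1"
}

# usage
ok=$(mktemp); bad=$(mktemp)
printf '%s' "$RULES_OK" > "$ok"
printf '%s' "$RULES_BAD" > "$bad"
lint_rules "$ok" && echo "clean: $ok"
lint_rules "$bad" || echo "fix the problems above before loading $bad"
# then let Suricata itself parse the file, without restarting the daemon:
#   /suricata/usr/bin/suricata -T -c /suricata/etc/suricata/suricata.yaml -S "$ok"
```

The lint only catches id problems; syntax and keyword errors are Suricata's job, which is what the commented suricata -T -S line is for (-S loads that rule file exclusively, so the check is isolated from whatever else rule-files points at).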

After restarting suricata, make one HTTP request and you will see this rule fire in fast.log. Note that the rule above carries no sid or rev, so Suricata has no stable identifier for the alert; in practice every rule should get a unique sid and a rev, and newer Suricata releases reject a rule without a sid.

[root@suricata suricata]# tailf /suricata/var/log/suricata/fast.log
//-::48.265375 [**] [::] http test [**] [Classification: (null)] [Priority: ] {TCP} 192.168.7.8: -> 66.102.251.33:
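An added example (not the post's own code): the grep/awk route through fast.log, summarizing alerts per sid and per source host, which is the first thing worth knowing once rules start firing. The fast.log lines are constructed to match the layout of the hit shown above (timestamp, [gid:sid:rev], message, classification, priority, protocol, src:port -> dst:port); alerts_by_sid and alerts_by_src are my own function names.

```shell
#!/bin/sh
# Added example (not from the original post or the Suricata project):
# summarize fast.log with awk. SAMPLE_FAST is constructed to match the
# fast.log line layout: timestamp  [**] [gid:sid:rev] msg [**]
# [Classification: ...] [Priority: n] {proto} src:port -> dst:port
SAMPLE_FAST='03/15/2018-10:22:48.265375  [**] [1:1000001:1] http test [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.7.8:43210 -> 66.102.251.33:80
03/15/2018-10:22:49.101233  [**] [1:1000002:1] wget user-agent [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.168.7.8:43210 -> 66.102.251.33:80
03/15/2018-10:23:05.893547  [**] [1:1000001:1] http test [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.7.9:51822 -> 61.135.169.121:80
'

# alerts_by_sid FILE: one line per sid, "sid<TAB>count<TAB>msg", busiest first
alerts_by_sid() {
    awk '
        {
            n = split($0, f, / \[\*\*\] /)
            if (n < 3) next                       # not an alert line
            id = f[2]; sub(/\].*/, "", id); sub(/^\[/, "", id)
            split(id, g, ":")                     # g[1]=gid g[2]=sid g[3]=rev
            msg = f[2]; sub(/^\[[^]]*\] /, "", msg)
            count[g[2]]++; text[g[2]] = msg
        }
        END { for (s in count) printf "%s\t%d\t%s\n", s, count[s], text[s] }' "$1" \
    | sort -k2,2nr -k1,1n
}

# alerts_by_src FILE: "src_ip<TAB>count", busiest source first
alerts_by_src() {
    awk '
        NF > 2 && $(NF-1) == "->" {
            src = $(NF-2); sub(/:[0-9]+$/, "", src)
            c[src]++
        }
        END { for (s in c) printf "%s\t%d\n", s, c[s] }' "$1" \
    | sort -k2,2nr -k1,1
}

# usage on the constructed sample; on the live box point the functions at
# /suricata/var/log/suricata/fast.log instead
log=$(mktemp)
printf '%s' "$SAMPLE_FAST" > "$log"
alerts_by_sid "$log"
alerts_by_src "$log"
```

Splitting on the literal " [**] " separator rather than on whitespace is what keeps messages with spaces and classification names intact; the source and destination are always the last three whitespace fields, so those can be taken positionally.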

That completes the basic preparation; the next step is to read the source code.....

Aside: install splunk and take a look at using it to analyze suricata output.

Installation manual: http://docs.splunk.com/Documentation/SplunkLight/7.0.2/Installation/InstallonLinux

It is said to be simple, just three steps:

To follow these installation instructions, replace splunk_package_name.tgz with the name of the installer package you downloaded.

1. Move the .tgz file to the directory you want to install Splunk Light.

For example, to install it into /opt/splunk, use:

 mv splunk_package_name.tgz /opt/splunk

2. In the installation directory, use the tar command to expand the file: tar xvzf splunk_package_name.tgz

3. Start Splunk Light: splunk start --accept-license

Log in at: http://suricata:8000

Configuration is simple too, all through the GUI; set up a data input pointing at fast.log.

Then it looks like this:

What I want to say is: isn't this just a log analysis tool?

I prefer grep+sed+bash+awk  --!!!!
