CentOS 7 installs the IDS/IPS Security Monitoring tool (Snorby+Barnyard2+Suricata)

2025-03-26 Update. From: SLTechnology News&Howtos > Network Security


Shulou(Shulou.com)06/01 Report--

Deployment reference: http://blog.csdn.net/qq_29277155/article/details/53205582

Partial reference: https://linux.cn/article-6985-1.html

https://suricata-ids.org/download/

http://suricata.readthedocs.io/en/latest/index.html

http://www.cnblogs.com/piaolingzxh/p/4217480.html

Suricata is a high-performance network IDS, IPS and network security monitoring engine, developed by the Open Information Security Foundation (OISF) and its supporting vendors. The engine is multithreaded and has built-in IPv6 support. It can load existing Snort rules and signatures, and it supports the Barnyard and Barnyard2 tools.

IDS is the abbreviation of "Intrusion Detection System". Following a given security policy, it monitors the operation of the network and of its systems through software and hardware, and discovers as many intrusion attempts, intrusion behaviours and their results as possible, in order to ensure the confidentiality, integrity and availability of network system resources.

Barnyard: a well-known open-source IDS logging tool with fast response and excellent database-writing capability; it is an indispensable companion for Snort-style detection systems.

IPS (Intrusion Prevention System) is a computer network security facility that complements antivirus software and firewalls (packet filters, application gateways). An intrusion prevention system is a network security device that monitors the data transmission behaviour of a network or of network devices, and can immediately interrupt, adjust or isolate abnormal or harmful transmissions. It is the next generation of the intrusion detection system (IDS).

The difference between IDS and IPS: an IDS only detects an intrusion and raises an alarm, while an IPS both detects the intrusion and takes action against it.

I. Deploy the Suricata, Barnyard2 and Snorby server

1. MySQL installation

yum install -y mysql-community-server

Start MySQL:

systemctl start mysqld.service

Grant privileges, set the password and allow remote hosts to log in to MySQL (omitted).

2. Install the related dependencies

yum install epel-release

# mv /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.backup

# wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-6.repo

# yum clean all

# yum makecache

Install the dependency packages:

yum -y install ImageMagick gcc-c++ patch readline readline-devel zlib zlib-devel git-core libyaml-devel libffi-devel openssl-devel make libpcap-devel pcre-devel libyaml-devel file-devel jansson-devel nss-devel libcap-ng-devel libnet-devel tar libnetfilter_queue-devel lua-devel mysql-devel fontconfig-devel libX11-devel libXrender-devel libxml2-devel libxslt-devel qconf

cd /opt/

wget -O libhtp-0.5.20.tar.gz https://codeload.github.com/OISF/libhtp/tar.gz/0.5.20

tar zxvf libhtp-0.5.20.tar.gz && cd libhtp-0.5.20

./autogen.sh

./configure && make && make install

3. Install Ruby on Rails

curl -L get.rvm.io | bash -s stable

curl -sSL https://rvm.io/mpapis.asc | gpg2 --import -   # import the RVM signing key

source /etc/profile.d/rvm.sh

rvm install 2.0.0

rvm use 2.0.0 --default   # only needed when several Ruby versions are installed

ruby -v

gem install bundler   # install bundler

cd /opt/

git clone git://github.com/Snorby/snorby.git

cd /opt/snorby

Create the two files snorby_config.yml and database.yml:

cp config/snorby_config.yml.example config/snorby_config.yml

cp config/database.yml.example config/database.yml

For the edits to these files, see: https://linux.cn/article-6985-1.html

Edit the Gemfile and change gem 'rake', '0.9.2' to gem 'rake', '> 0.9.2'

sed -i '/dm-postgres-adapter/d' Gemfile

Set up iptables

/etc/init.d/iptables stop   # stop the firewall so that other hosts can reach http://ip:3000

iptables -I INPUT -p tcp --dport 3000 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

Initialize Rails

bundle install

cd /opt/snorby

rake snorby:setup

Start the Snorby service:

rails server -e production &

[1] 1519

[david-dai@dep006 snorby]$ syck has been removed, psych is used instead

=> Booting Thin

=> Rails 3.2.22 application starting in production on http://0.0.0.0:3000

=> Call with -d to detach

=> Ctrl-C to shutdown server

4. Install Suricata

yum install suricata

Edit the suricata.yaml file

touch /var/log/suricata/suricata.waldo

Modify the log format:

sed -i -e '/default-log-format/a\ default-log-format: "[%i] %t - (%f:%l) <%d> (%n) -- "' /etc/suricata/suricata.yaml

Turn on the syslog function: open /etc/suricata/suricata.yaml and find:

sed -i -e '/\/var\/log\/suricata\/suricata.log/,/Step 4max

Enable unified2 logging in suricata.yaml:

sed -i -e '/unified2-alert/,/unified2.alert/s/no/yes/g' /etc/suricata/suricata.yaml

Find # pid-file: /var/run/suricata.pid and remove the leading #

sed -i -e '/pid-file/a\ pid-file: /var/run/suricata.pid' /etc/suricata/suricata.yaml

Find rule-files and delete the emerging-icmp.rules and emerging-virus.rules entries below it. (unfinished)

Enable the threshold file: find # threshold-file: /etc/suricata/threshold.config

sed -i -e '/threshold-file/a\ threshold-file: /etc/suricata/threshold.config' /etc/suricata/suricata.yaml

Configuring Suricata IDS for the first time, reference: https://linux.cn/article-6985-1.html

vim /etc/suricata/suricata.yaml

(1) every interface: eth0 is changed to interface: em2, because I only have the em1 and em2 NICs. Here the em2 NIC, which carries the public-network IP, is monitored; the em1 NIC's traffic can be monitored in the same way.

(2) now it is time to configure Suricata. The configuration file is /etc/suricata/suricata.yaml; open it with a text editor.

Specify the location of the Suricata log files with the default-log-dir keyword.

default-log-dir: /var/log/suricata/

(3) below the vars section you will find several important Suricata variables. The HOME_NET variable specifies the network that Suricata inspects. The value !$HOME_NET assigned to the EXTERNAL_NET variable represents every network other than the local one. The XXX_PORTS variables identify the port numbers used by the different services. Note that Suricata detects HTTP traffic automatically, whatever port it runs on, so specifying the ports exactly is less important.

vars:
  address-groups:
    HOME_NET: "[221.228.208.0/24,172.22.66.0/24]"

(4) the host-os-policy section defends against well-known techniques (such as TCP reassembly tricks) that exploit the behaviour of an operating system's network stack to evade detection. As a countermeasure, a modern IDS provides "target-based" detection by tuning the detection engine's algorithms to the target operating system. So if you know which operating system a host is running, giving that information to Suricata greatly improves the detection rate. That is what host-os-policy is for. In this example the default policy is Linux: if no operating system is specified for an IP address, Suricata applies a Linux-based detection policy. In the following, Suricata applies a Windows-based detection policy when it captures communication between 192.168.122.0/28 and 192.168.122.155.

host-os-policy:
  windows: [0.0.0.0/0]
  bsd: []
  bsd-right: []
  old-linux: []
  linux: [0.0.0.0/0]
  old-solaris: []
  solaris: []
  hpux10: []
  hpux11: []
  irix: []
  macos: []
  vista: []
  windows2k3: []

Turn off the LRO/GRO features of the em interfaces as follows:

sudo ethtool -K em1 gro off lro off

sudo ethtool -K em2 gro off lro off

Suricata supports many running modes. The running mode determines which threading model the IDS uses. The following command lists all available running modes:

sudo /usr/local/bin/suricata --list-runmodes

The rules can be installed with make install-rules, or copied from another server into the /etc/suricata/rules directory:

root@deptest34:/home/david/suricata-2.0.8# make install-rules

install -d "/etc/suricata/rules"

/usr/bin/wget -qO - http://rules.emergingthreats.net/open/suricata-2.0/emerging.rules.tar.gz | tar -x -z -C "/etc/suricata/" -f -

You can now start suricata by running as root something like '/usr/local/bin/suricata -c /etc/suricata//suricata.yaml -i eth0'.

If a library like libhtp.so is not found, you can run suricata with:

'LD_LIBRARY_PATH=/usr/local/lib /usr/local/bin/suricata -c /etc/suricata//suricata.yaml -i eth0'.

While rules are installed now, it's highly recommended to use a rule manager for maintaining rules.

The two most common are Oinkmaster and Pulledpork. For a guide see:

https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Rule_Management_with_Oinkmaster

root@deptest34:/home/david/suricata-2.0.8# echo $?

0

Reload the rules:

suricatasc -c reload-rules

Start Suricata:

LD_LIBRARY_PATH=/usr/local/lib /usr/sbin/suricata -c /etc/suricata/suricata.yaml -i em2 -D &

tailf /var/log/suricata/stats.log

5. Install Barnyard2

cd /opt/

wget -O barnyard2-2-1.13.tar.gz https://codeload.github.com/firnsy/barnyard2/tar.gz/v2-1.13

tar xvfz barnyard2-2-1.13.tar.gz && cd barnyard2-2-1.13/

./autogen.sh

./configure --with-mysql-libraries=/usr/lib64/mysql/ --with-mysql=/usr/bin/mysql

make && make install

vim /etc/suricata/barnyard2.conf

Configure Barnyard2

# copy etc/barnyard2.conf from the Barnyard2 source tree into the Suricata configuration directory

cd /opt/barnyard2-2-1.13

cp ./etc/barnyard2.conf /etc/suricata/

# create the barnyard2 log directory /var/log/barnyard2

mkdir /var/log/barnyard2

Modify barnyard2.conf

Change the default Snort file paths to the Suricata ones:

sed -i 's_/etc/snort_/etc/suricata_g' /etc/suricata/barnyard2.conf

sed -i 's/gen-msg.map/\/rules\/gen-msg.map/g' /etc/suricata/barnyard2.conf

sed -i 's/sid-msg.map/\/rules\/sid-msg.map/g' /etc/suricata/barnyard2.conf

Add the database information to barnyard2.conf:

sed -i '$a output database: log, mysql, user=root password=1q2w3e4r dbname=snorby host=localhost' /etc/suricata/barnyard2.conf

# find "config hostname" and "config interface". em2 is the NIC attached to the mirror port; adjust it to your actual situation.

sed -i -e '/config hostname:.*thor/a\ config hostname: '"$(hostname)" /etc/suricata/barnyard2.conf

sed -i -e '/config interface:.*eth0/a\ config interface: em2' /etc/suricata/barnyard2.conf

sed -i -e '/config waldo_file/a\ config waldo_file: /var/log/suricata/suricata.waldo' /etc/suricata/barnyard2.conf

Start barnyard2:

sudo /usr/local/bin/barnyard2 -c /etc/suricata/barnyard2.conf -d /var/log/suricata -f unified2.alert -w /var/log/suricata/suricata.waldo -D &

So far the IDS/IPS monitoring for one server has been deployed, with both the monitoring client and the presentation server on the same host. What if other servers need to be monitored too?

One way is to mirror their traffic to this server over the network. Here, instead, the Suricata client is deployed on every server in a client/server (C/S) fashion.

II. Install the Suricata and Barnyard2 clients on the Ubuntu servers

Here Suricata is deployed on each server and its alerts are saved locally (tracked through the waldo file); Barnyard2 pushes all of the logs to the Snorby server, which displays them in one place.
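To make the hand-off between the two components concrete (Suricata appends unified2 records to /var/log/suricata, Barnyard2 reads them and remembers the last byte it processed in the waldo file), here is an added example that is not part of the original post nor code from Suricata or Barnyard2: it parses unified2 IDS-event records from a constructed sample and resumes from a saved offset, so a restart neither re-inserts nor skips alerts. The record layout follows the unified2 format; every sample value (SIDs, addresses, ports) is constructed.

```python
"""Minimal unified2 reader with a waldo-style bookmark (added example)."""
import socket
import struct

UNIFIED2_IDS_EVENT = 7             # record type of an IPv4 IDS event
RECORD_HDR = struct.Struct(">II")  # record header: type, length (big-endian)
# IDS event body, 52 bytes: sensor_id, event_id, event_second,
# event_microsecond, signature_id, generator_id, signature_revision,
# classification_id, priority_id, ip_source, ip_destination,
# sport_itype, dport_icode, protocol, impact_flag, impact, blocked
IDS_EVENT = struct.Struct(">11I2H4B")


def parse_ids_event(payload):
    """Decode one IDS-event body into the fields Barnyard2 writes to the DB."""
    f = IDS_EVENT.unpack_from(payload)
    return {
        "sensor_id": f[0], "event_id": f[1], "timestamp": f[2],
        "gid": f[5], "sid": f[4], "rev": f[6], "priority": f[8],
        "src": socket.inet_ntoa(struct.pack(">I", f[9])),
        "dst": socket.inet_ntoa(struct.pack(">I", f[10])),
        "sport": f[11], "dport": f[12], "proto": f[13],
    }


def read_unified2(data, offset=0):
    """Parse the complete records that start at `offset` (the waldo bookmark).

    Returns (events, new_offset). A partial trailing record is left alone:
    Suricata may still be writing it, so the bookmark stays before it and the
    next run picks it up, which is exactly why a restart never double-inserts.
    """
    events = []
    while offset + RECORD_HDR.size <= len(data):
        rtype, length = RECORD_HDR.unpack_from(data, offset)
        end = offset + RECORD_HDR.size + length
        if end > len(data):
            break                      # incomplete record: keep the bookmark here
        if rtype == UNIFIED2_IDS_EVENT and length >= IDS_EVENT.size:
            events.append(parse_ids_event(data[offset + RECORD_HDR.size:end]))
        offset = end                   # other record types (packet, extra data) are skipped
    return events, offset


def make_ids_event(sid, src, dst, sport, dport):
    """Build one constructed IDS-event record, as Suricata would emit for an alert."""
    body = IDS_EVENT.pack(1, 1, 1500000000, 0, sid, 1, 3, 29, 2,
                          struct.unpack(">I", socket.inet_aton(src))[0],
                          struct.unpack(">I", socket.inet_aton(dst))[0],
                          sport, dport, 6, 0, 0, 0)
    return RECORD_HDR.pack(UNIFIED2_IDS_EVENT, len(body)) + body


# Constructed sample spool: two alerts, as if read from unified2.alert.<ts>
SAMPLE = (make_ids_event(2100498, "10.0.0.5", "172.22.66.41", 44321, 22)
          + make_ids_event(2010935, "172.22.66.41", "10.0.0.9", 3000, 51000))

if __name__ == "__main__":
    first_run, bookmark = read_unified2(SAMPLE[:-10])   # second record still being written
    second_run, bookmark = read_unified2(SAMPLE, bookmark)
    print(first_run, second_run, bookmark)
```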

1. Install the dependency packages

apt-get install libpcre3 libpcre3-dbg libpcre3-dev libpcap* \
    build-essential autoconf automake libtool pkg-config \
    libpcap-dev libnet1-dev mysql-client libmysqlclient16 flex software-properties-common python-software-properties

2. Suricata can be installed from the PPA or compiled from source; Barnyard2 is compiled and installed.

sudo add-apt-repository ppa:oisf/suricata-stable

sudo apt-get update

sudo apt-get install suricata

wget http://www.tcpdump.org/release/libpcap-1.2.1.tar.gz

tar -zxvf libpcap-1.2.1.tar.gz

cd libpcap-1.2.1

apt-get install flex

./configure && make && make install

root@TS-DEP-CENTER01:/tmp/barnyard2-2-1.13# /sbin/ldconfig

cd /tmp/

wget https://www.openinfosecfoundation.org/download/suricata-3.2.4.tar.gz

tar -zxvf suricata-3.2.4.tar.gz

cd suricata-3.2.4

make clean

./configure --prefix=/usr/ --sysconfdir=/etc/ --localstatedir=/var/

make

make install

mkdir -p /var/log/barnyard2

mkdir -p /var/log/suricata

cd /tmp/

wget https://codeload.github.com/firnsy/barnyard2/tar.gz/v2-1.13

mv v2-1.13 barnyard2-2-1.13.tar.gz

tar -zxvf barnyard2-2-1.13.tar.gz

cd /tmp/barnyard2-2-1.13

./configure --with-mysql && make && make install

cp ./etc/barnyard2.conf /etc/suricata/

3. Modify the Barnyard2 and Suricata configuration files

I can copy the previous configuration; I sync it directly with salt.

See above (omitted).

Example barnyard2 configuration:

vim /etc/suricata/barnyard2.conf

root@TS-DEP-CENTER01:/opt# grep -v '^#' /etc/suricata/barnyard2.conf | grep -v '^$'

config reference_file: /etc/suricata/reference.config

config classification_file: /etc/suricata/classification.config

config gen_file: /etc/suricata//rules/gen-msg.map

config sid_file: /etc/suricata//rules/sid-msg.map

config hostname: TS-DEP-CENTER01-172.22.66.41

config interface: em2

input unified2

output alert_fast: stdout

output database: log, mysql, user=root password=1q2w3e4r dbname=snorby host=172.22.66.6

4. Start Suricata:

suricata -c /etc/suricata/suricata.yaml -i em1 -D &

5. Start barnyard2

sudo /usr/local/bin/barnyard2 -c /etc/suricata/barnyard2.conf -d /var/log/suricata -f unified2.alert -w /var/log/suricata/suricata.waldo -D &

The printed log tells you whether the database connection succeeded and which hostname and network card were reported.

Then check the sensor (host) information in the Snorby system:

Problem:

depshlt02 (ubuntu14.04)

The following packages have unmet dependencies:

 libpcre3-dbg : Depends: libpcrecpp0 (= 1:8.31-2ubuntu2.1) but 1:8.31-2ubuntu2.3 is to be installed

 libpcre3-dev : Depends: libpcrecpp0 (= 1:8.31-2ubuntu2.1) but 1:8.31-2ubuntu2.3 is to be installed

Solution:

vim /etc/apt/sources.list and add:

deb http://cn.archive.ubuntu.com/ubuntu/ trusty main universe multiverse restricted

deb http://cn.archive.ubuntu.com/ubuntu/ trusty-updates main universe multiverse restricted

Then run:

apt-get update

apt-get install libpcre3 libpcre3-dbg libpcre3-dev build-essential autoconf automake libtool libpcap-dev libnet1-dev mysql-client

Finally, the event statistics and sensor host information are visible in the Snorby system.

III. Batch installation on the servers with Salt:

1. Define two Salt node groups

One group contains the hosts with two IPs (one private-network and one public-network IP); the other contains the hosts with only one private-network IP.

root@TS-OP03:/home/david-dai# vim /etc/salt/master.d/group.conf

nodegroups:
  suricata_two_ip: 'S@172.22.66.8 or S@172.22.66.9 or S@172.22.66.10 or S@172.22.66.11 or S@172.22.66.12 or S@172.22.66.13 or S@172.22.66.22 or S@172.22.66.23
    or S@172.22.66.24 or S@172.22.66.29 or S@172.22.66.30 or S@172.22.66.41 or S@172.22.66.42 or S@172.22.66.43 or S@172.22.66.44 or S@172.22.66.45 or S@172.22.66.46 or S@172.22.66.47 or S@172.22.66.50'
  suricata_one_ip: 'S@172.22.66.21 or S@172.22.66.25 or S@172.22.66.26 or S@172.22.66.27 or S@172.22.66.28 or S@172.22.66.48 or S@172.22.66.49 or S@172.22.66.51
    or S@172.22.66.52 or S@172.22.66.53 or S@172.22.66.54 or S@172.22.66.55 or S@172.22.66.56 or S@172.22.66.57 or S@172.22.66.58'

2. In the first group (two IPs), em1 carries the private-network IP and em2 the public-network IP; on these dual-NIC hosts only the em2 traffic (the public IP) is monitored.

Install the dependency packages:

salt -N suricata_two_ip cmd.run "apt-get install -y bison flex libpcap*"

salt -N suricata_two_ip cmd.run 'apt-get install -y --force-yes libpcre3 libpcre3-dbg libpcre3-dev build-essential autoconf automake libtool pkg-config libpcap-dev libnet1-dev mysql-client libmysqlclient16 flex software-properties-common python-software-properties'

3. Synchronize the necessary configuration files (suricata.yaml and barnyard2.conf)

salt -N suricata_two_ip cmd.run 'sudo add-apt-repository ppa:oisf/suricata-stable'

salt -N suricata_two_ip cmd.run 'sudo apt-get update'

salt -N suricata_two_ip cmd.run 'sudo apt-get install -y suricata'

salt -N suricata_two_ip cmd.run 'dpkg -l | grep suricata'

root@TS-OP03:/home/david-dai# cp suricata.yaml /srv/salt/chinadep/

salt -N suricata_two_ip cp.get_file salt://chinadep/suricata.yaml /etc/suricata/suricata.yaml

root@TS-OP03:/home/david-dai# cp barnyard2.conf /srv/salt/chinadep/

root@TS-OP03:/home/david-dai# cp -pr barnyard2-2-1.13 /srv/salt/chinadep/

root@TS-OP03:/home/david-dai# ls -ld /srv/salt/chinadep/

salt -N suricata_two_ip cp.get_dir salt://chinadep/barnyard2-2-1.13 /tmp/

salt -N suricata_two_ip cp.get_file salt://chinadep/barnyard2.conf /etc/suricata/barnyard2.conf

4. Install Suricata and Barnyard2

root@TS-OP03:/home/david-dai# vim /srv/salt/chinadep/barnyard.sh

#!/bin/bash

# report this host's own name to Snorby
sed -i 's/^config hostname.*/config hostname: '$(hostname)'/g' /etc/suricata/barnyard2.conf

apt-get install -y --force-yes libmysqlclient libdbd-mysql-perl mysql-common mysql-client libmysql

apt-get install -y --force-yes bison flex libpcap

apt-get install -y --force-yes libpcre3 libpcre3-dbg libpcre3-dev build-essential autoconf automake libtool pkg-config libpcap-dev libnet1-dev mysql-client libmysqlclient16 flex software-properties-common python-software-properties

cd /tmp

tar -zxvf libpcap-1.2.1.tar.gz

cd /tmp/libpcap-1.2.1

./configure

make

make install

/sbin/ldconfig

# record the libpcap build result
echo $? > /tmp/barnyard_two_ip.txt

cd /tmp/barnyard2-2-1.13/

chmod +x autogen.sh

make clean

./autogen.sh

ln -s /usr/lib/x86_64-linux-gnu/libmysqlclient* /usr/include/mysql/

./configure --with-mysql-libraries=/usr/include/mysql --with-mysql=/usr/bin/mysql

make

make install

# append the barnyard2 build result
echo $? >> /tmp/barnyard_two_ip.txt

salt -N suricata_two_ip cp.get_file salt://chinadep/barnyard.sh /tmp/barnyard.sh

salt -N suricata_two_ip cmd.run 'chmod +x /tmp/barnyard.sh'

salt -N suricata_two_ip cmd.run 'sh -x /tmp/barnyard.sh'

5. Check the configuration

root@TS-OP03:/home/david-dai# salt -N suricata_two_ip cmd.run "grep ^'config hostname' /etc/suricata/barnyard2.conf"

CK749X1:
    config hostname: TS-DEP-CENTER05
8K649X1:
    config hostname: TS-DEP-CENTER06

A side note: if you are logged in to a single server and want to change the hostname with sed, run one of the following:

sed -i 's/^config hostname.*/config hostname: '`hostname`'/g' /etc/suricata/barnyard2.conf

sed -i 's/^config hostname.*/config hostname: '$(hostname)'/g' /etc/suricata/barnyard2.conf

6. Start Suricata and Barnyard2. You must log in to each server to perform the startup.

root@TS-OP03:/home/david-dai# vim /srv/salt/chinadep/barnyard_start.sh

# stop any running suricata
sudo ps aux | grep -v grep | grep suricata | awk -F' ' '{print $2}' | xargs kill

sleep 5

sudo mv /var/run/suricata.pid /tmp/

# start suricata
sudo nohup suricata -c /etc/suricata/suricata.yaml -i em2 -D &> nohup.out

sleep 5

# start barnyard2
sudo nohup /usr/local/bin/barnyard2 -c /etc/suricata/barnyard2.conf -d /var/log/suricata -f unified2.alert -w /var/log/suricata/suricata.waldo -D &> nohup.out

salt -N suricata_two_ip cp.get_file salt://chinadep/barnyard_start.sh /tmp/barnyard_start.sh

salt -N suricata_two_ip cmd.run 'chmod +x /tmp/barnyard_start.sh'

# salt -N suricata_two_ip cmd.run 'sh -x /tmp/barnyard_start.sh'

Running the script through salt failed; you must log in to the server and run: sh -x /tmp/barnyard_start.sh

Run manually:

suricata -c /etc/suricata/suricata.yaml -i em1 -D &

/usr/local/bin/barnyard2 -c /etc/suricata/barnyard2.conf -d /var/log/suricata -f unified2.alert -w /var/log/suricata/suricata.waldo -D &
