Suricata - Intrusion Detection and Prevention Tool


Suricata is a powerful, open-source threat detection engine that provides intrusion detection (IDS), intrusion prevention (IPS), and network security monitoring capabilities. It performs deep packet inspection combined with pattern matching, a combination that makes it very effective at threat detection.

At the time of writing this guide, the latest version of Suricata is 6.0.5.

  • IDS/IPS – Suricata is a rule-based intrusion detection and prevention engine that uses externally developed rulesets such as the Emerging Threats Suricata ruleset to monitor network traffic for malicious activity, policy violations, and threats.
  • Automatic protocol detection – The Suricata engine automatically detects protocols such as HTTP, HTTPS, FTP, and SMB on any port and applies the appropriate detection and logging logic. This comes in handy when detecting malware and command-and-control (CnC) channels.
  • Lua scripting – Suricata can invoke Lua scripts that provide advanced detection logic to identify and decode malware traffic that is otherwise hard to detect.
  • Multi-threading – Suricata is built for throughput: the engine is designed to make use of the processing power offered by modern multi-core hardware.

Installing the Suricata Intrusion Detection Tool on Linux

In this section, we will demonstrate how to install Suricata on Debian/Ubuntu and RHEL-based distributions.

Suricata is provided by the Debian/Ubuntu repositories and can be installed easily using the APT package manager. However, note that this does not install the latest version of Suricata. To get the latest version, you need to build it from source, which we cover later in this guide.

To install Suricata using the APT package manager, run the following command:

$ sudo apt install suricata -y

Suricata starts automatically once it is installed. You can confirm this as follows.

$ sudo systemctl status suricata

To install Suricata on RHEL-based distributions such as CentOS Stream, Rocky Linux, AlmaLinux, Fedora, and RHEL, you first need to enable the EPEL repository.

$ dnf install https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm  [RHEL 9]
$ dnf install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm  [RHEL 8]
$ yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm  [RHEL 7]

Once EPEL is enabled, install the required packages and add the OISF repository to your system.

----------- On Fedora Systems -----------
$ sudo dnf install dnf-plugins-core
$ sudo dnf copr enable @oisf/suricata-6.0

----------- On RHEL Systems -----------
$ sudo dnf install yum-plugin-copr
$ sudo dnf copr enable @oisf/suricata-6.0

Next, install Suricata using the dnf or yum package manager as shown.

$ sudo dnf install suricata -y
Or
$ sudo yum install suricata -y

Once Suricata is installed, start it and check its status.

$ sudo systemctl start suricata
$ sudo systemctl status suricata

Installing Suricata from Source on Linux

The default OS repositories do not provide the latest version of Suricata. If your goal is to run the latest version of Suricata, you need to build it from source.

At the time of writing this guide, the latest version of Suricata is 6.0.5. To build Suricata from source on Ubuntu/Debian and RHEL-based distributions, install the following libraries, compilation tools, and dependencies.

----------- On Debian Systems ----------- 
$ sudo apt install rustc build-essential cargo libpcre3 libpcre3-dbg libpcre3-dev make autoconf automake libtool libcap-ng0 make libmagic-dev libjansson-dev libjansson4 libpcap-dev libnet1-dev libyaml-0-2 libyaml-dev zlib1g zlib1g-dev libcap-ng-dev pkg-config libnetfilter-queue1 libnfnetlink0 libnetfilter-queue-dev libnfnetlink-dev -y

----------- On RHEL Systems ----------- 
$ sudo yum install gcc libpcap-devel pcre-devel libyaml-devel file-devel zlib-devel jansson-devel nss-devel libcap-ng-devel libnet-devel tar make libnetfilter_queue-devel lua-devel PyYAML libmaxminddb-devel rustc cargo lz4-devel -y

Next, install the suricata-update tool, which is used to update the Suricata rules.

$ sudo apt install python3-pip           [On Debian]
$ sudo yum install python3-pip           [On RHEL]
$ pip3 install --upgrade suricata-update

Create a symbolic link to /usr/bin/suricata-update.

$ sudo ln -s /usr/local/bin/suricata-update /usr/bin/suricata-update

Now download the Suricata source tarball using the wget command.

$ wget https://www.openinfosecfoundation.org/download/suricata-6.0.6.tar.gz

Once downloaded, extract the tarball, then configure, build, and install it.

$ tar -xvf suricata-6.0.6.tar.gz
$ cd suricata-6.0.6
$ ./configure --enable-nfqueue --prefix=/usr --sysconfdir=/etc --localstatedir=/var
$ make
$ sudo make install-full

Configuring Suricata on Linux

To start configuring Suricata, we need to define the internal (home) and external networks. To do this, open the configuration file.

$ sudo vim /etc/suricata/suricata.yaml

For the HOME_NET directive, specify the IP address of your Linux system.

HOME_NET: "[173.82.235.7]"

Next, set the EXTERNAL_NET directive to !$HOME_NET, that is, everything that is not part of the home network.

EXTERNAL_NET: "!$HOME_NET"

Next, define the network interface on which Suricata will inspect traffic. In our case, this is the eth0 interface.

You can check your active network interface using the ip command:

$ ip a

In the configuration file, update the interface directive with the name of your network interface.

- interface: eth0

Next, ensure that the default-rule-path attribute is set to /etc/suricata/rules.

Save the changes and exit the configuration file. Then restart Suricata for the changes to take effect.

$ sudo systemctl restart suricata
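Before restarting, it pays to confirm that the four settings edited above actually landed in the file. The following pre-flight check is an added example and not part of the original guide; it assumes the stock suricata.yaml layout (HOME_NET and EXTERNAL_NET under vars/address-groups, a top-level default-rule-path, af-packet interface entries) and is a plain text check, not a YAML parser, so run `suricata -T` afterwards as the authoritative test.

```shell
#!/bin/sh
# Added example: sanity-check the settings this guide edits in suricata.yaml.

# Print the value of the first "KEY:" line in FILE; a leading list dash is
# tolerated and surrounding double quotes are stripped.
yaml_value() {  # $1 = file, $2 = key
    sed -n "s/^[[:space:]]*-\{0,1\}[[:space:]]*$2:[[:space:]]*//p" "$1" \
        | head -n 1 | sed 's/^"\(.*\)"$/\1/'
}

# Return 0 when HOME_NET is an explicit address group (not the stock "any"),
# EXTERNAL_NET negates it, the rule path is /etc/suricata/rules and the
# capture interface equals $2. Each failed check prints one line.
check_suricata_config() {  # $1 = suricata.yaml, $2 = expected interface
    ok=0
    home=$(yaml_value "$1" HOME_NET)
    case "$home" in
        ""|any|"[any]") echo "HOME_NET must list your address(es), got '${home:-unset}'"; ok=1 ;;
    esac
    [ "$(yaml_value "$1" EXTERNAL_NET)" = '!$HOME_NET' ] \
        || { echo 'EXTERNAL_NET is not !$HOME_NET'; ok=1; }
    [ "$(yaml_value "$1" default-rule-path)" = /etc/suricata/rules ] \
        || { echo "default-rule-path is not /etc/suricata/rules"; ok=1; }
    [ "$(yaml_value "$1" interface)" = "$2" ] \
        || { echo "capture interface is not $2"; ok=1; }
    return $ok
}

# Constructed fragment mirroring the values used in this guide (a real
# suricata.yaml is far longer; only the relevant keys are reproduced).
GOOD_YAML=$(mktemp)
cat > "$GOOD_YAML" <<'EOF'
vars:
  address-groups:
    HOME_NET: "[173.82.235.7]"
    EXTERNAL_NET: "!$HOME_NET"
default-rule-path: /etc/suricata/rules
rule-files:
  - suricata.rules
af-packet:
  - interface: eth0
EOF

# Same fragment with HOME_NET left at the stock "any": the check flags it.
BAD_YAML=$(mktemp)
sed 's/HOME_NET: "\[173.82.235.7\]"/HOME_NET: "any"/' "$GOOD_YAML" > "$BAD_YAML"

check_suricata_config "$GOOD_YAML" eth0 && echo "config fragment looks consistent"
```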

Updating Suricata Rulesets on Linux

By default, Suricata ships with a limited set of detection rules located in the /etc/suricata/rules directory. These are considered weak and of little use for detecting intrusions. You should load the Emerging Threats (ET) rules, which are regarded as the most comprehensive ruleset for Suricata.

Suricata provides a tool known as suricata-update that fetches rulesets from external providers. To fetch an up-to-date ruleset for your server, run the following command.

$ sudo suricata-update -o /etc/suricata/rules

From the output, you can see suricata-update downloading the free Emerging Threats ET Open rules and saving them under Suricata's /etc/suricata/rules/suricata. In addition, it reports the number of rules processed. In this example, a total of 35941 rules were added. Of those, 28221 were enabled, 18 were removed, and 1249 were modified.

Adding Suricata Rulesets on Linux

The suricata-update tool lets you fetch rules from rule providers. Some are free, such as the ET Open ruleset, while others require a paid subscription.

To list the default set of rule providers, run the suricata-update command as shown.

$ sudo suricata-update list-sources

To enable a ruleset, for example the tgreen/hunting ruleset, run the following command.

$ sudo suricata-update enable-source tgreen/hunting

Once you have enabled the ruleset, run the suricata-update command again with the -o /etc/suricata/rules flag.

$ sudo suricata-update -o /etc/suricata/rules

Testing Suricata Rules on Linux

Before you start testing Suricata, it is recommended to check that the configuration is valid. To do this, run the following command:

$ sudo suricata -T -c /etc/suricata/suricata.yaml -v

Ensure there are no errors. If you are running RHEL, CentOS Stream, Fedora, or Rocky Linux, start and enable Suricata.

$ sudo systemctl start suricata 
$ sudo systemctl enable suricata 

So far, we have successfully installed and configured Suricata and updated the ruleset. The ET Open ruleset contains over 30,000 rules for detecting malicious traffic. In this section, we will put Suricata to the test and check whether it can detect suspicious network traffic.

We will test the ET Open ruleset by simulating an intrusion as recommended by the Suricata Quickstart guide.

The IDS functionality will be tested using signature number 2100498 by sending an HTTP request to the testmynids.org website, a NIDS (Network Intrusion Detection System) testing framework.

$ curl http://testmynids.org/uid/index.html

You will get the following output.

uid=0(root) gid=0(root) groups=0(root)

The HTTP response is crafted to trigger an alert by mimicking the output of the id command as it would appear when run through a shell on a compromised system.

Now, let us check the Suricata logs for a matching alert. Suricata ships with two log files that are enabled by default.

/var/log/suricata/fast.log
/var/log/suricata/eve.json

We will check the /var/log/suricata/fast.log file for a log entry that matches the rule, using the grep command. We will look for the entry using the rule identifier 2100498 from the Quickstart documentation.

$ grep 2100498 /var/log/suricata/fast.log

You will get the following output, which indicates that the intrusion was detected. Here, 173.82.235.7 is the public IP address of the server.

09/09/2022-22:17:06.796434  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 13.226.210.123:80 -> 173.82.235.7:33822

Alternatively, you can check the /var/log/suricata/eve.json log file for the signature ID 2100498 using jq as shown.

$ jq 'select(.alert.signature_id==2100498)' /var/log/suricata/eve.json
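A bare grep for the signature number also matches any line where those digits happen to appear in another field, and a mistyped number silently matches nothing. The following added example (not part of the original guide or of Suricata) matches on the [gid:sid:rev] field of fast.log instead and adds a per-signature count for triage; it runs on constructed sample lines modelled on the alert shown above, including one made-up local rule (sid 1000001).

```shell
#!/bin/sh
# Added example: field-aware inspection of Suricata's fast.log format.
# Line layout: <timestamp>  [**] [gid:sid:rev] <msg> [**] [Classification: ...]
#              [Priority: N] {proto} src:port -> dst:port

# Print the signature ID (middle number of the [gid:sid:rev] field) of one line.
fastlog_sid() {
    printf '%s\n' "$1" | sed -n 's/.*\[\([0-9]*\):\([0-9]*\):\([0-9]*\)\].*/\2/p'
}

# Print the numeric priority of one line.
fastlog_priority() {
    printf '%s\n' "$1" | sed -n 's/.*\[Priority: \([0-9]*\)\].*/\1/p'
}

# Print every line of FILE whose sid field equals SID exactly.
fastlog_by_sid() {  # $1 = file, $2 = sid
    awk -v sid="$2" '$0 ~ ("\\[[0-9]+:" sid ":[0-9]+\\]")' "$1"
}

# Print how many alerts in FILE carry SID (0 when none).
fastlog_count_sid() {  # $1 = file, $2 = sid
    fastlog_by_sid "$1" "$2" | awk 'END { print NR }'
}

# Print "<count> <sid>" per signature, most frequent first: a quick triage view.
fastlog_sid_counts() {  # $1 = file
    awk '{ if (match($0, /\[[0-9]+:[0-9]+:[0-9]+\]/)) {
               f = substr($0, RSTART + 1, RLENGTH - 2); split(f, p, ":"); c[p[2]]++ } }
         END { for (s in c) print c[s], s }' "$1" | sort -rn
}

# Constructed sample log: the alert from this guide, a second hit on the same
# signature, and a made-up local rule (sid 1000001 is in the local-rule range).
SAMPLE_LINE='09/09/2022-22:17:06.796434  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 13.226.210.123:80 -> 173.82.235.7:33822'
FASTLOG=$(mktemp)
cat > "$FASTLOG" <<EOF
$SAMPLE_LINE
09/09/2022-22:19:44.112233  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 13.226.210.123:80 -> 173.82.235.7:33824
09/09/2022-22:20:10.000001  [**] [1:1000001:1] LOCAL TEST constructed example rule [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 10.0.0.5:51000 -> 173.82.235.7:443
EOF

echo "alerts for sid 2100498: $(fastlog_count_sid "$FASTLOG" 2100498)"
fastlog_sid_counts "$FASTLOG"
```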

This concludes our guide on how to install and configure Suricata on Linux. We have covered the different installation methods, how to configure Suricata and update its ruleset, how to manage the Suricata systemd service, and how to run a network intrusion test.

We hope that you can now successfully install and use Suricata to protect your systems from network intrusions and malicious traffic.