Contents
Suricata
SURICATA IDS/IPSはネットワーク上の通信を監視し、不審なトラフィックを検知するオープンソースのIDSです。基本的な仕組みはシグネチャ型であるため、あらかじめ設定した不正な通信を検知できます。また、Suricataは検知だけでなく防御も行えることが特徴です。
1.事前準備
①EPEL リポジトリをシステム上で有効化する
1 |
# dnf -y install epel-release |
②システムのアップデート
1 |
# dnf update -y |
2.Suricata のインストールと設定
①Suricata のインストール
1 2 3 4 5 |
# dnf -y install suricata バージョンの確認 # suricata -V This is Suricata version 6.0.20 RELEASE |
②Suricataがネットワークパケットを検査するインターフェースとIPアドレスを決定
1 2 3 |
# ip --brief add lo UNKNOWN 127.0.0.1/8 ::1/128 ens160 UP 192.168.11.83/24 fexx::xxc:29xx:fexx:69xx/64 |
③設定ファイルを編集
1 2 3 4 5 6 7 8 9 |
# vi /etc/suricata/suricata.yaml # 15行目 : varsセクションで、ネットワークを定義する HOME_NET: "[192.168.11.0/24]" EXTRNAL_NET: "!$HOME_NET" # 595行目 : af-packetセクションのインターフェース名を設定 af-packet: - interface: ens160 |
1 2 3 4 5 |
# vi /etc/sysconfig/suricata # 8行目 :インターフェイスを指定 # Add options to be passed to the daemon OPTIONS="-i ens160 --user suricata " |
④Suricataのルール更新
1 2 3 4 5 6 7 |
# suricata-update ---------------------------------------------- 11/9/2024 -- 09:24:02 - <Info> -- Writing rules to /var/lib/suricata/rules/suricata.rules: total: 52446; enabled: 39741; added: 52446; removed 0; modified: 0 11/9/2024 -- 09:24:02 - <Info> -- Writing /var/lib/suricata/rules/classification.config 11/9/2024 -- 09:24:02 - <Info> -- Testing with suricata -T. 11/9/2024 -- 09:24:24 - <Info> -- Done. |
⑤Suricataの起動
1 2 |
# systemctl enable --now suricata Created symlink /etc/systemd/system/multiuser.target.wants/suricata.service → /usr/lib/systemd/system/suricata.service. |
⑥Suricataの起動確認
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 |
# systemctl status suricata ● suricata.service - Suricata Intrusion Detection Service Loaded: loaded (/usr/lib/systemd/system/suricata.service; enabled; preset: disabled) Active: active (running) since Wed 2024-09-11 09:33:38 JST; 10s ago Docs: man:suricata(1) Process: 7195 ExecStartPre=/bin/rm -f /var/run/suricata.pid (code=exited, status=0/SUCCESS) Main PID: 7196 (Suricata-Main) Tasks: 1 (limit: 10886) Memory: 279.0M CPU: 10.420s CGroup: /system.slice/suricata.service mq7196 /sbin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid -i ens160 --user suricata Sep 11 09:33:38 Lepard systemd[1]: Starting Suricata Intrusion Detection Service... Sep 11 09:33:38 Lepard systemd[1]: Started Suricata Intrusion Detection Service. Sep 11 09:33:38 Lepard suricata[7196]: 11/9/2024 -- 09:33:38 - <Notice> - This is Suricata version 6.0.20 RELEASE running in SYSTEM mode |
ログを確認
1 2 3 4 5 6 7 8 9 10 11 |
# tail /var/log/suricata/suricata.log 11/9/2024 -- 09:33:38 - <Info> - stats output device (regular) initialized: stats.log 11/9/2024 -- 09:33:38 - <Info> - Running in live mode, activating unix socket 11/9/2024 -- 09:33:50 - <Info> - 1 rule files processed. 39741 rules successfully loaded, 0 rules failed 11/9/2024 -- 09:33:50 - <Info> - Threshold config parsed: 0 rule(s) found 11/9/2024 -- 09:33:51 - <Info> - 39744 signatures processed. 1159 are IP-only rules, 4861 are inspecting packet payload, 33520 inspect application layer, 108 are decoder event only 11/9/2024 -- 09:34:00 - <Info> - Going to use 2 thread(s) 11/9/2024 -- 09:34:00 - <Info> - Running in live mode, activating unix socket 11/9/2024 -- 09:34:00 - <Info> - Using unix socket file '/var/run/suricata/suricata-command.socket' 11/9/2024 -- 09:34:00 - <Notice> - all 2 packet processing threads, 4 management threads initialized, engine started. 11/9/2024 -- 09:34:00 - <Info> - All AFP capture threads are running |
統計情報を確認するには、stats.log ファイルを確認します(デフォルトで8秒ごとに更新)
1 |
# tail -f /var/log/suricata/stats.log |
より高度な出力であるEVE JSONは、以下のコマンドで生成することができる
1 |
# tail -f /var/log/suricata/eve.json |
3.Suricata のテスト
①curl ユーティリティで ping テストを実行
1 2 |
# curl http://testmynids.org/uid/index.html uid=0(root) gid=0(root) groups=0(root) |
②ログに記録されたかどうかを調べるため、アラートログを確認
1 2 |
# cat /var/log/suricata/fast.log 09/11/2024-09:36:01.071840 [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 18.65.159.120:80 -> 192.168.11.83:53322 |
4.Suricata Rulesの設定
①Suricataにパッケージされているルールセットの表示
1 2 3 4 5 6 |
# ls -al /var/lib/suricata/rules/ total 30028 drwxr-s--- 2 root suricata 4096 Sep 11 09:24 . drwxrws--- 4 suricata suricata 4096 Sep 11 09:24 .. -rw-r--r-- 1 root suricata 3228 Sep 11 09:24 classification.config -rw-r--r-- 1 root suricata 30734082 Sep 11 09:24 suricata.rules |
②ルールセットを提供するソースのインデックス一覧
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 |
# suricata-update list-sources Name: et/open Vendor: Proofpoint Summary: Emerging Threats Open Ruleset License: MIT Name: et/pro Vendor: Proofpoint Summary: Emerging Threats Pro Ruleset License: Commercial Replaces: et/open Parameters: secret-code Subscription: https://www.proofpoint.com/us/threat-insight/et-pro-ruleset Name: oisf/trafficid Vendor: OISF Summary: Suricata Traffic ID ruleset License: MIT Name: scwx/enhanced Vendor: Secureworks Summary: Secureworks suricata-enhanced ruleset License: Commercial Parameters: secret-code Subscription: https://www.secureworks.com/contact/ (Please reference CTU Countermeasures) Name: scwx/malware Vendor: Secureworks Summary: Secureworks suricata-malware ruleset License: Commercial Parameters: secret-code Subscription: https://www.secureworks.com/contact/ (Please reference CTU Countermeasures) Name: scwx/security Vendor: Secureworks Summary: Secureworks suricata-security ruleset License: Commercial Parameters: secret-code Subscription: https://www.secureworks.com/contact/ (Please reference CTU Countermeasures) Name: abuse.ch/sslbl-blacklist Vendor: Abuse.ch Summary: Abuse.ch SSL Blacklist License: CC0-1.0 Replaces: s, s, l, b, l, /, s, s, l, -, f, p, -, b, l, a, c, k, l, i, s, t Name: abuse.ch/sslbl-ja3 Vendor: Abuse.ch Summary: Abuse.ch Suricata JA3 Fingerprint Ruleset License: CC0-1.0 Replaces: s, s, l, b, l, /, j, a, 3, -, f, i, n, g, e, r, p, r, i, n, t, s Name: abuse.ch/sslbl-c2 Vendor: Abuse.ch Summary: Abuse.ch Suricata Botnet C2 IP Ruleset License: CC0-1.0 Name: abuse.ch/feodotracker Vendor: Abuse.ch Summary: Abuse.ch Feodo Tracker Botnet C2 IP ruleset License: CC0-1.0 Name: abuse.ch/urlhaus Vendor: abuse.ch Summary: Abuse.ch URLhaus Suricata Rules License: CC0-1.0 Name: etnetera/aggressive Vendor: Etnetera a.s. Summary: Etnetera aggressive IP blacklist License: MIT Name: tgreen/hunting Vendor: tgreen Summary: Threat hunting rules License: GPLv3 Name: malsilo/win-malware Vendor: malsilo Summary: Commodity malware rules License: MIT Name: stamus/lateral Vendor: Stamus Networks Summary: Lateral movement rules License: GPL-3.0-only Name: stamus/nrd-30-open Vendor: Stamus Networks Summary: Newly Registered Domains Open only - 30 day list, complete License: Commercial Parameters: secret-code Subscription: https://www.stamus-networks.com/stamus-labs/subscribe-to-threat-intel-feed Name: stamus/nrd-14-open Vendor: Stamus Networks Summary: Newly Registered Domains Open only - 14 day list, complete License: Commercial Parameters: secret-code Subscription: https://www.stamus-networks.com/stamus-labs/subscribe-to-threat-intel-feed Name: stamus/nrd-entropy-30-open Vendor: Stamus Networks Summary: Newly Registered Domains Open only - 30 day list, high entropy License: Commercial Parameters: secret-code Subscription: https://www.stamus-networks.com/stamus-labs/subscribe-to-threat-intel-feed Name: stamus/nrd-entropy-14-open Vendor: Stamus Networks Summary: Newly Registered Domains Open only - 14 day list, high entropy License: Commercial Parameters: secret-code Subscription: https://www.stamus-networks.com/stamus-labs/subscribe-to-threat-intel-feed Name: stamus/nrd-phishing-30-open Vendor: Stamus Networks Summary: Newly Registered Domains Open only - 30 day list, phishing License: Commercial Parameters: secret-code Subscription: https://www.stamus-networks.com/stamus-labs/subscribe-to-threat-intel-feed Name: stamus/nrd-phishing-14-open Vendor: Stamus Networks Summary: Newly Registered Domains Open only - 14 day list, phishing License: Commercial Parameters: secret-code Subscription: https://www.stamus-networks.com/stamus-labs/subscribe-to-threat-intel-feed Name: pawpatrules Vendor: pawpatrules Summary: PAW Patrules is a collection of rules for IDPS / NSM Suricata engine License: CC-BY-SA-4.0 |
③ソースを有効にする(et/openを有効にする場合)
1 2 3 4 5 6 7 |
# suricata-update enable-source et/open 11/9/2024 -- 09:39:20 - <Info> -- Using data-directory /var/lib/suricata. 11/9/2024 -- 09:39:20 - <Info> -- Using Suricata configuration /etc/suricata/suricata.yaml 11/9/2024 -- 09:39:20 - <Info> -- Using /usr/share/suricata/rules for Suricata provided rules. 11/9/2024 -- 09:39:20 - <Info> -- Found Suricata version 6.0.20 at /usr/sbin/suricata. 11/9/2024 -- 09:39:20 - <Info> -- Creating directory /var/lib/suricata/update/sources 11/9/2024 -- 09:39:20 - <Info> -- Source et/open enabled |
アップデートを実行
1 |
# suricata-update |
Suricata service再起動
1 |
# systemctl restart suricata |
5.Suricata Custom Rulesの作成
①カスタマールールを含むファイルを作成
1 2 3 |
# vi /etc/suricata/rules/local.rules 下記内容を記載 alert icmp any any -> $HOME_NET any (msg:"ICMP Ping"; sid:1; rev:1;) |
②設定ファイルを編集(新しいルールのパスを定義)
1 2 3 4 5 6 7 8 |
# vi /etc/suricata/suricata.yaml # 1969行目あたりに追記 default-rule-path: /var/lib/suricata/rules rule-files: - suricata.rules - /etc/suricata/rules/local.rules |
③設定ファイルのテスト
1 2 3 4 5 6 7 8 9 10 11 12 13 14 |
# suricata -T -c /etc/suricata/suricata.yaml -v 11/9/2024 -- 09:41:20 - <Info> - Running suricata under test mode 11/9/2024 -- 09:41:20 - <Notice> - This is Suricata version 6.0.20 RELEASE running in SYSTEM mode 11/9/2024 -- 09:41:20 - <Info> - CPUs/cores online: 2 11/9/2024 -- 09:41:20 - <Info> - Setting engine mode to IDS mode by default 11/9/2024 -- 09:41:20 - <Info> - master exception-policy set to: auto 11/9/2024 -- 09:41:20 - <Info> - fast output device (regular) initialized: fast.log 11/9/2024 -- 09:41:20 - <Info> - eve-log output device (regular) initialized: eve.json 11/9/2024 -- 09:41:20 - <Info> - stats output device (regular) initialized: stats.log 11/9/2024 -- 09:41:32 - <Info> - 2 rule files processed. 39742 rules successfully loaded, 0 rules failed 11/9/2024 -- 09:41:32 - <Info> - Threshold config parsed: 0 rule(s) found 11/9/2024 -- 09:41:33 - <Info> - 39745 signatures processed. 1160 are IP-only rules, 4861 are inspecting packet payload, 33520 inspect application layer, 108 are decoder event only 11/9/2024 -- 09:41:41 - <Notice> - Configuration provided was successfully loaded. Exiting. 11/9/2024 -- 09:41:41 - <Info> - cleaning up signature grouping structure... complete |
Suricat service再起動
1 |
# systemctl restart suricata |
④Custom Rulesの適用テスト
同一ローカルネットワーク上の別のデバイスでpingを実行し、ログに記録されたかどうかを確認する
1 2 3 4 |
# cat /var/log/suricata/fast.log 09/11/2024-09:42:36.876475 [**] [1:1:1] ICMP Ping [**] [Classification: (null)] [Priority: 3] {ICMP} 192.168.11.22:8 -> 192.168.11.83:0 09/11/2024-09:42:36.876583 [**] [1:1:1] ICMP Ping [**] [Classification: (null)] [Priority: 3] {ICMP} 192.168.11.83:0 -> 192.168.11.22:0 |
JSON形式のログを取得するには、システムにjqをインストールする
1 |
# dnf install jq |
1 |
# systemctl restart suricata |
下記コマンドを実行し、同一ローカルネットワーク上の別のデバイスでpingを実行する
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 |
# tail -f /var/log/suricata/eve.json | jq 'select(.event_type=="alert")' pingを実行するとコンソールに下記のように表示される { "timestamp": "2024-09-11T09:44:56.750479+0900", "flow_id": 1477309433934735, "in_iface": "ens160", "event_type": "alert", "src_ip": "192.168.11.22", "src_port": 0, "dest_ip": "192.168.11.83", "dest_port": 0, "proto": "ICMP", "icmp_type": 8, "icmp_code": 0, "alert": { "action": "allowed", "gid": 1, "signature_id": 1, "rev": 1, "signature": "ICMP Ping", "category": "", "severity": 3 }, "flow": { "pkts_toserver": 1, "pkts_toclient": 0, "bytes_toserver": 74, "bytes_toclient": 0, "start": "2024-09-11T09:44:56.750479+0900" } } { "timestamp": "2024-09-11T09:44:56.750539+0900", "flow_id": 1477309433934735, "in_iface": "ens160", "event_type": "alert", "src_ip": "192.168.11.83", "src_port": 0, "dest_ip": "192.168.11.22", "dest_port": 0, "proto": "ICMP", "icmp_type": 0, "icmp_code": 0, "alert": { "action": "allowed", "gid": 1, "signature_id": 1, "rev": 1, "signature": "ICMP Ping", "category": "", "severity": 3 }, "flow": { "pkts_toserver": 2, "pkts_toclient": 1, "bytes_toserver": 148, "bytes_toclient": 74, "start": "2024-09-11T09:44:56.750479+0900" } } { "timestamp": "2024-09-11T09:45:00.357164+0900", "flow_id": 760028420926224, "in_iface": "ens160", "event_type": "alert", "src_ip": "192.168.11.22", "src_port": 58027, "dest_ip": "192.168.11.82", "dest_port": 443, "proto": "TCP", "metadata": { "flowints": { "applayer.anomaly.count": 1 } }, "alert": { "action": "allowed", "gid": 1, "signature_id": 2260001, "rev": 1, "signature": "SURICATA Applayer Wrong direction first Data", "category": "Generic Protocol Command Decode", "severity": 3 }, "app_proto": "failed", "app_proto_tc": "tls", "flow": { "pkts_toserver": 5, "pkts_toclient": 3, "bytes_toserver": 370, "bytes_toclient": 424, "start": "2024-09-11T09:45:00.355088+0900" } } |