Suricata
Suricata is an open source IDS/IPS that monitors communications on the network and detects suspicious traffic.
Its basic mechanism is signature-based, so it detects predefined patterns of unauthorized communication. Suricata can also block traffic (IPS), not only detect it.
1. Suricata Installation and Configuration
①Suricata Install
# apt install suricata
Check Version
# suricata -V
This is Suricata version 6.0.10 RELEASE
Register and activate the service
# systemctl enable suricata.service
Synchronizing state of suricata.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable suricata
②Determine interface and IP address where Suricata will inspect network packets
# ip --brief add
lo               UNKNOWN        127.0.0.1/8 ::1/128
ens33            UP             192.168.11.83/24 fe80::20c:29ff:fef9:86e2/64
③Edit configuration file
# vi /etc/suricata/suricata.yaml
# Line 15: in the vars section, define the home network
HOME_NET: "[192.168.11.0/24]"
EXTERNAL_NET: "!$HOME_NET"
# Line 589: set the interface name in the af-packet section
af-packet:
  - interface: ens33
# vi /etc/default/suricata
# Line 16
# Interface to listen on (for pcap mode)
IFACE=ens33
④Suricata rules update
# suricata-update -o /etc/suricata/rules
19/6/2023 -- 16:52:51 - <Info> -- Using data-directory /var/lib/suricata.
19/6/2023 -- 16:52:51 - <Info> -- Using Suricata configuration /etc/suricata/suricata.yaml
19/6/2023 -- 16:52:51 - <Info> -- Using /etc/suricata/rules for Suricata provided rules.
19/6/2023 -- 16:52:51 - <Info> -- Found Suricata version 6.0.10 at /usr/bin/suricata.
19/6/2023 -- 16:52:51 - <Info> -- Loading /etc/suricata/suricata.yaml
19/6/2023 -- 16:52:51 - <Info> -- Disabling rules for protocol http2
19/6/2023 -- 16:52:51 - <Info> -- Disabling rules for protocol modbus
19/6/2023 -- 16:52:51 - <Info> -- Disabling rules for protocol dnp3
19/6/2023 -- 16:52:51 - <Info> -- Disabling rules for protocol enip
19/6/2023 -- 16:52:51 - <Info> -- No sources configured, will use Emerging Threats Open
19/6/2023 -- 16:52:51 - <Info> -- Fetching https://rules.emergingthreats.net/open/suricata-6.0.10/emerging.rules.tar.gz.
 100% - 3937754/3937754
19/6/2023 -- 16:52:53 - <Info> -- Done.
19/6/2023 -- 16:52:53 - <Info> -- Loading distribution rule file /etc/suricata/rules/app-layer-events.rules
19/6/2023 -- 16:52:53 - <Info> -- Loading distribution rule file /etc/suricata/rules/decoder-events.rules
19/6/2023 -- 16:52:53 - <Info> -- Loading distribution rule file /etc/suricata/rules/dhcp-events.rules
19/6/2023 -- 16:52:53 - <Info> -- Loading distribution rule file /etc/suricata/rules/dnp3-events.rules
19/6/2023 -- 16:52:53 - <Info> -- Loading distribution rule file /etc/suricata/rules/dns-events.rules
19/6/2023 -- 16:52:53 - <Info> -- Loading distribution rule file /etc/suricata/rules/files.rules
19/6/2023 -- 16:52:53 - <Info> -- Loading distribution rule file /etc/suricata/rules/http-events.rules
19/6/2023 -- 16:52:53 - <Info> -- Loading distribution rule file /etc/suricata/rules/ipsec-events.rules
19/6/2023 -- 16:52:53 - <Info> -- Loading distribution rule file /etc/suricata/rules/kerberos-events.rules
19/6/2023 -- 16:52:53 - <Info> -- Loading distribution rule file /etc/suricata/rules/modbus-events.rules
19/6/2023 -- 16:52:53 - <Info> -- Loading distribution rule file /etc/suricata/rules/nfs-events.rules
19/6/2023 -- 16:52:53 - <Info> -- Loading distribution rule file /etc/suricata/rules/ntp-events.rules
19/6/2023 -- 16:52:53 - <Info> -- Loading distribution rule file /etc/suricata/rules/smb-events.rules
19/6/2023 -- 16:52:53 - <Info> -- Loading distribution rule file /etc/suricata/rules/smtp-events.rules
19/6/2023 -- 16:52:53 - <Info> -- Loading distribution rule file /etc/suricata/rules/stream-events.rules
19/6/2023 -- 16:52:53 - <Info> -- Loading distribution rule file /etc/suricata/rules/tls-events.rules
19/6/2023 -- 16:52:53 - <Info> -- Ignoring file rules/emerging-deleted.rules
19/6/2023 -- 16:52:55 - <Info> -- Loaded 43002 rules.
19/6/2023 -- 16:52:55 - <Info> -- Disabled 14 rules.
19/6/2023 -- 16:52:55 - <Info> -- Enabled 0 rules.
19/6/2023 -- 16:52:55 - <Info> -- Modified 0 rules.
19/6/2023 -- 16:52:55 - <Info> -- Dropped 0 rules.
19/6/2023 -- 16:52:55 - <Info> -- Enabled 131 rules for flowbit dependencies.
19/6/2023 -- 16:52:55 - <Info> -- Backing up current rules.
19/6/2023 -- 16:52:55 - <Info> -- Writing rules to /var/lib/suricata/rules/suricata.rules: total: 43002; enabled: 34210; added: 43002; removed 0; modified: 0
19/6/2023 -- 16:52:56 - <Info> -- Writing /var/lib/suricata/rules/classification.config
19/6/2023 -- 16:52:56 - <Info> -- Testing with suricata -T.
19/6/2023 -- 16:53:17 - <Info> -- Done
⑤Suricata startup confirmation
# systemctl status suricata
● suricata.service - Suricata IDS/IDP daemon
     Loaded: loaded (/lib/systemd/system/suricata.service; enabled; preset: ena>
     Active: active (running) since Mon 2023-06-19 16:54:35 JST; 42s ago
       Docs: man:suricata(8)
             man:suricatasc(8)
             https://suricata-ids.org/docs/
    Process: 1941 ExecStart=/usr/bin/suricata -D --af-packet -c /etc/suricata/s>
   Main PID: 1942 (Suricata-Main)
      Tasks: 10 (limit: 2265)
     Memory: 70.8M
        CPU: 437ms
     CGroup: /system.slice/suricata.service
             └─1942 /usr/bin/suricata -D --af-packet -c /etc/suricata/suricata.>

Jun 19 16:54:34 Lepard systemd[1]: Starting suricata.service - Suricata IDS/IDP>
Jun 19 16:54:35 Lepard suricata[1941]: 19/6/2023 -- 16:54:35 - <Notice> - This >
Jun 19 16:54:35 Lepard systemd[1]: Started suricata.service - Suricata IDS/IDP
Check Log
# tail /var/log/suricata/suricata.log
19/6/2023 -- 16:54:35 - <Info> - eve-log output device (regular) initialized: eve.json
19/6/2023 -- 16:54:35 - <Info> - stats output device (regular) initialized: stats.log
19/6/2023 -- 16:54:35 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /etc/suricata/rules/suricata.rules
19/6/2023 -- 16:54:35 - <Warning> - [ERRCODE: SC_ERR_NO_RULES_LOADED(43)] - 1 rule files specified, but no rules were loaded!
19/6/2023 -- 16:54:35 - <Info> - Threshold config parsed: 0 rule(s) found
19/6/2023 -- 16:54:35 - <Info> - 0 signatures processed. 0 are IP-only rules, 0 are inspecting packet payload, 0 inspect application layer, 0 are decoder event only
19/6/2023 -- 16:54:35 - <Info> - Going to use 4 thread(s)
19/6/2023 -- 16:54:35 - <Info> - Using unix socket file '/var/run/suricata-command.socket'
19/6/2023 -- 16:54:35 - <Notice> - all 4 packet processing threads, 4 management threads initialized, engine started.
19/6/2023 -- 16:54:35 - <Info> - All AFP capture threads are running.
Check the stats.log file for statistics (updated every 8 seconds by default)
# tail -f /var/log/suricata/stats.log
The more detailed EVE JSON output (eve.json) can be followed with the following command
# tail -f /var/log/suricata/eve.json
2. Suricata Testing
①Run a test request with the curl utility
# curl http://testmynids.org/uid/index.html
uid=0(root) gid=0(root) groups=0(root)
②Check the alert log to see if it has been logged
# cat /var/log/suricata/fast.log
06/19/2023-21:30:28.268725  [**] [1:2027863:5] ET INFO Observed DNS Query to .biz TLD [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 192.168.11.22:50307 -> 192.168.11.1:53
06/19/2023-21:35:03.490358  [**] [1:2013028:7] ET POLICY curl User-Agent Outbound [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.11.83:41924 -> 18.65.159.60:80
06/19/2023-21:35:03.502956  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 18.65.159.60:80 -> 192.168.11.83:41924
3. Setting Suricata Rules
①Display of rule sets packaged in Suricata
# ls -al /var/lib/suricata/rules/
total 24816
drwxr-xr-x 2 root root     4096 Jun 19 16:52 .
drwxr-xr-x 4 root root     4096 Jun 19 16:52 ..
-rw-r--r-- 1 root root     3228 Jun 19 16:52 classification.config
-rw-r--r-- 1 root root 25397078 Jun 19 16:52 suricata.rules
②Index list of sources providing rule sets
# suricata-update list-sources
Name: et/open
  Vendor: Proofpoint
  Summary: Emerging Threats Open Ruleset
  License: MIT
Name: et/pro
  Vendor: Proofpoint
  Summary: Emerging Threats Pro Ruleset
  License: Commercial
  Replaces: et/open
  Parameters: secret-code
  Subscription: https://www.proofpoint.com/us/threat-insight/et-pro-ruleset
Name: oisf/trafficid
  Vendor: OISF
  Summary: Suricata Traffic ID ruleset
  License: MIT
Name: scwx/enhanced
  Vendor: Secureworks
  Summary: Secureworks suricata-enhanced ruleset
  License: Commercial
  Parameters: secret-code
  Subscription: https://www.secureworks.com/contact/ (Please reference CTU Countermeasures)
Name: scwx/malware
  Vendor: Secureworks
  Summary: Secureworks suricata-malware ruleset
  License: Commercial
  Parameters: secret-code
  Subscription: https://www.secureworks.com/contact/ (Please reference CTU Countermeasures)
Name: scwx/security
  Vendor: Secureworks
  Summary: Secureworks suricata-security ruleset
  License: Commercial
  Parameters: secret-code
  Subscription: https://www.secureworks.com/contact/ (Please reference CTU Countermeasures)
Name: sslbl/ssl-fp-blacklist
  Vendor: Abuse.ch
  Summary: Abuse.ch SSL Blacklist
  License: Non-Commercial
Name: sslbl/ja3-fingerprints
  Vendor: Abuse.ch
  Summary: Abuse.ch Suricata JA3 Fingerprint Ruleset
  License: Non-Commercial
Name: etnetera/aggressive
  Vendor: Etnetera a.s.
  Summary: Etnetera aggressive IP blacklist
  License: MIT
Name: tgreen/hunting
  Vendor: tgreen
  Summary: Threat hunting rules
  License: GPLv3
Name: malsilo/win-malware
  Vendor: malsilo
  Summary: Commodity malware rules
  License: MIT
Name: stamus/lateral
  Vendor: Stamus Networks
  Summary: Lateral movement rules
  License: GPL-3.0-only
③Enable a source (here, et/open)
# suricata-update enable-source et/open
19/6/2023 -- 17:45:10 - <Info> -- Using data-directory /var/lib/suricata.
19/6/2023 -- 17:45:10 - <Info> -- Using Suricata configuration /etc/suricata/suricata.yaml
19/6/2023 -- 17:45:10 - <Info> -- Using /etc/suricata/rules for Suricata provided rules.
19/6/2023 -- 17:45:10 - <Info> -- Found Suricata version 6.0.10 at /usr/bin/suricata.
19/6/2023 -- 17:45:10 - <Info> -- Creating directory /var/lib/suricata/update/sources
19/6/2023 -- 17:45:10 - <Info> -- Source et/open enabled
Perform update
# suricata-update -o /etc/suricata/rules
Suricata service restart
# systemctl restart suricata
4. Creating Suricata Custom Rules
①Create a file containing the custom rules
# vi /etc/suricata/rules/local.rules
Add the following rule:
alert icmp any any -> $HOME_NET any (msg:"ICMP Ping"; sid:1; rev:1;)
②Edit configuration file (define new rule paths)
# vi /etc/suricata/suricata.yaml
# Around line 1924: add the local rule file
default-rule-path: /var/lib/suricata/rules
rule-files:
  - suricata.rules
  - /etc/suricata/rules/local.rules
③Testing the configuration file
# suricata -T -c /etc/suricata/suricata.yaml -v
19/6/2023 -- 19:03:41 - <Info> - Running suricata under test mode
19/6/2023 -- 19:03:41 - <Notice> - This is Suricata version 6.0.10 RELEASE running in SYSTEM mode
19/6/2023 -- 19:03:41 - <Info> - CPUs/cores online: 4
19/6/2023 -- 19:03:41 - <Info> - fast output device (regular) initialized: fast.log
19/6/2023 -- 19:03:41 - <Info> - eve-log output device (regular) initialized: eve.json
19/6/2023 -- 19:03:41 - <Info> - stats output device (regular) initialized: stats.log
19/6/2023 -- 19:03:52 - <Info> - 2 rule files processed. 34211 rules successfully loaded, 0 rules failed
19/6/2023 -- 19:03:52 - <Info> - Threshold config parsed: 0 rule(s) found
19/6/2023 -- 19:03:53 - <Info> - 34214 signatures processed. 1281 are IP-only rules, 5222 are inspecting packet payload, 27501 inspect application layer, 108 are decoder event only
19/6/2023 -- 19:04:00 - <Notice> - Configuration provided was successfully loaded. Exiting.
19/6/2023 -- 19:04:00 - <Info> - cleaning up signature grouping structure... complete
Suricata service restart
# systemctl restart suricata
④Testing the application of Custom Rules
Ping another device on the same local network and check that the ping was logged:
# cat /var/log/suricata/fast.log
06/19/2023-19:05:36.647601  [**] [1:1:1] ICMP Ping [**] [Classification: (null)] [Priority: 3] {ICMP} 192.168.11.22:8 -> 192.168.11.83:0
06/19/2023-19:05:36.647697  [**] [1:1:1] ICMP Ping [**] [Classification: (null)] [Priority: 3] {ICMP} 192.168.11.83:0 -> 192.168.11.22:0
To view the JSON log (eve.json) in readable form, install jq on your system
# apt install jq
Run the following command, then ping another device on the same local network
# tail -f /var/log/suricata/eve.json | jq 'select(.event_type=="alert")'
When the ping is executed, the following is displayed in the console
{
  "timestamp": "2023-06-19T19:13:06.550164+0900",
  "flow_id": 1715006919042324,
  "in_iface": "ens33",
  "event_type": "alert",
  "src_ip": "167.94.145.93",
  "src_port": 51960,
  "dest_ip": "192.168.11.83",
  "dest_port": 25,
  "proto": "TCP",
  "metadata": {
    "flowbits": [
      "ET.Evil",
      "ET.DshieldIP"
    ]
  },
  "community_id": "1:z7XtW6Fg2zOPSQ1yy76yjw6Zijs=",
  "alert": {
    "action": "allowed",
    "gid": 1,
    "signature_id": 2402000,
    "rev": 6673,
    "signature": "ET DROP Dshield Block Listed Source group 1",
    "category": "Misc Attack",
    "severity": 2,
    "metadata": {
      "affected_product": [
        "Any"
      ],
      "attack_target": [
        "Any"
      ],
      "created_at": [
        "2010_12_30"
      ],
      "deployment": [
        "Perimeter"
      ],
      "signature_severity": [
        "Major"
      ],
      "tag": [
        "Dshield"
      ],
      "updated_at": [
        "2023_06_16"
      ]
    }
  },
  "flow": {
    "pkts_toserver": 1,
    "pkts_toclient": 0,
    "bytes_toserver": 60,
    "bytes_toclient": 0,
    "start": "2023-06-19T19:13:06.550164+0900"
  }
}
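Added example (not code from the original page): the same alert selection the jq command above performs, done in Python over a constructed eve.json sample, with a per-signature summary of hit counts, source addresses and flowbits; it skips non-alert events and a line cut off mid-write. The sample event values (source 203.0.113.7, the "flow" event) are constructed, not captured.

```python
import json

# Constructed NDJSON sample in the eve.json layout shown above (one event per line, not a real capture).
SAMPLE_EVE = "\n".join([
    json.dumps({"timestamp": "2023-06-19T19:13:06.550164+0900", "event_type": "alert",
                "src_ip": "203.0.113.7", "src_port": 51960, "dest_ip": "192.168.11.83", "dest_port": 25,
                "proto": "TCP", "metadata": {"flowbits": ["ET.Evil", "ET.DshieldIP"]},
                "alert": {"action": "allowed", "signature_id": 2402000, "rev": 6673,
                          "signature": "ET DROP Dshield Block Listed Source group 1",
                          "category": "Misc Attack", "severity": 2}}),
    json.dumps({"timestamp": "2023-06-19T19:13:07.000000+0900", "event_type": "flow",
                "src_ip": "192.168.11.22", "dest_ip": "192.168.11.83", "proto": "ICMP"}),
    json.dumps({"timestamp": "2023-06-19T19:13:08.100000+0900", "event_type": "alert",
                "src_ip": "192.168.11.22", "src_port": 0, "dest_ip": "192.168.11.83", "dest_port": 0,
                "proto": "ICMP", "alert": {"action": "allowed", "signature_id": 1, "rev": 1,
                                           "signature": "ICMP Ping", "category": "", "severity": 3}}),
    '{"event_type": "alert", "truncated": tr',  # a line cut mid-write, as tail -f can hand over
])

def iter_alerts(ndjson_text):
    """Yield only alert events, skipping other event types and unparsable lines."""
    for line in ndjson_text.splitlines():
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(ev, dict) and ev.get("event_type") == "alert":
            yield ev

def summarize_alerts(ndjson_text, max_severity=2):
    """Per signature_id: name, action, hit count, distinct source IPs and flowbits seen.
    Only alerts with severity <= max_severity are kept (1 is the most severe)."""
    summary = {}
    for ev in iter_alerts(ndjson_text):
        a = ev["alert"]
        if a.get("severity", 99) > max_severity:
            continue
        # "action" is "allowed" on an IDS sensor like this one; "blocked" only appears inline (IPS) with drop rules
        e = summary.setdefault(a["signature_id"], {"signature": a["signature"], "action": a.get("action"),
                                                    "count": 0, "sources": set(), "flowbits": set()})
        e["count"] += 1
        e["sources"].add(ev["src_ip"])
        # flowbits set by other rules on the same flow (e.g. ET.Evil) live in the event's metadata
        e["flowbits"].update(ev.get("metadata", {}).get("flowbits", []))
    return summary
```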
Logwatch
①Install
# apt install logwatch
②Copy the default configuration file
# cp /usr/share/logwatch/default.conf/logwatch.conf /etc/logwatch/conf/
③Change email address, etc.
# vi /etc/logwatch/conf/logwatch.conf
● Around line 52
#MailTo = root                 ← comment out and add the following line
MailTo = <your mailaddress>    ← destination address
● Around line 85
#Detail = Low
Detail = High
④Creating Directories
# mkdir /var/cache/logwatch
⑤Confirmation of Operation
When logwatch is installed, a daily cron job is registered by default, so a report mail is delivered every day.
Test that the report is delivered to the address you set:
# /etc/cron.daily/00logwatch
Chkrootkit
①Install chkrootkit
# apt -y install chkrootkit
②Check chkrootkit
# chkrootkit | grep INFECTED
If nothing is displayed, there is no problem.
③Periodic execution of chkrootkit
The package automatically creates /etc/cron.daily/chkrootkit, which runs /usr/sbin/chkrootkit-daily every day, so no script needs to be created.
Disk Usage Check Script
1. Scripting
# cd /opt/script/
# vi disk_capacity_check.sh
Contents of disk_capacity_check.sh
Configured to notify when disk usage exceeds 80%.
#!/bin/bash
# Email address for notification
MAIL="<your mailaddress>"
# Usage percentage of the root filesystem (the Use% column of df, without the % sign)
DVAL=$(/bin/df / | /usr/bin/tail -1 | /bin/sed 's/^.* \([0-9]*\)%.*$/\1/')
if [ "$DVAL" -gt 80 ]; then
  echo "Disk usage alert: $DVAL %" | mail -s "Disk Space Alert in $(hostname)" "$MAIL"
fi
# chmod 700 disk_capacity_check.sh
2. Execution check
①Check current usage
# df -h
The output looks like this:
Filesystem      Size  Used Avail Use% Mounted on
udev            1.5G     0  1.5G   0% /dev
tmpfs           294M  776K  294M   1% /run
/dev/sda1        19G  1.7G   16G  10% /
tmpfs           1.5G     0  1.5G   0% /dev/shm
tmpfs           5.0M     0  5.0M   0% /run/lock
tmpfs           294M     0  294M   0% /run/user/1000
②Create a dummy file (in the example, it is called "dummyfile" and is about 14G) so that the utilization is 80% or more.
# dd if=/dev/zero of=dummyfile bs=1M count=15000
③Check again
# df -h
Run it and make sure usage is now above 80%.
④Run disk space check script
# /opt/script/disk_capacity_check.sh
You will receive an e-mail at the address you set up, with the message body "Disk usage alert : 93%".
⑤Delete the "dummyfile" you created.
# rm dummyfile
⑥Periodic Execution Setting
# crontab -e
30 2 * * * /opt/script/disk_capacity_check.sh