Suricata
SURICATA IDS/IPSはネットワーク上の通信を監視し、不審なトラフィックを検知するオープンソースのIDSです。基本的な仕組みはシグネチャ型であるため、あらかじめ設定した不正な通信を検知できます。また、Suricataは検知だけでなく防御も行えることが特徴です。
1.Suricata のインストール
①必須パッケージをインストール
1 2 |
# apt -y install libpcre2-dev libpcre3 libpcre3-dbg libpcre3-dev build-essential autoconf automake libtool libpcap-dev libnet1-dev libyaml-0-2 libyaml-dev zlib1g zlib1g-dev libcap-ng-dev libcap-ng0 make libmagic-dev libjansson-dev libjansson4 pkg-config libnspr4-dev libnss3-dev liblz4-dev rustc cargo python3-pip # apt -y install libnetfilter-queue-dev libnetfilter-queue1 libnfnetlink-dev libnfnetlink0 |
➁Suricata のインストール
公式サイトにアクセスし、最新バージョンを確認してください。 2024年5月4日現在のスリカタの最新安定バージョンは7.0.5です
ダウンロード・解凍
1 2 |
# wget https://www.openinfosecfoundation.org/download/suricata-7.0.5.tar.gz # tar xzf suricata-7.0.5.tar.gz |
コンフィグレーション・インストール
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 |
# cd suricata-7.0.5 # /configure --enable-nfqueue --prefix=/usr --sysconfdir=/etc --localstatedir=/var # make && make install-full You can now start suricata by running as root something like: /usr/bin/suricata -c /etc/suricata/suricata.yaml -i eth0 If a library like libhtp.so is not found, you can run suricata with: LD_LIBRARY_PATH=/usr/lib /usr/bin/suricata -c /etc/suricata/suricata.yaml -i eth0 The Emerging Threats Open rules are now installed. Rules can be updated and managed with the suricata-update tool. For more information please see: https://docs.suricata.io/en/latest/rule-management/index.html make[1]: Leaving directory '/root/suricata-7.0.5' |
バージョン確認
1 2 |
# suricata -V This is Suricata version 7.0.5 RELEASE |
Suricataサービスを最初に構成する必要があるため、サービスを停止します。
1 |
# systemctl stop suricata |
2.Suricataを構成
①Suricataがネットワークパケットを検査するインターフェースとIPアドレスを決定
1 2 3 |
# ip --brief add lo UNKNOWN 127.0.0.1/8 ::1/128 ens33 UP 192.168.11.83/24 fe80::xxx:xxxx:xxxx:xxxx/64 |
/etc/suricata/suricata.yamlファイル編集
1 2 3 4 5 6 7 8 9 10 11 12 |
# vi /etc/suricata/suricata.yaml # 18行目 : 変更 HOME_NET: "[192.168.11.0/24]" # 136行目 : 変更 community-id: false → community-id: true # 615行目 : 変更 af-packet: - interface: eth0 ↓ af-packet: - interface: ens33 ←各自のインターフェース名に変更 |
➁suricataアップデート
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 |
# suricata-update -o /etc/suricata/rules -------omission------- 2/5/2024 -- 11:39:42 - <Info> -- Loaded 48910 rules. 2/5/2024 -- 11:39:42 - <Info> -- Disabled 14 rules. 2/5/2024 -- 11:39:42 - <Info> -- Enabled 0 rules. 2/5/2024 -- 11:39:42 - <Info> -- Modified 0 rules. 2/5/2024 -- 11:39:42 - <Info> -- Dropped 0 rules. 2/5/2024 -- 11:39:42 - <Info> -- Enabled 136 rules for flowbit dependencies. 2/5/2024 -- 11:39:42 - <Info> -- Backing up current rules. 2/5/2024 -- 11:39:42 - <Info> -- Writing rules to /etc/suricata/rules/suricata.rules: total: 48910; enabled: 37185; added: 48910; removed 0; modified: 0 2/5/2024 -- 11:39:42 - <Info> -- Writing /etc/suricata/rules/classification.config 2/5/2024 -- 11:39:43 - <Info> -- Testing with suricata -T. 2/5/2024 -- 11:40:07 - <Info> -- Done. |
処理されたルールの数を示し、この例では48910が追加され、そのうち37185が有効になりました。
➂設定ファイルをチェック
1 2 3 4 5 6 7 8 9 10 11 12 13 |
# suricata -T -c /etc/suricata/suricata.yaml -v Notice: suricata: This is Suricata version 7.0.5 RELEASE running in SYSTEM mode Info: cpu: CPUs/cores online: 2 Info: suricata: Running suricata under test mode Info: suricata: Setting engine mode to IDS mode by default Info: exception-policy: master exception-policy set to: auto Info: logopenfile: fast output device (regular) initialized: fast.log Info: logopenfile: eve-log output device (regular) initialized: eve.json Info: logopenfile: stats output device (regular) initialized: stats.log Info: detect: 1 rule files processed. 37236 rules successfully loaded, 0 rules failed, 0 Info: threshold-config: Threshold config parsed: 0 rule(s) found Info: detect: 37239 signatures processed. 1137 are IP-only rules, 4877 are inspecting packet payload, 31013 inspect application layer, 108 are decoder event only Notice: suricata: Configuration provided was successfully loaded. Exiting |
④サービスが起動することを確認
各自のネットワークインターフェース名を入力(今回はens33)
1 |
# suricata -c /etc/suricata/suricata.yaml -i ens33 |
次のように表示される
1 2 |
i: suricata: This is Suricata version 7.0.5 RELEASE running in SYSTEM mode i: threads: Threads created -> W: 2 FM: 1 FR: 1 Engine started |
3.Suricataサービスの自動起動
①systemdサービスを作成
1 2 3 4 5 6 7 8 9 10 11 |
# vi /etc/systemd/system/suricata.service [Unit] Description=Suricata IDS/IPS After=network.target [Service] ExecStart=/usr/bin/suricata -c /etc/suricata/suricata.yaml -i ens33 [Install] WantedBy=default.target |
➁Suricataを有効
1 2 |
# systemctl enable suricata Created symlink /etc/systemd/system/default.target.wants/suricata.service → /etc/systemd/system/suricata.service |
➂Suricataを起動
1 2 |
# systemctl daemon-reload # systemctl start suricata |
④Suricataのステータスをチェック
1 2 3 4 5 6 7 8 9 10 11 12 13 14 |
# systemctl status suricata ● suricata.service - Suricata IDS/IPS Loaded: loaded (/etc/systemd/system/suricata.service; enabled; preset: enabled) Active: active (running) since Fri 2024-05-03 12:46:02 JST; 30s ago Main PID: 23182 (Suricata-Main) Tasks: 8 (limit: 4556) Memory: 776.9M (peak: 812.1M) CPU: 3.049s CGroup: /system.slice/suricata.service mq23182 /usr/bin/suricata -c /etc/suricata/suricata.yaml -i ens33 May 03 12:46:02 lepard systemd[1]: Started suricata.service - Suricata IDS/IPS. May 03 12:46:02 lepard suricata[23182]: i: suricata: This is Suricata version 7.0.5 RELEASE running in SYSTEM mode May 03 12:46:05 lepard suricata[23182]: i: threads: Threads created -> W: 2 FM: 1 FR: 1 Engine started |
4.Suricataルールのテスト
①ET Openルール番号2100498をテスト
1 2 |
# curl http://testmynids.org/uid/index.html uid=0(root) gid=0(root) groups=0(root) |
ルール番号を指定してログファイルを確認
1 2 |
# grep 2100498 /var/log/suricata/fast.log 05/03/2024-12:54:12.517864 [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 99.86.199.74:80 -> 192.168.11.83:47068 |
➁/var/log/suricata/eve.log のイベント確認
jq をインストール
1 |
# apt install jq |
2100498シグネチャを検索して、EVEログのイベントをフィルタリング
2100498の値と一致するsignature_idキーを持つalertオブジェクトを表示
1 |
# jq 'select(.alert .signature_id==2100498)' /var/log/suricata/eve.json |
次のように表示される
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 |
{ "timestamp": "2024-05-03T12:54:12.517864+0900", "flow_id": 1259841387789651, "in_iface": "ens33", "event_type": "alert", "src_ip": "99.86.199.74", "src_port": 80, "dest_ip": "192.168.11.83", "dest_port": 47068, "proto": "TCP", "pkt_src": "wire/pcap", "community_id": "1:b6Z5YOjKiLOagLna2F8gX75pnDM=", "alert": { "action": "allowed", "gid": 1, "signature_id": 2100498, "rev": 7, "signature": "GPL ATTACK_RESPONSE id check returned root", "category": "Potentially Bad Traffic", "severity": 2, "metadata": { "created_at": [ "2010_09_23" ], "updated_at": [ "2019_07_26" ] } }, |
5.Custom Rulesの作成と適用
①Custom Rulesファイルにカスタム署名を作成
1 2 3 |
# vi /etc/suricata/rules/local.rules 下記内容を記載 alert icmp any any -> $HOME_NET any (msg:"ICMP Ping"; sid:10001; rev:1;) |
➁設定ファイルを編集(上記local.rulesのパスを定義)
1 2 3 4 5 6 7 8 |
# vi /etc/suricata/suricata.yaml # 2155行目あたりに追記 default-rule-path: /var/lib/suricata/rules rule-files: - suricata.rules - /etc/suricata/rules/local.rules |
③設定ファイルのテスト
1 2 3 4 5 6 7 8 9 10 11 12 13 |
# suricata -T -c /etc/suricata/suricata.yaml -v Notice: suricata: This is Suricata version 7.0.5 RELEASE running in SYSTEM mode Info: cpu: CPUs/cores online: 2 Info: suricata: Running suricata under test mode Info: suricata: Setting engine mode to IDS mode by default Info: exception-policy: master exception-policy set to: auto Info: logopenfile: fast output device (regular) initialized: fast.log Info: logopenfile: eve-log output device (regular) initialized: eve.json Info: logopenfile: stats output device (regular) initialized: stats.log Info: detect: 2 rule files processed. 37237 rules successfully loaded, 0 rules failed, 0 Info: threshold-config: Threshold config parsed: 0 rule(s) found Info: detect: 37240 signatures processed. 1138 are IP-only rules, 4877 are inspecting packet payload, 31013 inspect application layer, 108 are decoder event only Notice: suricata: Configuration provided was successfully loaded. Exiting |
④Suricat service再起動
1 |
# systemctl restart suricata |
⑤Custom Rulesの適用テスト
同一ローカルネットワーク上の別のPCでpingを実行し、ログに記録されたかどうかを確認する
1 2 3 |
# cat /var/log/suricata/fast.log 05/03/2024-13:06:06.322710 [**] [1:10000:1] ICMP Ping [**] [Classification: (null)] [Priority: 3] {ICMP} 192.168.11.22:8 -> 192.168.11.83:0 05/03/2024-13:06:06.322819 [**] [1:10000:1] ICMP Ping [**] [Classification: (null)] [Priority: 3] {ICMP} 192.168.11.83:0 -> 192.168.11.22:0 |
⑥JSON形式のログを取得
jqをインストール
1 2 |
# apt install jq # systemctl restart suricata |
同一ローカルネットワーク上の別のPCでpingを実行
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 |
# tail -f /var/log/suricata/eve.json | jq 'select(.event_type=="alert")' pingを実行するとコンソールに下記のように表示される { "timestamp": "2024-05-03T13:24:01.134991+0900", "flow_id": 298106683534580, "in_iface": "ens33", "event_type": "alert", "src_ip": "192.168.11.83", "src_port": 0, "dest_ip": "192.168.11.22", "dest_port": 0, "proto": "ICMP", "icmp_type": 0, "icmp_code": 0, "pkt_src": "wire/pcap", "community_id": "1:s8KsUEhci/Nac9CjIft0d/rc2+U=", "alert": { "action": "allowed", "gid": 1, "signature_id": 10001, "rev": 1, "signature": "ICMP Ping", "category": "", "severity": 3 }, "direction": "to_client", "flow": { "pkts_toserver": 2, "pkts_toclient": 1, "bytes_toserver": 148, "bytes_toclient": 74, "start": "2024-05-03T13:24:01.134944+0900", "src_ip": "192.168.11.22", "dest_ip": "192.168.11.83" } } |
6.ルール・セット・プロバイダーの追加
①既定のプロバイダー リストを一覧表示
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 |
# suricata-update list-sources Name: et/open Vendor: Proofpoint Summary: Emerging Threats Open Ruleset License: MIT Name: et/pro Vendor: Proofpoint Summary: Emerging Threats Pro Ruleset License: Commercial Replaces: et/open Parameters: secret-code Subscription: https://www.proofpoint.com/us/threat-insight/et-pro-ruleset Name: etnetera/aggressive Vendor: Etnetera a.s. Summary: Etnetera aggressive IP blacklist License: MIT Name: malsilo/win-malware Vendor: malsilo Summary: Commodity malware rules License: MIT Name: oisf/trafficid Vendor: OISF Summary: Suricata Traffic ID ruleset License: MIT Name: scwx/enhanced Vendor: Secureworks Summary: Secureworks suricata-enhanced ruleset License: Commercial Parameters: secret-code Subscription: https://www.secureworks.com/contact/ (Please reference CTU Countermeasures) Name: scwx/malware Vendor: Secureworks Summary: Secureworks suricata-malware ruleset License: Commercial Parameters: secret-code Subscription: https://www.secureworks.com/contact/ (Please reference CTU Countermeasures) Name: scwx/security Vendor: Secureworks Summary: Secureworks suricata-security ruleset License: Commercial Parameters: secret-code Subscription: https://www.secureworks.com/contact/ (Please reference CTU Countermeasures) Name: sslbl/ja3-fingerprints Vendor: Abuse.ch Summary: Abuse.ch Suricata JA3 Fingerprint Ruleset License: Non-Commercial Name: sslbl/ssl-fp-blacklist Vendor: Abuse.ch Summary: Abuse.ch SSL Blacklist License: Non-Commercial Name: stamus/lateral Vendor: Stamus Networks Summary: Lateral movement rules License: GPL-3.0-only Name: tgreen/hunting Vendor: tgreen Summary: Threat hunting rules License: GPLv3 |
例としてtgreen/hunting ルールセットを含める場合
1 2 3 4 5 6 7 8 9 10 11 |
# suricata-update enable-source tgreen/hunting 4/5/2024 -- 11:23:57 - <Info> -- Using data-directory /var/lib/suricata. 4/5/2024 -- 11:23:57 - <Info> -- Using Suricata configuration /etc/suricata/suricata.yaml 4/5/2024 -- 11:23:57 - <Info> -- Using /usr/share/suricata/rules for Suricata provided rules. 4/5/2024 -- 11:23:57 - <Info> -- Found Suricata version 7.0.5 at /usr/bin/suricata. 4/5/2024 -- 11:23:57 - <Warning> -- Source index does not exist, will use bundled one. 4/5/2024 -- 11:23:57 - <Warning> -- Please run suricata-update update-sources. 4/5/2024 -- 11:23:57 - <Info> -- Creating directory /var/lib/suricata/update/sources 4/5/2024 -- 11:23:57 - <Info> -- Enabling default source et/open 4/5/2024 -- 11:23:57 - <Info> -- Source tgreen/hunting enabled |
アップデートを実行
1 |
# suricata-update -o /etc/suricata/rules |
Snort3
1.必要なパッケージをインストール
1 |
# apt install build-essential libpcap-dev libpcre3-dev libnet1-dev zlib1g-dev luajit hwloc libdumbnet-dev bison flex liblzma-dev openssl libssl-dev pkg-config libhwloc-dev cmake cpputest libsqlite3-dev uuid-dev libcmocka-dev libnetfilter-queue-dev libmnl-dev autotools-dev libluajit-5.1-dev libunwind-dev libfl-dev -y |
2. DAQライブラリをインストール
DAQライブラリをダウンロードしてインストール
1 2 3 4 5 6 |
# git clone https://github.com/snort3/libdaq.git # cd libdaq/ ~/libdaq# ./bootstrap ~/libdaq# ./configure ~/libdaq# make ~/libdaq# make install |
3. Gperftoolsをインストール
複数のインスタンスにおけるメモリ処理を改善することで、特定のアプリケーションやサービスのパフォーマンスを向上させるために使用されるプロファイラツール
1 2 3 4 5 6 7 |
# cd # wget https://github.com/gperftools/gperftools/releases/download/gperftools-2.13/gperftools-2.13.tar.gz # tar xzf gperftools-2.13.tar.gz # cd gperftools-2.13 ~/gperftools-2.13# ./configure ~/gperftools-2.13# make ~/gperftools-2.13# make install |
4. SNORT3のインストール
①SNORT3のダウンロードと展開
1 2 3 4 5 |
# cd # wget https://github.com/snort3/snort3/archive/refs/heads/master.zip # apt install unzip # unzip master.zip # cd snort3-master |
➁コンフィグレーション
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 |
# ./configure_cmake.sh --prefix=/usr/local --enable-tcmalloc ------------------------------------------------------- snort version 3.1.84.0 Install options: prefix: /usr/local includes: /usr/local/include/snort plugins: /usr/local/lib/snort Compiler options: CC: /usr/bin/cc CXX: /usr/bin/c++ CFLAGS: -fvisibility=hidden -DNDEBUG -g -ggdb -fno-builtin-malloc -fno-builtin-calloc -fno-builtin-realloc -fno-builtin-free -O2 -g -DNDEBUG CXXFLAGS: -fvisibility=hidden -DNDEBUG -g -ggdb -fno-builtin-malloc -fno-builtin-calloc -fno-builtin-realloc -fno-builtin-free -O2 -g -DNDEBUG EXE_LDFLAGS: MODULE_LDFLAGS: Feature options: DAQ Modules: Static (afpacket;bpf;dump;fst;gwlb;nfq;pcap;savefile;trace) libatomic: System-provided Hyperscan: OFF ICONV: ON Libunwind: ON LZMA: ON RPC DB: Built-in SafeC: OFF TCMalloc: ON JEMalloc: OFF UUID: ON NUMA: ON LibML: OFF ------------------------------------------------------- -- Configuring done (4.5s) -- Generating done (0.5s) -- Build files have been written to: /root/snort3-master/build |
➂インストール
1 2 3 |
# cd build # make # make install |
④共有ライブラリを更新
1 |
# ldconfig |
⑤バージョンを確認
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 |
# snort -V ,,_ -*> Snort++ <*- o" )~ Version 3.1.84.0 '''' By Martin Roesch & The Snort Team http://snort.org/contact#team Copyright (C) 2014-2024 Cisco and/or its affiliates. All rights reserved. Copyright (C) 1998-2013 Sourcefire, Inc., et al. Using DAQ version 3.0.14 Using LuaJIT version 2.1.1703358377 Using OpenSSL 3.0.13 30 Jan 2024 Using libpcap version 1.10.4 (with TPACKET_V3) Using PCRE version 8.39 2016-06-14 Using ZLIB version 1.3 Using LZMA version 5.4.5 |
⑥デ フォルト設定をテスト
1 |
# snort -c /usr/local/etc/snort/snort.lua |
正常であれば下記のように表示される
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 |
-------------------------------------------------- o")~ Snort++ 3.1.84.0 -------------------------------------------------- Loading /usr/local/etc/snort/snort.lua: Loading snort_defaults.lua: Finished snort_defaults.lua: ----omission----- -------------------------------------------------- rule counts total rules loaded: 208 text rules: 208 option chains: 208 chain headers: 1 -------------------------------------------------- service rule counts to-srv to-cli file_id: 208 208 total: 208 208 -------------------------------------------------- fast pattern groups to_server: 1 to_client: 1 -------------------------------------------------- search engine (ac_bnfa) instances: 2 patterns: 416 pattern chars: 2508 num states: 1778 num match states: 370 memory scale: KB total memory: 68.5879 pattern memory: 18.6973 match list memory: 27.3281 transition memory: 22.3125 appid: MaxRss diff: 3328 appid: patterns loaded: 300 -------------------------------------------------- pcap DAQ configured to passive. Snort successfully validated the configuration (with 0 warnings). o")~ Snort exiting |
5. ネットワークインタフェースを特定し、設定
①ネットワーク・イ ンターフェースを確認
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 |
# ip addr 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever inet6 ::1/128 scope host noprefixroute valid_lft forever preferred_lft forever 2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000 link/ether 00:0c:29:1c:f2:f6 brd ff:ff:ff:ff:ff:ff altname enp2s1 inet 192.168.11.83/24 brd 192.168.11.255 scope global ens33 valid_lft forever preferred_lft forever inet6 fe80::20c:29ff:fe1c:f2f6/64 scope link valid_lft forever preferred_lft forever |
ネットワーク・イ ンターフェース名はens33
➁ネットワークインターフェースをプロミスキャスモードに設定
1 |
# ip link set dev ens33 promisc on |
設定を確認
1 2 |
# ip addr | grep ens33 | grep mtu 2: ens33: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000 |
➂ラージ・レシーブ・オフロード(LRO)とジェネリック・レシーブ・オフロード(GRO)をオフ状態に設定
現在の状態を確認
1 2 3 |
# ethtool -k ens33 | grep receive-offload generic-receive-offload: on large-receive-offload: off [fixed] |
LROとGROのオフロードステータスをオフ状態に設定
1 |
# ethtool -K ens33 gro off lro off |
6. ネットワークインターフェース用のsystemdサービスを作成
1 2 |
# touch /etc/systemd/system/snort3-nic.service # vi /etc/systemd/system/snort3-nic.service |
snort3-nic.serviceの内容
1 2 3 4 5 6 7 8 9 10 11 12 13 |
[Unit] Description=Set Snort 3 NIC in promiscuous mode and Disable GRO, LRO on boot After=network.target [Service] Type=oneshot ExecStart=/usr/sbin/ip link set dev ens33 promisc on ExecStart=/usr/sbin/ethtool -K ens33 gro off lro off TimeoutStartSec=0 RemainAfterExit=yes [Install] WantedBy=default.target |
systemd デーモンをリロードし、変更を適用
1 |
# systemctl daemon-reload |
snort3-nic.serviceを起動し、有効にします
1 2 3 |
# systemctl start snort3-nic.service # systemctl enable snort3-nic.service Created symlink /etc/systemd/system/default.target.wants/snort3-nic.service → /etc/systemd/system/snort3-nic.service |
snort3-nic.serviceのステータスを確認
1 2 3 4 5 6 7 8 9 |
# systemctl status snort3-nic.service ● snort3-nic.service - Set Snort 3 NIC in promiscuous mode and Disable GRO, LRO on boot Loaded: loaded (/etc/systemd/system/snort3-nic.service; enabled; preset: enabled) Active: active (exited) since Fri 2024-05-03 17:43:10 JST; 39s ago Main PID: 61473 (code=exited, status=0/SUCCESS) CPU: 6ms May 03 17:43:10 lepard systemd[1]: Starting snort3-nic.service - Set Snort 3 NIC in promiscuous mode and Disable GRO, LRO on boot... May 03 17:43:10 lepard systemd[1]: Finished snort3-nic.service - Set Snort 3 NIC in promiscuous mode and Disable GRO, LRO on boot. |
7. Snort Rulesの追加
7.1 コミュニティ・ルールセットを追加
①Snortルール用のフォルダを作成し、SnortのWebサイトからコミュニティルールセットをダウンロード
1 2 |
# mkdir /usr/local/etc/snort/rules # wget -qO- https://www.snort.org/downloads/community/snort3-community-rules.tar.gz | tar xz -C /usr/local/etc/snort/rules/ |
➁ Snortメイン設定ファイルを編集
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 |
# vi /usr/local/etc/snort/snort.lua # 24行目 : 自ネットワークに変更 HOME_NET = '192.168.11.0/24' # 28行目 : 変更 EXTERNAL_NET = '!$HOME_NET' 193行目当たりに追加 ips = { -- use this to enable decoder and inspector alerts -- enable_builtin_rules = true, -- use include for rules files; be sure to set your path -- note that rules files can include other rules files -- (see also related path vars at the top of snort_defaults.lua) variables = default_variables, rules = [[ include /usr/local/etc/snort/rules/snort3-community-rules/snort3-community.rules ]] } |
➂ メイン構成の変更をテスト
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 |
# snort -c /usr/local/etc/snort/snort.lua 正常であれば次のように表示される ... -------------------------------------------------- search engine (ac_bnfa) instances: 338 patterns: 10778 pattern chars: 175278 num states: 123344 num match states: 10498 memory scale: MB total memory: 3.68713 pattern memory: 0.577984 match list memory: 1.33597 transition memory: 1.73192 fast pattern only: 7099 appid: MaxRss diff: 3328 appid: patterns loaded: 300 -------------------------------------------------- pcap DAQ configured to passive. Snort successfully validated the configuration (with 0 warnings). o")~ Snort exiting |
7.2 カスタムルールを追加
①Snort rulesディレクトリにファイルを作成
1 2 3 4 |
# touch /usr/local/etc/snort/rules/local.rules # vi /usr/local/etc/snort/rules/local.rules alert icmp any any -> $HOME_NET any (msg:"Incoming ICMP"; sid:1000001; rev:1;) |
➁Snortメイン構成を編集
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 |
# vi /usr/local/etc/snort/snort.lua 194行目当たりに追加 ips = { -- use this to enable decoder and inspector alerts -- enable_builtin_rules = true, -- use include for rules files; be sure to set your path -- note that rules files can include other rules files -- (see also related path vars at the top of snort_defaults.lua) variables = default_variables, rules = [[ include /usr/local/etc/snort/rules/local.rules include /usr/local/etc/snort/rules/snort3-community-rules/snort3-community.rules ]] } |
➂ メイン構成の変更をテスト
1 2 3 4 5 6 7 8 9 10 11 12 13 14 |