Mark:
实验环境:
最好用两台真机,至少一台虚拟机加一台真机;不推荐两台实验机都是虚拟机(两台都是虚拟机时,route 表中的路由可能不会生效)
A:172.20.8.42 IPS (功能)
B:172.20.8.8 pc
要求: B -> A -> Internet;B 访问的地址若存在攻击行为,则阻断
A:
#安装suricata
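# Build dependencies for Suricata 3.2 on Debian/Ubuntu.
suricata_deps=(
  libpcre3 libpcre3-dbg libpcre3-dev build-essential autoconf automake libtool
  libpcap-dev libnet1-dev libyaml-0-2 libyaml-dev zlib1g zlib1g-dev
  libcap-ng-dev libcap-ng0 make libmagic-dev libjansson-dev libjansson4
  pkg-config libnetfilter-queue-dev libnetfilter-queue1 libnfnetlink-dev
  libnfnetlink0
)
apt-get install "${suricata_deps[@]}" || exit 1

# Fetch the 3.2 source archive.
# TODO: compare the download against the upstream-published checksum/signature
# before building anything from it.
wget https://github.com/inliniac/suricata/archive/suricata-3.2.zip || exit 1
unar suricata-3.2.zip || exit 1
# The GitHub tag archive unpacks as suricata-suricata-3.2 (the one-click
# script further down uses that name); a plain suricata-3.2 directory does
# not exist after extraction, so the old 'cd suricata-3.2' failed.
cd suricata-suricata-3.2 || exit 1
# libhtp is a build dependency and is expected inside the Suricata source tree.
git clone https://github.com/OISF/libhtp.git || exit 1
# The tag archive carries no generated configure script; autogen.sh creates it
# (the one-click script below does the same).
./autogen.sh || exit 1
./configure --enable-nfqueue --enable-pfring --enable-hiredis \
  --prefix=/usr --sysconfdir=/etc --localstatedir=/var || exit 1
make || exit 1
make install || exit 1
make install-conf || exit 1
make install-rules || exit 1
ldconfig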
#配置转发环境
# Turn on IPv4 forwarding for the running kernel only; this is not persisted
# across reboots.
printf '1\n' > /proc/sys/net/ipv4/ip_forward
#配置iptables
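# Interface and addresses used by the inline setup on host A.
iface=eth0
ips_ip=172.20.8.42
# NOTE(review): the SNAT source below is 172.20.8.5, but host B is listed as
# 172.20.8.8 at the top of these notes — confirm which address is right.
client_ip=172.20.8.5
# NFQUEUE hands every packet to Suricata so it can drop it (IPS).
# Use ACCEPT instead to run as a passive IDS.
target=NFQUEUE

# Send INPUT, OUTPUT and FORWARD through the queue. By default packets sent to
# an NFQUEUE with no userspace listener are dropped, so start Suricata first
# (or expect to lose remote access to A until it is running).
for chain in INPUT OUTPUT FORWARD; do
  iptables -I "$chain" -j "$target" || exit 1
done
# Kept from the original notes; it sits behind the FORWARD rule inserted above,
# which already queues every forwarded packet, so it appears redundant.
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j "$target" || exit 1

# Rewrite the forwarded client's source address to A's own address; without
# this the replies never come back through A and Suricata sees no packets.
iptables -t nat -A POSTROUTING -s "$client_ip" -j SNAT --to "$ips_ip" || exit 1

# '-promisc' CLEARS the promiscuous flag (the leading '-' disables it);
# the inline NFQUEUE setup does not need promiscuous mode.
ifconfig "$iface" -promisc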
#修改suricata配置
#suricata.yaml HOME_NET: "![172.20.0.0/16]" #HOME_NET 把外部地址当成目标为自己的就能匹配rules
#启动
# Run Suricata inline on NFQUEUE 0 with the system configuration (foreground).
suricata -q 0 -c /etc/suricata/suricata.yaml
B:
把电脑的网关设置为 172.20.8.42 就行了
#测试注意
最好用浏览器测试:http://xxx.com/xxx.php?id=1 and 1=2 union select id from test where id=1 ,在 /var/log/suricata/fast.log 文件中出现记录即表示成功
若用 curl 命令行测试,则应为 curl "http://xxx.com/xxx.php?id=1%20and%201=2%20union%20select%20id%20from%20test%20where%20id=1" #命令行下不会自动把空格转义为 %20,若不手动转义,suricata 识别不了,匹配不到 rules
#更新
功能尽量装全
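# Fuller dependency set so every optional Suricata feature can be enabled.
suricata_full_deps=(
  libpcre3 libpcre3-dbg libpcre3-dev build-essential autoconf automake libtool
  libpcap-dev libnet1-dev libyaml-0-2 libyaml-dev zlib1g zlib1g-dev
  libcap-ng-dev libcap-ng0 make libmagic-dev libjansson-dev libjansson4
  pkg-config libprelude-dev liblua5.1-dev libgeoip-dev libhiredis-dev
  libnetfilter-queue-dev libnetfilter-queue1 libnfnetlink-dev libnfnetlink0
)
apt-get install "${suricata_full_deps[@]}" || exit 1

# Must be run from the Suricata source tree (after ./autogen.sh).
# NOTE(review): --enable-debug, --enable-debug-validation, --enable-profiling,
# --enable-profiling-locks and --enable-unittests are development switches;
# they are not appropriate for an inline IPS carrying real traffic — drop them
# for a production build.
./configure --enable-nfqueue --enable-pfring --enable-hiredis \
  --prefix=/usr --sysconfdir=/etc --localstatedir=/var \
  --enable-unittests --enable-python --enable-debug --enable-debug-validation \
  --enable-profiling --enable-profiling-locks --enable-lua --enable-geoip \
  --enable-pie --enable-prelude || exit 1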
另外,NAT 转发会导致服务端丢失真实源 IP,所以另拿一台机器做分析,用 iptables 做端口镜像(或者 daemonlogger)
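# Mirror port-80 traffic to a separate analysis host using the TEE target.
iface=eth0
mirror_gw=172.20.8.147
# Both directions must be mirrored. With only one direction Suricata cannot
# follow the stream and does no protocol analysis — the same symptom as NAT
# forwarding without the SNAT rule, where it effectively sees only INPUT.
iptables -A INPUT -i "$iface" -p tcp -m tcp --sport 80 -j TEE --gateway "$mirror_gw" || exit 1
iptables -A OUTPUT -o "$iface" -p tcp -m tcp --dport 80 -j TEE --gateway "$mirror_gw" || exit 1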
#若只镜像单向(注入)的流量,则需在 suricata.yaml 中开启下面这个选项(也可在启动命令行用 --set 传入),不过该功能有 BUG,建议镜像双向流量
--set stream.async-oneside=true
#另附suricata snort 一键安装脚本
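#!/usr/bin/env bash
# One-click install of Suricata 3.2 + Snorby + Barnyard2 on Debian/Ubuntu.
#
# Required env:
#   SNORBY_DB_PASSWORD  MySQL password written into Snorby's database.yml and
#                       Barnyard2's output line (previously hard-coded).
# Optional env:
#   IFACE               sniffing interface (default: eth0)
#
# Everything is built in a private mktemp directory that is removed on exit.
set -o pipefail

die() { printf '%s\n' "$*" >&2; exit 1; }

readonly SNORBY_DIR=/var/www/snorby
readonly SURICATA_CONF=/etc/suricata/suricata.yaml
readonly BARNYARD_CONF=/etc/suricata/barnyard2.conf
readonly RUBY_VERSION=ruby-2.2.4
readonly IFACE=${IFACE:-eth0}
: "${SNORBY_DB_PASSWORD:?set SNORBY_DB_PASSWORD to the MySQL password Snorby should use}"

build_dir=

#######################################
# Install every build/runtime package in one apt-get call.
# The original list contained many duplicates; they are collapsed here, and the
# netfilter-queue packages from the earlier dependency list are added because
# the Suricata build below is configured with --enable-nfqueue.
#######################################
install_deps() {
  local -a pkgs=(
    wkhtmltopdf gcc g++ build-essential libssl-dev libreadline6-dev zlib1g-dev
    libsqlite3-dev libxslt-dev libxml2-dev imagemagick git-core
    libmysqlclient-dev libmagickwand-dev default-jre ruby ruby-dev
    libpcre3 libpcre3-dbg libpcre3-dev autoconf automake libtool libpcap-dev
    libnet1-dev libyaml-0-2 libyaml-dev zlib1g libcap-ng-dev libcap-ng0 make
    libmagic-dev libjansson-dev libjansson4 pkg-config libprelude-dev
    liblua5.1-dev libgeoip-dev libhiredis-dev mysql-server apache2 apache2-dev
    libapr1-dev libaprutil1-dev libcurl4-openssl-dev git libnss3-dev
    libnspr4-dev wget mysql-client libdumbnet-dev libmysqlclient18 flex bison
    libpq-dev postgresql-server-dev-all libdnet-dev unar
    libnetfilter-queue-dev libnetfilter-queue1 libnfnetlink-dev libnfnetlink0
  )
  apt-get install "${pkgs[@]}" || die "apt-get install failed"
}

#######################################
# Build and install Suricata 3.2 from the GitHub tag archive, then patch
# suricata.yaml (comment out the windows host-os-policy line, enable unified2).
# Globals: build_dir (read), SURICATA_CONF (read)
#######################################
install_suricata() {
  cd "$build_dir" || die "cannot cd to $build_dir"
  # TODO: verify the archive against the upstream-published checksum/signature
  # before building it.
  wget https://github.com/inliniac/suricata/archive/suricata-3.2.zip || die "suricata download failed"
  unar suricata-3.2.zip || die "unar failed"
  cd suricata-suricata-3.2 || die "unexpected archive layout"
  # libhtp is a build dependency and must live inside the Suricata source tree.
  git clone https://github.com/OISF/libhtp.git || die "libhtp clone failed"
  ./autogen.sh || die "autogen failed"
  # NOTE(review): the --enable-debug*/--enable-profiling*/--enable-unittests
  # switches are development options and add overhead on an inline sensor.
  ./configure --enable-nfqueue --enable-pfring --enable-hiredis \
    --prefix=/usr --sysconfdir=/etc --localstatedir=/var \
    --enable-unittests --enable-python --enable-debug --enable-debug-validation \
    --enable-profiling --enable-profiling-locks --enable-lua --enable-geoip \
    --enable-pie --enable-prelude || die "configure failed"
  make || die "make failed"
  make install || die "make install failed"
  make install-conf || die "make install-conf failed"
  make install-rules || die "make install-rules failed"
  ldconfig

  # Comment out 'windows: [0.0.0.0/0]'. Brackets and dots must be escaped:
  # unescaped, '[0.0.0.0/0]' is a bracket expression matching ONE character,
  # so the original expression never matched the line.
  sed -i 's|windows: \[0\.0\.0\.0/0\].*|#windows: [0.0.0.0/0]|g' "$SURICATA_CONF" \
    || die "patching host-os-policy failed"
  # Turn on unified2-alert output while keeping the file's own indentation
  # (the original replacement re-indented 'enabled:' with a single space).
  perl -0777 -i -pe 's/(- unified2-alert:\s*enabled:).*/$1 yes/' "$SURICATA_CONF" \
    || die "enabling unified2 output failed"
}

#######################################
# Install RVM + Ruby, check out Snorby, configure it and serve it via
# Apache/Passenger.
# Globals: build_dir, SNORBY_DIR, RUBY_VERSION, SNORBY_DB_PASSWORD (read)
#######################################
install_snorby() {
  local esc_pw

  # RVM's release-signing key, used by the installer to verify what it fetches.
  gpg --keyserver hkp://keys.gnupg.net --recv-keys 409B6B1796C275462A1703113804BB82D39DC0E3 \
    || die "importing the RVM key failed"
  # NOTE(review): this still pipes a remote script straight into bash; the key
  # above verifies the release the installer downloads, not the installer
  # itself. Prefer saving the installer, checking its signature, then running it.
  curl -sSL https://get.rvm.io | bash -s stable || die "RVM install failed"
  # shellcheck disable=SC1091
  source /etc/profile.d/rvm.sh || die "cannot load rvm.sh"
  rvm install "$RUBY_VERSION" || die "rvm install failed"
  rvm use "$RUBY_VERSION" --default || die "rvm use failed"

  # Gem mirror switch is best-effort; the installs below are checked.
  gem sources --add https://gems.ruby-china.org/ --remove https://rubygems.org/
  gem install thor i18n bundler tzinfo builder memcache-client rack rack-test \
    erubis mail rack-mount rails sqlite3 arel ezprint rake activesupport minitest \
    || die "gem install failed"
  bundle config mirror.https://rubygems.org https://gems.ruby-china.org

  # https instead of the original cleartext http clone.
  git clone https://github.com/Snorby/snorby.git --depth=1 "$SNORBY_DIR" \
    || die "snorby clone failed"
  cp "$SNORBY_DIR/config/database.yml.example" "$SNORBY_DIR/config/database.yml" || die "cp failed"
  cp "$SNORBY_DIR/config/snorby_config.yml.example" "$SNORBY_DIR/config/snorby_config.yml" || die "cp failed"

  # Escape the characters sed treats specially in a replacement so an arbitrary
  # password can neither break nor inject into the expression. The value is
  # written as a YAML double-quoted scalar, so avoid '"' in the password.
  esc_pw=$(printf '%s' "$SNORBY_DB_PASSWORD" | sed 's/[\\&|]/\\&/g')
  sed -i "s|password: .*\$|password: \"$esc_pw\"|" "$SNORBY_DIR/config/database.yml" \
    || die "setting database password failed"
  sed -i "s/domain: .*\$/domain: 'localhost:3000'/" "$SNORBY_DIR/config/snorby_config.yml"
  sed -i "s/wkhtmltopdf: .*\$/wkhtmltopdf: wkhtmltopdf/" "$SNORBY_DIR/config/snorby_config.yml"
  sed -i "s#rules:#rules: \n - \"/etc/suricata/rules/\"#g" "$SNORBY_DIR/config/snorby_config.yml"

  (cd "$SNORBY_DIR" && bundle update activesupport railties rails) || die "bundle update failed"
  (cd "$SNORBY_DIR" && bundle install) || die "bundle install failed"
  (cd "$SNORBY_DIR" && bundle exec rake snorby:setup RAILS_ENV=production) || die "snorby:setup failed"
  chown -R www-data:www-data "$SNORBY_DIR" || die "chown failed"

  # '>' rather than '>>': re-running the script must not stack duplicate vhosts.
  # NOTE(review): 'Order/Allow from' is Apache 2.2 syntax; on 2.4 the
  # equivalent is 'Require all granted' — confirm the installed version.
  cat <<EOT > /etc/apache2/sites-available/snorby.conf
<VirtualHost *:80>
  ServerAdmin webmaster@localhost
  DocumentRoot $SNORBY_DIR/public
  <Directory "$SNORBY_DIR/public">
    AllowOverride all
    Order deny,allow
    Allow from all
    Options -MultiViews
  </Directory>
</VirtualHost>
EOT
  a2dissite 000-default.conf
  a2ensite snorby.conf || die "a2ensite failed"

  gem install --no-ri --no-rdoc passenger || die "passenger gem install failed"
  # Capture the module build output in the private build dir instead of fixed,
  # predictable names under /tmp.
  (cd "$SNORBY_DIR" && passenger-install-apache2-module -a \
    2> "$build_dir/passenger_error.txt" 1> "$build_dir/passenger_compile_out") \
    || die "passenger module build failed (see $build_dir/passenger_error.txt)"
  sed -n '/LoadModule passenger_module \/usr\//,/<\/IfModule>/p' "$build_dir/passenger_compile_out" \
    > /etc/apache2/mods-available/passenger.load || die "extracting passenger.load failed"
  a2enmod passenger || die "a2enmod passenger failed"
  a2enmod rewrite || die "a2enmod rewrite failed"
  service apache2 restart

  (cd "$SNORBY_DIR" && bundle pack) || die "bundle pack failed"
  # NOTE(review): 'vender' is kept from the original; it is probably a typo for
  # 'vendor' (where 'bundle pack' puts the gems) — confirm before changing.
  (cd "$SNORBY_DIR" && bundle install --path vender/cache) || die "bundle install failed"
  service apache2 restart
}

#######################################
# Build DAQ and Barnyard2, write barnyard2.conf and a SysV init script.
# Globals: build_dir, BARNYARD_CONF, IFACE, SNORBY_DB_PASSWORD (read)
#######################################
install_barnyard2() {
  cd "$build_dir" || die "cannot cd to $build_dir"
  # TODO: verify daq-2.0.6.tar.gz against the checksum published by snort.org.
  wget -q https://www.snort.org/downloads/snort/daq-2.0.6.tar.gz || die "daq download failed"
  tar xzf daq-2.0.6.tar.gz || die "daq extract failed"
  (cd daq-2.0.6 && ./configure && make && make install) || die "daq build failed"
  # Barnyard2 includes dnet.h; Debian ships the header as dumbnet.h.
  [ -e /usr/include/dnet.h ] || ln -s /usr/include/dumbnet.h /usr/include/dnet.h

  cd "$build_dir" || die "cannot cd to $build_dir"
  git clone https://github.com/firnsy/barnyard2 --depth=1 || die "barnyard2 clone failed"
  cd barnyard2 || die "cannot cd to barnyard2"
  ./autogen.sh || die "autogen failed"
  autoreconf --force --install || die "autoreconf failed"
  ./configure --with-mysql --with-mysql-libraries=/usr/lib/x86_64-linux-gnu/ || die "configure failed"
  (make && make install) || die "barnyard2 build failed"

  cp etc/barnyard2.conf "$BARNYARD_CONF" || die "cannot copy barnyard2.conf"
  sed -i "s/#config interface:\s\+eth0/config interface: $IFACE/g" "$BARNYARD_CONF"
  sed -i 's/#config daemon/config daemon/g' "$BARNYARD_CONF"
  sed -i 's/#config verbose/config verbose/g' "$BARNYARD_CONF"
  sed -i 's;#config waldo_file:.*;config waldo_file: /var/log/suricata/suricata.waldo;' "$BARNYARD_CONF"
  sed -i 's#config reference_file:\s\+/etc/.*#config reference_file: /etc/suricata/reference.config#g' "$BARNYARD_CONF"
  sed -i 's#config classification_file:\s\+/etc/.*#config classification_file: /etc/suricata/classification.config#g' "$BARNYARD_CONF"
  sed -i 's#config gen_file:\s\+/etc/.*#config gen_file: /etc/suricata/rules/gen-msg.map#g' "$BARNYARD_CONF"
  sed -i 's#config sid_file:\s\+/etc/.*#config sid_file: /etc/suricata/rules/sid-msg.map#g' "$BARNYARD_CONF"
  # NOTE(review): the DB user is root as in the original; a dedicated
  # least-privilege MySQL user for the snorby database is preferable.
  # The file now holds the password in clear text, so restrict its mode.
  printf 'output database: log, mysql, user=root password=%s dbname=snorby host=localhost sensor_name=sensor1\n' \
    "$SNORBY_DB_PASSWORD" >> "$BARNYARD_CONF"
  chmod 600 "$BARNYARD_CONF"
  mkdir -p /var/log/barnyard2

  # '>' rather than '>>' so a re-run does not append a second script body.
  # Fixes vs. the original: 'sudo' dropped (init scripts already run as root
  # and sudo may be absent), 'echo -e' dropped (dash's echo prints '-e'),
  # "$1"/"$0" quoted. Paths are literal and must match BARNYARD_CONF.
  cat <<'EOT' > /etc/init.d/barnyard2
#!/bin/sh
# Minimal SysV wrapper for barnyard2 (generated by the install script).
case "$1" in
  start)
    echo "starting $0..."
    barnyard2 -c /etc/suricata/barnyard2.conf -d /var/log/suricata -f unified2.alert -w /var/log/suricata/suricata.waldo
    echo 'done.'
    ;;
  stop)
    echo "stopping $0..."
    killall barnyard2
    echo 'done.'
    ;;
  restart)
    "$0" stop
    "$0" start
    ;;
  *)
    echo "usage: $0 (start|stop|restart)"
    ;;
esac
EOT
  chmod 700 /etc/init.d/barnyard2 || die "chmod failed"
  update-rc.d barnyard2 defaults 21 00 || die "update-rc.d failed"
}

#######################################
# Load Snorby's rule metadata, then start Suricata and Barnyard2 daemonized.
# Globals: SNORBY_DIR, SURICATA_CONF, BARNYARD_CONF, IFACE (read)
#######################################
start_services() {
  (cd "$SNORBY_DIR" && bundle exec rake snorby:update RAILS_ENV=production) || die "snorby:update failed"
  suricata -c "$SURICATA_CONF" -i "$IFACE" -D || die "suricata failed to start"
  barnyard2 -c "$BARNYARD_CONF" -d /var/log/suricata -f unified2.alert \
    -w /var/log/suricata/suricata.waldo -D || die "barnyard2 failed to start"
}

main() {
  build_dir=$(mktemp -d) || die "mktemp failed"
  # ':?' refuses to run rm -rf on an empty path.
  trap 'rm -rf -- "${build_dir:?}"' EXIT
  install_deps
  install_suricata
  install_snorby
  install_barnyard2
  start_services
}

main "$@"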
#开机启动snorby worker
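# Start the Snorby worker at boot: load RVM, select the Ruby Snorby was
# installed with, then run the update task from the application directory.
# shellcheck disable=SC1091
source /etc/profile.d/rvm.sh || exit 1
rvm use ruby-2.2.4 --default || exit 1
# The original chained these on one line; a failed cd must not run rake
# in the wrong directory.
cd /var/www/snorby || exit 1
bundle exec rake snorby:update RAILS_ENV=production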
#mark