Suricata is both an IDS (Intrusion Detection System) and an IPS (Intrusion Prevention System), developed by the Open Security Foundation (OISF).
An IDS monitors the network, inspecting traffic for unusual or suspicious activity. An IDS can only watch and record.
An IPS is an intrusion prevention system, an enhanced form of IDS that detects in real time and actively defends: it can drop suspicious packets directly, break the connection, and send email alerts.
Snort has long been the IDS that gets mentioned; the main difference between Suricata and Snort is performance, since Suricata runs multithreaded.
Installing Suricata
Install the required libraries
yum install epel-release
sudo yum -y install gcc libpcap-devel pcre-devel libyaml-devel file-devel \
zlib-devel jansson-devel nss-devel libcap-ng-devel libnet-devel tar make \
libnetfilter_queue-devel lua-devel PyYAML libmaxminddb-devel rustc cargo \
lz4-devel
Compile the latest 6.0.0 stable release
cd /usr/src
wget https://www.openinfosecfoundation.org/download/suricata-6.0.0.tar.gz
tar -xvzf suricata-6.0.0.tar.gz
cd suricata-6.0.0
./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var --enable-nfqueue --enable-lua
make
make install
ldconfig
# make install-conf
# make install-rules
make install-full
Check the version
# suricata -V
This is Suricata version 6.0.0 RELEASE
Pay attention to the HOME_NET setting in suricata.yaml
HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
Test it directly (first find the network interface name with ifconfig; here it is enp2s0)
# suricata -c /etc/suricata/suricata.yaml -i enp2s0
Set up automatic startup
vim /etc/init.d/suricatad
#!/bin/sh
# $Id$
#
# suricatad Start/Stop the suricata IDS daemon.
#
# chkconfig: 2345 40 60
# description: Suricata is a lightweight network intrusion detection tool that \
# currently detects more than 1100 host and network \
# vulnerabilities, portscans, backdoors, and more.
#
# Source function library.
. /etc/rc.d/init.d/functions

# See how we were called.
case "$1" in
  start)
    echo -n "Starting Suricata: "
    # -D runs suricata as a daemon; the interface must match the one used in the manual test
    daemon PCAP_FRAMES=max /usr/bin/suricata -D -c /etc/suricata/suricata.yaml -i enp2s0
    echo
    ;;
  stop)
    echo -n "Stopping Suricata: "
    killproc suricata
    echo
    ;;
  restart)
    $0 stop
    $0 start
    ;;
  status)
    status suricata
    ;;
  *)
    echo "Usage: $0 {start|stop|restart|status}"
    exit 1
esac
exit 0
chmod +x /etc/init.d/suricatad
chkconfig --add suricatad
service suricatad start
service suricatad status
Set up log rotation
vi /etc/logrotate.d/suricata.logrotate
/var/log/suricata/*.log /var/log/suricata/*.json
{
rotate 30
missingok
nocompress
create
sharedscripts
postrotate
/bin/kill -HUP `cat /var/run/suricata.pid 2>/dev/null` 2>/dev/null || true
endscript
}
Attack test with nikto
From another machine, run an attack test with nikto.
Nikto is a web server scanner that tests for 67000 potentially problematic files and checks web server index files and HTTP server options.
wget https://github.com/sullo/nikto/archive/master.zip -O nikto.zip
unzip nikto.zip
cd nikto-master/program
chmod +x nikto.pl
./nikto.pl -h 192.168.1.5 -p 80
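The nikto run above should leave alert records in Suricata's EVE JSON log (the /var/log/suricata/*.json files the logrotate rule covers). As an added example, not part of the original post, this Python script reads eve.json, keeps only the alert events, and flags any source that trips several distinct signatures, which is what a scanner looks like from the IDS side; the embedded sample records are constructed, and their signature names and IDs are placeholders rather than real ruleset entries.

```python
import json
from collections import Counter, defaultdict

# Constructed sample of Suricata EVE JSON records (one JSON object per line),
# shaped like the "alert" events Suricata writes to /var/log/suricata/eve.json.
# Signature names/IDs are placeholders; the last line simulates a damaged line.
SAMPLE_EVE = """\
{"timestamp":"2020-10-10T12:00:01.000000+0800","event_type":"alert","src_ip":"192.168.1.9","dest_ip":"192.168.1.5","dest_port":80,"proto":"TCP","alert":{"signature_id":9000001,"signature":"TEST WEB Nikto scanner user-agent","severity":2}}
{"timestamp":"2020-10-10T12:00:01.200000+0800","event_type":"http","src_ip":"192.168.1.9","dest_ip":"192.168.1.5","dest_port":80,"proto":"TCP","http":{"url":"/"}}
{"timestamp":"2020-10-10T12:00:02.000000+0800","event_type":"alert","src_ip":"192.168.1.9","dest_ip":"192.168.1.5","dest_port":80,"proto":"TCP","alert":{"signature_id":9000002,"signature":"TEST WEB cgi-bin probe","severity":2}}
{"timestamp":"2020-10-10T12:00:03.000000+0800","event_type":"alert","src_ip":"192.168.1.9","dest_ip":"192.168.1.5","dest_port":80,"proto":"TCP","alert":{"signature_id":9000003,"signature":"TEST WEB admin directory probe","severity":2}}
{"timestamp":"2020-10-10T12:00:03.500000+0800","event_type":"alert","src_ip":"10.0.0.7","dest_ip":"192.168.1.5","dest_port":22,"proto":"TCP","alert":{"signature_id":9000004,"signature":"TEST SSH login attempt","severity":3}}
{"timestamp":"2020-10-10T12:00:04.000000+0800","event_type":"alert","src_ip":"192.168.1.9","dest_ip":"192.168.1.5","dest_port":80,"proto":"TCP","alert":{"signature_id":9000002,"signature":"TEST WEB cgi-bin probe","severity":2}}
not json at all
"""

def parse_alerts(lines):
    """Yield only well-formed 'alert' events; skip other event types and bad lines."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # partial line written during rotation, or non-JSON noise
        if ev.get("event_type") == "alert" and "alert" in ev:
            yield ev

def summarize(lines, scan_threshold=3):
    """Count alerts per source IP and per signature, and flag sources that
    trigger at least scan_threshold distinct signature IDs (scanner-like)."""
    per_src, per_sig, sigs_by_src = Counter(), Counter(), defaultdict(set)
    for ev in parse_alerts(lines):
        per_src[ev["src_ip"]] += 1
        per_sig[ev["alert"]["signature"]] += 1
        sigs_by_src[ev["src_ip"]].add(ev["alert"]["signature_id"])
    scanners = sorted(s for s, ids in sigs_by_src.items() if len(ids) >= scan_threshold)
    return {"per_src": dict(per_src), "per_sig": dict(per_sig), "scanners": scanners}

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # e.g. python3 eve_summary.py /var/log/suricata/eve.json
        with open(sys.argv[1]) as fh:
            result = summarize(fh)
    else:
        result = summarize(SAMPLE_EVE.splitlines())
    print(json.dumps(result, indent=2))
```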