Installing IDS/IPS security monitoring tools on CentOS 7 (Snorby + Barnyard2 + Suricata)

Reader contribution | 716 | 2022-10-24



Deployment references: (link not preserved in source) and the Barnyard2 tool.

IDS is short for "Intrusion Detection System". Following a defined security policy, it uses software and hardware to monitor the operation of networks and systems, so as to discover as many attack attempts, attack behaviours and attack results as possible and protect the confidentiality, integrity and availability of network system resources. Barnyard is a well-known open-source IDS log tool with fast response and excellent database-write performance; it is an indispensable plugin when building a custom intrusion detection system.

IPS (Intrusion Prevention System) is a computer network security facility that complements antivirus programs and firewalls (packet filters, application gateways). An intrusion prevention system is a network security device that monitors the data transfer behaviour of a network or of network devices and can immediately interrupt, adjust or isolate abnormal or harmful transfers. It is the next generation of the intrusion detection system (IDS).

Difference between IDS and IPS: an IDS only detects attacks and raises alerts, whereas an IPS not only detects attacks but, more importantly, takes action against them.

Part I. Deploy the Suricata, Barnyard2 and Snorby server

1. Install MySQL

```shell
yum install -y mysql-community-server
# start MySQL
systemctl start mysqld.service
```

Granting MySQL privileges, setting the password and allowing login hosts are omitted here.

2. Install the related dependencies

```shell
yum install epel-release
#mv /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.backup
#wget -O /etc/yum.repos.d/CentOS-Base.repo <mirror repo URL, not preserved in source>
#yum clean all
#yum makecache
```

Install the dependency packages:

```shell
yum -y install ImageMagick gcc-c++ patch readline readline-devel zlib zlib-devel git-core libyaml-devel libffi-devel openssl-devel make libpcap-devel pcre-devel libyaml-devel file-devel jansson-devel nss-devel libcap-ng-devel libnet-devel tar libnetfilter_queue-devel lua-devel mysql-devel fontconfig-devel libX11-devel libXrender-devel libxml2-devel libxslt-devel qconf
```

Build libhtp from source:

```shell
cd /opt/
wget -O libhtp-0.5.20.tar.gz <libhtp 0.5.20 download URL, not preserved in source>
tar zxvf libhtp-0.5.20.tar.gz && cd libhtp-0.5.20
./autogen.sh
./configure && make && make install
```

3. Install Ruby on Rails

```shell
curl -L get.rvm.io | bash -s stable
command curl -sSL <RVM GPG key URL, not preserved in source> | gpg2 --import -   # import the signing key
source /etc/profile.d/rvm.sh
rvm install 2.0.0
```

```shell
rvm use 2.0.0 --default   # only needed if several Ruby versions are installed
ruby -v
```

```shell
gem install bundler   # install bundler
```

```shell
cd /opt/
git clone git://github.com/Snorby/snorby.git
cd /opt/snorby
```

Create the two files snorby_config.yml and database.yml:

```shell
cp config/snorby_config.yml.example config/snorby_config.yml
cp config/database.yml.example config/database.yml
```

Edit the files (reference link not preserved in source). In the Gemfile, change `gem 'rake', '0.9.2'` to `gem 'rake', '> 0.9.2'`, and remove the PostgreSQL adapter:

```shell
sed -i '/dm-postgres-adapter/d' Gemfile
```

Set up iptables:

```shell
/etc/init.d/iptables stop   # stop the firewall so other hosts can reach the web UI
# alternatively, keep the firewall and open only the Snorby port:
iptables -I INPUT -p tcp --dport 3000 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
```

Initialise Rails:

```shell
bundle install
cd /opt/snorby
rake snorby:setup
```

Start the Snorby service:

```shell
rails server -e production &
```

The output looks like this (the listen address was not preserved in the source):

```
[1] 1519
[david-dai@dep006 snorby]$ syck has been removed, psych is used instead
=> Booting Thin
=> Rails 3.2.22 application starting in production on
=> Call with -d to detach
=> Ctrl-C to shutdown server
```

4. Install Suricata

```shell
yum install suricata
```

Edit the suricata.yaml file. First create the waldo (bookmark) file that Barnyard2 will use:

```shell
touch /var/log/suricata/suricata.waldo
```

Change the log format:

```shell
sed -i -e '/default-log-format/a\ default-log-format: "[%i] %t -(%f:%l) <%d> (%n) -- "' /etc/suricata/suricata.yaml
```

Enable syslog: in /etc/suricata/suricata.yaml, find the block starting at /var/log/suricata/suricata.log and switch it to yes:

```shell
sed -i -e '/\/var\/log\/suricata\/suricata.log/,/Step 4/s/no/yes/g' /etc/suricata/suricata.yaml
```

Enable unified2 logging in suricata.yaml:

```shell
sed -i -e '/unified2-alert/,/unified2.alert/s/no/yes/g' /etc/suricata/suricata.yaml
```

Find `#pid-file: /var/run/suricata.pid` and remove the leading #:

```shell
sed -i -e '/pid-file/a\pid-file: /var/run/suricata.pid' /etc/suricata/suricata.yaml
```

Find rule-files and delete emerging-icmp.rules and emerging-virus.rules from the list below it. (unfinished)

Enable the threshold file: find `#threshold-file: /etc/suricata/threshold.config`:

```shell
sed -i -e '/threshold-file/a\threshold-file: /etc/suricata/threshold.config' /etc/suricata/suricata.yaml
```

First-time Suricata IDS configuration (reference link not preserved in source): vim /etc/suricata/suricata.yaml

(1) Change every `interface: eth0` to `interface: em2`. I only have the em1 and em2 NICs; here I monitor em2, which carries the public IP, but em1 could be monitored as well.

(2) Now it is time to configure Suricata. The configuration file is /etc/suricata/suricata.yaml; open it with a text editor. Set the default-log-dir keyword to the directory where the Suricata log files live:

```yaml
default-log-dir: /var/log/suricata/
```

(3) Under the vars section you will find several variables that matter to Suricata. HOME_NET specifies the networks Suricata inspects. EXTERNAL_NET is assigned !$HOME_NET, meaning every network other than the local one. The XXX_PORTS variables identify the ports used by each service. Note that Suricata detects HTTP traffic automatically whatever port it runs on, so specifying the ports exactly is less important.

```yaml
vars:
  address-groups:
    HOME_NET: "[221.228.208.0/24,172.22.66.0/24]"
```

(4) The host-os-policy section defends against well-known evasion techniques that exploit the behaviour of an operating system's own network stack (for example TCP reassembly). As a countermeasure, modern IDSes offer "target-based" detection that tunes the detection engine's algorithms to the target operating system, so telling Suricata which OS a host runs greatly improves detection accuracy. That is what host-os-policy is for. In this example the default policy is Linux: if no OS is specified for an IP address, Suricata applies the Linux-based policy. The original description says that when traffic to 192.168.122.0/28 and 192.168.122.155 is captured, Suricata applies the Windows-based policy; note, however, that the snippet as reproduced here lists 0.0.0.0/0 under both windows and linux rather than those addresses.

```yaml
host-os-policy:
  windows: [0.0.0.0/0]
  bsd: []
  bsd-right: []
  old-linux: []
  linux: [0.0.0.0/0]
  old-solaris: []
  solaris: []
  hpux10: []
  hpux11: []
  irix: []
  macos: []
  vista: []
  windows2k3: []
```

Disable LRO/GRO on the em interfaces as follows:

```shell
sudo ethtool -K em1 gro off lro off
sudo ethtool -K em2 gro off lro off
```

Suricata supports many run modes; the run mode decides which threading model the IDS uses. The following command lists all available run modes:

```shell
sudo /usr/local/bin/suricata --list-runmodes
```

Install the rules (they can also be copied from another server into /etc/suricata/rules). The download and guide URLs were not preserved in the source:

```
root@deptest34:/home/david/suricata-2.0.8# make install-rules
install -d "/etc/suricata/rules"
/usr/bin/wget -qO - | tar -x -z -C "/etc/suricata/" -f -
You can now start suricata by running as root something like '/usr/local/bin/suricata -c /etc/suricata//suricata.yaml -i eth0'.
If a library like libhtp.so is not found, you can run suricata with:
'LD_LIBRARY_PATH=/usr/local/lib /usr/local/bin/suricata -c /etc/suricata//suricata.yaml -i eth0'.
While rules are installed now, it's highly recommended to use a rule manager for maintaining rules.
The two most common are Oinkmaster and Pulledpork. For a guide see:
echo $?
0
```

Command to reload the rules:

```shell
suricatasc -c reload-rules
```

Start Suricata:

```shell
LD_LIBRARY_PATH=/usr/local/lib /usr/sbin/suricata -c /etc/suricata/suricata.yaml -i em2 -D &
tailf /var/log/suricata/stats.log
```

5. Install Barnyard2

```shell
cd /opt/
wget <barnyard2 2-1.13 download URL, not preserved in source>
tar xvfz barnyard2-2-1.13.tar.gz && cd barnyard2-2-1.13/
./autogen.sh
./configure --with-mysql-libraries=/usr/lib64/mysql/ --with-mysql=/usr/bin/mysql
make && make install
vim /etc/suricata/barnyard2.conf
```

Configure Barnyard2. Copy etc/barnyard2.conf from the Barnyard2 source tree into Suricata's configuration directory:

```shell
cd /opt/barnyard2-2-1.13
cp ./etc/barnyard2.conf /etc/suricata/
```

Create the Barnyard2 log directory /var/log/barnyard2:

```shell
mkdir /var/log/barnyard2
```

Edit barnyard2.conf: replace the default snort paths with suricata, and point the map files at the rules directory:

```shell
sed -i 's/snort/suricata/g' /etc/suricata/barnyard2.conf
sed -i 's/gen-msg.map/\/rules\/gen-msg.map/g' /etc/suricata/barnyard2.conf
sed -i 's/sid-msg.map/\/rules\/sid-msg.map/g' /etc/suricata/barnyard2.conf
```

Add the database details to barnyard2.conf:

```shell
sed -i '$a output database: log, mysql, user=root password=1q2w3e4r dbname=snorby host=localhost' /etc/suricata/barnyard2.conf
```

Find "config hostname" and "config interface"; em2 is the NIC connected to the mirror port, adjust this to your own setup. Also set the waldo file:

```shell
sed -i -e "/#config hostname: thor/a\\config hostname: $(hostname)" /etc/suricata/barnyard2.conf
sed -i -e '/#config interface: eth0/a\config interface: em2' /etc/suricata/barnyard2.conf
sed -i -e '/config waldo_file/a\config waldo_file: /var/log/suricata/suricata.waldo' /etc/suricata/barnyard2.conf
```

Start Barnyard2:

```shell
sudo /usr/local/bin/barnyard2 -c /etc/suricata/barnyard2.conf -d /var/log/suricata -f unified2.alert -w /var/log/suricata/suricata.waldo -D &
```
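As an added pre-flight check (not part of the original post): the script below verifies that the suricata.yaml and barnyard2.conf edits above agree at the hand-off points, i.e. unified2 output enabled, the -f prefix equal to the unified2 filename, the -w path equal to waldo_file, a database output line present and at least one spool file on disk. The function names, the sample files written by write_samples and the <db password> placeholder are all constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original post: checks that the Suricata unified2
# output and the Barnyard2 reader configured above actually agree with each other.

# Print the "filename:" value inside the "- unified2-alert:" block of a suricata.yaml.
unified2_prefix() {
    sed -n '/- unified2-alert:/,/^ *- /p' "$1" | awk '$1 == "filename:" { print $2; exit }'
}

# check_pairing SURICATA_YAML BARNYARD2_CONF SPOOL_DIR PREFIX WALDO
# Prints each problem found; returns 0 only when every check passes.
check_pairing() {
    yaml=$1; conf=$2; spool=$3; prefix=$4; waldo=$5; rc=0
    # unified2 output must be switched on, or Barnyard2 has nothing to read
    sed -n '/- unified2-alert:/,/^ *- /p' "$yaml" | grep -q 'enabled: *yes' \
        || { echo "unified2-alert is not enabled in $yaml"; rc=1; }
    # the -f prefix handed to barnyard2 must equal the filename in suricata.yaml
    p=$(unified2_prefix "$yaml")
    [ "$p" = "$prefix" ] || { echo "barnyard2 -f '$prefix' != suricata.yaml filename '$p'"; rc=1; }
    # barnyard2 must read unified2 and use the same waldo (bookmark) file as -w
    grep -q '^input unified2' "$conf" || { echo "missing 'input unified2' in $conf"; rc=1; }
    w=$(awk '/^config waldo_file:/ { print $3 }' "$conf")
    [ "$w" = "$waldo" ] || { echo "waldo_file '$w' in $conf != -w '$waldo'"; rc=1; }
    # without a database output line nothing ever reaches Snorby
    grep -q '^output database:' "$conf" || { echo "no 'output database:' line in $conf"; rc=1; }
    # the spool directory must already contain at least one PREFIX.<timestamp> file
    ls "$spool/$prefix".* >/dev/null 2>&1 || { echo "no $prefix.* files in $spool"; rc=1; }
    return $rc
}

# Writes constructed sample files (not real captures) into DIR that satisfy every check.
write_samples() {
    mkdir -p "$1/spool"
    printf '%s\n' 'default-log-dir: /var/log/suricata/' 'outputs:' \
        '  - fast:' '      enabled: yes' \
        '  - unified2-alert:' '      enabled: yes' '      filename: unified2.alert' \
        '  - http-log:' '      enabled: no' > "$1/suricata.yaml"
    printf '%s\n' 'config hostname: sensor01' 'config interface: em2' \
        "config waldo_file: $1/suricata.waldo" 'input unified2' \
        'output database: log, mysql, user=barnyard password=<db password> dbname=snorby host=localhost' \
        > "$1/barnyard2.conf"
    : > "$1/spool/unified2.alert.1500000000"   # empty stand-in for a spool file
}
```

Run it with the real paths from the commands above before starting barnyard2; each failing check is printed, and a non-zero exit means the two configurations do not match.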

So far one server has both the IDS/IPS monitoring client and the display server deployed. What if other servers need to be monitored? Mirroring their traffic over the network to this server is one approach. Here I use a client/server approach instead and deploy Suricata clients on each server.

Part II. Install the Suricata and Barnyard2 client on Ubuntu servers

Here Suricata is deployed on every server and stores its alerts locally (tracked by a waldo file); Barnyard2 pushes all of them to the Snorby server so they are displayed in one place.

1. Install the dependency packages

```shell
apt-get install libpcre3 libpcre3-dbg libpcre3-dev libpcap* \
  build-essential autoconf automake libtool pkg-config \
  libpcap-dev libnet1-dev mysql-client libmysqlclient16 flex software-properties-common python-software-properties
```

2. Here Suricata is installed from the PPA; Suricata can also be compiled from source, and Barnyard2 is compiled from source.

```shell
sudo add-apt-repository ppa:oisf/suricata-stable
sudo apt-get update
sudo apt-get install suricata
```

Build libpcap from source (download URL not preserved in source):

```shell
wget <libpcap 1.2.1 download URL, not preserved in source>
tar -zxvf libpcap-1.2.1.tar.gz
cd libpcap-1.2.1
apt-get install flex
./configure && make && make install
/sbin/ldconfig
```

Compile Suricata from source (alternative to the PPA; download URL not preserved in source):

```shell
cd /tmp/
wget <suricata 3.2.4 download URL, not preserved in source>
tar -zxvf suricata-3.2.4.tar.gz
cd suricata-3.2.4
make clean
./configure --prefix=/usr/ --sysconfdir=/etc/ --localstatedir=/var/
make && make install
mkdir -p /var/log/barnyard2
mkdir -p /var/log/suricata
```

Compile Barnyard2 (download URL not preserved in source):

```shell
cd /tmp/
wget <barnyard2 v2-1.13 download URL, not preserved in source> -O barnyard2-2-1.13.tar.gz
tar -zxvf barnyard2-2-1.13.tar.gz
cd /tmp/barnyard2-2-1.13
./configure --with-mysql && make && make install
cp ./etc/barnyard2.conf /etc/suricata/
```

3. Edit the barnyard2 and suricata configuration files. The configuration from Part I can be copied over; I sync it directly with Salt. See above, details omitted.

Example barnyard2 configuration (vim /etc/suricata/barnyard2.conf):

```
root@TS-DEP-CENTER01:/opt# grep -v '^#' /etc/suricata/barnyard2.conf | grep -v '^$'
config reference_file: /etc/suricata/reference.config
config classification_file: /etc/suricata/classification.config
config gen_file: /etc/suricata//rules/gen-msg.map
config sid_file: /etc/suricata//rules/sid-msg.map
config hostname: TS-DEP-CENTER01-172.22.66.41
config interface: em2
input unified2
output alert_fast: stdout
output database: log, mysql, user=root password=1q2w3e4r dbname=snorby host=172.22.66.6
```

4. Start Suricata:

```shell
suricata -c /etc/suricata/suricata.yaml -i em1 -D &
```

5. Start Barnyard2:

```shell
sudo /usr/local/bin/barnyard2 -c /etc/suricata/barnyard2.conf -d /var/log/suricata -f unified2.alert -w /var/log/suricata/suricata.waldo -D &
```

The printed log tells you whether the database connection succeeded and which host and interface were reported. Then check the sensor (host) information in Snorby:

Problem on depshlt02 (Ubuntu 14.04):

```
The following packages have unmet dependencies:
 libpcre3-dbg : Depends: libpcrecpp0 (= 1:8.31-2ubuntu2.1) but 1:8.31-2ubuntu2.3 is to be installed
 libpcre3-dev : Depends: libpcrecpp0 (= 1:8.31-2ubuntu2.1) but 1:8.31-2ubuntu2.3 is to be installed
```

Fix: edit /etc/apt/sources.list and add (mirror URL not preserved in source):

```
deb <mirror URL> trusty main universe multiverse restricted
deb <mirror URL> trusty-updates main universe multiverse restricted
```

Then run:

```shell
apt-get update
apt-get install libpcre3 libpcre3-dbg libpcre3-dev build-essential autoconf automake libtool libpcap-dev libnet1-dev mysql-client
```

Part III. Batch installation on the servers with Salt

1. Define two Salt node groups: one contains the servers with two IPs (one internal, one public), the other the servers with a single internal IP.

```
root@TS-OP03:/home/david-dai# vim /etc/salt/master.d/group.conf
```

```yaml
nodegroups:
  suricata_two_ip: 'S@172.22.66.8 or S@172.22.66.9 or S@172.22.66.10 or S@172.22.66.11 or S@172.22.66.12 or S@172.22.66.13 or S@172.22.66.22 or S@172.22.66.23 or S@172.22.66.24 or S@172.22.66.29 or S@172.22.66.30 or S@172.22.66.41 or S@172.22.66.42 or S@172.22.66.43 or S@172.22.66.44 or S@172.22.66.45 or S@172.22.66.46 or S@172.22.66.47 or S@172.22.66.50'
  suricata_one_ip: 'S@172.22.66.21 or S@172.22.66.25 or S@172.22.66.26 or S@172.22.66.27 or S@172.22.66.28 or S@172.22.66.48 or S@172.22.66.49 or S@172.22.66.51 or S@172.22.66.52 or S@172.22.66.53 or S@172.22.66.54 or S@172.22.66.55 or S@172.22.66.56 or S@172.22.66.57 or S@172.22.66.58'
```

2. For the first group (two IPs), em1 carries the internal IP and em2 the public IP; on these dual-NIC hosts only the em2 (public) traffic is monitored. Install the dependencies:

```shell
salt -N suricata_two_ip cmd.run "apt-get install -y bison flex libpcap*"
salt -N suricata_two_ip cmd.run 'apt-get install -y --force-yes libpcre3 libpcre3-dbg libpcre3-dev build-essential autoconf automake libtool pkg-config libpcap-dev libnet1-dev mysql-client libmysqlclient16 flex software-properties-common python-software-properties'
```

3. Sync the required configuration (suricata.yaml and barnyard2.conf):

```shell
salt -N suricata_two_ip cmd.run 'sudo add-apt-repository ppa:oisf/suricata-stable'
salt -N suricata_two_ip cmd.run 'sudo apt-get update'
salt -N suricata_two_ip cmd.run 'sudo apt-get install -y suricata'
salt -N suricata_two_ip cmd.run 'dpkg -l | grep suricata'
```

```
root@TS-OP03:/home/david-dai# cp suricata.yaml /srv/salt/chinadep/
salt -N suricata_two_ip cp.get_file salt://chinadep/suricata.yaml /etc/suricata/suricata.yaml
```

```
root@TS-OP03:/home/david-dai# cp barnyard2.conf /srv/salt/chinadep/
root@TS-OP03:/home/david-dai# cp -pr barnyard2-2-1.13 /srv/salt/chinadep/
root@TS-OP03:/home/david-dai# ls -ld /srv/salt/chinadep/
salt -N suricata_two_ip cp.get_dir salt://chinadep/barnyard2-2-1.13 /tmp/
salt -N suricata_two_ip cp.get_file salt://chinadep/barnyard2.conf /etc/suricata/barnyard2.conf
```

4. Install Suricata and Barnyard2

```
root@TS-OP03:/home/david-dai# vim /srv/salt/chinadep/barnyard.sh
```

```shell
#!/bin/bash
# set config hostname in barnyard2.conf to this server's hostname (.* replaces the whole old value)
sed -i 's/^config hostname.*/config hostname: '$(hostname)'/g' /etc/suricata/barnyard2.conf
apt-get install -y --force-yes libmysqlclient libdbd-mysql-perl mysql-common mysql-client libmysql
apt-get install -y --force-yes bison flex libpcap
apt-get install -y --force-yes libpcre3 libpcre3-dbg libpcre3-dev build-essential autoconf automake libtool pkg-config libpcap-dev libnet1-dev mysql-client libmysqlclient16 flex software-properties-common python-software-properties

# build libpcap
cd /tmp
tar -zxvf libpcap-1.2.1.tar.gz
cd /tmp/libpcap-1.2.1
./configure
make
make install
/sbin/ldconfig
echo $? > /tmp/barnyard_two_ip.txt

# build barnyard2 (the source tree was pushed to /tmp with cp.get_dir above)
cd /tmp/barnyard2-2-1.13/
chmod +x autogen.sh
make clean
./autogen.sh
ln -s /usr/lib/x86_64-linux-gnu/libmysqlclient* /usr/include/mysql/
./configure --with-mysql-libraries=/usr/include/mysql --with-mysql=/usr/bin/mysql
make
make install
echo $? >> /tmp/barnyard_two_ip.txt
```

```shell
salt -N suricata_two_ip cp.get_file salt://chinadep/barnyard.sh /tmp/barnyard.sh
salt -N suricata_two_ip cmd.run 'chmod +x /tmp/barnyard.sh'
salt -N suricata_two_ip cmd.run 'sh -x /tmp/barnyard.sh'
```

5. Check the configuration

```
root@TS-OP03:/home/david-dai# salt -N suricata_two_ip cmd.run "grep ^'config hostname' /etc/suricata/barnyard2.conf "
CK749X1:
    config hostname: TS-DEP-CENTER05
8K649X1:
    config hostname: TS-DEP-CENTER06
```

A side note: if you are logged in to a single server and want to set the hostname with sed there, run:

```shell
sed -i 's/^config hostname.*/config hostname: '`hostname`'/g' /etc/suricata/barnyard2.conf
```

or:

```shell
sed -i 's/^config hostname.*/config hostname: '$(hostname)'/g' /etc/suricata/barnyard2.conf
```

6. Start Suricata and Barnyard2; this has to be done by logging in to each server.

```
root@TS-OP03:/home/david-dai# vim /srv/salt/chinadep/barnyard_start.sh
```

```shell
# stop any running suricata, then move its old pid file out of the way
sudo ps aux | grep -v grep | grep suricata | awk -F' ' '{print $2}' | xargs kill
sleep 5
sudo mv /var/run/suricata.pid /tmp/
# start suricata (redirect output before backgrounding, otherwise "& >" runs the redirection as a separate command)
sudo nohup suricata -c /etc/suricata/suricata.yaml -i em2 -D > nohup.out 2>&1 &
sleep 5
# start barnyard2
sudo nohup /usr/local/bin/barnyard2 -c /etc/suricata/barnyard2.conf -d /var/log/suricata -f unified2.alert -w /var/log/suricata/suricata.waldo -D > nohup.out 2>&1 &
```

```shell
salt -N suricata_two_ip cp.get_file salt://chinadep/barnyard_start.sh /tmp/barnyard_start.sh
salt -N suricata_two_ip cmd.run 'chmod +x /tmp/barnyard_start.sh'
#salt -N suricata_two_ip cmd.run 'sh -x /tmp/barnyard_start.sh'
```

Running the start script through Salt fails; log in to the server and run it there:

```shell
sh -x /tmp/barnyard_start.sh
```

Manual start:

```shell
suricata -c /etc/suricata/suricata.yaml -i em1 -D &
/usr/local/bin/barnyard2 -c /etc/suricata/barnyard2.conf -d /var/log/suricata -f unified2.alert -w /var/log/suricata/suricata.waldo -D &
```
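As an added alternative (not from the original post) to the ps | grep suricata | xargs kill line in barnyard_start.sh, which signals every process whose command line mentions "suricata": the helpers below stop by pid file, start the daemons in the foreground under nohup so the shell records the real pid, and treat an already-exited (zombie) process as gone. The names alive, stop_by_pidfile, start_daemon and restart_sensor, the /var/run/sensor directory and the start.log paths are chosen for this example and are not Suricata or Barnyard2 conventions.

```shell
#!/bin/sh
# Added example, not from the original post: pid-file based stop/start helpers that
# replace "ps aux | grep suricata | xargs kill", which also signals any unrelated
# process whose command line merely contains "suricata" (e.g. an editor session).

# alive PID - true while PID exists and has not exited yet (a zombie counts as gone)
alive() {
    kill -0 "$1" 2>/dev/null || return 1
    [ "$(sed 's/^.*) //' /proc/"$1"/stat 2>/dev/null | cut -d' ' -f1)" != Z ]
}

# stop_by_pidfile PIDFILE [SECONDS] - SIGTERM the recorded pid, wait up to SECONDS,
# then delete the file. Returns 0 when the process is gone or was never running.
stop_by_pidfile() {
    pf=$1; limit=${2:-10}
    [ -f "$pf" ] || return 0
    pid=$(tr -cd '0-9' < "$pf")
    if [ -z "$pid" ] || ! alive "$pid"; then
        rm -f "$pf"; return 0                     # stale pid file left by a crash
    fi
    kill "$pid" 2>/dev/null || true
    n=0
    while alive "$pid" && [ "$n" -lt "$limit" ]; do sleep 1; n=$((n + 1)); done
    if alive "$pid"; then echo "pid $pid still running after ${limit}s" >&2; return 1; fi
    rm -f "$pf"
}

# start_daemon PIDFILE LOGFILE CMD [ARGS...] - stop any previous instance, run CMD in
# the foreground under nohup (so $! is the real pid) and record it. 0 = process is up.
start_daemon() {
    pf=$1; log=$2; shift 2
    stop_by_pidfile "$pf" || return 1
    nohup "$@" > "$log" 2>&1 &
    echo $! > "$pf"
    sleep 1
    alive "$(cat "$pf")"
}

# restart_sensor IFACE - the command lines from barnyard_start.sh without -D, Suricata first
# so the unified2 spool exists before Barnyard2 reads it; own pid dir avoids Suricata's pid-file.
restart_sensor() {
    mkdir -p /var/run/sensor
    start_daemon /var/run/sensor/suricata.pid /var/log/suricata/start.log \
        suricata -c /etc/suricata/suricata.yaml -i "$1" || return 1
    sleep 5
    start_daemon /var/run/sensor/barnyard2.pid /var/log/barnyard2/start.log \
        /usr/local/bin/barnyard2 -c /etc/suricata/barnyard2.conf -d /var/log/suricata \
        -f unified2.alert -w /var/log/suricata/suricata.waldo
}
```

Call restart_sensor em2 (or em1 on single-NIC hosts) as root; a later stop_by_pidfile /var/run/sensor/suricata.pid stops only that process.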

