我在'云'上的日子 - Suricata(部署)

安装

PF_RING

1. pf_ring

  • 二进制安装
# 18.04 LTS（apt-ntop-stable.deb 通过明文 http 下载，安装前请核对 ntop 官方公布的校验和或签名）
$ apt-get install software-properties-common wget
$ add-apt-repository universe [ unless you have done it previously ]
$ wget http://apt-stable.ntop.org/18.04/all/apt-ntop-stable.deb
$ apt install ./apt-ntop-stable.deb

$ apt-get clean all
$ apt-get update
$ apt-get install pfring

  • 编译安装
# 依赖
$ apt install git make gcc libelf-dev build-essential subversion flex libnuma-dev bison pkg-config libtool rustc cargo libjansson-dev ethtool autoconf autogen liblzma-dev libpcre3-dev libyaml-dev libpcap-dev zlib1g-dev

# 下载
$ git clone https://github.com/ntop/PF_RING.git

# 安装
$ cd PF_RING/kernel
$ make
$ sudo make install

# 加载 pf_ring.ko
$ sudo insmod pf_ring.ko min_num_slots=65536 transparent_mode=2 enable_tx_capture=0

# 查看 pf_ring 信息
$ cat /proc/net/pf_ring/info
PF_RING Version : 7.5.0 (dev:14f62e0edb2b54cd614ab9d1f6467ccb8c6c9c32)
Total rings : 0

Standard (non ZC) Options
Ring slots : 65536
Slot version : 17
Capture TX : No [RX only]
IP Defragment : No
Socket Mode : Standard
Cluster Fragment Queue : 0
Cluster Fragment Discard : 0

# 卸载 pf_ring.ko
$ sudo rmmod pf_ring

2. libpfring、libpcap

# 安装
$ cd PF_RING/userland/lib
$ ./configure && make
$ sudo make install
$ cd ../libpcap
$ ./configure && make
$ sudo make install

# 验证
$ cd PF_RING/userland/examples
$ make

# 接收数据包
root@ubuntu:/opt/PF_RING/userland/examples# ./pfcount -i ens33
Using PF_RING v.7.5.0
Capturing from ens33 [mac: 00:0C:29:D5:B9:8F][if_index: 2][speed: 0Mb/s]
# Device RX channels: 1
# Polling threads: 1
Dumping statistics on /proc/net/pf_ring/stats/51441-ens33.3
=========================
Absolute Stats: [2 pkts total][0 pkts dropped][0.0% dropped]
[2 pkts rcvd][424 bytes rcvd]
=========================

# 发送数据包（下例中当前目录没有 64byte_packets.pcap，因此 pfsend 报 Unable to open file；需先准备一个 pcap 文件）
root@ubuntu:/opt/PF_RING/userland/examples# sudo ./pfsend -f 64byte_packets.pcap -n 0 -i ens33 -r 5
Sending packets on ens33
Using PF_RING v.7.5.0
Estimated CPU freq: 2429795000 Hz
Unable to open file 64byte_packets.pcap

3. tcpdump

# 安装
$ cd PF_RING/userland/tcpdump/
$ ./configure && make
$ sudo make install

参考:

LuaJIT

# 安装（源码包通过明文 http 下载，编译前请核对官方公布的校验和）
$ wget http://luajit.org/download/LuaJIT-2.0.5.tar.gz
$ tar -zxf LuaJIT-2.0.5.tar.gz
$ cd LuaJIT-2.0.5/
$ make && make install
$ ldconfig

# 验证
$ ldconfig -p | grep lua
liblua5.1.so.0 (libc6,x86-64) => /usr/lib/x86_64-linux-gnu/liblua5.1.so.0
liblua5.1.so (libc6,x86-64) => /usr/lib/x86_64-linux-gnu/liblua5.1.so
liblua5.1-c++.so.0 (libc6,x86-64) => /usr/lib/x86_64-linux-gnu/liblua5.1-c++.so.0
liblua5.1-c++.so (libc6,x86-64) => /usr/lib/x86_64-linux-gnu/liblua5.1-c++.so

Hyperscan

1. boost

# 依赖
$ apt install cmake

# 下载
$ wget https://dl.bintray.com/boostorg/release/1.69.0/source/boost_1_69_0.tar.gz

# 安装
$ tar -xvf boost_1_69_0.tar.gz
$ cd boost_1_69_0/
$ ./bootstrap.sh
$ sudo ./b2 --with-iostreams --with-random install
$ ldconfig

2. ragel

# 依赖
$ sudo apt-get install autoconf

# 下载（明文 http，下载后请核对官方公布的校验和）
$ wget http://www.colm.net/files/ragel/ragel-6.10.tar.gz

# 安装
$ tar zxvf ragel-6.10.tar.gz
$ cd ragel-6.10
$ ./configure
$ make
$ sudo make install
$ ldconfig

3. hyperscan

# 依赖
$ sudo apt install libpcap-dev

# 下载
$ wget https://github.com/intel/hyperscan/archive/v5.1.0.tar.gz -O hyperscan-5.1.0.tar.gz

# 安装
$ tar -zxvf hyperscan-5.1.0.tar.gz
$ cd hyperscan-5.1.0
$ mkdir cmake-build
$ cd cmake-build
$ cmake -DBUILD_SHARED_LIBS=on -DCMAKE_BUILD_TYPE=Release ..
$ make -j8
$ sudo make install
$ ldconfig

4. 验证

$ ldconfig -p | grep hs
libhs_runtime.so.5 (libc6,x86-64) => /usr/local/lib/libhs_runtime.so.5
libhs_runtime.so (libc6,x86-64) => /usr/local/lib/libhs_runtime.so
libhs.so.5 (libc6,x86-64) => /usr/local/lib/libhs.so.5
libhs.so (libc6,x86-64) => /usr/local/lib/libhs.so

参考:

Suricata

依赖

$ apt-get install libpcre3 libpcre3-dbg libpcre3-dev build-essential libpcap-dev   \
libnet1-dev libyaml-0-2 libyaml-dev pkg-config zlib1g zlib1g-dev \
libcap-ng-dev libcap-ng0 make libmagic-dev libjansson-dev \
libnss3-dev libgeoip-dev libhiredis-dev libevent-dev \
python-yaml rustc cargo libmaxminddb-dev liblzma-dev \
python3-distutils liblz4-dev

安装方式: 2选1

release

$ wget https://www.openinfosecfoundation.org/download/suricata-5.0.2.tar.gz
$ tar zxvf suricata-5.0.2.tar.gz
$ cd suricata-5.0.2
$ ./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var --enable-pfring --with-libpfring-includes=/usr/local/include --with-libpfring-libraries=/usr/local/lib --enable-geoip --enable-luajit --with-libluajit-includes=/usr/local/include/luajit-2.0/ --with-libluajit-libraries=/usr/local/lib/ --with-libhs-includes=/usr/local/include/hs/ --with-libhs-libraries=/usr/local/lib/
$ make && make install-full
$ ldconfig

git clone（注意：下面的 git:// 协议既不加密也不校验服务器身份，生产环境建议改用 https 地址并核对拉取到的提交）

$ mkdir suricata
$ cd suricata
$ git clone git://phalanx.openinfosecfoundation.org/oisf.git
$ cd oisf
$ git clone https://github.com/OISF/libhtp.git
$ ./autogen.sh
$ ./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var --enable-pfring --with-libpfring-includes=/usr/local/include --with-libpfring-libraries=/usr/local/lib --enable-geoip --enable-luajit --with-libluajit-includes=/usr/local/include/luajit-2.0/ --with-libluajit-libraries=/usr/local/lib/ --with-libhs-includes=/usr/local/include/hs/ --with-libhs-libraries=/usr/local/lib/
$ make && make install-full
$ ldconfig

验证

1. PF_RING

$ suricata --build-info | grep PF_RING
Features: PCAP_SET_BUFF PF_RING AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK PCRE_JIT HAVE_NSS HAVE_LUA HAVE_LUAJIT HAVE_LIBJANSSON PROFILING TLS MAGIC RUST
PF_RING support: yes

2. LuaJIT

$ suricata --build-info | grep lua
LUA support: yes, through luajit
libluajit: yes

3. Hyperscan

$ suricata --build-info | grep Hyperscan
Hyperscan support: yes

启动

$ suricata --pfring-int=ens6 --pfring-cluster-id=99 --pfring-cluster-type=cluster_flow -c /etc/suricata/suricata.yaml

规则管理

$ pip install --upgrade suricata-update

定时更新（下例的 --no-test 跳过了安装前用 Suricata 加载测试规则集这一步，一条有问题的规则会被直接 reload 进运行中的实例；若希望更稳妥可去掉 --no-test）

$ crontab -l
10 0 * * * /usr/bin/suricata-update --no-test && /usr/bin/suricatasc -c reload-rules

优化

https://www.jianshu.com/p/9348e211a6a2