What an IDS is
There are two kinds of IDS: NIDS (Network Intrusion Detection System) and HIDS (Host Intrusion Detection System).
- Host-based intrusion detection system (HIDS): examines events on the computers in your network.
- Network-based intrusion detection system (NIDS): examines the traffic on your network for malicious activity.
This article introduces two open-source NIDS: Snort and Suricata.
Snort
An open-source network intrusion detection system (IDS) and intrusion prevention system (IPS). It captures traffic, decodes the protocols, and identifies or blocks suspicious or malicious behaviour in that traffic.
Most domestic vendors' traffic-based IDS products build their key modules (packet capture, protocol parsing, detection engine) on top of it, with their own modifications and extensions.
Official site:
Snort - Network Intrusion Detection & Prevention System
Setting up Snort 3
sudo apt-get update && sudo apt-get dist-upgrade -y
sudo apt-get install -y libpcap-dev libpcre3-dev libdumbnet-dev zlib1g-dev
sudo apt-get install -y build-essential autotools-dev libdumbnet-dev libluajit-5.1-dev libpcap-dev zlib1g-dev pkg-config libhwloc-dev cmake liblzma-dev openssl libssl-dev cpputest libsqlite3-dev libtool uuid-dev git autoconf bison flex libcmocka-dev libnetfilter-queue-dev libunwind-dev libmnl-dev ethtool
sudo dpkg-reconfigure tzdata
mkdir ~/snort_src
cd ~/snort_src
# libsafec
wget https://github.com/rurban/safeclib/releases/download/v02092020/libsafec-02092020.tar.gz
tar -xzvf libsafec-02092020.tar.gz
cd libsafec-02092020.0-g6d921f
./configure
make
sudo make install
Installing Hyperscan
Snort 3 uses Hyperscan for fast pattern matching. An older Hyperscan can be installed from the Ubuntu repositories, but Hyperscan is critical to Snort's operation and performance, so it is best to build the latest stable release. Hyperscan has a number of dependencies, including PCRE, gperftools, ragel and the Boost libraries.
cd ~/snort_src/
wget https://nchc.dl.sourceforge.net/project/pcre/pcre/8.45/pcre-8.45.tar.gz
tar -xzvf pcre-8.45.tar.gz
cd pcre-8.45
./configure
make
sudo make install
cd ~/snort_src
wget https://github.com/gperftools/gperftools/releases/download/gperftools-2.9.1/gperftools-2.9.1.tar.gz
tar -xzvf gperftools-2.9.1.tar.gz
cd gperftools-2.9.1
./configure
make
sudo make install
cd ~/snort_src
wget http://www.colm.net/files/ragel/ragel-6.10.tar.gz
tar -xzvf ragel-6.10.tar.gz
cd ragel-6.10
./configure
make
sudo make install
cd ~/snort_src
wget https://boostorg.jfrog.io/artifactory/main/release/1.78.0/source/boost_1_78_0.tar.gz
tar -xvzf boost_1_78_0.tar.gz
cd ~/snort_src
wget https://github.com/intel/hyperscan/archive/refs/tags/v5.4.0.tar.gz
tar -xvzf v5.4.0.tar.gz
mkdir ~/snort_src/hyperscan-5.4.0-build
cd hyperscan-5.4.0-build/
cmake -DCMAKE_INSTALL_PREFIX=/usr/local -DBOOST_ROOT=~/snort_src/boost_1_78_0/ ../hyperscan-5.4.0
make
sudo make install
Installing flatbuffers
cd ~/snort_src
wget https://github.com/google/flatbuffers/archive/refs/tags/v2.0.0.tar.gz -O flatbuffers-v2.0.0.tar.gz
tar -xzvf flatbuffers-v2.0.0.tar.gz
mkdir flatbuffers-build
cd flatbuffers-build
cmake ../flatbuffers-2.0.0
make
sudo make install
Installing DAQ
Install the Data Acquisition library (DAQ); Snort 3 uses a different DAQ from the Snort 2.9 series.
cd ~/snort_src
# a newer release of the library can be used if one is available
wget https://github.com/snort3/libdaq/archive/refs/tags/v3.0.5.tar.gz
tar -xzvf v3.0.5.tar.gz
cd libdaq-3.0.5
./bootstrap
./configure
make
sudo make install
sudo ldconfig
Finally, build Snort 3 from source
If you want to enable other compile-time features, such as the ability to process large (over 2 GB) PCAP files or the new command-line shell:
run ./configure_cmake.sh --help to list all optional features and append the ones you want to the ./configure_cmake.sh command below. Check the Snort website for newer Snort 3 releases.
cd ~/snort_src
wget https://github.com/snort3/snort3/archive/refs/tags/3.1.20.0.tar.gz
tar -xzvf 3.1.20.0.tar.gz
cd snort3-3.1.20.0
./configure_cmake.sh --prefix=/usr/local --enable-tcmalloc
cd build
make
sudo make install
/usr/local/bin/snort -V
Test Snort with the default configuration file
snort -c /usr/local/etc/snort/snort.lua
NIC receive-offload settings for the IDS
eth0 is the interface I am monitoring; adjust this to your own NIC.
# Check the large-receive-offload (LRO) and generic-receive-offload (GRO) state of the interface with ethtool
sudo ethtool -k eth0 | grep receive-offload
sudo vi /lib/systemd/system/ethtool.service
## Put the following into the file
[Unit]
Description=Ethtool Configuration for Network Interface
[Service]
Requires=network.target
Type=oneshot
ExecStart=/sbin/ethtool -K eth0 gro off
ExecStart=/sbin/ethtool -K eth0 lro off
[Install]
WantedBy=multi-user.target
sudo systemctl enable ethtool
sudo service ethtool start
Create a few directories for Snort rules and policy files
sudo mkdir /usr/local/etc/rules
sudo mkdir /usr/local/etc/so_rules/
sudo mkdir /usr/local/etc/lists/
sudo touch /usr/local/etc/rules/local.rules
sudo touch /usr/local/etc/lists/default.blocklist
sudo mkdir /var/log/snort
sudo vim /usr/local/etc/rules/local.rules
alert icmp any any -> any any (msg:"ICMP Traffic Detected"; sid:10000001;rev:1;)
# the main configuration file is /usr/local/etc/snort/snort.lua
snort -c /usr/local/etc/snort/snort.lua -A alert_fast -i eth0 -l /var/log/snort/ -R /usr/local/etc/rules/local.rules

Snort command-line help
(The listing below is the help output of Snort 2.9. Snort 3 takes a Lua configuration with -c snort.lua and has dropped several of these options, for example the dynamic preprocessor and engine library flags; run snort --help on your own build for the current list.)
snort [-options] <filter options>
Options:
-A
Set alert mode: fast, full, console, test or none (alert file alerts only)
"unsock" enables UNIX socket logging (experimental).
-b
Log packets in tcpdump format (much faster!)
-B <mask>
Obfuscated IP addresses in alerts and packet dumps using CIDR mask
-c <rules>
Use Rules File <rules>
Note: this is the path of the Snort configuration file, e.g. snort -c /etc/snort/snort.conf
-C
Print out payloads with character data only (no hex)
-d
Dump the Application Layer
-D
Run Snort in background (daemon) mode
-e
Display the second layer header info
-f
Turn off fflush() calls after binary log writes
-F <bpf>
Read BPF filters from file <bpf>
-g <gname>
Run snort gid as <gname> group (or gid) after initialization
-G <0xid>
Log Identifier (to uniquely id events for multiple snorts)
-h <hn>
Set home network = <hn>
(for use with -l or -B, does NOT change $HOME_NET in IDS mode)
-H
Make hash tables deterministic.
-i <if>
Listen on interface <if>
-I
Add Interface name to alert output
-k <mode>
Checksum mode (all,noip,notcp,noudp,noicmp,none)
-K <mode>
Logging mode (pcap[default],ascii,none)
-l <ld>
Log to directory <ld>
-L <file>
Log to this tcpdump file
-M
Log messages to syslog (not alerts)
-m <umask>
Set umask = <umask>
-n <cnt>
Exit after receiving <cnt> packets
-N
Turn off logging (alerts still work)
-O
Obfuscate the logged IP addresses
-p
Disable promiscuous mode sniffing
-P <snap>
Set explicit snaplen of packet (default: 1514)
-q
Quiet. Don't show banner and status report
-Q
Enable inline mode operation.
-r <tf>
Read and process tcpdump file <tf>
Note: i.e. a pcap file, such as Snort's own binary packet log
-R <id>
Include 'id' in snort_intf<id>.pid file name
-s
Log alert messages to syslog
-S <n=v>
Set rules file variable n equal to value v
-t <dir>
Chroots process to <dir> after initialization
-T
Test and report on the current Snort configuration
-u <uname>
Run snort uid as <uname> user (or uid) after initialization
-U
Use UTC for timestamps
-v
Be verbose
-V
Show version number
-X
Dump the raw packet data starting at the link layer
-x
Exit if Snort configuration problems occur
-y
Include year in timestamp in the alert and log files
-Z <file>
Set the performonitor preprocessor file path and name
-?
Show this information
<Filter Options> are standard BPF options, as seen in TCPDump
Longname options and their corresponding single char version
--logid <0xid>
Same as -G
--perfmon-file <file>
Same as -Z
--pid-path <dir>
Specify the directory for the Snort PID file
--snaplen <snap>
Same as -P
--help
Same as -?
--version
Same as -V
--alert-before-pass
Process alert, drop, sdrop, or reject before pass, default is pass before alert, drop,...
--treat-drop-as-alert
Converts drop, sdrop, and reject rules into alert rules during startup
--treat-drop-as-ignore
Use drop, sdrop, and reject rules to ignore session traffic when not inline.
--process-all-events
Process all queued events (drop, alert,...), default stops after 1st action group
--enable-inline-test
Enable Inline-Test Mode Operation
--dynamic-engine-lib <file>
Load a dynamic detection engine
--dynamic-engine-lib-dir <path>
Load all dynamic engines from directory
--dynamic-detection-lib <file>
Load a dynamic rules library
--dynamic-detection-lib-dir <path>
Load all dynamic rules libraries from directory
--dump-dynamic-rules <path>
Creates stub rule files of all loaded rules libraries
--dynamic-preprocessor-lib <file>
Load a dynamic preprocessor library
--dynamic-preprocessor-lib-dir <path>
Load all dynamic preprocessor libraries from directory
--dynamic-output-lib <file>
Load a dynamic output library
--dynamic-output-lib-dir <path>
Load all dynamic output libraries from directory
--create-pidfile
Create PID file, even when not in Daemon mode
--nolock-pidfile
Do not try to lock Snort PID file
--no-interface-pidfile
Do not include the interface name in Snort PID file
--disable-attribute-reload-thread
Do not create a thread to reload the attribute table
--pcap-single <tf>
Same as -r.
--pcap-file <file>
file that contains a list of pcaps to read - read mode is implied.
--pcap-list "<list>"
a space separated list of pcaps to read - read mode is implied.
--pcap-dir <dir>
a directory to recurse to look for pcaps - read mode is implied.
--pcap-filter <filter>
filter to apply when getting pcaps from file or directory.
--pcap-no-filter
reset to use no filter when getting pcaps from file or directory.
--pcap-loop <count>
this option will read the pcaps specified on command line continuously.
for <count> times. A value of 0 will read until Snort is terminated.
--pcap-reset
if reading multiple pcaps, reset snort to post-configuration state before reading next pcap.
--pcap-reload
if reading multiple pcaps, reload snort config between pcaps.
--pcap-show
print a line saying what pcap is currently being read.
--exit-check <count>
Signal termination after <count> callbacks from DAQ_Acquire(), showing the time it
takes from signaling until DAQ_Stop() is called.
--conf-error-out
Same as -x
--enable-mpls-multicast
Allow multicast MPLS
--enable-mpls-overlapping-ip
Handle overlapping IPs within MPLS clouds
--max-mpls-labelchain-len
Specify the max MPLS label chain
--mpls-payload-type
Specify the protocol (ipv4, ipv6, ethernet) that is encapsulated by MPLS
--require-rule-sid
Require that all snort rules have SID specified.
--daq <type>
Select packet acquisition module (default is pcap).
--daq-mode <mode>
Select the DAQ operating mode.
--daq-var <name=value>
Specify extra DAQ configuration variable.
--daq-dir <dir>
Tell snort where to find desired DAQ.
--daq-list[=<dir>]
List packet acquisition modules available in dir. Default is static modules only.
--dirty-pig
Don't flush packets and release memory on shutdown.
--cs-dir <dir>
Directory to use for control socket.
--ha-peer
Activate live high-availability state sharing with peer.
--ha-out <file>
Write high-availability events to this file.
--ha-in <file>
Read high-availability events from this file on startup (warm-start).
--suppress-config-log
Suppress configuration information output.
Writing Snort rules
Snort 3 Rule Writing Guide
Snort rule actions
- alert: generate an alert and log the packet (for situations that need immediate action)
- pass: ignore the packet (for traffic that is explicitly allowed and should not be inspected)
- log: log the packet without taking any other action
- activation: alert and then turn on another dynamic rule chain
- dynamic: invoked by a rule with the activate action; under normal circumstances these rules are not used to inspect packets. A dynamic rule can only be activated by one "activate" action.
(activation and dynamic come from Snort 2, where flowbits were already the recommended replacement; Snort 3 does not have them.)
Anatomy of a Snort rule
A Snort rule consists of a rule header and rule options.
- The rule header defines the basic match criteria for the traffic: protocol, source and destination addresses, ports, and so on.
- The rule options hold the more detailed detection conditions and the response.

Rule header
The basic format of the rule header is: <action> <protocol> <src_ip> <src_port> -> <dst_ip> <dst_port>
- action: the rule action; common ones are alert, log and pass.
- protocol: the protocol, such as TCP, UDP or ICMP.
- src_ip: source IP address; a single IP, a network in CIDR notation, or any for any address.
- src_port: source port; a specific port number, or any for any port.
- dst_ip: destination IP address, with the same forms as src_ip.
- dst_port: destination port, with the same forms as src_port.
Example rule header: alert tcp any any -> 192.168.1.0/24 80
This alerts on TCP traffic from any source IP and source port to port 80 on the 192.168.1.0/24 network.
Rule options
The rule options are a series of key:value pairs separated by semicolons, each of the form <key>:<value>
Common rule options include:
- msg: the alert message.
- sid: the rule ID; it must be unique.
- rev: the rule revision number.
- content: a pattern to match in the packet payload.
- depth: how far from the start of the payload (or from offset) the search for the content extends.
- offset: the position in the payload where the content search starts.
- nocase: match the content case-insensitively.
- classtype: the rule's classification, describing the kind of activity it detects.
Example rule options: (msg:"Potential SQL Injection"; sid:1000001; rev:1; content:"' or '1'='1"; nocase;)
This raises the alert "Potential SQL Injection" (revision 1) whenever the payload contains ' or '1'='1, regardless of case.
Complete example rule: alert tcp any any -> any 80 (msg:"Potential SQL Injection"; sid:1000001; rev:1; content:"' or '1'='1"; nocase;)
Other example rules
SQL injection alert: alert tcp any any -> any 80 (msg:"Possible SQL Injection"; content:"' OR 1=1 --"; http_uri; nocase; sid:10000000123; rev:1;)
(Note that sid is an unsigned 32-bit integer, so 10000000123 is out of range; Snort 3 rejects sids above 4294967295.)
EternalBlue signature alert: alert smb any any -> $HOME_NET any (msg:"ET EXPLOIT Possible ETERNALBLUE MS17-010"; flow:to_server,established; content:"|00 00 00 31 ff|SMB|2b 00 00 00 00 18 07 c0|"; depth:16; fast_pattern; content:"|4a 6c 4a 6d 49 68 43 6c 42 73 72 00|"; distance:0; flowbits:set,ETPRO.ETERNALBLUE; flowbits:noalert; classtype:trojan-activity; sid:2024220; rev:1;)
Reference articles
Using Snort (2): intrusion detection and rule writing (CSDN blog)
Installing Snort 3 on Ubuntu 22.04 for network traffic anomaly detection (Jikefan, cnblogs)
Hand-written rule to detect the sqlmap tool
Traffic characteristics of sqlmap

The User-Agent header contains the keyword sqlmap.
Writing the rule
alert tcp $EXTERNAL_NET any -> $HOME_NET [80,443,8080] (
msg:"SQLi Attack - Potential sqlmap Activity Detected";
flow:to_server,established;
content:"User-Agent"; http_header;
content:"sqlmap"; nocase; http_header;
metadata:service http;
reference:url,github.com/sqlmapproject/sqlmap;
classtype:web-application-attack;
sid:1000001;
rev:1;
)
Alert on traffic on a specific port
alert tcp any 7799 -> any any (msg:"SNORT:visit destport tcp 7799"; sid:201900001; rev:1;)
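To make the rule anatomy described above concrete, and to check the sqlmap rule just written, here is an added Python example (it is not code from the page and not Snort's own parser). It splits a rule into header fields and ordered options, flags sids that are missing, outside the 32-bit range or reused, and evaluates plain-text content/nocase/http_uri/http_header options against constructed HTTP requests. The request lines, the shop.example host and the user agents are made up for the demonstration; the rules are the page's own, with the sqlmap rule's content modifiers separated by semicolons as Snort 2 and Suricata expect.

```python
"""Added example, not code from the page: a minimal parser for Snort/Suricata text rules,
a sid sanity check, and an evaluator for the content/nocase/http_uri/http_header options
against a constructed HTTP request. Only plain-text content is evaluated; |hex| patterns,
depth/offset/distance and all other options are parsed but ignored."""
import re

MAX_SID = 2**32 - 1  # sid is an unsigned 32-bit integer (Snort 3 declares the range 1:max32)

# <action> <protocol> <src_ip> <src_port> -> <dst_ip> <dst_port> ( <options> )
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src_ip>\S+)\s+(?P<src_port>\S+)\s+"
    r"(?P<direction>->|<>)\s+(?P<dst_ip>\S+)\s+(?P<dst_port>\S+)\s*\((?P<body>.*)\)\s*$", re.S)


def split_options(body):
    """Split the option body on ';' outside double quotes; a bare flag such as nocase gets value None."""
    opts, buf, in_quote = [], [], False
    for ch in body:
        in_quote ^= ch == '"'
        if ch == ";" and not in_quote:
            opts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    opts.append("".join(buf))
    pairs = []
    for opt in filter(None, (o.strip() for o in opts)):
        key, sep, val = opt.partition(":")
        pairs.append((key.strip(), val.strip() if sep else None))
    return pairs

def parse_rule(text):
    """Return a dict of header fields plus an ordered 'options' list; newlines in the body are fine."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("not a rule: " + text.strip()[:40])
    rule = m.groupdict()
    rule["options"] = split_options(rule.pop("body"))
    return rule

def check_rules(rule_texts):
    """Report unparsable rules and sids that are missing, out of range or reused (sid must be unique)."""
    problems, seen = [], {}
    for n, text in enumerate(rule_texts, 1):
        try:
            opts = dict(parse_rule(text)["options"])
        except ValueError as exc:
            problems.append(f"rule {n}: {exc}")
            continue
        sid = opts.get("sid")
        if sid is None or not sid.isdigit():
            problems.append(f"rule {n}: missing or non-numeric sid")
        elif not 1 <= int(sid) <= MAX_SID:
            problems.append(f"rule {n}: sid {sid} outside 1..{MAX_SID}")
        elif sid in seen:
            problems.append(f"rule {n}: sid {sid} duplicates rule {seen[sid]}")
        else:
            seen[sid] = n
    return problems

def match_http(rule, request_line, headers):
    """Apply the rule's content checks to a request (Snort 2 / Suricata style: nocase and http_* follow their content)."""
    header_blob = "\r\n".join(f"{k}: {v}" for k, v in headers.items())
    buffers = {"pkt": request_line + "\r\n" + header_blob,
               "http_uri": request_line.split(" ")[1], "http_header": header_blob}
    checks, cur = [], None
    for key, val in rule["options"]:
        if key == "content":
            cur = [val.strip('"'), "pkt", False]  # pattern, buffer, nocase
            checks.append(cur)
        elif cur and key == "nocase":
            cur[2] = True
        elif cur and key in ("http_uri", "http_header"):
            cur[1] = key
    for pat, buf, nocase in checks:
        hay = buffers[buf]
        if (pat.lower() if nocase else pat) not in (hay.lower() if nocase else hay):
            return False
    return True

# Rules quoted from the page; sid 10000000123 and the reused sid 1000001 are real defects there.
PAGE_RULES = [
    "alert tcp any any -> any 80 (msg:\"Potential SQL Injection\"; sid:1000001; rev:1; content:\"' or '1'='1\"; nocase;)",
    "alert tcp any any -> any 80 (msg:\"Possible SQL Injection\"; content:\"' OR 1=1 --\"; http_uri; nocase; sid:10000000123; rev:1;)",
]
SQLMAP_RULE = """alert tcp $EXTERNAL_NET any -> $HOME_NET [80,443,8080] (
    msg:"SQLi Attack - Potential sqlmap Activity Detected"; flow:to_server,established;
    content:"User-Agent"; http_header; content:"sqlmap"; nocase; http_header;
    classtype:web-application-attack; sid:1000001; rev:1;
)"""
# Constructed HTTP requests (host and user agents made up), not captured traffic.
SQLMAP_REQUEST = ("GET /index.php?id=1 HTTP/1.1", {"Host": "shop.example", "User-Agent": "sqlmap/1.7"})
BROWSER_REQUEST = ("GET /index.php?id=1 HTTP/1.1", {"Host": "shop.example", "User-Agent": "Mozilla/5.0"})

if __name__ == "__main__":
    print(check_rules(PAGE_RULES + [SQLMAP_RULE]))
    print([match_http(parse_rule(SQLMAP_RULE), *r) for r in (SQLMAP_REQUEST, BROWSER_REQUEST)])
```

Running it reports the two sid problems visible on this page (10000000123 does not fit in 32 bits, and 1000001 is used by both the SQL-injection example and the sqlmap rule) and shows that the sqlmap rule fires on the sqlmap request but not on the browser request, because the second content is searched case-insensitively in the header buffer only.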
Suricata
Likewise an open-source network intrusion detection system (IDS) and intrusion prevention system (IPS): it captures traffic, decodes the protocols, and identifies or blocks suspicious or malicious behaviour in that traffic.
Most domestic vendors' traffic-based IDS products build their key modules (packet capture, protocol parsing, detection engine) on top of it, with their own modifications and extensions.
Project page
https://github.com/OISF/suricata
Manual
2. Quickstart guide (Suricata 7.0.0-dev documentation)
Setting up the environment
sudo apt-get install software-properties-common
sudo add-apt-repository ppa:oisf/suricata-stable
sudo apt-get update
sudo apt-get install suricata
Configuration
ip addr
sudo vim /etc/suricata/suricata.yaml
There are many possible configuration options; we focus on the HOME_NET variable and the network interface. In most cases HOME_NET should include the IP address of the monitored interface and all local networks in use. The default value already includes the RFC 1918 networks.
Values used on this host:
172.26.237.55/20
eth0

Downloading Suricata rules
https://github.com/al0ne/suricata-rules
GitHub - ptresearch/AttackDetection: Attack Detection
suricata-update
Log files
- suricata.log: Suricata's runtime log (startup, shutdown, rule loading and so on), used for troubleshooting and monitoring.
- stats.log: Suricata's statistics (traffic counters, rule-match counters and so on), used for performance tuning and analysing network activity.
- fast.log: the alert output; usually this is the one to look at.
- eve.json: detailed event records in JSON, including full details of rule-match events (protocol decoding, source and destination addresses, ports, payload data and so on), used for deep analysis.
cat /var/log/suricata/fast.log
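Since eve.json is the file meant for deep analysis, here is an added Python example (not from the page or the Suricata project) that reads eve.json line by line, tolerates a truncated trailing line, counts alerts per signature together with the source IPs that triggered them, picks out severity-1 alerts, and pulls the user agent and URL out of HTTP-layer alerts. The five log lines are constructed to follow the documented eve.json alert layout; the IPs and timestamps are sample data, and the sid 1000016 and 2023629 signatures are borrowed from the rules shown on this page, not from a real capture.

```python
"""Added example, not from the page or the Suricata project: triage Suricata's eve.json,
which holds one JSON event per line. SAMPLE_EVE is constructed to follow the shape of
eve.json 'alert' events (top-level 5-tuple, an 'alert' object and, for HTTP, an 'http'
object); it is not real Suricata output."""
import json
from collections import Counter, defaultdict

SAMPLE_EVE = """\
{"timestamp":"2024-09-08T10:00:01.000000+0000","event_type":"alert","src_ip":"203.0.113.7","src_port":51234,"dest_ip":"10.0.0.5","dest_port":80,"proto":"TCP","alert":{"signature_id":1000016,"rev":1,"signature":"sqlmap tools attack","severity":3},"http":{"hostname":"10.0.0.5","url":"/index.php?id=1","http_user_agent":"sqlmap/1.7","http_method":"GET"}}
{"timestamp":"2024-09-08T10:00:02.000000+0000","event_type":"flow","src_ip":"10.0.0.9","dest_ip":"10.0.0.5","proto":"TCP"}
{"timestamp":"2024-09-08T10:00:03.000000+0000","event_type":"alert","src_ip":"203.0.113.7","src_port":51240,"dest_ip":"10.0.0.5","dest_port":80,"proto":"TCP","alert":{"signature_id":1000016,"rev":1,"signature":"sqlmap tools attack","severity":3},"http":{"hostname":"10.0.0.5","url":"/index.php?id=2","http_user_agent":"sqlmap/1.7","http_method":"GET"}}
{"timestamp":"2024-09-08T10:00:04.000000+0000","event_type":"alert","src_ip":"198.51.100.4","src_port":443,"dest_ip":"10.0.0.21","dest_port":55000,"proto":"TCP","alert":{"signature_id":2023629,"rev":7,"signature":"ET HUNTING Suspicious Empty SSL Certificate - Observed in Cobalt Strike","severity":1}}
{"timestamp":"2024-09-08T10:00:05.000000+0000","event_type":"alert","src_ip":"10.0.0.9"
"""


def iter_events(lines):
    """Yield parsed events, skipping blank or malformed lines (the file may be read while Suricata is mid-write)."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def summarize_alerts(lines):
    """Count alerts per (signature_id, signature) and collect the source IPs that triggered each."""
    counts, sources = Counter(), defaultdict(set)
    for ev in iter_events(lines):
        if ev.get("event_type") != "alert":
            continue
        key = (ev["alert"]["signature_id"], ev["alert"]["signature"])
        counts[key] += 1
        sources[key].add(ev["src_ip"])
    return counts, dict(sources)


def high_severity_alerts(lines, threshold=1):
    """Return alert events at or above the severity threshold (in Suricata, 1 is the most severe)."""
    return [ev for ev in iter_events(lines)
            if ev.get("event_type") == "alert" and ev["alert"].get("severity", 4) <= threshold]


def http_context(lines):
    """For HTTP-layer alerts, return (src_ip, user agent, url) triples for the analyst."""
    return [(ev["src_ip"], ev["http"].get("http_user_agent"), ev["http"].get("url"))
            for ev in iter_events(lines)
            if ev.get("event_type") == "alert" and "http" in ev]


if __name__ == "__main__":
    lines = SAMPLE_EVE.splitlines()
    counts, sources = summarize_alerts(lines)
    for (sid, sig), n in counts.most_common():
        print(f"{n:3d}  sid:{sid}  {sig}  from {sorted(sources[(sid, sig)])}")
    for ev in high_severity_alerts(lines):
        print("HIGH:", ev["timestamp"], ev["src_ip"], "->", ev["dest_ip"], ev["alert"]["signature"])
    for src, ua, url in http_context(lines):
        print("http:", src, ua, url)
```

On a live sensor, replace SAMPLE_EVE.splitlines() with the lines of /var/log/suricata/eve.json; the per-signature counts tell you which rules are noisy, the source set tells you whether one scanner or many hosts are involved, and the truncated last line is skipped instead of aborting the whole run.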
Detecting with rules
suricata -c /etc/suricata/suricata.yaml -i eth0 -s /etc/suricata/rules/suricata.rules
suricata -c /etc/suricata/suricata.yaml -i eth0 -s /etc/suricata/rules/Behinder3.rules

Custom rules

alert http any any -> any any (msg:"通达OA-handle.php-SQL注入漏洞"; content:"share/handle.php"; http_uri; content:"select"; content:"and"; reference:url,http://example.com/2023-15672; classtype:web-application-attack; sid:20240908; rev:1;)

alert http any any -> any any (msg:"sqlmap tools attack"; flow:to_server; content:"User-Agent: sqlmap"; http_header; sid:1000016; rev:1;)
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"SSLBL: Malicious SSL certificate detected (CobaltStrike C&C)"; tls.fingerprint:"6e:ce:5e:ce:41:92:68:3d:2d:84:e2:5b:0b:a7:e0:4f:9c:b7:eb:7c"; reference:url, sslbl.abuse.ch/ssl-certificates/sha1/6ece5ece4192683d2d84e25b0ba7e04f9cb7eb7c/; sid:902202003; rev:1;)
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Suspicious Empty SSL Certificate - Observed in Cobalt Strike"; flow:established,to_client; tls.cert_subject; bsize:25; content:"C=, ST=, L=, O=, OU=, CN="; endswith; fast_pattern; classtype:targeted-activity; sid:2023629; rev:7; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2016_10_24, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2024_03_27;)
Integrated system image: Security Onion
Integrates snort/suricata, bro (zeek), elk, ossec and others.
Comparing the two
In terms of installation cost and ease of operation, Suricata is easier to get started with than Snort 3; installing Snort 3 is far too cumbersome, so Suricata is recommended.