
Network intrusion detection: setting up Suricata + Scirius

Deployment

Configuring PF_RING

```bash
# Build dependencies for PF_RING; this also pulls in what Suricata's configure
# needs later (libpcre3, libyaml, libjansson, libcap, libpcap, rustc/cargo)
apt-get install -y subversion flex bison git-core automake autoconf libtool build-essential \
    dkms linux-headers-$(uname -r) \
    libpcre3-dev libyaml-dev libjansson-dev libcap-dev libpcap-dev rustc cargo wireshark
git clone https://github.com/ntop/PF_RING.git

# Build and install the kernel module (make install puts it under /lib/modules,
# which is what lets modprobe find it below)
cd PF_RING/kernel
make
sudo make install

# Build the userland library (libpfring) that Suricata links against
cd ../userland
make
(cd lib && sudo make install)

# Load the module with its parameters. If it was already loaded with a plain
# insmod, rmmod pf_ring first, otherwise the parameters are not applied.
sudo modprobe pf_ring transparent_mode=1 enable_tx_capture=0 min_num_slots=65534 quick_mode=1
modinfo pf_ring             # lists the parameters this PF_RING version accepts
cat /proc/net/pf_ring/info  # confirms the module is loaded and shows the active settings
```

Installing Suricata

```bash
wget https://www.openinfosecfoundation.org/download/suricata-6.0.1.tar.gz
tar xzf suricata-6.0.1.tar.gz && cd suricata-6.0.1
# --enable-pfring needs libpfring installed (PF_RING step above); /etc and /var match the suricata.yaml paths below
./configure --enable-pfring --sysconfdir=/etc --localstatedir=/var
make && sudo make install-conf       # binary plus /etc/suricata/suricata.yaml and /var/log/suricata
suricata --build-info | grep -i pf_ring   # expect "PF_RING support: yes"
```

Installing Scirius

```bash
# Scirius is a Python 3 Django application, so install python3 (the original
# installed python/python-dev but then used pip3)
apt install -y python3 python3-dev git
curl https://bootstrap.pypa.io/get-pip.py -o get-pip.py
python3 get-pip.py        # the original fetched get-pip.py but never ran it
git clone https://github.com/StamusNetworks/scirius.git
cd scirius
pip3 install -r requirements.txt
pip3 install pyinotify gitpython gitdb

# Front-end toolchain: the hunt UI is built with webpack/node-sass
sudo apt-get install -y npm
sudo npm install -g npm@latest webpack@3.11
sudo npm install --unsafe-perm -g node-sass
sudo npm cache clean -f
sudo npm install -g n
sudo n stable
cd hunt
npm install
npm run build

cd ..
python3 manage.py migrate          # apply the database migrations
python3 manage.py createsuperuser  # first admin account for the web UI
webpack
python3 manage.py collectstatic
# Django development server, bound to 127.0.0.1:8000 only; front it with a
# real WSGI server and reverse proxy (TLS, auth) before exposing it on a network
python3 manage.py runserver
```

Configuring Suricata

Point suricata.yaml at the files Scirius generates. The rule, category and IP-reputation paths must match the rules directory configured for the Suricata instance in Scirius, because that is where a push writes scirius.rules, scirius-categories.txt and scirius-iprep.list:

```yaml
default-rule-path: /var/lib/suricata/rules

rule-files:
  - scirius.rules

reputation-categories-file: /var/lib/suricata/rules/scirius-categories.txt
default-reputation-path: /var/lib/suricata/rules
reputation-files:
  - scirius-iprep.list
```

Operating with Scirius

Day-to-day rule management happens in the web front end:

1. Sources -> add public source: register a rule source (for example a public ruleset feed).
2. Rulesets -> add: create a ruleset, select the source(s) it draws from and enable the rules/categories you actually want loaded.
3. Suricata -> Ruleset actions -> update + build + push: fetch the latest version of the source, build the ruleset files, push them to the rules directory and reload/restart Suricata so the new rules take effect.
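The push step above writes scirius.rules into the directory from the suricata.yaml fragment and then reloads Suricata. The following added example (not code from Scirius or Suricata) is the check I run between those two events: a static sanity check of the pushed rules file (at least one active rule, no duplicate sids, since Suricata treats a second rule with the same sid/gid as a duplicate and keeps only one of them), then Suricata's own config/rule test, then a live reload over the unix socket instead of a restart, so capture never stops. The paths in `RULES_DIR` and `CONF` are assumptions matching the fragment above; the rules in the test are constructed.

```bash
#!/bin/sh
# Added example: verify a Scirius-pushed ruleset before reloading Suricata.
# Assumed paths (override via environment); they match the suricata.yaml above.
RULES_DIR="${RULES_DIR:-/var/lib/suricata/rules}"
CONF="${CONF:-/etc/suricata/suricata.yaml}"

# count_active_rules FILE: number of lines that are neither blank nor comments,
# i.e. the rules Suricata will actually try to load.
count_active_rules() {
    grep -c -v -E '^[[:space:]]*(#|$)' "$1" || true
}

# duplicate_sids FILE: prints every sid that occurs more than once among the
# active rules. A duplicate means one of the rules you enabled will be dropped.
duplicate_sids() {
    grep -v -E '^[[:space:]]*(#|$)' "$1" \
      | grep -o -E 'sid:[[:space:]]*[0-9]+' \
      | sed -E 's/sid:[[:space:]]*//' \
      | sort | uniq -d
}

# check_ruleset FILE: returns 0 when the file is readable, has at least one
# active rule and no duplicate sids; distinct non-zero codes for each failure.
check_ruleset() {
    f="$1"
    [ -r "$f" ] || { echo "missing rules file: $f" >&2; return 2; }
    n=$(count_active_rules "$f")
    [ "$n" -gt 0 ] || { echo "no active rules in $f" >&2; return 3; }
    d=$(duplicate_sids "$f")
    if [ -n "$d" ]; then
        echo "duplicate sids in $f: $(echo "$d" | tr '\n' ' ')" >&2
        return 4
    fi
    echo "$f: $n active rules, no duplicate sids"
    return 0
}

# validate_and_reload: static check, then 'suricata -T' (parses the config and
# every rule without starting capture), then a rule reload through the unix
# socket. Nothing is reloaded if any step fails, so the old ruleset stays live.
validate_and_reload() {
    check_ruleset "$RULES_DIR/scirius.rules" || return $?
    if command -v suricata >/dev/null 2>&1; then
        suricata -T -c "$CONF" || { echo "suricata -T failed, not reloading" >&2; return 5; }
    fi
    if command -v suricatasc >/dev/null 2>&1; then
        suricatasc -c ruleset-reload-rules
    else
        echo "suricatasc not found; restart Suricata manually" >&2
        return 6
    fi
}
```

Run `validate_and_reload` from a cron job or a hook after each push; a non-zero exit tells you the ruleset Scirius built is not what is running, which is the failure mode that otherwise goes unnoticed until an alert you expected never fires.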

Scirius source code analysis

Deploying ELK

```bash
git clone https://github.com/deviantony/docker-elk
cd docker-elk
docker-compose up -d   # Elasticsearch on 9200, Kibana on 5601
```

Note: if Elasticsearch has authentication enabled (X-Pack security), Scirius cannot connect to it; the workaround is to turn X-Pack security off. docker-elk enables it with `xpack.security.enabled: true` in `elasticsearch/config/elasticsearch.yml`, so setting that to `false` removes authentication from the whole cluster. If you do this, do not leave port 9200 reachable from untrusted networks: bind it to localhost in docker-compose.yml (`127.0.0.1:9200:9200` instead of `9200:9200`) and let Scirius, Kibana and the eve.json shipper reach it from the same host or a private network, otherwise anyone who can reach the port can read, alter or delete the alert data.

References

https://suricata.readthedocs.io/en/latest/install.html
https://xz.aliyun.com/t/7263
https://paper.seebug.org/1054/
https://github.com/orright/scirius/tree/master/doc
https://suricata.readthedocs.io/en/latest/quickstart.html