Lab description
- Prepare the test pcap files in advance and store them in the /root/area2pcap directory
[root@localhost area2pcap]# pwd
/root/area2pcap
[root@localhost area2pcap]# ls
train_area2_00000_20210104202426.pcap train_area2_00076_20210104205411.pcap train_area2_00152_20210104210529.pcap
train_area2_00001_20210104202441.pcap train_area2_00077_20210104205419.pcap train_area2_00153_20210104210536.pcap
train_area2_00002_20210104202459.pcap train_area2_00078_20210104205428.pcap train_area2_00154_20210104210542.pcap
train_area2_00003_20210104202522.pcap train_area2_00079_20210104205436.pcap train_area2_00155_20210104210549.pcap
train_area2_00004_20210104202549.pcap train_area2_00080_20210104205444.pcap train_area2_00156_20210104210557.pcap
train_area2_00005_20210104202619.pcap train_area2_00081_20210104205451.pcap train_area2_00157_20210104210605.pcap
train_area2_00006_20210104202649.pcap train_area2_00082_20210104205457.pcap train_area2_00158_20210104210614.pcap
train_area2_00007_20210104202714.pcap train_area2_00083_20210104205504.pcap train_area2_00159_20210104210623.pcap
train_area2_00008_20210104202748.pcap train_area2_00084_20210104205514.pcap train_area2_00160_20210104210632.pcap
train_area2_00009_20210104202815.pcap train_area2_00085_20210104205523.pcap train_area2_00161_20210104210640.pcap
train_area2_00010_20210104202903.pcap train_area2_00086_20210104205534.pcap train_area2_00162_20210104210647.pcap
train_area2_00011_20210104203043.pcap train_area2_00087_20210104205547.pcap train_area2_00163_20210104210653.pcap
train_area2_00012_20210104203219.pcap train_area2_00088_20210104205601.pcap train_area2_00164_20210104210659.pcap
- These pcap files record TCP connections between terminals inside a cluster. Each terminal has a fixed service port; the terminals' IP addresses together with their ports make up a whitelist.
- The pcaps also contain a lot of traffic involving IP addresses outside that whitelist. The goal of the lab is to use Suricata to filter out the IPs and ports that fall outside the whitelist. Specifically, three kinds of information need to be extracted:
  - IPs outside the whitelist that attempt to reach an internal terminal (source IP not in the whitelist, destination IP in the whitelist)
  - IPs outside the whitelist that an internal terminal attempts to reach (source IP in the whitelist, destination IP not in the whitelist)
  - Ports on internal terminals that should not have been accessed but were
Environment setup
- Suricata is installed with Lua scripting support (a build configured with --enable-lua or --enable-luajit); in this lab it lives under /home/nsa/suricata/
[root@localhost scripts]# cd /home/nsa/suricata/
[root@localhost suricata]# ll
total 4176
-rw-r--r-- 1 root root 4269492 Feb 27 10:25 eve.json
drwxr-xr-x. 2 root root 22 Feb 17 22:45 log
drwxr-xr-x. 15 root root 4096 Feb 17 22:45 suricata-4.1.4
[root@localhost suricata]# pwd
/home/nsa/suricata
[root@localhost suricata]# ls suricata-4.1.4/
aclocal.m4 COPYING Makefile.in
ChangeLog depcomp missing
classification.config doc python
compile ebpf qa
config.guess etc reference.config
config.h install-sh rules
config.h.in libhtp rust
config.log libtool src
config.rpath LICENSE stamp-h1
config.status ltmain.sh suricata-update
config.sub lua suricata.yaml
configure m4 suricata.yaml.in
configure.ac Makefile threshold.config
contrib Makefile.am
- /etc/suricata holds the suricata.yaml configuration file and the lua-output folder (the folder has to be created by hand)
[root@localhost ~]# cd /etc/suricata/
[root@localhost suricata]# ll
total 80
drwxr-xr-x. 2 root root 25 Feb 25 17:15 lua-output
-rw-r--r-- 1 root root 74745 Feb 26 15:52 suricata.yaml
-rw-r--r--. 1 root root 1644 Feb 17 14:13 threshold.config
- In suricata.yaml, change the following settings
classification-file: /var/lib/suricata/update/cache/rules/classification.config
reference-config-file: /var/lib/suricata/update/cache/rules/reference.config
default-log-dir: /home/nsa/suricata
# eve.json, which records Suricata's detection results, is written to the directory above
default-rule-path: /var/lib/suricata/update/cache/rules
rule-files:
  - custom.rules
# the custom rule file custom.rules lives in default-rule-path
# classification.config also lives in default-rule-path
outputs:
  - lua:
      enabled: yes
# note: outputs/lua only enables Lua *output* scripts (the lua-output folder); the lua: rule keyword
# used below is detection-side and needs nothing here beyond a Suricata build with Lua support
# also check vars: address-groups: HOME_NET covers the terminals; the default entry 10.0.0.0/8 does for 10.79.x.x
- Have the pcap files for the experiment ready (see the lab description above)
- Manually create the directory /var/lib/suricata/update/cache/rules/scripts and put the whitelist of terminal IP addresses and ports there as a JSON file (terminal.json). The file is newline-delimited JSON, one {"ip":...,"port":[...]} object per line, which is how the Lua script reads it. (The listing also shows server.json and the scripts for the other two categories, abnormal_dst_ip.lua and abnormal_port.lua; only abnormal_src_ip.lua is walked through here.)
[root@localhost scripts]# pwd
/var/lib/suricata/update/cache/rules/scripts
[root@localhost scripts]# ll
total 20
-rw-r--r-- 1 root root 508 Feb 25 21:13 abnormal_dst_ip.lua
-rw-r--r-- 1 root root 707 Feb 25 21:00 abnormal_port.lua
-rw-r--r-- 1 root root 508 Feb 25 21:10 abnormal_src_ip.lua
-rw-r--r-- 1 root root 79 Feb 25 18:05 server.json
-rw-r--r-- 1 root root 124 Feb 25 21:04 terminal.json
[root@localhost scripts]# cat terminal.json
{"ip":"10.79.10.87","port":[]}
{"ip":"10.79.59.247","port":[]}
{"ip":"10.79.39.8","port":[]}
{"ip":"10.79.39.9","port":[]}
Writing the custom rule
# Category 1 is used as the example: IPs outside the whitelist attempting to reach an internal terminal (source IP not in the whitelist, destination IP in the whitelist)
cd /var/lib/suricata/update/cache/rules/
vi custom.rules
# contents as follows
alert tcp any any -> $HOME_NET any (msg:"Suspicious external IP trying to access internal service terminal"; lua:scripts/abnormal_src_ip.lua; sid:20210225; rev:1; classtype:src-ip-violation;)
# lua:scripts/abnormal_src_ip.lua embeds the custom Lua script in the rule; the path is resolved relative to default-rule-path
# Caveat: the only destination-side constraint in this rule is $HOME_NET (by default 10.0.0.0/8, 172.16.0.0/12 and
# 192.168.0.0/16), so any 10.79.x.x destination qualifies, not only the whitelisted terminals, and every packet in
# both directions of a flow toward $HOME_NET is evaluated; add flow:to_server to evaluate only the client-to-server direction
Modifying the classification file
[root@localhost rules]# pwd
/var/lib/suricata/update/cache/rules
[root@localhost rules]# vi classification.config
# append one line at the end of the file (format: config classification: shortname,description,priority; the shortname must match classtype in the rule):
config classification: src-ip-violation, IP_VIOLATION,1
Writing the custom script
[root@localhost scripts]# pwd
/var/lib/suricata/update/cache/rules/scripts
[root@localhost scripts]# vi abnormal_src_ip.lua
# contents as follows
function init(args)
    local needs = {}
    needs["packet"] = tostring(true)
    return needs
end

function match(args)
    -- per-packet 5-tuple; sp/dp are numbers
    local ipver, srcip, dstip, proto, sp, dp = SCPacketTuple()
    local cjson = require("cjson")
    -- terminal.json is newline-delimited JSON, one terminal per line.
    -- assert() turns a missing or unreadable file into a Lua error that Suricata logs,
    -- instead of an obscure "attempt to index a nil value"
    local file = assert(io.open("/var/lib/suricata/update/cache/rules/scripts/terminal.json", "r"))
    local src_is_terminal = false
    for line in file:lines() do
        local line_json = cjson.decode(line)
        -- terminal_port = line_json.port   (ports are not checked by this script)
        if srcip == line_json.ip then
            src_is_terminal = true
            break
        end
    end
    file:close()   -- the original never closed the handle, leaking one descriptor per packet
    if src_is_terminal then
        return 0   -- source is a whitelisted terminal: no alert
    end
    -- source is outside the whitelist. Only the source is checked here; whether the
    -- destination is a whitelisted terminal is left to $HOME_NET in the rule
    return 1
end

return 0
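The script above covers only category 1 and re-reads terminal.json for every packet. The following is an added example, not part of the original lab, that generalizes it to all three categories from the lab description (source violation, destination violation, undeclared port) and parses the whitelist once per Lua state. It assumes terminal.json stays newline-delimited JSON as shown above, that the "port" arrays hold each terminal's whitelisted service ports, that lua-cjson is installed (the lab's own script already requires it), and that an empty port list means the ports have not been declared yet, in which case the port check is skipped for that host. Save one copy per category and change only CATEGORY.

```lua
-- Added example: one Suricata Lua detection script for all three whitelist checks.
-- Not the lab's original script. Assumptions: terminal.json is newline-delimited JSON
-- ({"ip":...,"port":[...]}) with whitelisted service ports in "port"; lua-cjson is
-- installed; an empty "port" list means "ports not declared yet" (port check skipped).
-- Save as abnormal_src_ip.lua / abnormal_dst_ip.lua / abnormal_port.lua, changing only CATEGORY.

local CATEGORY = "src_violation"   -- or "dst_violation" / "port_violation"
local WHITELIST_FILE = "/var/lib/suricata/update/cache/rules/scripts/terminal.json"

-- Build { [ip] = { [port] = true, ... } } from NDJSON lines. `decode` is a JSON
-- decoder such as cjson.decode, passed in so the function can be tested without it.
local function load_whitelist(lines, decode)
  local wl = {}
  for _, line in ipairs(lines) do
    if line:match("%S") then                      -- skip blank lines
      local entry = decode(line)
      local ports = {}
      for _, p in ipairs(entry.port or {}) do
        ports[tonumber(p)] = true
      end
      wl[entry.ip] = ports
    end
  end
  return wl
end

-- Evaluate one packet tuple against the whitelist. Returns a table of booleans,
-- one per category, so an outsider hitting an undeclared port raises both
-- src_violation and port_violation.
local function classify(srcip, dstip, dp, wl)
  local src_is_terminal = wl[srcip] ~= nil
  local dst_ports = wl[dstip]
  local dst_is_terminal = dst_ports ~= nil
  return {
    -- category 1: outsider -> terminal
    src_violation  = (not src_is_terminal) and dst_is_terminal,
    -- category 2: terminal -> outsider
    dst_violation  = src_is_terminal and (not dst_is_terminal),
    -- category 3: anyone -> terminal on a port that is not in its declared list
    port_violation = dst_is_terminal and next(dst_ports) ~= nil and not dst_ports[dp],
  }
end

-- Whitelist cache. Suricata runs this chunk once per detection thread's Lua state;
-- loading lazily on the first packet works regardless of how init() is invoked
-- and avoids re-reading the file for every packet.
local whitelist = nil
local function get_whitelist()
  if whitelist == nil then
    local cjson = require("cjson")
    local fh = assert(io.open(WHITELIST_FILE, "r"))  -- a failure here is logged by Suricata
    local lines = {}
    for line in fh:lines() do lines[#lines + 1] = line end
    fh:close()
    whitelist = load_whitelist(lines, cjson.decode)
  end
  return whitelist
end

-- Suricata detection callbacks (same shape as the lab's script).
function init(args)
  local needs = {}
  needs["packet"] = tostring(true)
  return needs
end

function match(args)
  local ipver, srcip, dstip, proto, sp, dp = SCPacketTuple()
  if classify(srcip, dstip, dp, get_whitelist())[CATEGORY] then
    return 1
  end
  return 0
end

-- Self-test, run only outside Suricata (where SCPacketTuple is undefined):
--   lua abnormal_src_ip.lua
if SCPacketTuple == nil then
  -- constructed whitelist, not the lab's data; 10.79.39.8 has no ports declared yet
  local wl = { ["10.79.10.87"] = { [9001] = true }, ["10.79.39.8"] = {} }
  local r
  r = classify("10.79.83.55", "10.79.10.87", 9001, wl)      -- outsider -> terminal
  assert(r.src_violation and not r.dst_violation and not r.port_violation)
  r = classify("10.79.10.87", "10.79.83.55", 80, wl)        -- terminal -> outsider
  assert(r.dst_violation and not r.src_violation and not r.port_violation)
  r = classify("10.79.39.8", "10.79.10.87", 22, wl)         -- terminal -> terminal, undeclared port
  assert(r.port_violation and not r.src_violation and not r.dst_violation)
  r = classify("10.79.39.8", "10.79.10.87", 9001, wl)       -- terminal -> terminal, allowed port
  assert(not (r.src_violation or r.dst_violation or r.port_violation))
  r = classify("10.79.10.87", "10.79.39.8", 22, wl)         -- ports undeclared: check skipped
  assert(not r.port_violation)
  r = classify("10.79.83.55", "10.79.69.9", 36773, wl)      -- neither side whitelisted
  assert(not (r.src_violation or r.dst_violation or r.port_violation))
  print("self-test passed")
end

return 0
```

Pair each copy with a rule of the form used above, adding flow:to_server so that only the client-to-server direction is evaluated and dp is the service port being contacted; each copy needs its own sid and its own config classification line in classification.config. Running `lua abnormal_src_ip.lua` outside Suricata executes the built-in self-test; inside Suricata SCPacketTuple is defined and the self-test is skipped.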
Running Suricata
suricata -c /etc/suricata/suricata.yaml -r /root/area2pcap
# -r takes a single path: pointing it at the directory processes every pcap in it (in mtime order, keeping flow
# state across files). A glob such as area2pcap/*.pcap expands to many arguments, of which only the first becomes
# the -r value; Suricata treats the trailing arguments as a BPF filter expression, not as more input files.
# after the command finishes, inspect eve.json to see whether the filtering worked
tail -F /home/nsa/suricata/eve.json
# eve.json contents:
{"timestamp":"2021-01-04T20:24:41.500337+0800","flow_id":981015779183716,"pcap_cnt":993,"event_type":"alert","src_ip":"10.79.83.55","src_port":9001,"dest_ip":"10.79.69.9","dest_port":36773,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":20210225,"rev":1,"signature":"Suspicious external IP trying to access internal service terminal","category":"IP_VIOLATION","severity":1},"flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":74,"bytes_toclient":74,"start":"2021-01-04T20:24:41.494692+0800"},"payload":"","payload_printable":"","stream":0,"packet":"hFsSS6QOZNgU3LtCCABFAAA8AABAADsGkt4KT1M3Ck9FCSMpj6WjLt78HEL\/iqASFqCRlwAAAgQFtAEBCAoAcp+NeD+M3AEDAwA=","packet_info":{"linktype":1}}
# Reading the result above:
# "signature":"Suspicious external IP trying to access internal service terminal" and
# "category":"IP_VIOLATION" show that the custom rule fired and was classified as intended.
# Two caveats before counting this as a category-1 hit, though:
# - dest_ip 10.79.69.9 is not in terminal.json. The Lua script checks only the source IP, so the destination
#   side is constrained by nothing but $HOME_NET in the rule; this alert really means "non-whitelisted
#   source -> some $HOME_NET address". Checking dstip against the whitelist in the script closes that gap.
# - "flow":{"pkts_toserver":1,"pkts_toclient":1} and the base64 packet (TCP flags 0x12, a SYN-ACK) show the
#   alerting packet is the server's reply: 10.79.83.55:9001 is the service answering client 10.79.69.9:36773.
#   With flow:to_server in the rule only the initiating direction is evaluated, so src_ip then names the host
#   that actually opened the connection.