Suricata

From Wiki

Kangtain moved page Software/Suricata to Suricata over redirect
Latest revision as of 05:40, 20 November 2022

Installation from Source Code

Install Required Dependencies

First, install the dependencies required to compile Suricata from source. You can install all of them with the following command:

apt-get install rustc cargo make libpcre3 libpcre3-dbg libpcre3-dev build-essential autoconf automake libtool libpcap-dev libnet1-dev libyaml-0-2 libyaml-dev zlib1g zlib1g-dev libcap-ng-dev libcap-ng0 make libmagic-dev libjansson-dev libjansson4 pkg-config -y

By default, Suricata functions as an intrusion detection system (IDS). If you want to include intrusion prevention system (IPS) functionality, then you will need to install some more packages in your system. You can install them with the following command:

apt-get install libnetfilter-queue-dev libnetfilter-queue1 libnfnetlink-dev libnfnetlink0 -y

Once all the packages are installed, you will need to install the suricata-update tool to update the Suricata rules. You can install it with the following commands:

apt-get install python3-pip
pip3 install --upgrade suricata-update
ln -s /usr/local/bin/suricata-update /usr/bin/suricata-update

Once you are finished, you can proceed to the next step.

Update rules

sudo suricata-update -o /etc/suricata/rules/

Install Suricata

First, download the latest version of Suricata from their official website with the following command:

wget https://www.openinfosecfoundation.org/download/suricata-5.0.3.tar.gz

Once the download is completed, extract the downloaded file with the following command:

tar -xvzf suricata-5.0.3.tar.gz

Next, change the directory to the extracted directory and configure it with the following command:

cd suricata-5.0.3
./configure --enable-nfqueue --prefix=/usr --sysconfdir=/etc --localstatedir=/var

Next, build and install Suricata with the following commands:

make
make install-full

Note: This process will take over 10 minutes

Next, install all rules with the following command:

make install-rules

By default, all rules are installed to /var/lib/suricata/rules/suricata.rules. You can view them with the following command:

cat /var/lib/suricata/rules/suricata.rules

Configure Suricata

The default Suricata configuration file is located at /etc/suricata/suricata.yaml. You will need to configure it so that Suricata knows which network is your internal network. You can do this by editing the file:

vim /etc/suricata/suricata.yaml

Change the following lines:

     HOME_NET: "[192.168.1.0/24]"
     EXTERNAL_NET: "!$HOME_NET"

Save and close the file when you are finished.

Note: In the configuration above, replace 192.168.1.0/24 with your internal network.
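As an added check (example code written for this page, not part of Suricata or of the wiki), the following Python script reads the HOME_NET and EXTERNAL_NET lines from the vars block, validates each HOME_NET entry as an IP address or CIDR, and flags a HOME_NET of any, a public range, or an EXTERNAL_NET that is not the complement of HOME_NET. The sample vars block, the regular expression and the function names are constructed for the example.

```python
import ipaddress
import re

# Constructed sample of the vars block in suricata.yaml (not from a real
# installation); it repeats the two lines the page says to change.
SAMPLE_VARS = """
vars:
  address-groups:
    HOME_NET: "[192.168.1.0/24]"
    EXTERNAL_NET: "!$HOME_NET"
"""
# Matches lines such as  HOME_NET: "[192.168.1.0/24]"  with or without quotes.
ADDR_GROUP_RE = re.compile(r'^\s*([A-Z][A-Z0-9_]*):\s*"?(.+?)"?\s*$')

def load_address_groups(text):
    """Extract NAME: value pairs from the address-groups block without PyYAML."""
    groups = {}
    for line in text.splitlines():
        m = ADDR_GROUP_RE.match(line)
        if m:
            groups[m.group(1)] = m.group(2)
    return groups

def parse_address_group(value):
    """Split '[10.0.0.0/8, !10.0.5.0/24]' into (negated, item) pairs; items are
    IPs, CIDRs, 'any' or $VAR references. Nested brackets are not handled."""
    value = value.strip()
    if value.startswith("[") and value.endswith("]"):
        value = value[1:-1]
    parts = (p.strip() for p in value.split(","))
    return [(p.startswith("!"), p.lstrip("!")) for p in parts if p]

def check_address_groups(groups):
    """Return findings for the HOME_NET / EXTERNAL_NET pair; an empty list is OK."""
    findings = []
    for negated, item in parse_address_group(groups.get("HOME_NET", "")):
        if item == "any":
            findings.append("HOME_NET is 'any': every host counts as internal, so rules scoped to HOME_NET match all traffic")
        elif not item.startswith("$"):  # $VAR references are resolved by Suricata itself
            try:
                net = ipaddress.ip_network(item, strict=False)
            except ValueError:
                findings.append(f"HOME_NET entry {item!r} is not a valid IP address or CIDR")
                continue
            if not negated and not net.is_private:
                findings.append(f"HOME_NET entry {item} is a public range; confirm it is really yours")
    if groups.get("EXTERNAL_NET", "").strip() != "!$HOME_NET":
        findings.append("EXTERNAL_NET should be '!$HOME_NET' so it is exactly the complement of HOME_NET")
    return findings
```

Run it against the vars block of your own suricata.yaml before starting Suricata; an empty list means the two variables look consistent.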

Installation with PPA

sudo add-apt-repository ppa:oisf/suricata-stable
sudo apt update
sudo apt install suricata jq

The dedicated PPA repository is added, and after updating the package index Suricata can be installed. We recommend installing the jq tool at this point because it helps display information from Suricata's EVE JSON output (explained later in this guide).

Test Suricata Against DDoS

Before starting, you will need to disable packet offload features (GRO and LRO) on the network interface on which Suricata is listening; otherwise the NIC merges incoming packets into larger segments and Suricata does not see the traffic as it appears on the wire.

First, install the ethtool package with the following command:

apt-get install ethtool -y

Next, disable packet offload with the following command:

ethtool -K eth0 gro off lro off

Next, run Suricata in NFQ mode, reading from NFQUEUE queue 0, with the following command. In this mode Suricata only inspects packets that an iptables or nftables NFQUEUE rule hands to that queue:

suricata -c /etc/suricata/suricata.yaml -q 0 &

Next, go to the remote system and perform a simple DDoS attack test against the Suricata server using the hping3 tool as shown below:

hping3 -S -p 80 --flood --rand-source your-server-ip

On the Suricata server, check the Suricata logs with the following command:

tail -f /var/log/suricata/fast.log

You should see output similar to the following:

09/17/2020-07:29:52.934009  [**] [1:2402000:5670] ET DROP Dshield Block Listed Source group 1 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 167.248.133.70:18656 -> your-server-ip:9407
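To work with the alerts the test produces rather than watch them scroll past, here is an added Python example (not from the page or the Suricata project) that parses fast.log lines in the format shown above and summarizes them; a random-source SYN flood shows up as many distinct sources hitting the same signature within the same second, which per-source counts alone would miss. The sample lines, the 10.0.0.5 server address and sid 1000001 are constructed for the example.

```python
import re
from collections import Counter
from datetime import datetime

# Suricata fast.log line layout (the page's sample line above follows it):
#   <timestamp>  [<action>] [**] [gid:sid:rev] <msg> [**] [Classification: ..] [Priority: N] {PROTO} src:port -> dst:port
# The "[Drop]" action token and the Classification field are optional.
FAST_LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?:\[(?P<action>[A-Za-z]+)\]\s+)?\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[^}]+)\}\s+(?P<src>\S+?):(?P<sport>\d+)\s+->\s+(?P<dst>\S+?):(?P<dport>\d+)\s*$"
)

# Constructed sample lines (not real captured output); 10.0.0.5 stands in for
# the Suricata server and sid 1000001 is a made-up local rule.
SAMPLE_FAST_LOG = [
    "09/17/2020-07:29:52.934009  [**] [1:2402000:5670] ET DROP Dshield Block Listed Source group 1 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 167.248.133.70:18656 -> 10.0.0.5:9407",
    "09/17/2020-07:29:52.940120  [**] [1:2402000:5670] ET DROP Dshield Block Listed Source group 1 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 198.51.100.23:40001 -> 10.0.0.5:80",
    "09/17/2020-07:29:52.951733  [Drop] [**] [1:1000001:1] LOCAL test signature [**] [Classification: Misc Attack] [Priority: 2] {TCP} 203.0.113.9:40002 -> 10.0.0.5:80",
    "09/17/2020-07:29:53.102000  [**] [1:2402000:5670] ET DROP Dshield Block Listed Source group 1 [**] [Priority: 2] {TCP} 198.51.100.23:40003 -> 10.0.0.5:80",
]

def parse_fast_log_line(line):
    """Return a dict of the line's fields, or None if it is not a fast.log alert."""
    m = FAST_LOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%m/%d/%Y-%H:%M:%S.%f")
    for key in ("gid", "sid", "rev", "prio", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec

def summarize(lines):
    """Aggregate alerts the way a flood shows up: total volume, how many
    distinct sources were involved, which signatures fired, and the busiest
    single second (random-source floods spread over many sources)."""
    recs = [r for r in map(parse_fast_log_line, lines) if r]
    per_second = Counter(r["ts"].replace(microsecond=0) for r in recs)
    return {
        "alerts": len(recs),
        "distinct_sources": len({r["src"] for r in recs}),
        "per_signature": Counter((r["sid"], r["msg"]) for r in recs),
        "peak_per_second": max(per_second.values(), default=0),
    }
```

Feed it the lines of /var/log/suricata/fast.log (for example with open(...).readlines()) to get the same summary for a real run.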

Related

Installing Suricata with Oinkmaster
Suricata:Konfigurasi Rules

Source

readthedocs.io: https://suricata.readthedocs.io/en/latest/quickstart.html
kifarunix.com: https://kifarunix.com/install-and-setup-suricata-on-ubuntu-22-04-ubuntu-20-04/
emergingthreats.net: http://rules.emergingthreats.net/open/suricata/

Categories: Server, Security, Software