Suricata plus ELK for analysing the full traffic at the data-centre ingress

Suricata is an intrusion detection engine much like Snort; combined with the graphical front end of ELK it produces very good-looking results.

The idea is simple: Suricata's logs are shipped into ELK, so they can be analysed in Kibana.

Environment:

1. The physical host needs 16 GB of RAM and 16 CPUs, and even that is barely enough.
2. On the physical host 172.18.30.2, br3 is connected to the switch's mirror port, so a copy of all inbound traffic is mirrored onto it.
3. suricata-18-31-31 is a VM; br3 from 30.2 has to be attached to it.

virsh attach-interface --domain suricata-18-31-31 --type bridge --source br3 --model e1000 --config --live
Then, inside 31.31, bring the NIC up: ifconfig eth1 up
tcpdump -i eth1 should now show packets; that is all that is needed.

4. First install Java

rpm -ivh jdk-8u201-linux-x64.rpm

Installation: I. Build and install Suricata from source

yum -y install epel-release

yum -y install jq cargo openssl-devel PyYAML lz4-devel gcc libpcap-devel pcre-devel libyaml-devel file-devel zlib-devel jansson-devel nss-devel libcap-ng-devel libnet-devel tar make libnetfilter_queue-devel lua-devel GeoIP-devel

wget https://www.openinfosecfoundation.org/download/suricata-4.1.8.tar.gz
tar zxvf suricata-4.1.8.tar.gz
cd suricata-4.1.8
./configure --libdir=/usr/lib64 --prefix=/usr --sysconfdir=/etc --localstatedir=/var --enable-nfqueue --enable-lua --enable-geoip --enable-profiling
make
make install-full

Verify:
suricata -V
This is Suricata version 4.1.8 RELEASE

Show the build parameters:
suricata --build-info

That completes the Suricata install (make install-full also puts the config in place and runs suricata-update once). Note that --enable-profiling is a debugging build option with a measurable performance cost, which matters on a sensor that is already short of CPU. suricata-update still needs to be set up: the rules are what matters most, and once everything is installed they are best updated daily. After each update Suricata has to reload its rule set (a live rule reload, or a restart), otherwise the new rules are on disk but not in use.

suricata-update update-sources
suricata-update list-sources

suricata-update enable-source ptresearch/attackdetection
suricata-update enable-source oisf/trafficid
suricata-update enable-source sslbl/ssl-fp-blacklist

suricata-update

Other suricata-update commands:

suricata-update list-enabled-sources
suricata-update disable-source et/pro
suricata-update remove-source et/pro

Test the configuration and rules (no capture is started):

suricata -T

The parts of /etc/suricata/suricata.yaml that were changed:

HOME_NET: "[43.231.149.0/25]"
outputs was changed:
outputs:
app-layer was changed:
app-layer:

See the suricata.yaml in the attachment for the details.

Start it:

/usr/bin/suricata -c /etc/suricata/suricata.yaml -i eth1 -D
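What ends up in /var/log/suricata/eve.json once Suricata is running with the EVE output enabled, and how HOME_NET shapes it, as an added example in Python that is not from the original post, from Suricata or from synesis_lite_suricata. It parses constructed EVE records (the addresses, ports, byte counts and signature fields are invented sample values), classifies each record against the post's HOME_NET with EXTERNAL_NET assumed at Suricata's default of !$HOME_NET, skips the partially written line a live reader sees while Suricata is mid-write, aggregates alerts per signature and bytes per src/dest pair the way the dashboards do, and flags records where neither side is in HOME_NET. That last group matters on a mirror port: if the mirror also carries traffic for prefixes outside HOME_NET, it is logged as flows, but rules written as $EXTERNAL_NET -> $HOME_NET never fire on it.

```python
"""Added example (not from the original post, Suricata or synesis_lite_suricata):
parse Suricata EVE JSON, classify records against HOME_NET and aggregate them.
HOME_NET is the post's value; EXTERNAL_NET is assumed to be the default !$HOME_NET.
All EVE records below are constructed sample data."""
import ipaddress
import json
from collections import Counter, defaultdict

HOME_NET = [ipaddress.ip_network("43.231.149.0/25")]

# Constructed EVE records, one JSON object per line as Suricata writes them.
# The last line imitates a record Suricata has not finished writing yet.
SAMPLE_EVE = """\
{"timestamp":"2020-05-01T10:00:01.000000+0800","flow_id":1,"event_type":"alert","src_ip":"203.0.113.10","src_port":44321,"dest_ip":"43.231.149.20","dest_port":22,"proto":"TCP","alert":{"signature_id":2001219,"rev":20,"signature":"ET SCAN Potential SSH Scan","category":"Attempted Information Leak","severity":2}}
{"timestamp":"2020-05-01T10:00:02.000000+0800","flow_id":2,"event_type":"alert","src_ip":"203.0.113.11","src_port":51000,"dest_ip":"43.231.149.21","dest_port":22,"proto":"TCP","alert":{"signature_id":2001219,"rev":20,"signature":"ET SCAN Potential SSH Scan","category":"Attempted Information Leak","severity":2}}
{"timestamp":"2020-05-01T10:00:03.000000+0800","flow_id":3,"event_type":"alert","src_ip":"43.231.149.30","src_port":40000,"dest_ip":"198.51.100.5","dest_port":4444,"proto":"TCP","alert":{"signature_id":2100498,"rev":7,"signature":"GPL ATTACK_RESPONSE id check returned root","category":"Potentially Bad Traffic","severity":1}}
{"timestamp":"2020-05-01T10:00:04.000000+0800","flow_id":1,"event_type":"flow","src_ip":"203.0.113.10","src_port":44321,"dest_ip":"43.231.149.20","dest_port":22,"proto":"TCP","flow":{"pkts_toserver":10,"pkts_toclient":8,"bytes_toserver":1200,"bytes_toclient":900}}
{"timestamp":"2020-05-01T10:00:05.000000+0800","flow_id":4,"event_type":"flow","src_ip":"203.0.113.50","src_port":53012,"dest_ip":"192.0.2.7","dest_port":80,"proto":"TCP","flow":{"pkts_toserver":50,"pkts_toclient":60,"bytes_toserver":5000,"bytes_toclient":70000}}
{"timestamp":"2020-05-01T10:00:06.000000+0800","flow_id":5,"event_type":"dns","src_ip":"43.231.149.40","src_port":5353,"dest_ip":"198.51.100.53","dest_port":53,"proto":"UDP","dns":{"type":"query","rrname":"example.com","rrtype":"A"}}
{"timestamp":"2020-05-01T10:00:07.000000+0800","flow_id":6,"event_type":"flow","src_ip":"203.0.113.60"
"""


def in_home_net(ip):
    """True if ip falls inside any HOME_NET prefix."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in HOME_NET)


def direction(rec):
    """How a rule header sees the record: inbound ($EXTERNAL_NET -> $HOME_NET),
    outbound ($HOME_NET -> $EXTERNAL_NET), internal or external (no end in HOME_NET)."""
    src_home, dst_home = in_home_net(rec["src_ip"]), in_home_net(rec["dest_ip"])
    if src_home and dst_home:
        return "internal"
    if src_home:
        return "outbound"
    if dst_home:
        return "inbound"
    return "external"


def parse_eve(text):
    """Return (records, skipped). Malformed lines are counted and skipped, not fatal:
    eve.json is normally read while Suricata is still appending to it."""
    records, skipped = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            skipped += 1
            continue
        rec["direction"] = direction(rec)
        records.append(rec)
    return records, skipped


def summarize(records):
    """Aggregate like the dashboards: alerts per signature and per source,
    bytes per src/dest pair from flow records, records per direction."""
    alerts_by_signature, alerts_by_src, by_direction = Counter(), Counter(), Counter()
    bytes_by_pair = defaultdict(int)
    for rec in records:
        by_direction[rec["direction"]] += 1
        if rec["event_type"] == "alert":
            a = rec["alert"]
            alerts_by_signature[(a["signature_id"], a["signature"], a["severity"])] += 1
            alerts_by_src[rec["src_ip"]] += 1
        elif rec["event_type"] == "flow":
            f = rec["flow"]
            bytes_by_pair[(rec["src_ip"], rec["dest_ip"])] += f["bytes_toserver"] + f["bytes_toclient"]
    return {"alerts_by_signature": alerts_by_signature, "alerts_by_src": alerts_by_src,
            "bytes_by_pair": dict(bytes_by_pair), "by_direction": by_direction}


def external_only(records):
    """Records with neither endpoint in HOME_NET. A mirror port that also copies
    traffic for other prefixes logs these as flows, but $EXTERNAL_NET -> $HOME_NET
    rules never match them; if they matter, widen HOME_NET."""
    return [r for r in records if r["direction"] == "external"]


if __name__ == "__main__":
    recs, bad = parse_eve(SAMPLE_EVE)
    summary = summarize(recs)
    print(f"{len(recs)} records parsed, {bad} malformed line(s) skipped")
    for (sid, sig, sev), n in summary["alerts_by_signature"].most_common():
        print(f"alert sid={sid} severity={sev} count={n} {sig}")
    for (src, dst), nbytes in sorted(summary["bytes_by_pair"].items(), key=lambda kv: -kv[1]):
        print(f"flow {src} -> {dst} {nbytes} bytes")
    print("by direction:", dict(summary["by_direction"]))
    print("flows entirely outside HOME_NET:", [r["flow_id"] for r in external_only(recs)])
```

Run as a script it prints the summary for the constructed data; to use it on the sensor, read /var/log/suricata/eve.json and pass its contents to parse_eve in place of SAMPLE_EVE. Any flow_id reported as entirely outside HOME_NET is a prefix the mirror sees but the rule set does not protect.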

II. Install ELK (from the Elastic RPM repository, not from source)

rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch

cat <<EOF | sudo tee /etc/yum.repos.d/elasticsearch.repo
[elasticsearch-7.x]
name=Elasticsearch repository for 7.x packages
baseurl=https://artifacts.elastic.co/packages/7.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md
EOF

yum clean all
yum makecache

yum install -y elasticsearch logstash kibana filebeat

When installing, it is best to go through a proxy, otherwise downloading these packages is extremely slow.

Then configure them one by one.

1. Configure Elasticsearch
vi /etc/elasticsearch/jvm.options
-Xms4g
-Xmx4g
vi /etc/elasticsearch/elasticsearch.yml
indices.query.bool.max_clause_count: 8192
search.max_buckets: 250000

systemctl enable --now elasticsearch

2. Configure Logstash
Move the synlite_suricata/ directory from the attachment's logstash directory, as a whole, into /etc/logstash:
/etc/logstash/synlite_suricata/

Copy pipelines.yml from the attachment's logstash directory into /etc/logstash:
/etc/logstash/pipelines.yml

Copy logstash.service from the attachment's logstash directory over /etc/systemd/system/logstash.service:
/etc/systemd/system/logstash.service

vi /etc/logstash/jvm.options
-Xms4g
-Xmx4g

systemctl daemon-reload
systemctl enable --now logstash

3. Configure Filebeat
vi /etc/filebeat/filebeat.yml
filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /var/log/suricata/eve.json
  fields:
    event.type: suricata

output.logstash:
  hosts: ["127.0.0.1:5044"]
  #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
  #ssl.certificate: "/etc/pki/client/cert.pem"
  #ssl.key: "/etc/pki/client/cert.key"

systemctl enable --now filebeat

4. Configure Kibana
vi /etc/kibana/kibana.yml
server.host: "172.18.31.31"

systemctl enable --now kibana

Once everything is running, open http://172.18.31.31:5601.

Barring surprises, data should already be arriving. An index pattern matching suricata* needs to be created.

Go to Kibana's Home -> Stack Management (Saved Objects -> Import)

and import synlite_suricata.kibana.7.1.x.json:

https://github.com/robcowart/synesis_lite_suricata/blob/master/kibana/synlite_suricata.kibana.7.1.x.json

The dashboards then show up under Dashboard.

They give a clear view of the individual IP flows and of the overall traffic distribution.

