0x01 需求描述
需要一个旧版本 Suricata 的规则测试环境，要求轻量部署、方便移植，并能查看检测结果及历史记录；参考《Suricata+ELK（Docker 化部署）数据展示》搭建一台单机测试环境（CentOS 7 + Suricata 4.1.3）。注意：4.1.x 已停止维护，此环境只用于隔离网段内的规则验证，不应作为面向不可信流量的生产探针。
0x02 基础环境
1. 系统组件
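# Install directory: /root/suricata_vulnTest
# Everything below runs as root, so the original `sudo` prefixes were redundant and are dropped.

# EPEL provides several of the -devel packages Suricata 4.1.x needs.
yum install -y epel-release

# Build dependencies for Suricata 4.1.3 (rustc/cargo are listed because the
# 4.1 configure script can pick them up for its Rust-based parsers).
yum install -y gcc libpcap-devel pcre-devel libyaml-devel file-devel zlib-devel \
  jansson-devel nss-devel libcap-ng-devel libnet-devel tar make \
  libnetfilter_queue-devel lua-devel PyYAML libmaxminddb-devel rustc cargo lz4-devel

# One-shot clock sync. Alert @timestamp values in Kibana come from this clock, so for
# anything longer than a quick test prefer a running chronyd/ntpd over a single ntpdate.
ntpdate cn.pool.ntp.org && date

# WARNING: this turns the host firewall off completely. Kibana (5601) and, depending on the
# compose file, Elasticsearch/Logstash ports then become reachable from the whole network with
# no authentication configured anywhere in this guide. Acceptable only on an isolated lab
# segment; otherwise keep firewalld and open just 5601/tcp:
#   firewall-cmd --permanent --add-port=5601/tcp && firewall-cmd --reload
systemctl stop firewalld.service && systemctl disable firewalld.service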
2. 依赖组件
docker
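# Docker CE from the Aliyun mirror of the official docker-ce repo.
yum install -y yum-utils device-mapper-persistent-data lvm2
yum-config-manager --add-repo https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
yum install -y docker-ce

# Registry mirror for faster image pulls in CN.
# NOTE(review): every image below (elasticsearch/logstash/kibana 7.5.1) is fetched through this
# third-party mirror rather than Docker Hub directly; the account-style host name suggests a
# per-user mirror endpoint. Pin images by digest (image@sha256:...) in docker-compose.yml if
# you need the pulled content to be verifiable independent of the mirror.
mkdir -p /etc/docker
tee /etc/docker/daemon.json <<'EOF'
{
  "registry-mirrors": ["https://780urbjd.mirror.aliyuncs.com"]
}
EOF

systemctl start docker && systemctl enable docker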
docker-compose
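# docker-compose 1.24.0, downloaded from a third-party mirror (get.daocloud.io), not from
# the docker/compose release itself.
compose_ver=1.24.0
# -f: fail on HTTP errors instead of saving an HTML error page as the "binary";
# $(...) instead of backticks for the uname substitutions.
curl -fL "https://get.daocloud.io/docker/compose/releases/download/${compose_ver}/docker-compose-$(uname -s)-$(uname -m)" \
  -o /usr/local/bin/docker-compose

# Supply-chain check: the mirror is not the publisher. Compare this digest with the checksum
# published alongside the same asset on the upstream GitHub release before trusting the binary.
sha256sum /usr/local/bin/docker-compose

chmod +x /usr/local/bin/docker-compose
# -f so re-running the step does not fail on an existing symlink.
ln -sf /usr/local/bin/docker-compose /usr/bin/docker-compose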
3. 运行组件
suricata
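# Build Suricata 4.1.3 from source.
# NOTE(review): 4.1.x is an end-of-life branch, used here only because the rule set under test
# targets it. Keep this host off untrusted networks; do not reuse it as a production sensor.
suricata_ver=4.1.3
wget "https://openinfosecfoundation.org/download/suricata-${suricata_ver}.tar.gz"

# Verify the tarball before building: compare this digest with the checksum / signature OISF
# publishes for the release instead of trusting the download on its own.
sha256sum "suricata-${suricata_ver}.tar.gz"

tar -xvzf "suricata-${suricata_ver}.tar.gz"
cd "suricata-${suricata_ver}" || exit 1

# install-full also fetches and installs the default rule set, so this step needs network access.
./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var --enable-nfqueue --enable-lua \
  && make \
  && make install-full \
  && ldconfig \
  && suricata --build-info

# Point the engine at the lab rule directory. Edit /etc/suricata/suricata.yaml and set:
#   default-rule-path: /root/suricata_vulnTest/rules
vim /etc/suricata/suricata.yaml

# Run the config self-test AFTER the edit so the new rule path is what gets validated
# (running -T before the edit only checks the stock configuration).
suricata -T -c /etc/suricata/suricata.yaml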
hack.rules
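# Confirm the EVE JSON log exists; this is the file the Filebeat step below ships to Logstash.
ls /var/log/suricata/eve.json

# Turn off GRO/LRO on the capture NIC so Suricata sees packets as they were on the wire
# rather than kernel-coalesced segments (eth0 = the interface given to `suricata -i`).
ethtool -K eth0 gro off lro off

# --- elk ---
docker pull logstash:7.5.1 && docker pull kibana:7.5.1 && docker pull elasticsearch:7.5.1

# The Elasticsearch container must be able to write its data directory. Give it to the uid the
# container runs as instead of making the directory world-writable (chmod -R 777): the official
# image is documented to run as uid 1000 — confirm with `docker exec <es-container> id` and
# adjust the uid here if your compose file overrides `user:`.
chown -R 1000:1000 /root/suricata_vulnTest/elasticsearch/data

# NOTE(review): the compose file is started from .../envi here but from /root/suricata_vulnTest
# in the "开机自启" step; use whichever directory actually holds docker-compose.yml.
cd /root/suricata_vulnTest/envi && docker-compose up -d && docker ps
# If the logstash container does not come up, insufficient memory is the most likely cause.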
filebeat
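# Filebeat 7.5.1 (rpm). Check the .sha512 published next to the rpm on artifacts.elastic.co
# before installing; the rpm is not GPG-verified here because the Elastic key is not imported.
filebeat_ver=7.5.1
wget "https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-${filebeat_ver}-x86_64.rpm"
sha512sum "filebeat-${filebeat_ver}-x86_64.rpm"
rpm -ivh "filebeat-${filebeat_ver}-x86_64.rpm"

# Filebeat refuses to load a config that is writable by group/other, hence go-w.
chmod go-w /root/suricata_vulnTest/synesis_lite_suricata-1.1.0/filebeat/filebeat.yml

# Unit file. Written to /etc/systemd/system rather than /lib/systemd/system: a unit in /etc
# takes precedence over the rpm-installed one and survives a package upgrade, whereas editing
# the /lib copy in place is silently undone by the next `rpm -U`.
# ExecStart must be an absolute path on CentOS 7's systemd (219): `ExecStart=filebeat ...`
# is rejected with "Executable path is not absolute". /usr/share/filebeat/bin/filebeat is
# where the rpm places the binary — confirm with `rpm -ql filebeat | grep bin/`.
# NOTE(review): the service runs as root because the config and logs live under /root; for
# anything beyond a lab, move them out of /root and run Filebeat as an unprivileged user.
cat > /etc/systemd/system/filebeat.service <<'EOF'
[Unit]
Description=Filebeat sends log files to Logstash or directly to Elasticsearch.
Documentation=https://www.elastic.co/products/beats/filebeat
Wants=network-online.target
After=network-online.target

[Service]
User=root
ExecStart=/usr/share/filebeat/bin/filebeat -e -c /root/suricata_vulnTest/synesis_lite_suricata-1.1.0/filebeat/filebeat.yml
Restart=always

[Install]
WantedBy=multi-user.target
EOF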
0x03 运行测试
1. 开机自启
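# Bring the ELK stack up. NOTE(review): the elk step ran compose from
# /root/suricata_vulnTest/envi, not /root/suricata_vulnTest; use the directory that holds
# docker-compose.yml. For the containers to survive the reboot below, the compose services
# need `restart: always` (or unless-stopped) — verify this in the compose file.
cd /root/suricata_vulnTest && docker-compose up -d

# Pick up the new/edited unit file, then start and enable Filebeat.
systemctl daemon-reload && systemctl start filebeat && systemctl enable filebeat

# Reboot to prove both come back on their own.
reboot

# After the reboot: `pgrep -a` instead of `ps -ef | grep`, which also matches the grep itself.
pgrep -a filebeat && docker ps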
2. 配置界面
配置数据源
打开 http://<ip>:5601 → Discover：创建索引模式 `suricata*`，时间字段选择 `@timestamp`；Management → Saved Objects → Import，导入 `synlite_suricata.dashboards.json`。注意：按本文配置，Kibana 以明文 HTTP 直接暴露且未配置任何登录认证（前文已关闭 firewalld），只应在隔离的测试网段访问。
3. 监控测试
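# 1. Add / edit the rules under test.
vim /root/suricata_vulnTest/hack.rules
# Validate before going live: a broken signature in hack.rules otherwise only surfaces as an
# error line in the startup log while the rest of the engine keeps running.
suricata -T -c /etc/suricata/suricata.yaml

# 2. Feed traffic — either sniff the interface live (add -D to daemonize) ...
suricata -c /etc/suricata/suricata.yaml -i eth0 -v
# ... or replay a capture file. Offline replay is repeatable and keeps the ELK/Kibana traffic
# on eth0 out of the test, so prefer it when comparing rule revisions.
suricata -c /etc/suricata/suricata.yaml -r data.pcap -v

# 3. Watch alerts: fast.log for a quick look on the host; the same alerts appear in Kibana
#    (http://<ip>:5601) once Filebeat has shipped eve.json.
tail -f /var/log/suricata/fast.log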
在 Kibana 页面上开启自动刷新（auto-refresh），观察告警更方便。
0x04 参考引用
---The END---