Suricata IDS am Switch: Unterschied zwischen den Versionen

Aus Xinux Wiki
Zur Navigation springen Zur Suche springen
(Die Seite wurde neu angelegt: „=Suricata Konfiguration= *cat /etc/suricata/suricata.yaml <pre> %YAML 1.1 --- # Variablen für die Adressgruppen festlegen vars: address-groups: LAN: "[…“)
 
 
(2 dazwischenliegende Versionen desselben Benutzers werden nicht angezeigt)
Zeile 1: Zeile 1:
 +
=Idee=
 +
;Managment Schnittstelle
 +
enp0s3
 +
;SniffingSchnittstelle
 +
enp0s8
 +
=Netzwerk=
 +
*cat /etc/network/interfaces
 +
<pre>
 +
# This file describes the network interfaces available on your system
 +
# and how to activate them. For more information, see interfaces(5).
 +
 +
source /etc/network/interfaces.d/*
 +
 +
auto lo
 +
iface lo inet loopback
 +
 +
auto enp0s8
 +
iface enp0s8 inet manual
 +
post-up ip link set enp0s8 promisc on
 +
post-up ethtool -K enp0s8 gro off lro off tso off gso off
 +
 +
auto enp0s3
 +
iface enp0s3 inet static
 +
address 192.168.16.99/24
 +
gateway 192.168.16.1
 +
</pre>
 
=Suricata Konfiguration=
 
=Suricata Konfiguration=
 
*cat  /etc/suricata/suricata.yaml
 
*cat  /etc/suricata/suricata.yaml
 
<pre>
 
<pre>
 +
*cat /etc/resolv.conf
 +
search sec-labs.de
 +
nameserver 1.1.1.1
 +
*cat /etc/hostname
 +
ids.sec-labs.de
 +
 +
 
%YAML 1.1
 
%YAML 1.1
 
---
 
---
Zeile 112: Zeile 145:
 
reference-config-file: /etc/suricata/reference.config
 
reference-config-file: /etc/suricata/reference.config
 
</pre>
 
</pre>
 +
=Eigene Regeln=
 +
*cat /etc/suricata/rules/local.rules
 +
<pre>
 +
# ICMP: einfacher Ping/Traceroute (schneller Funktionstest)
 +
# Test: ping -c1 <ZIEL>
 +
alert icmp any any -> any any (msg:"ICMP Test"; classtype:misc-activity; sid:41;)
 +
 +
# HTTP: mögliches Command-Injection-Merkmal (Semikolon) in POST-Body
 +
# Test: curl -X POST http://<ZIEL>/ -d "q=test%3Bls"
 +
alert http any any -> any any (msg:"Command Injection - Semicolon in POST DATA"; classtype:web-application-attack; flow:established; content:"%3B"; nocase; http_client_body; sid:2;)
 +
 +
# HTTP: mögliches SQLi-Merkmal (einfaches Hochkomma) in POST-Body
 +
# Test: curl -X POST http://<ZIEL>/login -d "u=a&p='%20OR%201=1"
 +
alert http any any -> any any (msg:"Possible SQL Injection (singlequote in POST)"; classtype:web-application-attack; flow:established,to_server; content:"%27"; nocase; http_client_body; sid:3;)
 +
 +
# DNS: Policy – verbietet "google" in DNS-Queries
 +
# Test: dig google.com @<FW>
 +
alert dns any any -> any any (msg:"Kein Googlen"; dns.query; content:"google"; nocase; classtype:policy-violation; sid:43;)
 +
 +
# DoS: viele identische kurze HTTP-GETs (LOIC-ähnlich)
 +
# Test: ab -n 1000 -c 500 http://<ZIEL>/
 +
alert tcp any any -> any any (msg:"ET DOS Terse HTTP GET Likely LOIC"; flow:to_server,established; dsize:18; content:"GET / HTTP/1.1|0d 0a 0d 0a|"; depth:18; threshold:type both,track by_dst,count 500,seconds 60; classtype:own-dos; sid:54; rev:2; metadata:created_at 2014_10_03, confidence Medium, signature_severity Major, updated_at 2019_07_26;)
 +
 +
# Scan: TCP SYN-Sweep (viele SYN in kurzer Zeit)
 +
# Test: nmap -sS -p1-100 <ZIEL>
 +
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"OWN SCAN TCP SYN sweep"; flow:stateless,to_server; flags:S; detection_filter:track by_src,count 20,seconds 5; classtype:attempted-recon; sid:60; rev:1;)
 +
 +
# Scan: TCP NULL-Scan (keine Flags gesetzt)
 +
# Test: nmap -sN -p1-100 <ZIEL>
 +
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"OWN SCAN TCP NULL scan"; flow:stateless,to_server; flags:0; detection_filter:track by_src,count 5,seconds 10; classtype:attempted-recon; sid:61; rev:1;)
 +
 +
# Scan: TCP FIN-Scan (nur FIN)
 +
# Test: nmap -sF -p1-100 <ZIEL>
 +
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"OWN SCAN TCP FIN scan"; flow:stateless,to_server; flags:F; detection_filter:track by_src,count 5,seconds 10; classtype:attempted-recon; sid:62; rev:1;)
 +
 +
# Scan: TCP XMAS-Scan (FIN+PSH+URG)
 +
# Test: nmap -sX -p1-100 <ZIEL>
 +
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"OWN SCAN TCP XMAS scan"; flow:stateless,to_server; flags:FPU; detection_filter:track by_src,count 5,seconds 10; classtype:attempted-recon; sid:63; rev:1;)
 +
 +
# Scan: UDP-Sweep mit leerer Payload
 +
# Test: nmap -sU --min-rate=1000 <ZIEL>
 +
alert udp $EXTERNAL_NET any -> $HOME_NET 1:65535 (msg:"OWN SCAN UDP sweep (empty probes)"; flow:to_server; dsize:0; detection_filter:track by_src,count 15,seconds 10; classtype:attempted-recon; sid:64; rev:1;)
 +
 +
# Scan: ICMP Ping-Sweep (viele Echo-Requests)
 +
# Test: nmap -sn <NETZ>/24
 +
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"OWN SCAN ICMP ping sweep"; itype:8; detection_filter:track by_src,count 10,seconds 5; classtype:attempted-recon; sid:65; rev:1;)
 +
# --- ICMP Flood / Ping Flood (klassischer DDos) ---
 +
alert icmp any any -> $HOME_NET any (msg:"ICMP Flood Potential Detected"; threshold: type both, track by_dst, count 100, seconds 10; sid:1000001; rev:1;)
 +
 +
# --- UDP Flood ---
 +
alert udp any any -> $HOME_NET any (msg:"UDP Flood Potential Detected"; threshold: type both, track by_dst, count 200, seconds 5; sid:1000002; rev:1;)
 +
 +
# --- TCP SYN Flood (Sehr häufiger DDos-Typ) ---
 +
alert tcp any any -> $HOME_NET any (flags:S; msg:"TCP SYN Flood Potential Detected"; threshold: type both, track by_dst, count 150, seconds 10; sid:1000003; rev:1;)
 +
 +
# --- HTTP Flood (Layer 7 Attacke) ---
 +
alert http any any -> $HOME_NET any (msg:"HTTP Flood Potential Detected"; threshold: type both, track by_dst, count 300, seconds 10; sid:1000004; rev:1;)
 +
 +
# --- DNS Amplification / große DNS Antworten ---
 +
alert udp any 53 -> $HOME_NET any (msg:"Possible DNS Amplification Attack"; dnsize: > 512; threshold: type both, track by_src, count 50, seconds 5; sid:1000005; rev:1;)
 +
 +
# --- (Optional) Einfacher "Hello World" Treffer für Tests ---
 +
alert tcp any any -> $HOME_NET any (msg:"TEST - SSH Connection Attempt"; content:"SSH"; nocase; sid:1000006; rev:1;)
 +
</pre>
 +
=Starten=
 +
*systemctl enable suricata --now

Aktuelle Version vom 23. Februar 2026, 19:32 Uhr

Idee

Managment Schnittstelle

enp0s3

SniffingSchnittstelle

enp0s8

Netzwerk

  • cat /etc/network/interfaces
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

source /etc/network/interfaces.d/*

auto lo
iface lo inet loopback

auto enp0s8
iface enp0s8 inet manual
 post-up ip link set enp0s8 promisc on
 post-up ethtool -K enp0s8 gro off lro off tso off gso off

auto enp0s3
iface enp0s3 inet static
 address 192.168.16.99/24
 gateway 192.168.16.1

Suricata Konfiguration

  • cat /etc/suricata/suricata.yaml
*cat /etc/resolv.conf 
 search sec-labs.de
 nameserver 1.1.1.1
*cat /etc/hostname 
 ids.sec-labs.de


%YAML 1.1
---
# Variablen für die Adressgruppen festlegen
vars:
  address-groups:
    LAN: "[172.17.113.0/24]"
    DMZ: "[10.88.113.0/24]"
    SERVER: "[172.16.113.0/24]"
    INT: "[$LAN,$DMZ,$SERVER]"
    HOME_NET: "$INT"
    EXTERNAL_NET: "!$INT"

# Standard-Log-Verzeichnis
default-log-dir: /var/log/suricata/

# Statistiken aktivieren
stats:
  enabled: yes
  interval: 8

# Ausgaben konfigurieren
outputs:
  - fast:
      enabled: yes
      filename: fast.log
      append: yes
  - alert-debug:
      enabled: yes
      filename: alert-debug.log
      append: yes
  - stats:
      enabled: yes
      filename: stats.log
      append: yes
      totals: yes
      threads: no
  - eve-log:
      enabled: yes
      filename: eve.json
      types:
        - alert
        - dns
        - http
        - tls
        - flow
        - ssh
        - stats

        # Logging-Einstellungen
logging:
  default-log-level: notice
  outputs:
  - console:
      enabled: yes
  - file:
      enabled: yes
      level: info
      filename: suricata.log

# Netzwerkschnittstellen konfigurieren
af-packet:
  - interface: enp0s8
    threads: auto
    cluster-id: 98
    cluster-type: cluster_flow
    defrag: yes


# PID-Datei
pid-file: /var/run/suricata.pid

# Coredump-Einstellungen
coredump:
  max-dump: unlimited

# Host-Modus
host-mode: auto

# Unix-Befehlseingabe konfigurieren
unix-command:
  enabled: yes
  filename: /var/run/suricata-command.socket

# Engine-Analyse-Einstellungen
engine-analysis:
  rules-fast-pattern: yes
  rules: yes

# Defragmentierungseinstellungen
defrag:
  memcap: 32mb
  hash-size: 65536
  trackers: 65535
  max-frags: 65535
  prealloc: yes
  timeout: 60

# Standardregelverzeichnis
default-rule-path: /etc/suricata/rules

# Regel-Dateien
rule-files:
  - local.rules

# Klassifikationsdatei
classification-file: /etc/suricata/classification.config

# Referenzkonfigurationsdatei
reference-config-file: /etc/suricata/reference.config

Eigene Regeln

  • cat /etc/suricata/rules/local.rules
# ICMP: einfacher Ping/Traceroute (schneller Funktionstest)
# Test: ping -c1 <ZIEL>
alert icmp any any -> any any (msg:"ICMP Test"; classtype:misc-activity; sid:41;)

# HTTP: mögliches Command-Injection-Merkmal (Semikolon) in POST-Body
# Test: curl -X POST http://<ZIEL>/ -d "q=test%3Bls"
alert http any any -> any any (msg:"Command Injection - Semicolon in POST DATA"; classtype:web-application-attack; flow:established; content:"%3B"; nocase; http_client_body; sid:2;)

# HTTP: mögliches SQLi-Merkmal (einfaches Hochkomma) in POST-Body
# Test: curl -X POST http://<ZIEL>/login -d "u=a&p='%20OR%201=1"
alert http any any -> any any (msg:"Possible SQL Injection (singlequote in POST)"; classtype:web-application-attack; flow:established,to_server; content:"%27"; nocase; http_client_body; sid:3;)

# DNS: Policy – verbietet "google" in DNS-Queries
# Test: dig google.com @<FW>
alert dns any any -> any any (msg:"Kein Googlen"; dns.query; content:"google"; nocase; classtype:policy-violation; sid:43;)

# DoS: viele identische kurze HTTP-GETs (LOIC-ähnlich)
# Test: ab -n 1000 -c 500 http://<ZIEL>/
alert tcp any any -> any any (msg:"ET DOS Terse HTTP GET Likely LOIC"; flow:to_server,established; dsize:18; content:"GET / HTTP/1.1|0d 0a 0d 0a|"; depth:18; threshold:type both,track by_dst,count 500,seconds 60; classtype:own-dos; sid:54; rev:2; metadata:created_at 2014_10_03, confidence Medium, signature_severity Major, updated_at 2019_07_26;)

# Scan: TCP SYN-Sweep (viele SYN in kurzer Zeit)
# Test: nmap -sS -p1-100 <ZIEL>
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"OWN SCAN TCP SYN sweep"; flow:stateless,to_server; flags:S; detection_filter:track by_src,count 20,seconds 5; classtype:attempted-recon; sid:60; rev:1;)

# Scan: TCP NULL-Scan (keine Flags gesetzt)
# Test: nmap -sN -p1-100 <ZIEL>
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"OWN SCAN TCP NULL scan"; flow:stateless,to_server; flags:0; detection_filter:track by_src,count 5,seconds 10; classtype:attempted-recon; sid:61; rev:1;)

# Scan: TCP FIN-Scan (nur FIN)
# Test: nmap -sF -p1-100 <ZIEL>
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"OWN SCAN TCP FIN scan"; flow:stateless,to_server; flags:F; detection_filter:track by_src,count 5,seconds 10; classtype:attempted-recon; sid:62; rev:1;)

# Scan: TCP XMAS-Scan (FIN+PSH+URG)
# Test: nmap -sX -p1-100 <ZIEL>
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"OWN SCAN TCP XMAS scan"; flow:stateless,to_server; flags:FPU; detection_filter:track by_src,count 5,seconds 10; classtype:attempted-recon; sid:63; rev:1;)

# Scan: UDP-Sweep mit leerer Payload
# Test: nmap -sU --min-rate=1000 <ZIEL>
alert udp $EXTERNAL_NET any -> $HOME_NET 1:65535 (msg:"OWN SCAN UDP sweep (empty probes)"; flow:to_server; dsize:0; detection_filter:track by_src,count 15,seconds 10; classtype:attempted-recon; sid:64; rev:1;)

# Scan: ICMP Ping-Sweep (viele Echo-Requests)
# Test: nmap -sn <NETZ>/24
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"OWN SCAN ICMP ping sweep"; itype:8; detection_filter:track by_src,count 10,seconds 5; classtype:attempted-recon; sid:65; rev:1;)
# --- ICMP Flood / Ping Flood (klassischer DDos) ---
alert icmp any any -> $HOME_NET any (msg:"ICMP Flood Potential Detected"; threshold: type both, track by_dst, count 100, seconds 10; sid:1000001; rev:1;)

# --- UDP Flood ---
alert udp any any -> $HOME_NET any (msg:"UDP Flood Potential Detected"; threshold: type both, track by_dst, count 200, seconds 5; sid:1000002; rev:1;)

# --- TCP SYN Flood (Sehr häufiger DDos-Typ) ---
alert tcp any any -> $HOME_NET any (flags:S; msg:"TCP SYN Flood Potential Detected"; threshold: type both, track by_dst, count 150, seconds 10; sid:1000003; rev:1;)

# --- HTTP Flood (Layer 7 Attacke) ---
alert http any any -> $HOME_NET any (msg:"HTTP Flood Potential Detected"; threshold: type both, track by_dst, count 300, seconds 10; sid:1000004; rev:1;)

# --- DNS Amplification / große DNS Antworten ---
alert udp any 53 -> $HOME_NET any (msg:"Possible DNS Amplification Attack"; dnsize: > 512; threshold: type both, track by_src, count 50, seconds 5; sid:1000005; rev:1;)

# --- (Optional) Einfacher "Hello World" Treffer für Tests ---
alert tcp any any -> $HOME_NET any (msg:"TEST - SSH Connection Attempt"; content:"SSH"; nocase; sid:1000006; rev:1;)

Starten

  • systemctl enable suricata --now
Abgerufen von „http://wiki.ixheim.de/index.php?title=Suricata_IDS_am_Switch&oldid=67186