Suricata IDS am Switch Ubuntu

Aus Xinux Wiki
Version vom 27. Februar 2026, 07:48 Uhr von Maximilian.pottgiesser (Diskussion | Beiträge) (Die Seite wurde neu angelegt: „=Idee= ;Managment Schnittstelle enp0s3 ;SniffingSchnittstelle enp0s8 =Netzwerk= *sudo vim /etc/netplan/50-cloud-init.yaml <pre> network: version: 2 etherne…“)
(Unterschied) ← Nächstältere Version | Aktuelle Version (Unterschied) | Nächstjüngere Version → (Unterschied)
Zur Navigation springen Zur Suche springen

Idee

Managment Schnittstelle

enp0s3

SniffingSchnittstelle

enp0s8

Netzwerk

  • sudo vim /etc/netplan/50-cloud-init.yaml
network:
  version: 2
  ethernets:
    enp0s3:
      addresses:
      - "172.26.54.25/24"
      nameservers:
        addresses:
        - 1.1.1.1
        search:
        - sec-labs.de
      routes:
      - to: "default"
        via: "172.26.54.1"
    enp0s8:
      optional: true
      addresses: []
      dhcp4: false
      dhcp6: false

Promiscuous Mode

cat <<'EOF' | sudo tee /etc/systemd/system/suricata-nic.service
[Unit]
Description=Configure enp0s8 for Suricata sniffing
After=network-online.target
Wants=network-online.target

[Service]
Type=oneshot
ExecStart=/sbin/ip link set enp0s8 promisc on
ExecStart=/sbin/ethtool -K enp0s8 gro off lro off tso off gso off
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target
EOF
  • sudo systemctl daemon-reload
  • sudo systemctl enable --now suricata-nic.service

prüfen

  • ethtool -k enp0s8 | grep -E "generic-receive|tcp-segmentation|generic-segmentation"
  • ip link show enp0s8 | grep -i promisc

Suricata Konfiguration

  • cat /etc/suricata/suricata.yaml
*cat /etc/resolv.conf 
 search sec-labs.de
 nameserver 1.1.1.1
*cat /etc/hostname 
 ids.sec-labs.de


%YAML 1.1
---
# Variablen für die Adressgruppen festlegen
vars:
  address-groups:
    LAN: "[172.26.53.0/24]"
    DMZ: "[10.0.10.0/24]"
    SERVER: "[172.26.54.0/24]"
    INT: "[$LAN,$DMZ,$SERVER]"
    HOME_NET: "$INT"
    EXTERNAL_NET: "!$INT"

# Standard-Log-Verzeichnis
default-log-dir: /var/log/suricata/

# Statistiken aktivieren
stats:
  enabled: yes
  interval: 8

# Ausgaben konfigurieren
outputs:
  - fast:
      enabled: yes
      filename: fast.log
      append: yes
  - alert-debug:
      enabled: yes
      filename: alert-debug.log
      append: yes
  - stats:
      enabled: yes
      filename: stats.log
      append: yes
      totals: yes
      threads: no
  - eve-log:
      enabled: yes
      filename: eve.json
      types:
        - alert
        - dns
        - http
        - tls
        - flow
        - ssh
        - stats

# Logging-Einstellungen
logging:
  default-log-level: notice
  outputs:
  - console:
      enabled: yes
  - file:
      enabled: yes
      level: info
      filename: suricata.log

# Netzwerkschnittstellen konfigurieren
af-packet:
  - interface: enp0s8
    threads: auto
    cluster-id: 98
    cluster-type: cluster_flow
    defrag: yes

# PID-Datei
pid-file: /var/run/suricata.pid

# Coredump-Einstellungen
coredump:
  max-dump: unlimited

# Host-Modus
host-mode: auto

# Unix-Befehlseingabe konfigurieren
unix-command:
  enabled: yes
  filename: /var/run/suricata-command.socket

# Engine-Analyse-Einstellungen
engine-analysis:
  rules-fast-pattern: yes
  rules: yes

# Defragmentierungseinstellungen
defrag:
  memcap: 32mb
  hash-size: 65536
  trackers: 65535
  max-frags: 65535
  prealloc: yes
  timeout: 60

# Standardregelverzeichnis
default-rule-path: /etc/suricata/rules

# Regel-Dateien
rule-files:
  - local.rules

# Klassifikationsdatei
classification-file: /etc/suricata/classification.config

# Referenzkonfigurationsdatei
reference-config-file: /etc/suricata/reference.config

Eigene Regeln

  • cat /etc/suricata/rules/local.rules
# ICMP: einfacher Ping/Traceroute (schneller Funktionstest)
# Test: ping -c1 <ZIEL>
alert icmp any any -> any any (msg:"ICMP Test"; classtype:misc-activity; sid:41;)

# HTTP: mögliches Command-Injection-Merkmal (Semikolon) in POST-Body
# Test: curl -X POST http://<ZIEL>/ -d "q=test%3Bls"
alert http any any -> any any (msg:"Command Injection - Semicolon in POST DATA"; classtype:web-application-attack; flow:established; content:"%3B"; nocase; http_client_body; sid:2;)

# HTTP: mögliches SQLi-Merkmal (einfaches Hochkomma) in POST-Body
# Test: curl -X POST http://<ZIEL>/login -d "u=a&p='%20OR%201=1"
alert http any any -> any any (msg:"Possible SQL Injection (singlequote in POST)"; classtype:web-application-attack; flow:established,to_server; content:"%27"; nocase; http_client_body; sid:3;)

# DNS: Policy – verbietet "google" in DNS-Queries
# Test: dig google.com @<FW>
alert dns any any -> any any (msg:"Kein Googlen"; dns.query; content:"google"; nocase; classtype:policy-violation; sid:43;)

# DoS: viele identische kurze HTTP-GETs (LOIC-ähnlich)
# Test: ab -n 1000 -c 500 http://<ZIEL>/
alert tcp any any -> any any (msg:"ET DOS Terse HTTP GET Likely LOIC"; flow:to_server,established; dsize:18; content:"GET / HTTP/1.1|0d 0a 0d 0a|"; depth:18; threshold:type both,track by_dst,count 500,seconds 60; classtype:own-dos; sid:54; rev:2; metadata:created_at 2014_10_03, confidence Medium, signature_severity Major, updated_at 2019_07_26;)

# Scan: TCP SYN-Sweep (viele SYN in kurzer Zeit)
# Test: nmap -sS -p1-100 <ZIEL>
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"OWN SCAN TCP SYN sweep"; flow:stateless,to_server; flags:S; detection_filter:track by_src,count 20,seconds 5; classtype:attempted-recon; sid:60; rev:1;)

# Scan: TCP NULL-Scan (keine Flags gesetzt)
# Test: nmap -sN -p1-100 <ZIEL>
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"OWN SCAN TCP NULL scan"; flow:stateless,to_server; flags:0; detection_filter:track by_src,count 5,seconds 10; classtype:attempted-recon; sid:61; rev:1;)

# Scan: TCP FIN-Scan (nur FIN)
# Test: nmap -sF -p1-100 <ZIEL>
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"OWN SCAN TCP FIN scan"; flow:stateless,to_server; flags:F; detection_filter:track by_src,count 5,seconds 10; classtype:attempted-recon; sid:62; rev:1;)

# Scan: TCP XMAS-Scan (FIN+PSH+URG)
# Test: nmap -sX -p1-100 <ZIEL>
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"OWN SCAN TCP XMAS scan"; flow:stateless,to_server; flags:FPU; detection_filter:track by_src,count 5,seconds 10; classtype:attempted-recon; sid:63; rev:1;)

# Scan: UDP-Sweep mit leerer Payload
# Test: nmap -sU --min-rate=1000 <ZIEL>
alert udp $EXTERNAL_NET any -> $HOME_NET 1:65535 (msg:"OWN SCAN UDP sweep (empty probes)"; flow:to_server; dsize:0; detection_filter:track by_src,count 15,seconds 10; classtype:attempted-recon; sid:64; rev:1;)

# Scan: ICMP Ping-Sweep (viele Echo-Requests)
# Test: nmap -sn <NETZ>/24
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"OWN SCAN ICMP ping sweep"; itype:8; detection_filter:track by_src,count 10,seconds 5; classtype:attempted-recon; sid:65; rev:1;)
# --- ICMP Flood / Ping Flood (klassischer DDos) ---
alert icmp any any -> $HOME_NET any (msg:"ICMP Flood Potential Detected"; threshold: type both, track by_dst, count 100, seconds 10; sid:1000001; rev:1;)

# --- UDP Flood ---
alert udp any any -> $HOME_NET any (msg:"UDP Flood Potential Detected"; threshold: type both, track by_dst, count 200, seconds 5; sid:1000002; rev:1;)

# --- TCP SYN Flood (Sehr häufiger DDos-Typ) ---
alert tcp any any -> $HOME_NET any (flags:S; msg:"TCP SYN Flood Potential Detected"; threshold: type both, track by_dst, count 150, seconds 10; sid:1000003; rev:1;)

# --- HTTP Flood (Layer 7 Attacke) ---
alert http any any -> $HOME_NET any (msg:"HTTP Flood Potential Detected"; threshold: type both, track by_dst, count 300, seconds 10; sid:1000004; rev:1;)

# --- DNS Amplification / große DNS Antworten ---
alert udp any 53 -> $HOME_NET any (msg:"Possible DNS Amplification Attack"; dnsize: > 512; threshold: type both, track by_src, count 50, seconds 5; sid:1000005; rev:1;)

# --- (Optional) Einfacher "Hello World" Treffer für Tests ---
alert tcp any any -> $HOME_NET any (msg:"TEST - SSH Connection Attempt"; content:"SSH"; nocase; sid:1000006; rev:1;)

Starten

  • systemctl enable suricata --now
Abgerufen von „http://wiki.ixheim.de/index.php?title=Suricata_IDS_am_Switch_Ubuntu&oldid=67211