Difference between revisions of "Bp"
Latest revision as of 19:35, 3 November 2014
blacklists
/etc/shorewall/makeblacklist :
#!/bin/sh
# Rebuild the Shorewall blacklist from public IP reputation feeds, then refresh.
# The feeds are fetched over plain HTTP/HTTPS with no integrity check, so a
# tampered feed can add or remove entries; review the list on a schedule.
cd /etc/shorewall || exit 1
# Assemble in a private temp file, not a predictable name under /tmp.
tmp=$(mktemp) || exit 1
echo "#ADDRESS/SUBNET PROTOCOL PORT" > "$tmp"
wget -q -O - http://www.malwaredomainlist.com/hostslist/ip.txt | awk --posix '/^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\// { print $1;}' >> "$tmp"
wget -q -O - https://www.openbl.org/lists/base.txt | awk --posix '/^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\// { print $1;}' >> "$tmp"
# DShield block.txt is tab separated "start end netmask ..."; emit the /24.
wget -q -O - http://feeds.dshield.org/block.txt | awk --posix '/^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.0\t/ { print $1 "/24";}' >> "$tmp"
wget -q -O - http://www.spamhaus.org/drop/drop.lasso | awk --posix '/^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\// { print $1;}' >> "$tmp"
#http://www.malwaredomainlist.com/hostslist/hosts.txt
#DNS!!wget -q -O - http://www.malwaredomainlist.com/hostslist/hosts.txt | awk --posix '/^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\// { print $1;}' >> "$tmp"
#http://www.omeglewarden.com/ip-lists.html + SUOMI
# Locally maintained entries.
cat dns.p2p >> "$tmp"
echo "#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE" >> "$tmp"
# Keep the current blacklist if nothing was collected: an empty list would silently unblock everything.
if [ "$(grep -c -v '^#' "$tmp")" -eq 0 ]; then rm -f "$tmp"; exit 1; fi
mv "$tmp" /etc/shorewall/blacklist
# "&>/dev/null" is a bashism; under /bin/sh it would background the command instead of silencing it.
shorewall refresh >/dev/null 2>&1
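The script above appends whatever its regexes match without checking that the result is a valid address or prefix. As an added example, not part of the original makeblacklist script, the following shell functions normalise feed lines in the three formats the script consumes (bare IPv4, CIDR followed by a comment as in Spamhaus DROP, and DShield's tab-separated block.txt) into Shorewall blacklist entries, reject malformed octets and prefix lengths, and install the generated file only if at least one entry survived. The function names are mine and the sample feed it runs on is constructed.

```shell
#!/bin/sh
# Added example: validate and normalise IP-reputation feed lines into Shorewall
# blacklist entries. Not from the original makeblacklist script; the sample
# feed below is constructed and the function names are hypothetical.

# Print one validated entry ("A.B.C.D" or "A.B.C.D/N") for a feed line, or
# nothing if the line is blank, a comment, or malformed. Accepts bare IPv4,
# CIDR followed by a comment ("192.0.2.0/24 ; SBL1", Spamhaus DROP style) and
# DShield block.txt lines ("start<TAB>end<TAB>netmask<TAB>...").
feed_to_entry() {
    printf '%s\n' "$1" | awk '
        NF == 0 || $1 ~ /^[#;]/ { next }                # blank or comment line
        {
            addr = $1; plen = ""
            if (addr ~ /\//) {                          # CIDR form
                split(addr, p, "/"); addr = p[1]; plen = p[2]
            } else if ($3 ~ /^[0-9]+$/ && $2 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) {
                plen = $3                               # DShield: start end netmask
            }
            if (split(addr, o, ".") != 4) next
            for (i = 1; i <= 4; i++)
                if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) next
            if (plen != "" && (plen !~ /^[0-9]+$/ || plen + 0 > 32)) next
            out = (plen == "" || plen + 0 == 32) ? addr : addr "/" plen
            print out
        }'
}

# Build a Shorewall blacklist from feed files in a private temp file and
# install it only if at least one entry survived, so a dead or empty feed
# cannot silently replace the list with nothing. Returns 1 if nothing survived.
build_blacklist() {   # usage: build_blacklist OUTFILE FEEDFILE...
    out=$1; shift
    tmp=$(mktemp) || return 1
    printf '#ADDRESS/SUBNET PROTOCOL PORT\n' > "$tmp"
    cat "$@" | while IFS= read -r line; do feed_to_entry "$line"; done | sort -u >> "$tmp"
    n=$(grep -c -v '^#' "$tmp" || true)
    printf '#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE\n' >> "$tmp"
    if [ "$n" -gt 0 ]; then mv "$tmp" "$out"; else rm -f "$tmp"; return 1; fi
}

# Constructed sample feed (not real data) mixing the three formats with junk
# that must be dropped; prints the path of the temp file it wrote.
make_sample_feed() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
; Spamhaus DROP style
192.0.2.0/24 ; SBL000001
# bare addresses, as in an ip.txt list
198.51.100.7
203.0.113.9/32
256.1.1.1
10.0.0.0/33
EOF
    # DShield block.txt style line (tab separated)
    printf '203.0.113.0\t203.0.113.255\t24\t12\texample-net\n' >> "$f"
    printf '%s\n' "$f"
}

# Demo run, fully offline: generate a blacklist from the sample and show it.
FEED=$(make_sample_feed)
OUT=$(mktemp)
if build_blacklist "$OUT" "$FEED"; then cat "$OUT"; fi
rm -f "$FEED" "$OUT"
```

To use it against the real feeds, save each wget download to a file and pass those files to build_blacklist with /etc/shorewall/blacklist as the output, then run shorewall refresh as the original script does.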
suricata - intrusion detection
sudo suricata -c /etc/suricata/suricata-debian.yaml -q 0
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Rule_Management_with_Oinkmaster
http://samiux.blogspot.fi/2013/01/howto-suricata-on-ubuntu-1204-lts-server.html
https://home.regit.org/2014/02/suricata-and-nftables/
https://home.regit.org/netfilter-en/using-nfqueue-and-libnetfilter_queue/
HOWTO : Suricata on Ubuntu 12.04 LTS Server
Suricata is an open source, next-generation intrusion detection and prevention engine. It is not intended merely to replace or emulate the existing tools in the industry, but to bring new ideas and technologies to the field.
There is an Ubuntu PPA of Suricata for Ubuntu 10.04 to 13.04, and Ubuntu 13.04 also ships Suricata in its own repositories. Both packages have IPS mode through NFQUEUE enabled. Suricata also supports nVidia CUDA, which requires recompiling the source with the appropriate option.
Suricata can be installed not only on servers but also on desktops and laptops; it performs quite well on an Intel Atom ITX machine.
For the features, please read here for details.
The following is a basic and general setup of Suricata. For more advanced settings, please refer to the Reference below.
Step 1 :
sudo apt-get install python-software-properties
sudo add-apt-repository ppa:oisf/suricata-stable
sudo apt-get update
sudo apt-get install suricata htp
Step 2 :
To get the Emerging Threats rules :
cd /etc/suricata/
sudo wget https://rules.emergingthreatspro.com/open/suricata/emerging.rules.tar.gz
sudo tar -xvzf emerging.rules.tar.gz
sudo ln -s /etc/suricata/rules/reference.config /etc/suricata/reference.config
sudo ln -s /etc/suricata/UbuntuPPA-configs/classification.config /etc/suricata/classification.config
sudo cp /etc/suricata/UbuntuPPA-configs/suricata-ppa-1.4-6ubuntu6.yaml /etc/suricata/suricata.yaml
Note: instead of the symlinks above you can point the configuration at the reference.config and classification.config shipped in /etc/suricata/rules.
sudo mkdir /var/log/suricata
sudo touch /etc/suricata/threshold.config
Step 3 :
sudo nano /etc/suricata/suricata.yaml
Locate the following lines :
default-log-dir: /usr/local/var/log/suricata/
default-rule-path: /usr/local/etc/suricata/rules
classification-file: /usr/local/etc/suricata/classification.config
reference-config-file: /usr/local/etc/suricata/reference.config
#pid-file: /var/run/suricata.pid
#- rule-reload: true
#threshold-file: /usr/local/etc/suricata/threshold.config

  - drop:
      enable: no
Replace with the following lines :
default-log-dir: /var/log/suricata/
default-rule-path: /etc/suricata/rules
classification-file: /etc/suricata/classification.config
reference-config-file: /etc/suricata/reference.config
pid-file: /var/run/suricata.pid
- rule-reload: true
threshold-file: /etc/suricata/threshold.config

  - drop:
      enable: yes
The threshold-file must point at the /etc/suricata/threshold.config created in Step 2, not at the /usr/local path from the default configuration, or Suricata will fail to find it.
To test whether it works:
sudo suricata -c /etc/suricata/suricata.yaml -i eth0
After a few minutes, check /var/log/suricata/stats.log and /var/log/suricata/http.log for entries.
Step 4 :
sudo iptables -A INPUT -j NFQUEUE
sudo iptables -A OUTPUT -j NFQUEUE
sudo iptables -A FORWARD -j NFQUEUE
These rules hand every packet to userspace. If no Suricata process is bound to queue 0 (not yet started, crashed, or being restarted), the kernel drops the queued packets and a remote host becomes unreachable. Add the rules only once Suricata is running, or append --queue-bypass to each rule so that the kernel accepts packets while nothing is listening on the queue.
To test whether it works:
sudo suricata -c /etc/suricata/suricata.yaml -q 0
Step 5 :
sudo apt-get install oinkmaster
sudo nano /etc/oinkmaster.conf
Append the following line :
url = https://rules.emergingthreatspro.com/open/suricata/emerging.rules.tar.gz
sudo oinkmaster -C /etc/oinkmaster.conf -o /etc/suricata/rules
Step 6 :
Once everything works, put the following in /etc/rc.local, just above "exit 0":
#iptables -F
iptables -A INPUT -j NFQUEUE
iptables -A OUTPUT -j NFQUEUE
iptables -A FORWARD -j NFQUEUE
/etc/suricata/ips
Then create the file /etc/suricata/ips (it is executed directly from rc.local, so give it a shebang line):
sudo nano /etc/suricata/ips
#!/bin/sh
suricata -D -c /etc/suricata/suricata.yaml -q 0
oinkmaster -C /etc/oinkmaster.conf -o /etc/suricata/rules
kill -USR2 `pidof suricata`
sudo chmod +x /etc/suricata/ips
Then write a cron job to update the Emerging Threats rules every day.
sudo crontab -e
Append the following :
@daily /etc/suricata/update-rules
Then create the update-rules script:
sudo nano /etc/suricata/update-rules
#!/bin/sh
oinkmaster -C /etc/oinkmaster.conf -o /etc/suricata/rules
kill -USR2 `pidof suricata`
sudo chmod +x /etc/suricata/update-rules
Remarks :
If you want to create a user interface for the IPS, refer to "Reference" item [12].
If Suricata acts as an IPS gateway, it needs two bridged NICs for traffic and one NIC for management, plus some changes to the configuration files.
If you have a 4-core CPU, change the settings as follows:
iptables -A INPUT -j NFQUEUE --queue-balance 0:3
iptables -A OUTPUT -j NFQUEUE --queue-balance 0:3
iptables -A FORWARD -j NFQUEUE --queue-balance 0:3
suricata -D -c /etc/suricata/suricata.yaml -q 0 -q 1 -q 2 -q 3
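Steps 4 and 6 and the multi-core remark above queue every packet to Suricata with no fallback, and the update-rules script sends USR2 whether or not oinkmaster succeeded, so a broken download is loaded straight into the running engine. As an added example that is not from the HOWTO, the following script generates the same iptables rules with --queue-bypass (the kernel accepts instead of dropping when no Suricata is bound to the queue), produces the matching -q arguments for any queue count, and only asks the running Suricata to reload after the new ruleset passes a suricata -T configuration test. It assumes the HOWTO's paths, oinkmaster's -b backup option, a Suricata that supports -T, and a backup directory of my choosing; the shell functions and their names are mine.

```shell
#!/bin/sh
# Added example, not from the original HOWTO: a fail-safe version of the
# rc.local / update-rules steps. Paths mirror the HOWTO; the backup directory
# and the 4-queue demo are assumptions for illustration.
CONF=/etc/suricata/suricata.yaml
RULES_DIR=/etc/suricata/rules
OINK_CONF=/etc/oinkmaster.conf
RULE_BACKUPS=/var/backups/suricata-rules   # assumed path; oinkmaster -b writes here

# Print the iptables rules that hand traffic to Suricata's NFQUEUE.
# --queue-bypass makes the kernel ACCEPT packets while no process is bound to
# the queue, so a crashed or not-yet-started Suricata does not blackhole the
# host (a bare -j NFQUEUE drops every packet in that state).
nfqueue_rules() {   # usage: nfqueue_rules NQUEUES
    n=$1
    last=$((n - 1))
    for chain in INPUT OUTPUT FORWARD; do
        if [ "$n" -gt 1 ]; then
            printf 'iptables -A %s -j NFQUEUE --queue-balance 0:%s --queue-bypass\n' "$chain" "$last"
        else
            printf 'iptables -A %s -j NFQUEUE --queue-num 0 --queue-bypass\n' "$chain"
        fi
    done
}

# Print the matching "-q N" arguments so Suricata binds every balanced queue.
suricata_queue_args() {   # usage: suricata_queue_args NQUEUES
    i=0; args=""
    while [ "$i" -lt "$1" ]; do args="$args -q $i"; i=$((i + 1)); done
    printf '%s\n' "${args# }"
}

# Fetch new rules, but only tell the running Suricata to reload them if the
# new ruleset actually loads. Exit codes: 0 reloaded, 1 download failed
# (rules untouched), 2 new rules rejected (the running instance keeps its old
# in-memory rules; the previous files are in $RULE_BACKUPS), 3 not running.
update_rules() {
    mkdir -p "$RULE_BACKUPS"
    oinkmaster -C "$OINK_CONF" -o "$RULES_DIR" -b "$RULE_BACKUPS" || {
        echo "update_rules: oinkmaster failed, rules untouched" >&2; return 1; }
    # -T loads the configuration and all rules without starting the engine.
    suricata -T -c "$CONF" >/dev/null 2>&1 || {
        echo "update_rules: new ruleset fails to load, not reloading (backup in $RULE_BACKUPS)" >&2
        return 2; }
    pid=$(pidof suricata) || { echo "update_rules: suricata not running" >&2; return 3; }
    kill -USR2 "$pid"
}

# Demo: print the rules and start command for a 4-core box; "update" runs an update.
case "${1:-show}" in
    show)   nfqueue_rules 4; echo "suricata -D -c $CONF $(suricata_queue_args 4)" ;;
    update) update_rules ;;
esac
```

Run it without arguments to see the rules for four queues, and schedule it as "@daily /path/to/script update" in place of the HOWTO's update-rules script. Because the reload is skipped on a failed test, a bad feed leaves the running engine on its last good ruleset and the exit code tells cron what happened.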
https://home.regit.org/2013/10/logstash-and-suricata-for-the-old-guys/
Logstash
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/_logstash_kibana_and_suricata_json_output
https://github.com/pevma/Suricata-Logstash-Templates
Config
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricatayaml
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/EveJSONOutput