■Installing Suricata.
Every time I follow the links I (myself) get lost, so
this time I will simply install Snort -> PostgreSQL -> Snort-Pgsql -> Suricata, in that order.
Adding the "Emerging Threats (ET)" rules to Snort:
http://d.hatena.ne.jp/labunix/20121224
■Installing snort and postgresql
$ sudo apt-get install -y snort
$ sudo apt-get install -y postgresql-client postgresql
$ sudo /etc/init.d/postgresql status > /dev/null 2>&1 && echo "ok."
ok
■Creating the snort user and the snort database
$ su root -c 'sudo -u postgres createuser snort'
パスワード:
新しいロールをスーパーユーザとしますか? (y/n)y
$ su root -c 'sudo -u snort createdb snort'
パスワード:
■Installing snort-pgsql
$ sudo apt-get install -y snort-pgsql
$ cd /usr/share/doc/snort-pgsql/
$ zcat create_postgresql.gz | sudo -u snort psql
■Allowing connections on localhost
$ grep "#listen_address" /etc/postgresql/8.4/main/postgresql.conf
$ sudo cp -pi /etc/postgresql/8.4/main/postgresql.conf /etc/postgresql/8.4/main/postgresql.conf.org
$ sudo sed -i s/"#\(listen_address\)"/"\1"/ /etc/postgresql/8.4/main/postgresql.conf
$ grep "listen_address" /etc/postgresql/8.4/main/postgresql.conf
$ netstat -an | grep "\:5432" | sed s/" *"/","/g
tcp,0,0,127.0.0.1:5432,0.0.0.0:*,LISTEN,
■Setting and checking the password, then reconfiguring snort-pgsql
$ DBPASS='XXXXX'; \
echo "ALTER USER snort with encrypted password '"$DBPASS"';" | sudo -u snort psql -U snort -d snort
ALTER ROLE
$ echo "select * from signature" | sudo -u snort psql -U snort -d snort -h localhost -A -F\,
ユーザ snort のパスワード:
sig_id,sig_name,sig_class_id,sig_priority,sig_rev,sig_sid
$ sudo dpkg-reconfigure snort-pgsql
■Either "apt-get build-dep snort-pgsql" or the following.
$ echo "
iptables-dev
libltdl-dev
libnet1
libnet1-dev
libpcap0.8-dev
libpcre3-dev
libpcrecpp0
libpq-dev
libprelude-dev
libtool
" | xargs sudo apt-get install -y
■Setting up "local.rules"
$ echo 'alert icmp any any -> any any (msg:"ICMP Test"; sid:200003851; rev:1;)' | \
sudo tee -a /etc/snort/rules/local.rules
alert icmp any any -> any any (msg:"ICMP Test"; sid:200003851; rev:1;)
$ TARGET=192.168.1.1; \
ping -c 1 $TARGET
$ echo 'alert tcp any 80 -> any any (
msg:"applet.jar";
uricontent:"applet.jar";
nocase;
sid:202014155;
rev:2;
)' | paste -sd ' ' | sudo tee -a /etc/snort/rules/local.rules
alert tcp any 80 -> any any ( msg:"applet.jar"; uricontent:"applet.jar"; nocase; sid:202014155; rev:2; )
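Collapsing a multi-line rule through a shell pipeline is an easy way to end up with unquoted msg or uricontent values (xargs echo strips the double quotes), and the sensor then refuses the whole file. The following Python script is an added example, not code from this post or from the Snort or Suricata projects: it parses each rule's header and option list, checks that msg, content, uricontent and pcre values are double-quoted, that sid and rev are present, that no sid is reused within the file, and that sids sit in the 1000000-and-up range the Snort and Suricata documentation reserve for local rules, then reports every problem with its line number. The sample rules are constructed for the example: the two rules from this section plus deliberately broken variants.

```python
import re

# Constructed sample local.rules content: the two rules from this section, a copy of the
# applet.jar rule in the unquoted form that `xargs echo` produces, a rule that reuses an
# existing sid, and a rule with no sid and no rev.
SAMPLE_LOCAL_RULES = '''\
alert icmp any any -> any any (msg:"ICMP Test"; sid:200003851; rev:1;)
alert tcp any 80 -> any any ( msg:"applet.jar"; uricontent:"applet.jar"; nocase; sid:202014155; rev:2; )
alert tcp any 80 -> any any ( msg:applet.jar; uricontent:applet.jar; nocase; sid:202014156; rev:1; )
alert tcp any any -> any 22 (msg:"dup sid"; sid:200003851; rev:1;)
alert udp any any -> any 53 (msg:"no sid"; content:"|00 01|";)
'''

# action proto src sport dir dst dport ( options )
HEADER_RE = re.compile(
    r'^(?P<action>alert|log|pass|drop|reject|sdrop)\s+(?P<proto>\w+)\s+'
    r'(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*'
    r'\((?P<opts>.*)\)\s*$'
)

# Options whose value the Snort/Suricata rule language requires in double quotes.
QUOTED_OPTS = {"msg", "content", "uricontent", "pcre"}
LOCAL_SID_MIN = 1000000  # sids from 1000000 up are the documented range for local rules


def split_options(opts):
    """Split the option body on ';' characters that are outside double quotes,
    honouring backslash escapes, and return (keyword, value-or-None) pairs."""
    items, cur, in_quote, escape = [], [], False, False
    for ch in opts:
        if escape:
            cur.append(ch)
            escape = False
        elif ch == '\\':
            cur.append(ch)
            escape = True
        elif ch == '"':
            cur.append(ch)
            in_quote = not in_quote
        elif ch == ';' and not in_quote:
            items.append(''.join(cur))
            cur = []
        else:
            cur.append(ch)
    items.append(''.join(cur))
    pairs = []
    for item in items:
        item = item.strip()
        if not item:
            continue
        key, sep, val = item.partition(':')
        pairs.append((key.strip(), val.strip() if sep else None))
    return pairs


def is_quoted(value):
    """True when value (after an optional '!' negation) is wrapped in double quotes."""
    v = (value or '').lstrip('!')
    return len(v) >= 2 and v[0] == '"' and v[-1] == '"'


def check_rules(text):
    """Return a list of (line_number, problem) tuples for the rules in text."""
    problems, seen_sids = [], {}
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = HEADER_RE.match(line)
        if not m:
            problems.append((n, 'unparseable rule header'))
            continue
        opts = split_options(m.group('opts'))
        names = [k for k, _ in opts]
        for k, v in opts:
            if k in QUOTED_OPTS and not is_quoted(v):
                problems.append((n, f'{k} value must be double-quoted: {v!r}'))
        if 'msg' not in names:
            problems.append((n, 'missing msg'))
        sid = next((v for k, v in opts if k == 'sid'), None)
        if sid is None or not sid.isdigit():
            problems.append((n, 'missing or non-numeric sid'))
        else:
            if int(sid) < LOCAL_SID_MIN:
                problems.append((n, f'sid {sid} is below the local-rule range ({LOCAL_SID_MIN}+)'))
            if sid in seen_sids:
                problems.append((n, f'duplicate sid {sid} (first used on line {seen_sids[sid]})'))
            else:
                seen_sids[sid] = n
        if 'rev' not in names:
            problems.append((n, 'missing rev'))
    return problems


if __name__ == '__main__':
    for lineno, problem in check_rules(SAMPLE_LOCAL_RULES):
        print(f'local.rules:{lineno}: {problem}')
```

To run it against the real file, replace SAMPLE_LOCAL_RULES with the contents of /etc/snort/rules/local.rules. The check is purely syntactic, so a rule that passes can still be rejected by snort -T for reasons the script does not model (unknown keywords, bad pcre, missing variables); it is meant to catch the common copy-and-paste mistakes before the sensor is restarted.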
■Installing suricata
$ sudo apt-get install -y suricata
$ sudo grep -A 4 syslog /etc/suricata/suricata-debian.yaml
  - syslog:
      enabled: no
      facility: local5
      format: "[%i] <%d> -- "
$ sudo vim /etc/suricata/suricata-debian.yaml
$ sudo grep -A 4 syslog /etc/suricata/suricata-debian.yaml
  - syslog:
      enabled: yes
      facility: local5
      format: "[%i] <%d> -- "
$ sudo suricata -D -c /etc/suricata/suricata-debian.yaml -i eth1
$ ps -ef | grep suricata | grep -v grep
root 13989 1 67 23:30 ? 00:00:08 suricata -D -c /etc/suricata/suricata-debian.yaml -i eth1
■It's nice that the priority is shown.
Note that "192.168.1.[12]" are dummy IP addresses.
$ sudo nmap -sT 192.168.1.1
$ sudo tail -f /var/log/suricata/fast.log
12/25/12-14:36:50.785546 [**] [1:620:10] SCAN Proxy Port 8080 attempt [**] [Classification: Attempted Information Leak] [Priority: 3] {6} 192.168.1.2:40259 -> 192.168.1.1:8080
12/25/12-14:36:50.788020 [**] [1:1227:5] X11 outbound client connection detected [**] [Classification: Misc activity] [Priority: 3] {6} 192.168.1.1:6004 -> 192.168.1.2:53169 [Xref => http://www.whitehats.com/info/IDS126]
12/25/12-14:36:50.792164 [**] [1:1418:11] SNMP request tcp [**] [Classification: Attempted Information Leak] [Priority: 3] {6} 192.168.1.2:40019 -> 192.168.1.1:161 [Xref => http://www.securityfocus.com/bid/4088] [Xref => http://www.securityfocus.com/bid/4089] [Xref => http://www.securityfocus.com/bid/4132] [Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0012] [Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0013]
12/25/12-14:36:50.803803 [**] [1:1421:11] SNMP AgentX/tcp request [**] [Classification: Attempted Information Leak] [Priority: 3] {6} 192.168.1.2:52724 -> 192.168.1.1:705 [Xref => http://www.securityfocus.com/bid/4088] [Xref => http://www.securityfocus.com/bid/4089] [Xref => http://www.securityfocus.com/bid/4132] [Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0012] [Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0013]
12/25/12-14:36:50.806858 [**] [1:1227:5] X11 outbound client connection detected [**] [Classification: Misc activity] [Priority: 3] {6} 192.168.1.1:6001 -> 192.168.1.2:51441 [Xref => http://www.whitehats.com/info/IDS126]
12/25/12-14:36:50.809156 [**] [1:1227:5] X11 outbound client connection detected [**] [Classification: Misc activity] [Priority: 3] {6} 192.168.1.1:6002 -> 192.168.1.2:35363 [Xref => http://www.whitehats.com/info/IDS126]
12/25/12-14:36:50.810004 [**] [1:1227:5] X11 outbound client connection detected [**] [Classification: Misc activity] [Priority: 3] {6} 192.168.1.1:6003 -> 192.168.1.2:43713 [Xref => http://www.whitehats.com/info/IDS126]
12/25/12-14:36:50.811007 [**] [1:1227:5] X11 outbound client connection detected [**] [Classification: Misc activity] [Priority: 3] {6} 192.168.1.1:6005 -> 192.168.1.2:45364 [Xref => http://www.whitehats.com/info/IDS126]
12/25/12-14:36:50.820777 [**] [1:615:9] SCAN SOCKS Proxy attempt [**] [Classification: Attempted Information Leak] [Priority: 3] {6} 192.168.1.2:43261 -> 192.168.1.1:1080 [Xref => http://help.undernet.org/proxyscan/]
12/25/12-14:36:50.823243 [**] [1:618:9] SCAN Squid Proxy attempt [**] [Classification: Attempted Information Leak] [Priority: 3] {6} 192.168.1.2:58202 -> 192.168.1.1:3128
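Since the point of the excerpt is that the Priority field makes triage easier, here is an added Python example (not from this post or from the Suricata project) that turns fast.log lines into structured records, counts alerts by priority, signature and source host, and flags source hosts whose alerts reach several distinct destination ports, which is the footprint the nmap run above leaves behind. The log lines inside it are constructed to mirror the excerpt; the numeric protocol form this release prints ({6} for TCP) is mapped to a name and the {TCP} form of newer builds is accepted as well. The parser assumes IPv4 addresses, treats the Classification field as optional (a local rule without classtype may not carry one) and keeps lines it cannot parse rather than dropping them silently.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the layout of the fast.log excerpt above (one record per line).
# The ICMP record stands in for the local "ICMP Test" rule and has no ports;
# the last line is deliberately not an alert record.
SAMPLE_FAST_LOG = """\
12/25/12-14:36:50.785546  [**] [1:620:10] SCAN Proxy Port 8080 attempt [**] [Classification: Attempted Information Leak] [Priority: 3] {6} 192.168.1.2:40259 -> 192.168.1.1:8080
12/25/12-14:36:50.788020  [**] [1:1227:5] X11 outbound client connection detected [**] [Classification: Misc activity] [Priority: 3] {6} 192.168.1.1:6004 -> 192.168.1.2:53169 [Xref => http://www.whitehats.com/info/IDS126]
12/25/12-14:36:50.792164  [**] [1:1418:11] SNMP request tcp [**] [Classification: Attempted Information Leak] [Priority: 3] {6} 192.168.1.2:40019 -> 192.168.1.1:161 [Xref => http://www.securityfocus.com/bid/4088] [Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0012]
12/25/12-14:36:50.820777  [**] [1:615:9] SCAN SOCKS Proxy attempt [**] [Classification: Attempted Information Leak] [Priority: 3] {6} 192.168.1.2:43261 -> 192.168.1.1:1080 [Xref => http://help.undernet.org/proxyscan/]
12/25/12-14:40:01.000001  [**] [1:200003851:1] ICMP Test [**] [Priority: 3] {1} 192.168.1.2 -> 192.168.1.1
this line is not an alert record
"""

# Protocol numbers as printed in the excerpt ({6}); newer builds print names ({TCP}).
PROTO_NAMES = {"1": "ICMP", "6": "TCP", "17": "UDP"}

# IPv4 addresses assumed; ICMP records carry no ports, so the port groups are optional.
RECORD_RE = re.compile(
    r'^(?P<ts>\d\d/\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+'
    r'\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+'
    r'(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?'
    r'\[Priority:\s*(?P<prio>\d+)\]\s+'
    r'\{(?P<proto>[^}]+)\}\s+'
    r'(?P<src>\S+?)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>\S+?)(?::(?P<dport>\d+))?'
    r'(?P<xrefs>(?:\s+\[Xref => [^\]]*\])*)\s*$'
)
XREF_RE = re.compile(r'\[Xref => ([^\]]*)\]')


def parse_fast_log(text):
    """Parse fast.log text into a list of record dicts; lines that do not match the
    alert layout are returned separately so nothing is silently dropped."""
    records, unparsed = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = RECORD_RE.match(line)
        if not m:
            unparsed.append(line)
            continue
        d = m.groupdict()
        records.append({
            "timestamp": d["ts"],
            "gid": int(d["gid"]), "sid": int(d["sid"]), "rev": int(d["rev"]),
            "msg": d["msg"],
            "classification": d["cls"],
            "priority": int(d["prio"]),
            "proto": PROTO_NAMES.get(d["proto"], d["proto"]),
            "src": d["src"], "sport": int(d["sport"]) if d["sport"] else None,
            "dst": d["dst"], "dport": int(d["dport"]) if d["dport"] else None,
            "xrefs": XREF_RE.findall(d["xrefs"]),
        })
    return records, unparsed


def summarize(records):
    """Alert counts by priority, by signature and by source host: the first cut a
    reviewer makes before reading individual records."""
    return {
        "by_priority": dict(Counter(r["priority"] for r in records)),
        "by_signature": dict(Counter((r["sid"], r["msg"]) for r in records)),
        "by_source": dict(Counter(r["src"] for r in records)),
    }


def scan_sources(records, min_ports=3):
    """Source hosts whose alerts reach at least min_ports distinct destination ports,
    the footprint a port scan such as the nmap run above leaves in fast.log."""
    ports = defaultdict(set)
    for r in records:
        if r["dport"] is not None:
            ports[r["src"]].add(r["dport"])
    return sorted(src for src, p in ports.items() if len(p) >= min_ports)


if __name__ == "__main__":
    recs, bad = parse_fast_log(SAMPLE_FAST_LOG)
    print(summarize(recs))
    print("possible scanners:", scan_sources(recs))
    print("unparsed lines:", bad)
```

For a live sensor, feed parse_fast_log the contents of /var/log/suricata/fast.log (or tail it line by line); the priority and classification counts give a quick picture of what is firing, and the per-source port count separates a scanning host from the X11 noise that a single connection from the scanned host generated above.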