Installing Suricata on Squeeze

■ Installing Suricata.

 Since I get lost every time I follow the links,
 this time I will simply install Snort -> PostgreSQL -> Snort-Pgsql -> Suricata, in that order.

 Adding the "Emerging Threats (ET)" rules to Snort:
 http://d.hatena.ne.jp/labunix/20121224

■ Installing snort and postgresql

$ sudo apt-get install -y snort
$ sudo apt-get install -y postgresql-client postgresql
$ sudo /etc/init.d/postgresql status > /dev/null 2>&1 && echo "ok."
ok.

■ Creating the snort user and the snort database

$ su root -c 'sudo -u postgres createuser snort'
Password:
Shall the new role be a superuser? (y/n) y
$ su root -c 'sudo -u snort createdb snort'
Password:

 Answering y here makes the snort role a PostgreSQL superuser, which is what lets the plain "createdb" run as the snort user succeed. Snort only needs to write to its own database, so a less privileged role is enough: create it with "createuser -S -D -R snort" and then "createdb -O snort snort" as the postgres user. The role's password ends up in clear text in Snort's output-plugin configuration, so it should not be a superuser.

■ Installing snort-pgsql

$ sudo apt-get install -y snort-pgsql
$ cd /usr/share/doc/snort-pgsql/
$ zcat create_postgresql.gz | sudo -u snort psql

■ Allowing connections on localhost

$ grep "#listen_address" /etc/postgresql/8.4/main/postgresql.conf
#listen_addresses = 'localhost'         # what IP address(es) to listen on;
$ sudo cp -pi /etc/postgresql/8.4/main/postgresql.conf /etc/postgresql/8.4/main/postgresql.conf.org
$ sudo sed -i s/"#\(listen_address\)"/"\1"/ /etc/postgresql/8.4/main/postgresql.conf
$ grep "listen_address" /etc/postgresql/8.4/main/postgresql.conf
$ netstat -an | grep "\:5432" | sed s/"  *"/","/g
tcp,0,0,127.0.0.1:5432,0.0.0.0:*,LISTEN,

 Uncommenting the line changes nothing by itself: 'localhost' is already the built-in default, which is why netstat shows 127.0.0.1:5432 listening without a restart. If you set listen_addresses to anything else, PostgreSQL has to be restarted (the setting is not picked up by a reload) and the new client address must also be allowed in pg_hba.conf. Keep it on localhost unless Snort runs on another host; only the local snort process needs the database.

■ Setting and verifying the password, reconfiguring snort-pgsql

$ DBPASS='XXXXX'; \
  echo "ALTER USER snort with encrypted password '"$DBPASS"';" | sudo -u snort psql -U snort -d snort
ALTER ROLE
$ echo "select * from signature" | sudo -u snort psql -U snort -d snort -h localhost -A -F\,
Password for user snort:
sig_id,sig_name,sig_class_id,sig_priority,sig_rev,sig_sid
$ sudo dpkg-reconfigure snort-pgsql

 The first psql call goes over the local Unix socket, where Debian's default pg_hba.conf lets the OS user snort in without a password. The second passes -h localhost, which forces a TCP connection and therefore the md5 password check that Snort itself will go through, so the password prompt confirms the password took effect. An empty signature table is expected before Snort has logged anything. A password given on the command line like this stays in the shell history; if that matters, type it only at the dpkg-reconfigure prompt.

■ Either "apt-get build-dep snort-pgsql" or the following.

 These are the build dependencies of snort-pgsql. build-dep needs deb-src lines in sources.list; the explicit list does not. apt-get does not read package names from standard input, so xargs has to pass them as arguments:

$ echo "
iptables-dev
libltdl-dev
libnet1
libnet1-dev
libpcap0.8-dev
libpcre3-dev
libpcrecpp0
libpq-dev
libprelude-dev
libtool
" | xargs sudo apt-get install -y

■ Setting up "local.rules"

$ echo 'alert icmp any any -> any any (msg:"ICMP Test"; sid:200003851; rev:1;)' | \
  sudo tee -a /etc/snort/rules/local.rules
alert icmp any any -> any any (msg:"ICMP Test"; sid:200003851; rev:1;)

$ TARGET=192.168.1.1; \
  ping -c 1 $TARGET

$ echo 'alert tcp any any -> any 80 (msg:"applet.jar"; uricontent:"applet.jar"; nocase; sid:202014155; rev:2;)' | \
  sudo tee -a /etc/snort/rules/local.rules
alert tcp any any -> any 80 (msg:"applet.jar"; uricontent:"applet.jar"; nocase; sid:202014155; rev:2;)

 The second rule was first written across several lines and joined with "xargs echo -n". That silently stripped the double quotes (the appended line came out as msg:applet.jar; uricontent:applet.jar;) and dropped the trailing newline, so the rule would not parse and the next append would run onto the same line; writing it on one line avoids both. Its direction is also reversed from the earlier "any 80 -> any any": uricontent matches the URI of the HTTP request, which travels from the client to port 80, so the rule has to watch traffic toward the server. Local rules should keep their sids at 1000000 or above, as both of these do, since lower numbers are reserved for distributed rule sets.
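As an added example (not from the original post), here is a small POSIX sh helper that does what the tee pipeline above does by hand, but refuses a rule whose msg has lost its quotes, whose sid is missing or below 1000000, or whose sid is already in the file. RULES_FILE defaults to a path under /tmp for trying it out; that default, the function names and the exit codes are this example's own choices, not anything the snort or suricata packages provide.

```shell
#!/bin/sh
# Added example, not from the original post: append a Snort/Suricata rule to
# local.rules without the quote and newline loss that an "xargs echo -n"
# pipeline causes, refusing reserved or duplicate SIDs.
# RULES_FILE is an assumed default; point it at /etc/snort/rules/local.rules
# (and run with sudo) on a real sensor.
RULES_FILE="${RULES_FILE:-${TMPDIR:-/tmp}/local.rules.example}"

# rule_sid RULE: print the numeric sid of a rule, nothing if it has none
rule_sid() {
    printf '%s\n' "$1" | sed -n 's/.*[ (;]sid:[ ]*\([0-9][0-9]*\)[ ]*;.*/\1/p'
}

# add_local_rule RULE: append RULE to $RULES_FILE.
# exit status: 0 appended, 1 sid missing or below 1000000 (reserved for
# distributed rule sets), 2 sid already present in the file, 3 msg not quoted
add_local_rule() {
    rule=$1
    sid=$(rule_sid "$rule")
    [ -n "$sid" ] || return 1
    [ "$sid" -ge 1000000 ] || return 1
    # msg:"..." must keep its double quotes; echo ... | xargs strips them and
    # the rule then fails to parse when the engine loads local.rules
    case $rule in
        *'msg:"'*'"'*) ;;
        *) return 3 ;;
    esac
    if [ -f "$RULES_FILE" ] && grep -q "sid:[ ]*$sid[ ]*;" "$RULES_FILE"; then
        return 2
    fi
    # printf writes the rule byte for byte and terminates the line, so the
    # next append starts on a fresh line
    printf '%s\n' "$rule" >> "$RULES_FILE"
}

# rule_count: number of alert rules currently in $RULES_FILE (0 if absent)
rule_count() {
    if [ -f "$RULES_FILE" ]; then
        grep -c '^alert ' "$RULES_FILE" || true
    else
        echo 0
    fi
}
```

Point RULES_FILE at /etc/snort/rules/local.rules and run it with sudo on the sensor; after appending, "snort -T -c /etc/snort/snort.conf" parses the rule files and reports any rule it cannot load.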

■ Installing suricata

 The Debian package ships its configuration as /etc/suricata/suricata-debian.yaml. The edit below switches the syslog output from "enabled: no" to "enabled: yes" (facility local5, so the syslog daemon can route the alerts), and Suricata is then started as a daemon (-D) on the monitored interface (-i eth1). As the ps line shows, it keeps running as root; builds with privilege dropping support can hand off to an unprivileged account with --user/--group after the capture interface is opened, which is worth checking for the version you have. The alerts further down carry GID 1 Snort sids (620, 1227, 1418, ...), so the rule set Suricata is reading here is the Snort one installed above.

$ sudo apt-get install -y suricata
$ sudo grep -A 4 syslog /etc/suricata/suricata-debian.yaml
  - syslog:
      enabled: no
      facility: local5
      format: "[%i] <%d> -- "
$ sudo vim /etc/suricata/suricata-debian.yaml
$ sudo grep -A 4 syslog /etc/suricata/suricata-debian.yaml
  - syslog:
      enabled: yes
      facility: local5
      format: "[%i] <%d> -- "
$ sudo suricata -D -c /etc/suricata/suricata-debian.yaml -i eth1
$ ps -ef | grep suricata | grep -v grep
root     13989     1 67 23:30 ?        00:00:08 suricata -D -c /etc/suricata/suricata-debian.yaml -i eth1

■ It's nice that the priority is shown.
 "192.168.1.[12]" are dummy IPs, so bear that in mind.

$ sudo nmap -sT 192.168.1.1

$ sudo tail -f /var/log/suricata/fast.log
12/25/12-14:36:50.785546  [**]
 [1:620:10]
 SCAN Proxy Port 8080 attempt [**]
 [Classification: Attempted Information Leak]
 [Priority: 3]
 {6} 192.168.1.2:40259 -> 192.168.1.1:8080
12/25/12-14:36:50.788020  [**]
 [1:1227:5]
 X11 outbound client connection detected [**]
 [Classification: Misc activity]
 [Priority: 3]
 {6} 192.168.1.1:6004 -> 192.168.1.2:53169 [Xref => http://www.whitehats.com/info/IDS126]

12/25/12-14:36:50.792164  [**]
 [1:1418:11]
 SNMP request tcp [**]
 [Classification: Attempted Information Leak]
 [Priority: 3]
 {6} 192.168.1.2:40019 -> 192.168.1.1:161 [Xref => http://www.securityfocus.com/bid/4088]
[Xref => http://www.securityfocus.com/bid/4089]
[Xref => http://www.securityfocus.com/bid/4132]
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0012]
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0013]

12/25/12-14:36:50.803803  [**]
 [1:1421:11]
 SNMP AgentX/tcp request [**]
 [Classification: Attempted Information Leak]
 [Priority: 3]
 {6} 192.168.1.2:52724 -> 192.168.1.1:705 [Xref => http://www.securityfocus.com/bid/4088]
[Xref => http://www.securityfocus.com/bid/4089]
[Xref => http://www.securityfocus.com/bid/4132]
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0012]
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0013]

12/25/12-14:36:50.806858  [**]
 [1:1227:5]
 X11 outbound client connection detected [**]
 [Classification: Misc activity]
 [Priority: 3]
 {6} 192.168.1.1:6001 -> 192.168.1.2:51441 [Xref => http://www.whitehats.com/info/IDS126]

12/25/12-14:36:50.809156  [**]
 [1:1227:5]
 X11 outbound client connection detected [**]
 [Classification: Misc activity]
 [Priority: 3]
 {6} 192.168.1.1:6002 -> 192.168.1.2:35363 [Xref => http://www.whitehats.com/info/IDS126]

12/25/12-14:36:50.810004  [**]
 [1:1227:5]
 X11 outbound client connection detected [**]
 [Classification: Misc activity]
 [Priority: 3]
 {6} 192.168.1.1:6003 -> 192.168.1.2:43713 [Xref => http://www.whitehats.com/info/IDS126]

12/25/12-14:36:50.811007  [**]
 [1:1227:5]
 X11 outbound client connection detected [**]
 [Classification: Misc activity]
 [Priority: 3]
 {6} 192.168.1.1:6005 -> 192.168.1.2:45364 [Xref => http://www.whitehats.com/info/IDS126]

12/25/12-14:36:50.820777  [**]
 [1:615:9]
 SCAN SOCKS Proxy attempt [**]
 [Classification: Attempted Information Leak]
 [Priority: 3]
 {6} 192.168.1.2:43261 -> 192.168.1.1:1080 [Xref => http://help.undernet.org/proxyscan/]

12/25/12-14:36:50.823243  [**]
 [1:618:9]
 SCAN Squid Proxy attempt [**]
 [Classification: Attempted Information Leak]
 [Priority: 3]
 {6} 192.168.1.2:58202 -> 192.168.1.1:3128
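Not every alert above is what its name suggests: the "X11 outbound client connection detected" entries have the scanned host 192.168.1.1 as source on ports 6001-6005 and an ephemeral port on the scanner as destination, so they are 192.168.1.1's replies to nmap probing the X11 port range, not X clients. As an added example that is not part of the original post, the POSIX sh/awk script below parses fast.log lines into fields, counts alerts per signature, separates service-bound traffic from replies by comparing the two port numbers (a heuristic this example assumes; it holds for a connect scan like this one), and lists sources that raised alerts against several distinct service ports on one host. The sample file it writes is constructed from the alerts above, one per line as Suricata writes them (the listing above is wrapped for display); the function names and the threshold are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: triage Suricata fast.log with awk.
# fast.log holds one alert per line; write_sample writes a constructed file
# built from the alerts shown in the post.

# write_sample FILE: constructed fast.log lines, one per alert
write_sample() {
    cat > "$1" <<'EOF'
12/25/12-14:36:50.785546  [**] [1:620:10] SCAN Proxy Port 8080 attempt [**] [Classification: Attempted Information Leak] [Priority: 3] {6} 192.168.1.2:40259 -> 192.168.1.1:8080
12/25/12-14:36:50.788020  [**] [1:1227:5] X11 outbound client connection detected [**] [Classification: Misc activity] [Priority: 3] {6} 192.168.1.1:6004 -> 192.168.1.2:53169 [Xref => http://www.whitehats.com/info/IDS126]
12/25/12-14:36:50.792164  [**] [1:1418:11] SNMP request tcp [**] [Classification: Attempted Information Leak] [Priority: 3] {6} 192.168.1.2:40019 -> 192.168.1.1:161 [Xref => http://www.securityfocus.com/bid/4088]
12/25/12-14:36:50.803803  [**] [1:1421:11] SNMP AgentX/tcp request [**] [Classification: Attempted Information Leak] [Priority: 3] {6} 192.168.1.2:52724 -> 192.168.1.1:705 [Xref => http://www.securityfocus.com/bid/4088]
12/25/12-14:36:50.806858  [**] [1:1227:5] X11 outbound client connection detected [**] [Classification: Misc activity] [Priority: 3] {6} 192.168.1.1:6001 -> 192.168.1.2:51441 [Xref => http://www.whitehats.com/info/IDS126]
12/25/12-14:36:50.820777  [**] [1:615:9] SCAN SOCKS Proxy attempt [**] [Classification: Attempted Information Leak] [Priority: 3] {6} 192.168.1.2:43261 -> 192.168.1.1:1080 [Xref => http://help.undernet.org/proxyscan/]
12/25/12-14:36:50.823243  [**] [1:618:9] SCAN Squid Proxy attempt [**] [Classification: Attempted Information Leak] [Priority: 3] {6} 192.168.1.2:58202 -> 192.168.1.1:3128
EOF
}

# alert_fields FILE: one line per alert,
# "gid:sid:rev priority src:port dst:port to_service|from_service".
# Fields are found by token, so the optional Xref suffix does not matter;
# {6} is the IP protocol number this Suricata version prints. IPv4 only.
alert_fields() {
    awk '
    $2 == "[**]" {
        sid = substr($3, 2, length($3) - 2)        # "[1:620:10]" -> "1:620:10"
        pri = "?"; src = "?"; dst = "?"
        for (i = 4; i <= NF; i++) {
            if ($i == "[Priority:")
                pri = substr($(i + 1), 1, length($(i + 1)) - 1)   # "3]" -> "3"
            if (substr($i, 1, 1) == "{") { src = $(i + 1); dst = $(i + 3); break }
        }
        split(src, s, ":"); split(dst, d, ":")
        # heuristic: the lower port is the service side, so a packet whose
        # destination port is the lower one is headed toward a service
        dir = (d[2] + 0 < s[2] + 0) ? "to_service" : "from_service"
        print sid, pri, src, dst, dir
    }' "$1"
}

# sig_count FILE GID:SID: alerts for one signature, any revision
sig_count() {
    alert_fields "$1" | awk -v want="$2" '
        { split($1, p, ":"); k = p[1] ":" p[2]; if (k == want) n++ }
        END { print n + 0 }'
}

# from_service_count FILE: alerts raised on reply traffic (service -> client)
from_service_count() {
    alert_fields "$1" | awk '$5 == "from_service" { n++ } END { print n + 0 }'
}

# scan_sources FILE MIN_PORTS: "src dst nports" for every source that raised
# service-bound alerts against MIN_PORTS or more distinct ports on one host.
# Replies are skipped, so a scanned host answering from X11 ports is not
# mistaken for a scanner.
scan_sources() {
    alert_fields "$1" | awk -v min="$2" '
        $5 == "to_service" {
            split($3, s, ":"); split($4, d, ":")
            key = s[1] " " d[1]
            if (!((key, d[2]) in seen)) { seen[key, d[2]] = 1; nports[key]++ }
        }
        END { for (k in nports) if (nports[k] >= min) print k, nports[k] }' | sort
}

# Usage on a sensor: scan_sources /var/log/suricata/fast.log 10
```

On the constructed sample, sig_count reports two 1:1227 alerts, from_service_count shows that both are replies, and scan_sources with a threshold of 4 lists only 192.168.1.2 -> 192.168.1.1 with five distinct service ports, which is the nmap run.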