とても遅まきながら、暇なのでIPS/IDSをこのサイトに組み込んでみます。
Suricata
SuricataというOSSのIPSがあるそうなのでインストールしてみます。
環境
- CentOS7(7.9)
インストール
以下でインストールしています。
$ sudo yum install epel-release yum-plugin-copr
$ sudo yum copr enable @oisf/suricata-6.0
$ sudo yum --enablerepo=epel install suricata
設定
IPを自分のに指定します。
$ sudo cp /etc/suricata/suricata.yaml /etc/suricata/suricata.yaml.org
$ sudo vi /etc/suricata/suricata.yaml
vars:
# more specific is better for alert accuracy and performance
address-groups:
HOME_NET: "[XXX.XX.XXX.XXX/XX]"
af-packetセクションのインタフェースも変更する必要がありますが、たまたま設定と一緒だったので変更してません。
Rule更新
日々Ruleは変わるので更新する手順も整えておきます。
ルールを取ってくるのは
sudo suricata-update
のようなのでcronを仕掛けておきます。
$ vi /etc/cron.daily/suricata-rule-update.sh
#!/bin/bash
bin/suricata-update 2>&1 | logger -t suricata
/usr/bin/systemctl restart suricata
$ chmod +x /etc/cron.daily/suricata-rule-update.sh
起動
起動は以下のとおりです。
# sudo systemctl restart suricata
# sudo systemctl status suricata
● suricata.service - Suricata Intrusion Detection Service
Loaded: loaded (/usr/lib/systemd/system/suricata.service; disabled; vendor preset: disabled)
Active: active (running) since 土 2022-10-29 15:12:14 JST; 4s ago
Docs: man:suricata(1)
Process: 32298 ExecStartPre=/bin/rm -f /var/run/suricata.pid (code=exited, status=0/SUCCESS)
Main PID: 32300 (Suricata-Main)
CGroup: /system.slice/suricata.service
mq32300 /sbin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid -i eth0 --user suricata
10月 29 15:12:14 suricata[32300]: 29/10/2022 -- 15:12:14 - <Notice> - This is Suricata version 6.0.8 RELEASE running in SYSTEM mode
10月 29 15:12:14 suricata[32300]: 29/10/2022 -- 15:12:14 - <Warning> - [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol sip enable status not set, so enabling by defau... more details.
10月 29 15:12:14 suricata[32300]: 29/10/2022 -- 15:12:14 - <Warning> - [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol mqtt enable status not set, so enabling by defa... more details.
10月 29 15:12:14 suricata[32300]: 29/10/2022 -- 15:12:14 - <Warning> - [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol rdp enable status not set, so enabling by defau... more details.
Hint: Some lines were ellipsized, use -l to show in full.
ログ
ログは以下のように出てきます。
$ sudo tail /var/log/suricata/suricata.log
29/10/2022 -- 15:12:14 - <Info> - stats output device (regular) initialized: stats.log
29/10/2022 -- 15:12:14 - <Info> - Running in live mode, activating unix socket
29/10/2022 -- 15:12:16 - <Info> - 1 rule files processed. 28755 rules successfully loaded, 0 rules failed
29/10/2022 -- 15:12:16 - <Info> - Threshold config parsed: 0 rule(s) found
29/10/2022 -- 15:12:16 - <Info> - 28758 signatures processed. 1183 are IP-only rules, 5166 are inspecting packet payload, 22205 inspect application layer, 108 are decoder event only
29/10/2022 -- 15:12:19 - <Info> - Going to use 2 thread(s)
29/10/2022 -- 15:12:19 - <Info> - Running in live mode, activating unix socket
29/10/2022 -- 15:12:19 - <Info> - Using unix socket file '/var/run/suricata/suricata-command.socket'
29/10/2022 -- 15:12:19 - <Notice> - all 2 packet processing threads, 4 management threads initialized, engine started.
29/10/2022 -- 15:12:19 - <Info> - All AFP capture threads are running.
ここらへんに攻撃検知結果が出てくるそうです。
# tail -f /var/log/suricata/fast.log
10/29/2022-15:48:35.788882 [**] [1:2403369:78422] ET CINS Active Threat Intelligence Poor Reputation IP group 70 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 66.240.236.109:60702 -> 133.18.208.111:1900
10/29/2022-15:48:35.788882 [**] [1:2525026:594] ET 3CORESec Poor Reputation IP group 27 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 66.240.236.109:60702 -> 133.18.208.111:1900
10/29/2022-15:48:45.978911 [**] [1:2403353:78422] ET CINS Active Threat Intelligence Poor Reputation IP group 54 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 51.15.52.121:51238 -> 133.18.208.66:25600
10/29/2022-15:48:58.238421 [**] [1:2403311:78422] ET CINS Active Threat Intelligence Poor Reputation IP group 12 [**] [Classification: Misc Attack] [Priority: 2] {UDP} 23.138.80.42:5060 -> 133.18.208.111:5353
10/29/2022-15:49:07.702771 [**] [1:2100366:8] GPL ICMP_INFO PING *NIX [**] [Classification: Misc activity] [Priority: 3] {ICMP} 133.18.75.33:8 -> 133.18.208.111:0
10/29/2022-15:49:07.903656 [**] [1:2100366:8] GPL ICMP_INFO PING *NIX [**] [Classification: Misc activity] [Priority: 3] {ICMP} 133.18.75.33:8 -> 133.18.208.111:0
10/29/2022-15:49:08.103746 [**] [1:2100366:8] GPL ICMP_INFO PING *NIX [**] [Classification: Misc activity] [Priority: 3] {ICMP} 133.18.75.33:8 -> 133.18.208.111:0
10/29/2022-15:49:08.303670 [**] [1:2100366:8] GPL ICMP_INFO PING *NIX [**] [Classification: Misc activity] [Priority: 3] {ICMP} 133.18.75.33:8 -> 133.18.208.111:0
10/29/2022-15:49:08.503821 [**] [1:2100366:8] GPL ICMP_INFO PING *NIX [**] [Classification: Misc activity] [Priority: 3] {ICMP} 133.18.75.33:8 -> 133.18.208.111:0
10/29/2022-15:49:36.181054 [**] [1:2403344:78422] ET CINS Active Threat Intelligence Poor Reputation IP group 45 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 46.161.27.47:47112 -> 133.18.208.111:18000
終わりに
なかなか面白そうなので、次は、ログの解析とかもしてみたいです。
攻撃側のIPとかを世界地図にするとかも面白そうです。
参考
https://suricata.readthedocs.io/en/suricata-6.0.8/
https://forum.suricata.io/t/guide-suricata-rpms-for-centos-and-fedora/752
http://www2.itkiban.net/index.php/rhel-centos-7/ips/21-suricata-install.html