| |
With the continued security threats, intrusion detection system (IDS) is particularly necessary in today's data center environments. However, as more and more servers to upgrade their card to 10GB / 40GB Ethernet hardware on the line so the calculation-intensive intrusion detection more difficult. Wherein a way to enhance the performance of intrusion detection system intrusion detection system is a multi-threaded, deep packet inspection work will CPU-intensive parallel assigned to multiple concurrent tasks to complete. Such parallel detection can take full advantage of multi-core hardware advantages to easily enhance the throughput of intrusion detection system. There are two well-known open source projects in this regard, namely Suricata and Bro.
For this tutorial, I will show you how to install and configure Suricata IDS on a Linux server.
Suricata IDS installation on Linux
Let us from the source files to build Suricata, but before that, you need to install several as follows dependencies.
Install dependencies on Debian, Ubuntu or Linux Mint operating system
$ Sudoapt-get install wget build-essential libpcre3-dev libpcre3-dbg automake autoconf libtool libpcap-dev libnet1-dev libyaml-dev zlib1g-dev libcap-ng-dev libjansson-dev
Install dependencies on CentOS, Fedora or RHEL operating system
$ Sudoyum install wget libpcap-devel libnet-devel pcre-devel gcc-c ++ automake autoconf libtool make libyaml-devel zlib-devel file-devel jansson-devel nss-devel
Once all the dependencies installed, we can proceed with the installation of Suricata.
First, download the source code from Suricata http://suricata-ids.org/download/, then build it. The time of this writing, the latest version number is 2.0.8.
$ Wget http://www.openinfosecfoundation.org/download/suricata-2.0.8.tar.gz
$ Tar-xvf suricata-2.0.8.tar.gz
$ Cd suricata-2.0.8
$ ./configure --sysconfdir = / Etc --localstatedir = / var
The following is a sample configuration information.
SuricataConfiguration:
AF_PACKET support: yes
PF_RING support: no
NFQueue support: no
NFLOG support: no
IPFW support: no
DAG enabled: no
Napatech enabled: no
Unix socket enabled: yes
Detection enabled: yes
libnss support: yes
libnspr support: yes
libjansson support: yes
Prelude support: no
PCRE jit: yes
LUA support: no
libluajit: no
libgeoip: no
Non-bundled htp: no
Old barnyard2 support: no
CUDA enabled: no
You can now compile installed.
$ Make
$ Sudomake install
Suricata source code with the default configuration file. These default installation configuration files as follows.
$ Sudomake install-conf
As you would expect, if not the words of IDS rule sets, Suricata what did not. Fortunately Makefile provides us with the option to install IDS rule sets. Installation is as follows.
$ Sudomake install-rules
Rules above installation command downloads available from EmergingThreats.net Community Rules set snapshot, and stored in the / etc / suricata / rules directory.
First Time Suricata IDS
Now the configuration Suricata time. Location profile is /etc/suricata/suricata.yaml. Reference to the following command to open the file with a text editor.
$ Sudovi / etc / suricata / suricata.yaml
There are a number of files needed to run the basic configuration.
Suricata specify the location where the log files for the default-log-dir keywords.
default-log-dir: / var / log / suricata /
Vars section below, you will find a number of very important variables for Suricata. HOME_NET variables need to specify Suricata check network. Is assigned to the variable EXTERNAL_NET! $ HOME_NET representatives of other networks in addition to the local network. XXX_PORTS variable is used to distinguish the different services used by the port number. Note that regardless of what port, Suricata can automatically detect HTTP traffic. It is not correctly specified port becomes less important.
vars:
HOME_NET: "[192.168.122.0/24]"
EXTERNAL_NET: "! $ HOME_NET"
HTTP_PORTS: "80"
SHELLCODE_PORTS: "! 80"
SSH_PORTS: 22
host-os-policy section for defense use operating system network stack of its own behavior to avoid some of the well-known means of attack detection (for example: TCP reassembly). As a countermeasure, by the target operating system and fine-tune the algorithm for the detection engine, IDC provides a modern means of detection, "based on objectives". So, if you know what running a host operating system, it will provide this information to Suricata can significantly improve the success rate of detection. This is the host-os-policy exists. In this example, the default policy is to IDC Linux systems. If you do not specify the operating system for information about an IP address, Suricata default application-based detection strategies Linux system. As follows, when captured on 192.168.122.0/28 and 192.168.122.155 communications, Suricata policy will be applied based on the detection of the Windows system.
host-os-policy:
#These Are Windows machines.
windows: [192.168.122.0/28,192.168.122.155]
bsd: []
bsd-right: []
old-linux: []
#Make The default policy Linux.
linux: [0.0.0.0/0]
old-solaris: []
solaris: [ ":: 1"]
hpux10: []
hpux11: []
irix: []
macos: []
vista: []
windows2k3: []
In threading section, you can specify the CPU affinity for different Suricata threads. By default, CPU association is prohibited (set-cpu-affinity: no), which means that its thread Suricata assigned to all of the available CPU core. Suricata default for each CPU core to create a detection thread. You can specify the detect-thread-ratio: N to adjust this behavior. Here it will create N * M detectors threads, M representative of the total number of CPU cores.
threading:
set-cpu-affinity: no
detect-thread-ratio: 1.5
Through the above set of threads, Suricata creates 1.5 * M detectors threads, M is the total number of CPU core system.
If you want to know more about Suricata configuration, you can go read the default configuration file. Inside with a large number of comments for your clear understanding.
Use Suricata intrusion monitoring
Now is the time Suricata run up, but before that there is a step needs to be done.
When you use the pcap capture mode, it is strongly advised to turn off any uninstalled packages (such as LRO / GRO) Suricata monitor function on the card. These features can interfere with the behavior of real-time capture packets.
According to the following method to close the eth0 interface LRO / GRO function.
$ Sudo ethtool -K eth0 gro off lro off
Here we must note that in the case of certain network cards, you will see the following warning message. Ignore them on the line, this information just to tell you that your card does not support the LRO function only.
Can not change large-receive-offload
Suricata supports a number of operating modes. Operating mode determines which IDC uses threads. Following command to see all the available operating modes.
$ Sudo / usr / local / bin / suricata --list-runmodes
The default operating mode Suricata using autofp (auto flow pinned load balancing (automatic flow bound load balancing) Abbreviation). In this mode, packets from a particular stream will be assigned to a separate detection thread. These streams will be allocated according to the corresponding thread minimum number of packets unprocessed.
Finally, let Suricata up and running, to see how it appears.
$ Sudo / usr / local / bin / suricata -c /etc/suricata/suricata.yaml -i eth0 --init-errors-fatal
In this example, we monitor the eth0 network interface in an 8-core system. As shown above, Suricata creates 13 threads and three packet processing thread management. Packet processing threads includes a PCAP packet capture thread 12 to detect thread (derived from 8 * 1.5). This indicates that a packet capture thread IDS load balancing within 12 to detect thread. Thread management includes a workflow management and 2 count / statistics related thread.
The following is a screenshot on Suricata processing threads (drawn by htop).
Suricata detection logs are stored in / var / log under / suricata directory.
$ Tail-f /var/log/suricata/fast.log
04/01 / 2015-15: 47: 12.559075 [**] [1: 2200074: 1] SURICATA TCPv4 invalid checksum [**] [Classification: (null)] [Priority: 3] {TCP} 172.16.253.158:22 -> 172.16.253.1:46997
04/01 / 2015-15: 49: 06.565901 [**] [1: 2200074: 1] SURICATA TCPv4 invalid checksum [**] [Classification: (null)] [Priority: 3] {TCP} 172.16.253.158:22 -> 172.16.253.1:46317
04/01 / 2015-15: 49: 06.566759 [**] [1: 2200074: 1] SURICATA TCPv4 invalid checksum [**] [Classification: (null)] [Priority: 3] {TCP} 172.16.253.158:22 -> 172.16.253.1:46317
Logs can also provide Json format for import:
$ Tail-f /var/log/suricata/eve.json
{ "Timestamp": "2015-04-01T15: 49: 06.565901", "event_type": "alert", "src_ip": "172.16.253.158", "src_port": 22, "dest_ip": "172.16.253.1" , "dest_port": 46317, "proto": "TCP", "alert": { "action": "allowed", "gid": 1, "signature_id": 2200074, "rev": 1, "signature": "SURICATA TCPv4 invalid checksum", "category": "", "severity": 3}}
{ "Timestamp": "2015-04-01T15: 49: 06.566759", "event_type": "alert", "src_ip": "172.16.253.158", "src_port": 22, "dest_ip": "172.16.253.1" , "dest_port": 46317, "proto": "TCP", "alert": { "action": "allowed", "gid": 1, "signature_id": 2200074, "rev": 1, "signature": "SURICATA TCPv4 invalid checksum", "category": "", "severity": 3}}
Sum up
For this tutorial, I show you how to install Linux on a multi-core server Suricata intrusion detection system. Unlike the benefits of single-threaded Snort IDS, Suricata can easily from the multi-process multi-core hardware brings benefit. Custom Suricata to maximize its effectiveness and detection range is a good idea. Suricata fans maintains an online Wiki, if you intend to deploy Suricata to your environment, I strongly suggest you go to learn to take there. |
|
|
|