What is Suricata
Suricata是一个免费,开源,成熟,高性能,稳定的网络威胁检测引擎系统功能包括:实时入侵检测(IDS)、内联入侵预防(IPS)、网络安全监控(NSM)和离线pcap处理Suricata依靠强大的可扩展性的规则和特征语言过滤网络流量,并支持LUA脚本语言输出文件格式为YAML或JSON,方便与其他数据库或安全数据分析平台集成 Suricata采用社区驱动开发,有利于版本的维护和新特性的迭代Features
IDS / IPS完善的特征语言用于描述已知的威胁和恶意行为,并兼容Emerging Threats Suricata ruleset(Proofpoint和Intel规则)和VRT ruleset(snort规则),支持 Barnyard 和 Barnyard2 工具
High Performance
单个suricata示例可检测千兆网络流量,该引擎基于多线程编码和硬件加速(pf_ring,af_packet)
Automatic protocol detection
自动对端口协议扫描,有利于发现恶意软件和通信信道
NSM: More than an IDS
Suricata可记录所有的http请求链接,DNS请求和tls密钥交换,并支持从流中提取信息存储到磁盘中。
Lua scripting
LUA脚本可以弥补规则集中无法描述的特征
Industry standard outputs
主要日志输出格式为Eve,即所有的协议事件,警报输出(可单独指定主机或子网段,可配置全局规则或单独规则),流量记录
Operation System
Linux、FreeBSD、OpenBSD、macOS / Mac OS X、Windows
Configuration
YAML作为规则文件格式,可读性好
TCP/IP engine
支持IPV6,支持隧道解码包括:Teredo、IP-IP、IP6-IP4、IP4-IP6、GRE、VXLAN、Geneve,支持会话跟踪和流重组,IP分片重组,支持多种协议解码包括IPv4, IPv6, TCP, UDP, SCTP, ICMPv4, ICMPv6, GRE,Ethernet, PPP, PPPoE, Raw, SLL, VLAN, QINQ, MPLS, ERSPAN, VXLAN, Geneve,HTTP, HTTP/2, SSL, TLS, SMB, DCERPC, SMTP, FTP, SSH, DNS, Modbus, ENIP/CIP, DNP3, NFS, NTP, DHCP, TFTP, KRB5, IKEv2, SIP, SNMP, RDP, RFB, MQTT
HTTP engine
实现基于libhtp有状态的http解析器,可解析URL,请求和响应首部,cookie,user-agent,request body and response body,请求方法和状态码,host
Detection engine
可基于多特征进行检测匹配,包括:协议关键字,正则(Hyperscan),快速模式和预处理,文件匹配,JA3 / JA3S / HASSH匹配。规则方面支持实时加载规则而不重启suricata,规则延迟初始化
Packet acquire
高性能捕获模式:AF_PACKET,PF_RING,NETMAP标准模式:NFLOG ,PCAPIPS模式:Netfilter ,NETMAP,AF_PACKET (Linux),ipfw (reeBSD and NetBSD)
Muti threading
线程支持可配,一个到几十个都可以;互斥操作采用原子函数提高性能;
Architecture
Packet Capture
AF_PACKET and PF_RING通过flow (5 tuple)对称哈希到线程上
RSS技术通过分发到网卡上不同队列来分发流量,但缺点是非对称加密这会使类似TCP的双向流量检测有误
所以通常我们配置一个rss队列或用对称哈希算法,并且不启用网卡流量卸载,卸载会会无法跟踪某些流状态,举个配置例子:
PF_RING: 1 RSS queue and use cluster-type ‘cluster_flflow’. Disable NIC offlfloading except the rx/tx csum
Hyperscan
Hyperscan is a high-performance multiple regex matching library, In Suricata it can be used to perform multi pattern matching (mpm).
首先安装一下hyperscan:
apt-get install cmake ragelapt-get install libboost-devsudo apt-get python-dev libbz2-devwget /boostorg/release/1.66.0/source/boost_1_66_0.tar.gztar xvzf boost_1_66_0.tar.gzcd boost_1_66_0./bootstrap.sh --prefix=~/tmp/boost-1.66./b2 installgit clone /intel/hyperscancd hyperscanmkdir buildcd buildcmake -DBUILD_STATIC_AND_SHARED=1 ../cmake -DBUILD_STATIC_AND_SHARED=1 -DBOOST_ROOT=~/tmp/boost-1.66 ../makesudo make install
其次默认情况suricata在编译时没有启用hyperscan, 我们需要显示的编译suricata时加入命令:–with-libhs-includes=/usr/local/include/hs/ –with-libhs-libraries=/usr/local/lib/然后再suricata.yaml中修改 mpm-algo and spm-algo values to ‘hs’.
High Performance Confifiguration
If you have enough RAM, consider the following options in
suricata.yaml detect: profile: custom custom-values:
toclient-groups: 200 toserver-groups: 200 sgh-mpm-context: auto
inspection-recursion-limit: 3000
Statistics
每隔8s中会向stats.log file写入包数数据:
关闭suricata时,也可以看到总的收发包数和丢包数
capture mode不同,显示的数目有可能有差别:
In AF_PACKET mode: • kernel_packets is the number of packets correctly
sent to userspace • kernel_drops is the number of packets that have
been discarded instead of being sent to userspace In PF_RING mode: •
kernel_packets is the total number of packets seen by pf_ring •
kernel_drops is the number of packets that have been discarded instead
of being sent to userspace
Ignoring Traffific
可通过配置bpf文件进行忽略某些类型的流量
echo “not host 1.2.3.4” > capture-filter.bpf
suricata -i ens5f0 -F capture-filter.bpf
语法类似于:“not (host IP1 or IP2 or IP3 or net NET/24)”或 “ tcp or udp”
或者也可根据suricata规则即可:
pass/drop ip 1.2.3.4 any <> any any (msg:“pass all traffic from/to 1.2.3.4”; sid:1;)
设置tls关键字,可以将https握手之后的流量全部放行,不去检测:
app-layer.protocols.tls.encryption-handling
