How to Install Suricata IDS on Rocky Linux
Posted by admin on February 28, 2025

Suricata is a free and open-source intrusion detection (IDS), intrusion prevention (IPS) and network security monitoring (NSM) tool for Linux. It uses a set of signatures and rules to inspect and process network traffic. When it detects suspicious packets aimed at any number of services on the server, they are blocked immediately. By default, Suricata works as a passive intrusion detection system that scans the traffic on the server for suspicious packets. However, you can also use it as an active intrusion prevention system (IPS) to log, report and completely block network traffic that matches certain rules.

This tutorial shows how I install Suricata IDS on a Rocky Linux server.

Requirements

  • A server running Rocky Linux 8 or 9
  • A root password configured on the server.

Install Suricata on Rocky Linux

Suricata is not included in the default Rocky Linux repositories, so you need to install it from the EPEL repository.

First, install the EPEL repository with the following command:

dnf install epel-release -y

Once EPEL is installed, check the Suricata package information with the following command:

dnf info suricata

You will get the following output:

Available Packages
Name         : suricata
Version      : 5.0.8
Release      : 1.el8
Architecture : x86_64
Size         : 2.3 M
Source       : suricata-5.0.8-1.el8.src.rpm
Repository   : epel
Summary      : Intrusion Detection System
URL          : https://suricata-ids.org/
License      : GPLv2
Description  : The Suricata Engine is an Open Source Next Generation Intrusion
             : Detection and Prevention Engine. This engine is not intended to
             : just replace or emulate the existing tools in the industry, but
             : will bring new ideas and technologies to the field. This new Engine
             : supports Multi-threading, Automatic Protocol Detection (IP, TCP,
             : UDP, ICMP, HTTP, TLS, FTP and SMB! ), Gzip Decompression, Fast IP
             : Matching, and GeoIP identification.

Next, install Suricata with the following command:

dnf install suricata -y

Once the installation has succeeded, you can proceed to the next step.

Configure Suricata

Suricata ships with many rules, called signatures, for detecting threats. All rules are located in the directory /etc/suricata/rules/.

Run the following command to list all rules:

ls /etc/suricata/rules/

You will get the following output:

app-layer-events.rules  dnp3-events.rules  http-events.rules      modbus-events.rules  smb-events.rules     tls-events.rules
decoder-events.rules    dns-events.rules   ipsec-events.rules     nfs-events.rules     smtp-events.rules
dhcp-events.rules       files.rules        kerberos-events.rules  ntp-events.rules     stream-events.rules

Next, run the following command to update all rules:

suricata-update

You will get the following output:

19/9/2023 -- 05:28:15 -  -- Loading distribution rule file /usr/share/suricata/rules/app-layer-events.rules
19/9/2023 -- 05:28:15 -  -- Loading distribution rule file /usr/share/suricata/rules/decoder-events.rules
19/9/2023 -- 05:28:15 -  -- Loading distribution rule file /usr/share/suricata/rules/dhcp-events.rules
19/9/2023 -- 05:28:15 -  -- Loading distribution rule file /usr/share/suricata/rules/dnp3-events.rules
19/9/2023 -- 05:28:15 -  -- Loading distribution rule file /usr/share/suricata/rules/dns-events.rules
19/9/2023 -- 05:28:15 -  -- Loading distribution rule file /usr/share/suricata/rules/files.rules
19/9/2023 -- 05:28:15 -  -- Loading distribution rule file /usr/share/suricata/rules/http-events.rules
19/9/2023 -- 05:28:15 -  -- Loading distribution rule file /usr/share/suricata/rules/ipsec-events.rules
19/9/2023 -- 05:28:15 -  -- Loading distribution rule file /usr/share/suricata/rules/kerberos-events.rules
19/9/2023 -- 05:28:15 -  -- Loading distribution rule file /usr/share/suricata/rules/modbus-events.rules
19/9/2023 -- 05:28:15 -  -- Loading distribution rule file /usr/share/suricata/rules/nfs-events.rules
19/9/2023 -- 05:28:15 -  -- Loading distribution rule file /usr/share/suricata/rules/ntp-events.rules
19/9/2023 -- 05:28:15 -  -- Loading distribution rule file /usr/share/suricata/rules/smb-events.rules
19/9/2023 -- 05:28:15 -  -- Loading distribution rule file /usr/share/suricata/rules/smtp-events.rules
19/9/2023 -- 05:28:15 -  -- Loading distribution rule file /usr/share/suricata/rules/stream-events.rules
19/9/2023 -- 05:28:15 -  -- Loading distribution rule file /usr/share/suricata/rules/tls-events.rules
19/9/2023 -- 05:28:15 -  -- Ignoring file rules/emerging-deleted.rules
19/9/2023 -- 05:28:20 -  -- Loaded 32403 rules.
19/9/2023 -- 05:28:20 -  -- Disabled 14 rules.
19/9/2023 -- 05:28:20 -  -- Enabled 0 rules.
19/9/2023 -- 05:28:20 -  -- Modified 0 rules.
19/9/2023 -- 05:28:20 -  -- Dropped 0 rules.
19/9/2023 -- 05:28:21 -  -- Enabled 131 rules for flowbit dependencies.
19/9/2023 -- 05:28:21 -  -- Backing up current rules.
19/9/2023 -- 05:28:26 -  -- Writing rules to /var/lib/suricata/rules/suricata.rules: total: 32403; enabled: 25008; added: 0; removed 0; modified: 0
19/9/2023 -- 05:28:27 -  -- Writing /var/lib/suricata/rules/classification.config
19/9/2023 -- 05:28:27 -  -- No changes detected, exiting.

Next, edit the Suricata configuration file and define the server IP, the rule path and the network interface:

nano /etc/suricata/suricata.yaml

Change the following lines:

    #HOME_NET: "[192.198.0.0/19,10.0.0.0/8,172.19.0.0/12]"
    HOME_NET: "[192.198.1.48]"
    #HOME_NET: "[192.198.0.0/19]"
    #HOME_NET: "[10.0.0.0/8]"
    #HOME_NET: "[172.19.0.0/12]"
    #HOME_NET: "any"

    EXTERNAL_NET: "!$HOME_NET"
    #EXTERNAL_NET: "any"

af-packet:
  - interface: eth0

default-rule-path: /var/lib/suricata/rules

rule-files:
  - suricata.rules

Once done, save and close the file, then disable GRO/LRO offloading on the interface with the following command:

ethtool -K eth0 gro off lro off

Manage the Suricata Service

Next, start the Suricata service and enable it with the following commands so that it starts on system reboot:

systemctl start suricata
systemctl enable suricata

You can check the status of Suricata with the following command:

systemctl status suricata

You will get the following output:

● suricata.service - Suricata Intrusion Detection Service
   Loaded: loaded (/usr/lib/systemd/system/suricata.service; enabled; vendor preset: disabled)
   Active: active (running) since Wed 2022-03-19 10:06:20 UTC; 5s ago
     Docs: man:suricata(1)
  Process: 24047 ExecStartPre=/bin/rm -f /var/run/suricata.pid (code=exited, status=0/SUCCESS)
 Main PID: 24049 (Suricata-Main)
    Tasks: 1 (limit: 23696)
   Memory: 232.9M
   CGroup: /system.slice/suricata.service
           └─24049 /sbin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid -i eth0 --user suricata

Sep 19 10:06:20 rockylinux systemd[1]: Starting Suricata Intrusion Detection Service...
Sep 19 10:06:20 rockylinux systemd[1]: Started Suricata Intrusion Detection Service.
Sep 19 10:06:20 rockylinux suricata[24049]: 19/9/2023 -- 10:06:20 -  - This is Suricata version 5.0.8 RELEASE running in SYSTEM mode

To check the Suricata process log, run the following command:

tail /var/log/suricata/suricata.log

You should see the following output:

19/9/2023 -- 10:06:23 -  - Running in live mode, activating unix socket
19/9/2023 -- 10:06:23 -  - SSSE3 support not detected, disabling Hyperscan for SPM
19/9/2023 -- 10:06:23 -  - 1 rule files processed. 24930 rules successfully loaded, 0 rules failed
19/9/2023 -- 10:06:23 -  - Threshold config parsed: 0 rule(s) found
19/9/2023 -- 10:06:23 -  - 24933 signatures processed. 1283 are IP-only rules, 4109 are inspecting packet payload, 19340 inspect application layer, 105 are decoder event only
19/9/2023 -- 10:06:23 -  - Going to use 2 thread(s)
19/9/2023 -- 10:06:23 -  - Running in live mode, activating unix socket
19/9/2023 -- 10:06:23 -  - Using unix socket file '/var/run/suricata/suricata-command.socket'
19/9/2023 -- 10:06:23 -  - all 2 packet processing threads, 4 management threads initialized, engine started.
19/9/2023 -- 10:06:23 -  - All AFP capture threads are running.

You can check the Suricata alert log with the following command:

tail -f /var/log/suricata/fast.log

You should see the following output:

19/19/2022-10:06:23.059177  [**] [1:2402000:6215] ET DROP Dshield Block Listed Source group 1 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 45.155.205.43:54612 -> 209.23.8.4:14381
09/19/2023-10:06:23.059177  [**] [1:2403342:73004] ET CINS Active Threat Intelligence Poor Reputation IP group 43 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 45.155.205.43:54612 -> 209.23.8.4:14381

To check the Suricata statistics log, use the following command:

tail -f /var/log/suricata/stats.log

You should see the following output:

------------------------------------------------------------------------------------
Counter                                       | TM Name                   | Value
------------------------------------------------------------------------------------
capture.kernel_packets                        | Total                     | 651
decoder.pkts                                  | Total                     | 651
decoder.bytes                                 | Total                     | 51754
decoder.ipv4                                  | Total                     | 398
decoder.ipv6                                  | Total                     | 251
decoder.ethernet                              | Total                     | 651

Test Suricata IDS

After installing Suricata IDS, you also need to test whether it is working. To do so, log in to another system and install the hping3 utility to perform a DDoS attack.

dnf install hping3

After installing hping3, run the following command to perform the DDoS attack:

hping3 -S -p 22 --flood --rand-source suricata-ip

Now go to the Suricata system and check the alert log with the following command:

tail -f /var/log/suricata/fast.log

You should see the following output:

09/19/2023-10:08:18.049526  [**] [1:2403393:73004] ET CINS Active Threat Intelligence Poor Reputation IP group 94 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 89.248.193.194:44217 -> 209.23.8.4:37394
09/19/2023-10:08:52.933947  [**] [1:2402000:6215] ET DROP Dshield Block Listed Source group 1 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 197.248.133.173:24721 -> 209.23.8.4:9307
09/19/2023-10:09:52.284374  [**] [1:2402000:6215] ET DROP Dshield Block Listed Source group 1 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 89.248.195.202:57104 -> 209.23.8.4:6061
09/19/2023-10:10:52.284374  [**] [1:2403393:73004] ET CINS Active Threat Intelligence Poor Reputation IP group 94 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 89.248.195.202:57104 -> 209.23.8.4:6061
09/19/2023-10:10:19.951353  [**] [1:2403341:73004] ET CINS Active Threat Intelligence Poor Reputation IP group 42 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 45.137.21.208:42694 -> 209.23.8.4:57335
09/19/2023-10:11:21.477358  [**] [1:2403369:73004] ET CINS Active Threat Intelligence Poor Reputation IP group 70 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 61.190.237.40:48539 -> 209.23.8.4:2375
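As an added example that is not part of the original tutorial, the following Python script parses fast.log lines in the format shown in the alert-log and test sections above, applies the HOME_NET / EXTERNAL_NET (!$HOME_NET) distinction from the configuration step, and counts inbound alerts per external source IP and per signature ID. It assumes HOME_NET is the sample destination 209.23.8.4/32 (the tutorial's suricata.yaml uses a different address), and the sample lines are constructed from the output above plus one truncated line.

```python
import re
import ipaddress
from collections import Counter

# One-line fast.log alert format as printed in the tutorial output above.
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+\[Classification:\s+(?P<cls>[^\]]+)\]\s+"
    r"\[Priority:\s+(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\S+):(?P<sport>\d+)\s+->\s+(?P<dst>\S+):(?P<dport>\d+)$"
)

# Assumed HOME_NET: the monitored host that appears as destination in the sample alerts
# (the tutorial's suricata.yaml uses a different address; adjust to your own).
HOME_NET = [ipaddress.ip_network("209.23.8.4/32")]

def parse_fast_line(line):
    """Return the alert fields as a dict, or None if the line is not a fast.log alert."""
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("gid", "sid", "rev", "prio", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec

def in_home_net(ip, home_net=HOME_NET):
    """True when ip is inside HOME_NET; EXTERNAL_NET is its complement (!$HOME_NET)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in home_net)

def summarize(lines, home_net=HOME_NET):
    """Count inbound alerts (external source -> home destination) per source IP and per SID."""
    by_src, by_sid, skipped = Counter(), Counter(), 0
    for line in lines:
        rec = parse_fast_line(line)
        if rec is None:
            skipped += 1  # truncated or non-alert lines, e.g. a partial line from `tail -f`
            continue
        if in_home_net(rec["dst"], home_net) and not in_home_net(rec["src"], home_net):
            by_src[rec["src"]] += 1
        by_sid[(rec["sid"], rec["msg"])] += 1
    return by_src, by_sid, skipped

# Constructed sample: two alert lines copied from the tutorial output plus one truncated line.
SAMPLE = """\
09/19/2023-10:08:52.933947  [**] [1:2402000:6215] ET DROP Dshield Block Listed Source group 1 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 197.248.133.173:24721 -> 209.23.8.4:9307
09/19/2023-10:09:52.284374  [**] [1:2402000:6215] ET DROP Dshield Block Listed Source group 1 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 89.248.195.202:57104 -> 209.23.8.4:6061
09/19/2023-10:10:52.284374  [**] [1:2403393:73004] ET CINS Active Threat Intelligence Poor Reputation IP group 94
"""
```

Feed it `open("/var/log/suricata/fast.log")` instead of `SAMPLE.splitlines()` to get the same per-source and per-SID counts for a live sensor.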

Conclusion

Congratulations! You have successfully installed and configured Suricata IDS on Rocky Linux. You now know how to install Suricata and use it as an IDS and IPS system to detect and block malicious requests.

©2015-2025 艾丽卡 support@alaica.com