선 밖에 선 자유인
Building a Suricata IDS
Install base packages
# rpm -Uvh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
# yum -y install libpcap libpcap-devel libnet libnet-devel pcre pcre-devel gcc gcc-c++ automake autoconf libtool make libyaml libyaml-devel zlib zlib-devel file-devel
# yum -y install nss-util nss-util-devel nss-devel nspr-devel nspr GeoIP-devel GeoIP python-simplejson python-setuptools python-instant python-distutils-extra
libcap-ng for packet capture
# wget http://people.redhat.com/sgrubb/libcap-ng/libcap-ng-0.7.4.tar.gz
# tar xzf libcap-ng-0.7.4.tar.gz && cd libcap-ng-0.7.4
# ./configure && make clean && make && make install
jansson for JSON output
# wget http://www.digip.org/jansson/releases/jansson-2.7.tar.gz
# tar xzf jansson-2.7.tar.gz && cd jansson-2.7
# ./configure --prefix=/usr/ && make clean && make && make install
libhtp (HTTP parsing library)
# wget https://github.com/OISF/libhtp/releases/download/0.5.16/htp-0.5.16.tar.gz --no-check-certificate
# tar xzf htp-0.5.16.tar.gz && cd htp-0.5.16
# ./configure && make && make install
Netfilter libraries for IPS mode
# yum install -y libnetfilter_queue libnetfilter_queue-devel libnfnetlink libnfnetlink-devel libnetfilter_acct libnetfilter_acct-devel libnetfilter_conntrack libnetfilter_conntrack-devel libnetfilter_cthelper libnetfilter_cthelper-devel
Install Suricata
# wget http://www.openinfosecfoundation.org/download/suricata-2.0.6.tar.gz
# tar xzf suricata-2.0.6.tar.gz && cd suricata-2.0.6
# ./configure --prefix=/usr/ --sysconfdir=/etc/ --localstatedir=/var/ \
--enable-unix-socket --enable-profiling --enable-geoip \
--with-libnss-libraries=/usr/lib64 --with-libnss-includes=/usr/include/nss3 \
--with-libnspr-libraries=/usr/lib64 --with-libnspr-includes=/usr/include/nspr4
# make && make install && ldconfig
# make install-full
Verify the build
# suricata --build-info
Test run (capture on eth0 with the default config)
# suricata -c /etc/suricata/suricata.yaml -i eth0
Tune the detection engine for the host's resources
# vi /etc/suricata/suricata.yaml
Low-spec host => detect-engine: profile: low
Average host => detect-engine: profile: medium
High-spec host => detect-engine: profile: high
Automatic rule updates with oinkmaster
# wget http://prdownloads.sourceforge.net/oinkmaster/oinkmaster-2.0.tar.gz
# tar xzf oinkmaster-2.0.tar.gz
# cd oinkmaster-2.0
# cp oinkmaster.pl /usr/local/bin/
# cp oinkmaster.conf /etc/suricata/
# vi /etc/suricata/oinkmaster.conf
Add =>
url = http://rules.emergingthreats.net/open/suricata/emerging.rules.tar.gz
# oinkmaster.pl -C /etc/suricata/oinkmaster.conf -o /etc/suricata/rules
Register the update in crontab
Add to /etc/crontab (runs every day at 02:00):
00 2 * * * root /usr/local/bin/oinkmaster.pl -o /etc/suricata/rules -C /etc/suricata/oinkmaster.conf
# /etc/init.d/crond restart
* IP reputation
Enable the IP Reputation section in suricata.yaml:
# IP Reputation
reputation-categories-file: /etc/suricata/iprep/categories.txt
default-reputation-path: /etc/suricata/iprep
reputation-files:
  - reputation.list
default-rule-path: /etc/suricata/rules
rule-files:
  - ipre.rules
# mkdir /etc/suricata/iprep
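Suricata reads categories.txt and reputation.list from that directory as comma-separated text and silently ignores malformed lines, so a bad file looks like "no hits" rather than an error. As an added example (not part of the original post), this Python helper writes both files plus the matching ipre.rules from constructed sample data, rejecting out-of-range scores, unknown categories and bad addresses before Suricata ever loads them. The IPs, category names, scores and rule sid are constructed; the directory and file names follow the post.

```python
import ipaddress
from pathlib import Path

# Constructed sample data: category id -> (short name, description)
CATEGORIES = {1: ("BadHosts", "Known bad hosts"), 2: ("Scanners", "Hosts seen scanning")}
# Constructed entries: (ip or cidr, category id, reputation score 0-127)
ENTRIES = [("192.0.2.10", 1, 120), ("198.51.100.0/24", 2, 40)]


def render_categories(categories):
    """categories.txt: one '<id>,<short name>,<description>' per line."""
    lines = []
    for cid, (name, desc) in sorted(categories.items()):
        if "," in name or "," in desc:
            raise ValueError("category fields must not contain commas")
        lines.append(f"{cid},{name},{desc}")
    return "\n".join(lines) + "\n"


def render_reputation(entries, categories):
    """reputation.list: one '<ip or cidr>,<category id>,<score>' per line."""
    lines = []
    for host, cid, score in entries:
        net = ipaddress.ip_network(host, strict=False)  # raises ValueError on junk
        if cid not in categories:
            raise ValueError(f"unknown category id {cid} for {host}")
        if not isinstance(score, int) or not 0 <= score <= 127:
            raise ValueError(f"score {score!r} out of range 0-127 for {host}")
        # Single hosts are written bare, networks in CIDR form
        addr = net.with_prefixlen if net.prefixlen < net.max_prefixlen else str(net.network_address)
        lines.append(f"{addr},{cid},{score}")
    return "\n".join(lines) + "\n"


def iprep_rule(sid, category, threshold=30):
    """Alert when the source address scores above `threshold` in `category`."""
    return (f'alert ip any any -> any any (msg:"IPREP {category} source"; '
            f'iprep:src,{category},>,{threshold}; sid:{sid}; rev:1;)')


def write_iprep(iprep_dir="/etc/suricata/iprep", rules_dir="/etc/suricata/rules"):
    """Write categories.txt, reputation.list and ipre.rules; returns the paths."""
    iprep, rules = Path(iprep_dir), Path(rules_dir)
    iprep.mkdir(parents=True, exist_ok=True)
    (iprep / "categories.txt").write_text(render_categories(CATEGORIES))
    (iprep / "reputation.list").write_text(render_reputation(ENTRIES, CATEGORIES))
    rule_lines = [iprep_rule(9000000 + cid, name) for cid, (name, _) in sorted(CATEGORIES.items())]
    (rules / "ipre.rules").write_text("\n".join(rule_lines) + "\n")
    return [str(iprep / "categories.txt"), str(iprep / "reputation.list"), str(rules / "ipre.rules")]


if __name__ == "__main__":
    print("\n".join(write_iprep()))
```

Run it as root on the sensor, then restart Suricata and confirm the files were picked up with `suricata -c /etc/suricata/suricata.yaml -i eth0` and the startup log.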