githubfoam / suricata-sandbox


network security monitoring NIDS HIDS CTI DFIR

License: GNU General Public License v3.0

network-security-monitoring nids hids host-based network-based artificial-intelligence digital-forensics-incident-response digital-forensic-readiness cyber-threat-intelligence

suricata-sandbox's Introduction

suricata-sandbox

ubuntu-19.04 / Debian GNU/Linux 10 (buster)

cd /tmp/suricata-5.0.0/
sudo make install-full

error: rules not installed as suricata-update not available
make[1]: *** [Makefile:937: install-rules] Error 1
make[1]: Leaving directory '/tmp/suricata-5.0.0'
make: *** [Makefile:918: install-full] Error 2

centos-7.7

[vagrant@vg-suricata-04 ~]$ sudo LD_LIBRARY_PATH=/usr/lib /usr/bin/suricata-update
[vagrant@vg-suricata-04 ~]$ sudo LD_LIBRARY_PATH=/usr/lib /usr/bin/suricata-update update-sources
7/12/2019 -- 12:23:13 - <Info> -- Using data-directory /var/lib/suricata.
7/12/2019 -- 12:23:13 - <Info> -- Using Suricata configuration /etc/suricata/suricata.yaml
7/12/2019 -- 12:23:13 - <Info> -- Using /usr/share/suricata/rules for Suricata provided rules.
7/12/2019 -- 12:23:13 - <Info> -- Found Suricata version 5.0.0 at /usr/bin/suricata.
7/12/2019 -- 12:23:13 - <Info> -- Downloading https://www.openinfosecfoundation.org/rules/index.yaml
7/12/2019 -- 12:23:15 - <Info> -- Saved /var/lib/suricata/update/cache/index.yaml
[vagrant@vg-suricata-04 ~]$ sudo ethtool -K eth1 tso off
[vagrant@vg-suricata-04 ~]$ sudo ethtool -K eth1 tx off
[vagrant@vg-suricata-04 ~]$ sudo ethtool -K eth1 gro off

[vagrant@vg-suricata-04 ~]$ sudo LD_LIBRARY_PATH=/usr/lib /usr/bin/suricata -D -c /etc/suricata/suricata.yaml -i eth1
7/12/2019 -- 12:24:20 - <Notice> - This is Suricata version 5.0.0 RELEASE running in SYSTEM mode
[vagrant@vg-suricata-04 ~]$

# smoketesting
vagrant@vg-suricata-03:~$ sudo hping3 -S -p 80 --flood --rand-source vg-suricata-04


# monitoring
vagrant@vg-suricata-01:~$ sudo tail -f /var/log/suricata/fast.log
vagrant@vg-suricata-01:/var/log/suricata$ cd /var/log/suricata && tail -f http.log stats.log


ubuntu-16.04

vagrant@vg-suricata-01:~$ sudo suricata-update
vagrant@vg-suricata-01:~$ sudo suricata-update update-sources
vagrant@vg-suricata-01:~$ sudo ethtool -K eth1 tso off
vagrant@vg-suricata-01:~$ sudo ethtool -K eth1 tx off
vagrant@vg-suricata-01:~$ sudo ethtool -K eth1 gro off

vagrant@vg-suricata-01:~$ sudo cp /vagrant/custom_rules/my.rules /var/lib/suricata/rules
vagrant@vg-suricata-01:~$ sudo cp /vagrant/custom_rules/test-ddos.rules /var/lib/suricata/rules
vagrant@vg-suricata-01:~$ sudo ls /var/lib/suricata/rules
my.rules  suricata.rules  test-ddos.rules

vagrant@vg-suricata-01:~$ sudo suricata -D -c /etc/suricata/suricata.yaml -i eth1
7/12/2019 -- 11:00:35 - <Notice> - This is Suricata version 5.0.0 RELEASE running in SYSTEM mode


# smoketesting
vagrant@vg-suricata-03:~$ sudo hping3 -S -p 80 --flood --rand-source vg-suricata-01
HPING vg-suricata-01 (eth1 192.168.18.9): S set, 40 headers + 0 data bytes
hping in flood mode, no replies will be shown

# monitoring
vagrant@vg-suricata-01:~$ sudo tail -f /var/log/suricata/fast.log
vagrant@vg-suricata-01:/var/log/suricata$ cd /var/log/suricata && tail -f http.log stats.log

The configuration file
/etc/suricata/suricata.yaml

$ sudo cat /etc/suricata/suricata.yaml
    HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]" # internal network to be protected
    EXTERNAL_NET: "!$HOME_NET"
You can now start suricata by running as root something like:
  /usr/bin/suricata -c /etc/suricata/suricata.yaml -i eth0

If a library like libhtp.so is not found, you can run suricata with:
  LD_LIBRARY_PATH=/usr/lib /usr/bin/suricata -c /etc/suricata/suricata.yaml -i eth0

The Emerging Threats Open rules are now installed. Rules can be
updated and managed with the suricata-update tool.

For more information please see:
  https://suricata.readthedocs.io/en/latest/rule-management/index.html

make[1]: Leaving directory '/tmp/suricata-5.0.0'
vagrant@vg-suricata-01:~$ sudo /usr/bin/suricata -c /etc/suricata/suricata.yaml -i eth1
6/12/2019 -- 23:49:49 - <Notice> - This is Suricata version 5.0.0 RELEASE running in SYSTEM mode
6/12/2019 -- 23:49:49 - <Warning> - [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - eve-log dns version not found, forcing it to version 2
6/12/2019 -- 23:49:49 - <Warning> - [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - eve-log dns version not found, forcing it to version 2
6/12/2019 -- 23:50:04 - <Notice> - all 2 packet processing threads, 4 management threads initialized, engine started.
download the Emerging Threats Open ruleset into /var/lib/suricata/rules/
sudo suricata-update

 $ sudo suricata-update update-sources
 6/12/2019 -- 23:56:24 - <Info> -- Using data-directory /var/lib/suricata.
 6/12/2019 -- 23:56:24 - <Info> -- Using Suricata configuration /etc/suricata/suricata.yaml
 6/12/2019 -- 23:56:24 - <Info> -- Using /usr/share/suricata/rules for Suricata provided rules.
 6/12/2019 -- 23:56:24 - <Info> -- Found Suricata version 5.0.0 at /usr/bin/suricata.
 6/12/2019 -- 23:56:24 - <Info> -- Downloading https://www.openinfosecfoundation.org/rules/index.yaml
 6/12/2019 -- 23:56:25 - <Info> -- Saved /var/lib/suricata/update/cache/index.yaml

list what is available
$ sudo suricata-update list-sources

enable rules that are disabled by default
/etc/suricata/enable.conf
disable rules
/etc/suricata/disable.conf

custom rulesets

default-rule-path: /var/lib/suricata/rules

rule-files:
  - suricata.rules
# Custom Test rules
  - test-ddos.rules  
  - my.rules

disable packet offload features on the network interface on which Suricata is listening
ethtool -K eth1 gro off lro off

$ sudo ethtool -K eth1 gro off lro off
Cannot change large-receive-offload

$ ethtool -k eth1 | grep large
large-receive-offload: off [fixed]

ethtool -K eth1 tso off
ethtool -K eth1 tx off
ethtool -K eth1 gro off
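The "Cannot change large-receive-offload" failure above happens because ethtool reports that feature as [fixed]. As an added example (not code from the suricata-sandbox repo), a POSIX sh helper that reads `ethtool -k` output and only turns off the features that are currently on and changeable; the interface name and the sample ethtool output are assumed/constructed.

```shell
#!/bin/sh
# Added example, not from the suricata-sandbox repo: pick which offload features
# to turn off on the capture interface, skipping anything ethtool marks [fixed]
# (the case that produced "Cannot change large-receive-offload" above).

# Full feature names behind the README's tso / tx / gro / lro toggles; ethtool -K
# accepts these long names as well as the short ones.
WANTED_OFF="tcp-segmentation-offload tx-checksumming generic-receive-offload large-receive-offload"

# offload_targets: reads `ethtool -k IFACE` output on stdin and prints, one per
# line, the wanted features that are currently on and changeable.
offload_targets() {
    awk -v wanted="$WANTED_OFF" '
        BEGIN { n = split(wanted, w, " "); for (i = 1; i <= n; i++) want[w[i]] = 1 }
        # top-level features start in column 0 ("generic-receive-offload: on");
        # indented sub-features follow their parent toggle and are skipped here
        /^[a-z]/ {
            name = $1; sub(/:$/, "", name)
            if ((name in want) && $2 == "on" && $3 != "[fixed]") print name
        }'
}

# disable_offloads IFACE: apply the result; returns nonzero if any ethtool -K fails.
disable_offloads() {
    rc=0
    for feat in $(ethtool -k "$1" | offload_targets); do
        ethtool -K "$1" "$feat" off || rc=1
    done
    return "$rc"
}

# Constructed sample of `ethtool -k eth1` output (real output indents sub-features with a tab).
SAMPLE_ETHTOOL_K='Features for eth1:
rx-checksumming: on
tx-checksumming: on
        tx-checksum-ipv4: on
tcp-segmentation-offload: on
        tx-tcp-segmentation: on
generic-segmentation-offload: on
generic-receive-offload: on
large-receive-offload: off [fixed]
rx-vlan-offload: on [fixed]'

# Stand-alone: print what would be disabled for the sample (run `disable_offloads eth1` as root for real).
printf '%s\n' "$SAMPLE_ETHTOOL_K" | offload_targets
```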

various modes in which Suricata can run
suricata --list-runmodes

run Suricata in PCAP live mode
  suricata -D -c /etc/suricata/suricata.yaml -i eth1

Test the rules for errors (highly recommended): --init-errors-fatal
sudo suricata -c /etc/suricata/suricata.yaml -i eth1 --init-errors-fatal

Suricata logs on Suricata host
tail -f /var/log/suricata/fast.log

tail -f /var/log/suricata/http.log
tail -f /var/log/suricata/stats.log

cd /var/log/suricata && tail -f http.log stats.log

smoketesting suricata

remote client

perform SYN FLOOD attack against Suricata server
hping3 -S -p 80 --flood --rand-source vg-suricata-01

Nmap scan against Suricata server
nmap -sS -v -n -A vg-suricata-01 -T4

perform an SSH connection attempt from the remote machine
ssh vg-suricata-01

perform test attack against Suricata server
nikto -h vg-suricata-01 -C all
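To check the monitoring and smoke-test steps above without watching `tail -f`, here is an added example (not code from the suricata-sandbox repo) that summarises fast.log alerts per signature and per source address; the two TEST signatures and the log lines are constructed, and IPv4 addresses are assumed in the src/dst fields.

```shell
#!/bin/sh
# Added example, not from the suricata-sandbox repo: summarise fast.log alerts
# so the smoke tests (hping3 flood, nmap, ssh, nikto) can be verified quickly.

# alert_summary: reads fast.log lines on stdin, prints "count sid msg", busiest first.
alert_summary() {
    awk '
        /\[\*\*\]/ {
            # the [gid:sid:rev] tag sits right after the first [**]
            if (match($0, /\[[0-9]+:[0-9]+:[0-9]+\]/)) {
                split(substr($0, RSTART + 1, RLENGTH - 2), ids, ":")
                sid = ids[2]
                msg = substr($0, RSTART + RLENGTH + 1)
                sub(/ \[\*\*\].*$/, "", msg)      # drop classification/priority/addresses
                if (!(sid in msgs)) msgs[sid] = msg
                count[sid]++
            }
        }
        END { for (s in count) printf "%d %s %s\n", count[s], s, msgs[s] }' | sort -rn
}

# noisy_sources MIN: prints "count src-ip" for sources with at least MIN alerts.
# Useful for the single-host nmap/nikto/ssh tests; a --rand-source flood spreads
# over many addresses, which is exactly what this per-source view will show.
noisy_sources() {
    awk -v min="${1:-100}" '
        /\[\*\*\]/ { src = $(NF-2); sub(/:[0-9]+$/, "", src); seen[src]++ }
        END { for (s in seen) if (seen[s] >= min) print seen[s], s }' | sort -rn
}

# Constructed fast.log sample: two local test signatures (sids in the 1000000+ local range).
SAMPLE_FAST_LOG='12/07/2019-11:02:15.123456  [**] [1:1000001:1] TEST SYN flood to port 80 [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} 198.51.100.5:40123 -> 192.168.18.9:80
12/07/2019-11:02:15.223456  [**] [1:1000001:1] TEST SYN flood to port 80 [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} 203.0.113.7:51234 -> 192.168.18.9:80
12/07/2019-11:02:16.001234  [**] [1:1000002:1] TEST SSH connection attempt [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.168.18.5:44321 -> 192.168.18.9:22
12/07/2019-11:02:16.101234  [**] [1:1000002:1] TEST SSH connection attempt [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.168.18.5:44322 -> 192.168.18.9:22
12/07/2019-11:02:17.500000  [**] [1:1000001:1] TEST SYN flood to port 80 [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} 192.168.18.5:44400 -> 192.168.18.9:80'

# Stand-alone run on the sample; on the sensor: alert_summary < /var/log/suricata/fast.log
printf '%s\n' "$SAMPLE_FAST_LOG" | alert_summary
printf '%s\n' "$SAMPLE_FAST_LOG" | noisy_sources 2
```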


roles

suricata
test_suricata

upgrade

suricata_version: 5.0.0
provisioning\roles\suricata\vars\main.yml
<https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricata_Installation>

suricata-sandbox's Issues

Security Policy violation SECURITY.md

This issue was automatically created by Allstar.

Security Policy Violation
Security policy not enabled.
A SECURITY.md file can give users information about what constitutes a vulnerability and how to report one securely so that information about a bug is not publicly visible. Examples of secure reporting methods include using an issue tracker with private issue support, or encrypted email with a published key.

To fix this, add a SECURITY.md file that explains how to handle vulnerabilities found in your repository. Go to https://github.com/githubfoam/suricata-sandbox/security/policy to enable.

For more information, see https://docs.github.com/en/code-security/getting-started/adding-a-security-policy-to-your-repository.


This issue will auto resolve when the policy is in compliance.

Issue created by Allstar. See https://github.com/ossf/allstar/ for more information. For questions specific to the repository, please contact the owner or maintainer.
