No long preamble, straight to the useful part!
I cover the two common Suricata setups here.
1. Suricata built and installed from source
I won't go into detail on this one; see my earlier blog post:
Intrusion monitoring with Suricata (a simple example: visiting Baidu)
[root@suricata suricata]# ls
certs eve.json fast.log files stats.log suricata.log
[root@suricata suricata]# cat suricata.log
9/8/2017 -- 21:13:33 - <Notice> - This is Suricata version 3.1 RELEASE
9/8/2017 -- 21:13:42 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /etc/suricata/rules/tls-events.rules
9/8/2017 -- 21:13:42 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /etc/suricata/rules/test.rules
9/8/2017 -- 21:13:42 - <Error> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rules loaded from /etc/suricata/rules/test.rules
9/8/2017 -- 21:13:49 - <Notice> - all 1 packet processing threads, 4 management threads initialized, engine started.
9/8/2017 -- 21:19:41 - <Notice> - Signal Received. Stopping engine.
9/8/2017 -- 21:19:41 - <Notice> - Stats for 'eth0': pkts: 11525, drop: 0 (0.00%), invalid chksum: 0
[root@suricata suricata]# pwd
/var/log/suricata
[root@suricata suricata]#
2. Suricata inside SELKS
root@SELKS:/var/log/suricata# pwd
/var/log/suricata
root@SELKS:/var/log/suricata# ll
total 109860
drwxr-xr-x 2 logstash logstash     4096 Jul  4 22:26 certs
drwxr-xr-x 2 logstash logstash     4096 Jul  4 22:26 core
-rw-r----- 1 logstash logstash 97807380 Aug 17 16:30 eve.json
-rw-r----- 1 logstash logstash   152359 Aug 17 16:29 fast.log
drwxr-xr-x 2 logstash logstash     4096 Jul  4 22:26 files
drwxr-xr-x 2 logstash logstash     4096 Jul 10 19:36 StatsByDate
-rw-r----- 1 logstash logstash 14484655 Aug 17 16:30 stats.log
-rw-r--r-- 1 root     root         9281 Aug 17 16:17 suricata.log
-rw-r--r-- 1 root     root         1835 Aug 17 09:54 suricata-start.log
root@SELKS:/var/log/suricata#
Here I recommend doing what I do: keep a record of the default permissions first, so that after you change them you can restore them later without running into permission problems.
For example, I want to download eve.json here to look at it.
Say eve.json's original mode is 640: I suggest you first chmod 777 eve.json, and once you are done, set it back to 640.
{"timestamp":"2017-08-17T16:32:04.007125+0800","flow_id":103619646764957,"event_type":"flow","src_ip":"192.168.1.106","src_port":63978,"dest_ip":"192.168.1.110","dest_port":443,"proto":"TCP","app_proto":"tls","flow":{"pkts_toserver":10,"pkts_toclient":8,"bytes_toserver":2138,"bytes_toclient":1568,"start":"2017-08-17T16:30:52.309149+0800","end":"2017-08-17T16:31:02.250921+0800","age":10,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}}
{"timestamp":"2017-08-17T16:32:04.007306+0800","flow_id":1397549411647698,"event_type":"flow","src_ip":"192.168.1.106","src_port":63980,"dest_ip":"192.168.1.110","dest_port":443,"proto":"TCP","app_proto":"tls","flow":{"pkts_toserver":10,"pkts_toclient":8,"bytes_toserver":2140,"bytes_toclient":1629,"start":"2017-08-17T16:30:52.311506+0800","end":"2017-08-17T16:31:02.250232+0800","age":10,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}}
{"timestamp":"2017-08-17T16:32:04.007491+0800","flow_id":1397549411647698,"event_type":"flow","src_ip":"192.168.1.106","src_port":63980,"dest_ip":"192.168.1.110","dest_port":443,"proto":"TCP","app_proto":"tls","flow":{"pkts_toserver":10,"pkts_toclient":8,"bytes_toserver":2140,"bytes_toclient":1629,"start":"2017-08-17T16:30:52.311506+0800","end":"2017-08-17T16:31:02.250232+0800","age":10,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}}
{"timestamp":"2017-08-17T16:32:05.056241+0800","flow_id":865016420342619,"in_iface":"enp0s3","event_type":"http","src_ip":"192.168.1.106","src_port":64002,"dest_ip":"121.14.88.17","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"121.14.88.17","url":"/gchatpic_new/4178047381/4178047381-2618102286-9FB3C79268791082715EA1BC1E0E710B/0?vuin=1138410364&term=1&srvver=26719&rf=naio","http_user_agent":"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)","accept":"*/*","accept_encoding":"gzip, deflate","cache_control":"no-cache","http_refer":"http://im.qq.com","http_method":"GET","protocol":"HTTP/1.1","length":0}}
{"timestamp":"2017-08-17T16:32:05.102122+0800","flow_id":521803437291278,"in_iface":"enp0s3","event_type":"http","src_ip":"192.168.1.106","src_port":64013,"dest_ip":"121.14.88.53","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"121.14.88.53","url":"/gchatpic_new/4178047381/4178047381-2618102286-9FB3C79268791082715EA1BC1E0E710B/0?vuin=1138410364&term=1&srvver=26719&rf=naio","http_user_agent":"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)","http_content_type":"image/jpeg","accept":"*/*","accept_encoding":"gzip, deflate","cache_control":"no-cache","connection":"keep-alive","content_length":"7248","content_type":"image/jpeg","last_modified":"Thu, 17 Aug 2017 16:31:00 GMT","server":"ImgHttp3.0.0","http_refer":"http://im.qq.com","http_method":"GET","protocol":"HTTP/1.1","status":200,"length":7248}}
{"timestamp":"2017-08-17T16:32:06.004897+0800","flow_id":972635414974457,"event_type":"flow","src_ip":"fe80:0000:0000:0000:39ab:5a7f:5970:65bd","src_port":63925,"dest_ip":"ff02:0000:0000:0000:0000:0000:0001:0003","dest_port":5355,"proto":"UDP","app_proto":"failed","flow":{"pkts_toserver":2,"pkts_toclient":0,"bytes_toserver":172,"bytes_toclient":0,"start":"2017-08-17T16:31:35.446457+0800","end":"2017-08-17T16:31:35.547314+0800","age":0,"state":"new","reason":"timeout","alerted":false}}
{"timestamp":"2017-08-17T16:32:06.005310+0800","flow_id":972635414974457,"event_type":"flow","src_ip":"fe80:0000:0000:0000:39ab:5a7f:5970:65bd","src_port":63925,"dest_ip":"ff02:0000:0000:0000:0000:0000:0001:0003","dest_port":5355,"proto":"UDP","app_proto":"failed","flow":{"pkts_toserver":2,"pkts_toclient":0,"bytes_toserver":172,"bytes_toclient":0,"start":"2017-08-17T16:31:35.446457+0800","end":"2017-08-17T16:31:35.547314+0800","age":0,"state":"new","reason":"timeout","alerted":false}}
{"timestamp":"2017-08-17T16:32:07.001918+0800","flow_id":2233910525860426,"event_type":"flow","src_ip":"192.168.1.106","src_port":55498,"dest_ip":"119.29.29.29","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":71,"bytes_toclient":279,"start":"2017-08-17T16:27:06.957002+0800","end":"2017-08-17T16:27:06.983538+0800","age":0,"state":"established","reason":"timeout","alerted":false}}
{"timestamp":"2017-08-17T16:32:07.002123+0800","flow_id":2233910525860426,"event_type":"flow","src_ip":"192.168.1.106","src_port":55498,"dest_ip":"119.29.29.29","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":71,"bytes_toclient":279,"start":"2017-08-17T16:27:06.957002+0800","end":"2017-08-17T16:27:06.983538+0800","age":0,"state":"established","reason":"timeout","alerted":false}}
{"timestamp":"2017-08-17T16:32:08.000546+0800","event_type":"stats","stats":{"uptime":23772,"capture":{"kernel_packets":1715548,"kernel_packets_delta":62,"kernel_drops":25337,"kernel_drops_delta":0},"decoder":{"pkts":1690227,"pkts_delta":78,"bytes":1218368913,"bytes_delta":17271,"invalid":0,"invalid_delta":0,"ipv4":1668211,"ipv4_delta":74,"ipv6":20521,"ipv6_delta":4,"ethernet":1690227,"ethernet_delta":78,"raw":0,"raw_delta":0,"null":0,"null_delta":0,"sll":0,"sll_delta":0,"tcp":1392495,"tcp_delta":47,"udp":294382,"udp_delta":31,"sctp":0,"sctp_delta":0,"icmpv4":98,"icmpv4_delta":0,"icmpv6":469,"icmpv6_delta":0,"ppp":0,"ppp_delta":0,"pppoe":0,"pppoe_delta":0,"gre":0,"gre_delta":0,"vlan":0,"vlan_delta":0,"vlan_qinq":0,"vlan_qinq_delta":0,"teredo":6,"teredo_delta":0,"ipv4_in_ipv6":0,"ipv4_in_ipv6_delta":0,"ipv6_in_ipv6":0,"ipv6_in_ipv6_delta":0,"mpls":0,"mpls_delta":0,"avg_pkt_size":720,"avg_pkt_size_delta":0,"max_pkt_size":1514,"max_pkt_size_delta":0,"erspan":0,"erspan_delta":0,"ipraw":{"invalid_ip_version":0,"invalid_ip_version_delta":0},"ltnull":{"pkt_too_small":0,"pkt_too_small_delta":0,"unsupported_type":0,"unsupported_type_delta":0},"dce":{"pkt_too_small":0,"pkt_too_small_delta":0}},"flow":{"memcap":0,"memcap_delta":0,"tcp":20064,"tcp_delta":1,"udp":22510,"udp_delta":4,"icmpv4":0,"icmpv4_delta":0,"icmpv6":85,"icmpv6_delta":0,"spare":10000,"spare_delta":0,"emerg_mode_entered":0,"emerg_mode_entered_delta":0,"emerg_mode_over":0,"emerg_mode_over_delta":0,"tcp_reuse":0,"tcp_reuse_delta":0,"memuse":7102240,"memuse_delta":-864},"defrag":{"ipv4":{"fragments":0,"fragments_delta":0,"reassembled":0,"reassembled_delta":0,"timeouts":0,"timeouts_delta":0},"ipv6":{"fragments":0,"fragments_delta":0,"reassembled":0,"reassembled_delta":0,"timeouts":0,"timeouts_delta":0},"max_frag_hits":0,"max_frag_hits_delta":0},"tcp":{"sessions":19993,"sessions_delta":1,"ssn_memcap_drop":0,"ssn_memcap_drop_delta":0,"pseudo":0,"pseudo_delta":0,"pseudo_failed":0,"pseudo_failed_delta":0,"invalid_checksum":0,"invalid_checksum_delta":0,"no_flow":0,"no_flow_delta":0,"syn":20057,"syn_delta":1,"synack":20006,"synack_delta":1,"rst":5022,"rst_delta":0,"segment_memcap_drop":0,"segment_memcap_drop_delta":0,"stream_depth_reached":35,"stream_depth_reached_delta":0,"reassembly_gap":31,"reassembly_gap_delta":0,"overlap":4848,"overlap_delta":0,"overlap_diff_data":0,"overlap_diff_data_delta":0,"insert_data_normal_fail":0,"insert_data_normal_fail_delta":0,"insert_data_overlap_fail":0,"insert_data_overlap_fail_delta":0,"insert_list_fail":0,"insert_list_fail_delta":0,"memuse":573440,"memuse_delta":0,"reassembly_memuse":256000,"reassembly_memuse_delta":-12288},"detect":{"alert":586,"alert_delta":0},"app_layer":{"flow":{"http":3320,"http_delta":1,"ftp":0,"ftp_delta":0,"smtp":0,"smtp_delta":0,"tls":15264,"tls_delta":0,"ssh":5,"ssh_delta":0,"imap":0,"imap_delta":0,"msn":0,"msn_delta":0,"smb":0,"smb_delta":0,"dcerpc_tcp":0,"dcerpc_tcp_delta":0,"dns_tcp":0,"dns_tcp_delta":0,"failed_tcp":274,"failed_tcp_delta":0,"dcerpc_udp":0,"dcerpc_udp_delta":0,"dns_udp":1893,"dns_udp_delta":0,"failed_udp":20617,"failed_udp_delta":4},"tx":{"http":5380,"http_delta":1,"ftp":0,"ftp_delta":0,"smtp":0,"smtp_delta":0,"tls":0,"tls_delta":0,"ssh":0,"ssh_delta":0,"smb":0,"smb_delta":0,"dcerpc_tcp":0,"dcerpc_tcp_delta":0,"dns_tcp":0,"dns_tcp_delta":0,"dcerpc_udp":0,"dcerpc_udp_delta":0,"dns_udp":2126,"dns_udp_delta":0}},"flow_mgr":{"closed_pruned":19173,"closed_pruned_delta":5,"new_pruned":20458,"new_pruned_delta":4,"est_pruned":2932,"est_pruned_delta":0,"bypassed_pruned":0,"bypassed_pruned_delta":0,"flows_checked":2,"flows_checked_delta":-4,"flows_notimeout":2,"flows_notimeout_delta":-4,"flows_timeout":0,"flows_timeout_delta":0,"flows_timeout_inuse":0,"flows_timeout_inuse_delta":0,"flows_removed":0,"flows_removed_delta":0,"rows_checked":65536,"rows_checked_delta":0,"rows_skipped":65530,"rows_skipped_delta":2,"rows_empty":4,"rows_empty_delta":2,"rows_busy":0,"rows_busy_delta":0,"rows_maxlen":1,"rows_maxlen_delta":0},"file_store":{"open_files":0,"open_files_delta":0},"dns":{"memuse":8886,"memuse_delta":-856,"memcap_state":0,"memcap_state_delta":0,"memcap_global":0,"memcap_global_delta":0},"http":{"memuse":89608,"memuse_delta":32484,"memcap":0,"memcap_delta":0}}}
{"timestamp":"2017-08-17T16:32:08.006119+0800","flow_id":506341535463440,"event_type":"flow","src_ip":"192.168.1.106","src_port":55262,"dest_ip":"119.29.29.29","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":71,"bytes_toclient":279,"start":"2017-08-17T16:27:07.210960+0800","end":"2017-08-17T16:27:07.237152+0800","age":0,"state":"established","reason":"timeout","alerted":false}}
{"timestamp":"2017-08-17T16:32:08.006255+0800","flow_id":506341535463440,"event_type":"flow","src_ip":"192.168.1.106","src_port":55262,"dest_ip":"119.29.29.29","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":71,"bytes_toclient":279,"start":"2017-08-17T16:27:07.210960+0800","end":"2017-08-17T16:27:07.237152+0800","age":0,"state":"established","reason":"timeout","alerted":false}}
08/17/2017-16:43:00.188090 [**] [1:2003492:28] ET MALWARE Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0) [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 192.168.1.106:64548 -> 211.159.130.105:80
08/17/2017-16:43:00.312554 [**] [1:2003492:28] ET MALWARE Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0) [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 192.168.1.106:64549 -> 211.159.130.105:80
08/17/2017-16:43:35.606046 [**] [1:2014726:97] ET POLICY Outdated Flash Version M1 [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.168.1.106:64574 -> 14.18.245.211:80
08/17/2017-16:44:26.198737 [**] [1:2013926:8] ET POLICY HTTP traffic on port 443 (POST) [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.1.106:64617 -> 183.3.235.188:443
08/17/2017-16:45:01.181590 [**] [1:2014726:97] ET POLICY Outdated Flash Version M1 [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.168.1.106:64659 -> 14.18.245.211:80
08/17/2017-16:46:51.709411 [**] [1:2013926:8] ET POLICY HTTP traffic on port 443 (POST) [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.1.106:64751 -> 183.3.235.188:443
08/17/2017-16:46:53.182341 [**] [1:2014726:97] ET POLICY Outdated Flash Version M1 [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.168.1.106:64753 -> 14.18.245.211:80
08/17/2017-16:47:34.097124 [**] [1:2013926:8] ET POLICY HTTP traffic on port 443 (POST) [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.1.106:64785 -> 183.3.235.188:443
08/17/2017-16:48:41.476584 [**] [1:2014726:97] ET POLICY Outdated Flash Version M1 [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.168.1.106:64851 -> 14.18.245.211:80
08/17/2017-16:48:41.476584 [**] [1:2014726:97] ET POLICY Outdated Flash Version M1 [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.168.1.106:64851 -> 14.18.245.211:80
08/17/2017-16:49:25.114492 [**] [1:2013926:8] ET POLICY HTTP traffic on port 443 (POST) [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.1.106:64878 -> 183.3.235.188:443
08/17/2017-16:49:25.114492 [**] [1:2013926:8] ET POLICY HTTP traffic on port 443 (POST) [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.1.106:64878 -> 183.3.235.188:443
------------------------------------------------------------------------------------
Date: 8/16/2017 -- 08:44:54 (uptime: 0d, 00h 00m 08s)
------------------------------------------------------------------------------------
Counter | TM Name | Value
------------------------------------------------------------------------------------
capture.kernel_packets | Total | 40
decoder.pkts | Total | 40
decoder.bytes | Total | 6076
decoder.ipv4 | Total | 35
decoder.ethernet | Total | 40
decoder.tcp | Total | 32
decoder.udp | Total | 3
decoder.avg_pkt_size | Total | 151
decoder.max_pkt_size | Total | 1350
flow.tcp | Total | 12
flow.udp | Total | 2
tcp.sessions | Total | 10
tcp.syn | Total | 12
tcp.synack | Total | 2
tcp.rst | Total | 2
app_layer.flow.tls | Total | 2
app_layer.flow.failed_udp | Total | 2
flow.spare | Total | 10000
flow_mgr.rows_checked | Total | 65536
flow_mgr.rows_skipped | Total | 65536
tcp.memuse | Total | 573440
tcp.reassembly_memuse | Total | 98304
dns.memuse | Total | 450
flow.memuse | Total | 7078336
------------------------------------------------------------------------------------
Date: 8/16/2017 -- 08:45:01 (uptime: 0d, 00h 00m 15s)
------------------------------------------------------------------------------------
Counter | TM Name | Value
------------------------------------------------------------------------------------
capture.kernel_packets | Total | 485
decoder.pkts | Total | 487
decoder.bytes | Total | 305350
decoder.ipv4 | Total | 419
decoder.ipv6 | Total | 57
decoder.ethernet | Total | 487
decoder.tcp | Total | 402
decoder.udp | Total | 57
decoder.icmpv6 | Total | 17
decoder.avg_pkt_size | Total | 627
decoder.max_pkt_size | Total | 1514
flow.tcp | Total | 21
flow.udp | Total | 27
flow.icmpv6 | Total | 5
tcp.sessions | Total | 19
tcp.syn | Total | 21
tcp.synack | Total | 11
tcp.rst | Total | 9
app_layer.flow.http | Total | 5
app_layer.tx.http | Total | 5
app_layer.flow.tls | Total | 6
app_layer.flow.dns_udp | Total | 1
app_layer.tx.dns_udp | Total | 1
app_layer.flow.failed_udp | Total | 26
flow.spare | Total | 10000
flow_mgr.flows_checked | Total | 1
flow_mgr.flows_notimeout | Total | 1
flow_mgr.rows_checked | Total | 65536
flow_mgr.rows_skipped | Total | 65535
flow_mgr.rows_maxlen | Total | 1
tcp.memuse | Total | 573440
tcp.reassembly_memuse | Total | 149504
dns.memuse | Total | 450
http.memuse | Total | 2935
flow.memuse | Total | 7090720
------------------------------------------------------------------------------------
Date: 8/16/2017 -- 08:45:08 (uptime: 0d, 00h 00m 22s)
------------------------------------------------------------------------------------
Counter | TM Name | Value
------------------------------------------------------------------------------------
capture.kernel_packets | Total | 2019
decoder.pkts | Total | 2024
decoder.bytes | Total | 1442928
decoder.ipv4 | Total | 1900
decoder.ipv6 | Total | 102
decoder.ethernet | Total | 2024
decoder.tcp | Total | 1769
decoder.udp | Total | 181
decoder.icmpv6 | Total | 33
decoder.avg_pkt_size | Total | 712
decoder.max_pkt_size | Total | 1514
flow.tcp | Total | 50
flow.udp | Total | 61
flow.icmpv6 | Total | 5
tcp.sessions | Total | 43
tcp.syn | Total | 50
tcp.synack | Total | 30
tcp.rst | Total | 21
app_layer.flow.http | Total | 5
app_layer.tx.http | Total | 5
app_layer.flow.tls | Total | 25
app_layer.flow.dns_udp | Total | 1
app_layer.tx.dns_udp | Total | 1
app_layer.flow.failed_udp | Total | 60
flow.spare | Total | 10000
flow_mgr.flows_checked | Total | 6
flow_mgr.flows_notimeout | Total | 6
flow_mgr.rows_checked | Total | 65536
flow_mgr.rows_skipped | Total | 65530
flow_mgr.rows_maxlen | Total | 1
tcp.memuse | Total | 573440
tcp.reassembly_memuse | Total | 286720
dns.memuse | Total | 450
http.memuse | Total | 2935
flow.memuse | Total | 7107712
------------------------------------------------------------------------------------
As for the other files, go and look for yourselves!
What I mainly want to point out here is the difference between eve.json and fast.log.
At line 2281.
eve.json (contains every type of event data)
16 August 2017, 08:54:07
fast.log (contains only alert data)
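To make that difference concrete, here is an added Python example (not code from the original post) that reads eve.json lines, tallies the event_type values, and renders the alert records in the line format fast.log uses. The sample lines are constructed: the alert reuses the signature from the fast.log above, and the last line imitates a record cut off mid-write while Suricata is still running, which the reader skips instead of aborting.

```python
import json
from collections import Counter
from datetime import datetime

# Constructed sample of eve.json content, one JSON object per line as Suricata
# writes it. The last line imitates a record cut off mid-write, which a reader
# of a live eve.json must tolerate.
SAMPLE_EVE = '''
{"timestamp":"2017-08-17T16:32:04.007125+0800","flow_id":103619646764957,"event_type":"flow","src_ip":"192.168.1.106","src_port":63978,"dest_ip":"192.168.1.110","dest_port":443,"proto":"TCP","app_proto":"tls","flow":{"pkts_toserver":10,"pkts_toclient":8,"alerted":false}}
{"timestamp":"2017-08-17T16:32:05.056241+0800","flow_id":865016420342619,"event_type":"http","src_ip":"192.168.1.106","src_port":64002,"dest_ip":"121.14.88.17","dest_port":80,"proto":"TCP","http":{"hostname":"121.14.88.17","url":"/","http_method":"GET"}}
{"timestamp":"2017-08-17T16:43:00.188090+0800","flow_id":865016420342619,"event_type":"alert","src_ip":"192.168.1.106","src_port":64548,"dest_ip":"211.159.130.105","dest_port":80,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2003492,"rev":28,"signature":"ET MALWARE Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)","category":"A Network Trojan was Detected","severity":1}}
{"timestamp":"2017-08-17T16:32:08.000546+0800","event_type":"stats","stats":{"uptime":23772,"detect":{"alert":586}}}
{"timestamp":"2017-08-17T16:32:09.001190+0800","event_type":"flow","src_ip":"192.168.1.
'''


def iter_events(text):
    """Yield one dict per well-formed JSON line; skip blank or truncated lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue  # partial last record or stray text: ignore, do not abort


def count_event_types(text):
    """Tally event_type: eve.json mixes flow, http, dns, stats, alert, ..."""
    return Counter(ev.get("event_type", "unknown") for ev in iter_events(text))


def alert_to_fast(ev):
    """Render one eve.json alert record in the line format fast.log uses."""
    ts = datetime.strptime(ev["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")
    a = ev["alert"]
    return "%s  [**] [%d:%d:%d] %s [**] [Classification: %s] [Priority: %d] {%s} %s:%s -> %s:%s" % (
        ts.strftime("%m/%d/%Y-%H:%M:%S.%f"), a["gid"], a["signature_id"], a["rev"],
        a["signature"], a["category"], a["severity"], ev["proto"],
        ev["src_ip"], ev["src_port"], ev["dest_ip"], ev["dest_port"])


def alerts_as_fast(text):
    """fast.log holds only the event_type == "alert" subset of eve.json."""
    return [alert_to_fast(ev) for ev in iter_events(text)
            if ev.get("event_type") == "alert"]


if __name__ == "__main__":
    print(dict(count_event_types(SAMPLE_EVE)))
    for line in alerts_as_fast(SAMPLE_EVE):
        print(line)
```

Point it at a real file with open("/var/log/suricata/eve.json").read() (the file is 640 by default, so the reading user needs group access) and the alert lines it prints match what fast.log holds for the same time window.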