2018/01/23 17:23
Installing and Configuring Suricata on CentOS 7
Configuring the new kernel

First disable firewalld. This guide manages iptables by hand later on, and firewalld would overwrite those rules.

  systemctl stop firewalld.service
  systemctl disable firewalld.service

Next install a mainline kernel from ELRepo, which copes better with very high packet rates than the stock CentOS 7 kernel. Add the repository:

  rpm -ivh http://elrepo.org/linux/elrepo/el7/x86_64/RPMS/elrepo-release-7.0-2.el7.elrepo.noarch.rpm

Install the mainline kernel:

  yum --enablerepo=elrepo-kernel install kernel-ml -y

It is a good idea to remove the older kernels from /boot and then regenerate the GRUB configuration so the new kernel becomes the default entry:

  grub2-mkconfig -o /boot/grub2/grub.cfg

Reboot the server:

  reboot

After the reboot, uname -r should report the kernel-ml version.
Installing Suricata

Prerequisites (the lab layout used throughout this guide):

  CentOS 7 running Suricata: 192.168.1.252
  Debian Wheezy running Snorby: 192.168.1.251
  Debian Wheezy running Apache: 192.168.1.250

Before installing the Suricata dependencies, refresh the repository metadata:

  yum check-update
DQS CONSULTORIA E TREINAMENTOS - http://wiki.douglasqsantos.com.br/
Last update: 2017/09/05 12:18 - http://wiki.douglasqsantos.com.br/doku.php/installing_and_configuring_suricata_on_centos7_en
Install the build dependencies:

  yum -y install gcc libpcap-devel pcre-devel libyaml-devel file-devel mariadb-devel GeoIP-devel \
    zlib-devel jansson-devel nss-devel libcap-ng-devel libnet-devel libnetfilter_queue-devel ethtool

Fetch the Suricata tarball and unpack it. This copy comes from the wiki's own mirror rather than from the Suricata project, so compare its checksum with the upstream 2.0.7 release before building it.

  cd /usr/src
  wget http://wiki.douglasqsantos.com.br/Downloads/snort/suricata-2.0.7.tar.gz
  tar -xvzf suricata-2.0.7.tar.gz
  cd suricata-2.0.7

Configure the sources so Suricata can run as an IPS (--enable-nfqueue is what makes inline mode possible):

  ./configure --enable-nfqueue --prefix=/usr --sysconfdir=/etc --localstatedir=/var --enable-geoip

Compile and install. The install-full target also installs the default configuration under /etc/suricata and downloads the Emerging Threats ruleset into /etc/suricata/rules:

  make && make install-full

Refresh the shared library cache:

  ldconfig

If the rule download failed, fetch the ruleset by hand. The tarball unpacks a rules/ directory, so extracting into /etc/suricata puts the files in /etc/suricata/rules:

  wget -qO - http://rules.emergingthreats.net/open/suricata-2.0/emerging.rules.tar.gz | tar -xz -C /etc/suricata/ -f -

Now edit the main Suricata configuration file:

  vim /etc/suricata/suricata.yaml

  [...]
    - drop:
        enabled: yes
  [...]
    - dns-log:
        enabled: yes
  [...]
  # around line 784, in the logging section
  outputs:
    - console:
        enabled: yes
    - file:
        enabled: yes
Printed on 2018/01/23 17:23
        filename: /var/log/suricata/suricata.log
  [...]
  classification-file: /etc/suricata/rules/classification.config
  reference-config-file: /etc/suricata/rules/reference.config
  [...]
  # Set HOME_NET to the networks you are protecting.
  HOME_NET: "[192.168.1.0/24]"
  [...]
  host-os-policy:
    # Make the default policy windows.
    windows: [0.0.0.0/0]
    bsd: []
    bsd-right: []
    old-linux: []
    linux: [192.168.1.0/24, 192.168.1.252]
    old-solaris: []
    solaris: ["::1"]
    hpux10: []
    hpux11: []
    irix: []
    macos: []
    vista: []
    windows2k3: []

The host-os-policy section tells the stream engine how each host resolves overlapping TCP segments, so list your Linux hosts under linux. Hosts left under the Windows default are reassembled the Windows way, and an attacker can then craft overlaps that the real target accepts but Suricata discards.

Now tune the kernel so it can track a large number of connections and packets per second. These writes are not persistent; put the equivalent settings in /etc/sysctl.d/ to keep them across reboots. (The ip_conntrack, ip_conntrack_ftp and ip_nat_ftp names are legacy aliases for nf_conntrack, nf_conntrack_ftp and nf_nat_ftp.)

  modprobe ip_conntrack
  modprobe ip_conntrack_ftp
  modprobe ip_nat_ftp
  echo 1000000 > /sys/module/nf_conntrack/parameters/hashsize
  echo 1 > /proc/sys/net/ipv4/tcp_syncookies
  echo 1 > /proc/sys/net/ipv4/tcp_timestamps
  echo 1 > /proc/sys/net/ipv4/ip_forward
  echo 0 > /proc/sys/net/netfilter/nf_conntrack_tcp_loose
  echo 2000000 > /proc/sys/net/netfilter/nf_conntrack_max
  PSNI=/proc/sys/net/ipv4
  for END in $PSNI/conf/*/rp_filter ; do echo 1 > $END ; done
  echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all
  echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
  PSNI=/proc/sys/net/ipv6
  for END in $PSNI/conf/*/disable_ipv6 ; do echo 1 > $END ; done
  echo 0 > /proc/sys/net/netfilter/nf_conntrack_helper

A few of these deserve a note. ip_forward=1 is required because this host will route traffic for the Apache server. nf_conntrack_tcp_loose=0 stops conntrack from picking up TCP connections mid-stream, so only flows whose handshake it saw are tracked. nf_conntrack_helper=0 turns off automatic helper assignment, so the FTP helper modules loaded above only act on flows explicitly handed to them with the iptables CT target. disable_ipv6=1 switches IPv6 off on every interface, so nothing in this lab is inspected over IPv6.

Because Suricata must see packets exactly as they appear on the wire, switch off the NIC offloads that merge segments or defer checksumming and VLAN tagging to the hardware (the interface here is enp0s3; adjust to yours):

  ethtool -K enp0s3 tx off
  ethtool -K enp0s3 tso off
  ethtool -K enp0s3 gro off
  ethtool -K enp0s3 rxvlan off
  ethtool -K enp0s3 txvlan off

Check the result with ethtool -k enp0s3.

Now start Suricata in IDS mode, sniffing enp0s3 as a daemon:

  suricata -c /etc/suricata/suricata.yaml -i enp0s3 -D

Next redirect connections arriving on port 80 of the Suricata host to the Apache server:

  iptables -t nat -A PREROUTING -d 192.168.1.252 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.250
  iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j MASQUERADE

The first rule rewrites the destination of incoming port-80 connections so they reach Apache; the second masquerades everything the Suricata host forwards for the local network, so Apache sees every request as coming from 192.168.1.252. The original client address survives only in Suricata's own logs.

On the Apache server, set the Suricata host as the default gateway:

  route del default
  route add default gw 192.168.1.252

Test Internet connectivity from the Apache server:

  ping 8.8.8.8

On the Suricata host, follow the HTTP log:

  tail -f /var/log/suricata/http.log

From another machine, run a test attack against the Suricata host:

  nikto -h 192.168.1.252 -C all

The log shows every request twice: once as it arrives from the scanner (192.168.1.254 -> 192.168.1.252) and again after DNAT and masquerading as it is forwarded to Apache (192.168.1.252 -> 192.168.1.250), because Suricata is sniffing the single interface that both copies cross.

  04/13/2015-17:08:43.040495 192.168.1.252 [**] /Script/fckeditor/editor/dialog/fck_link.html [**] Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003562) [**] 192.168.1.254:34356 -> 192.168.1.252:80
  04/13/2015-17:08:43.040511 192.168.1.252 [**] /Script/fckeditor/editor/dialog/fck_link.html [**] Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003562) [**] 192.168.1.252:34356 -> 192.168.1.250:80
  04/13/2015-17:08:43.041728 192.168.1.252 [**] /sites/all/modules/fckeditor/fckeditor/editor/dialog/fck_link.html [**] Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003562) [**] 192.168.1.254:34356 -> 192.168.1.252:80
  04/13/2015-17:08:43.041742 192.168.1.252 [**] /sites/all/modules/fckeditor/fckeditor/editor/dialog/fck_link.html [**] Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003562) [**] 192.168.1.252:34356 -> 192.168.1.250:80
  04/13/2015-17:08:43.043356 192.168.1.252 [**] /modules/fckeditor/fckeditor/editor/dialog/fck_link.html [**] Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003562) [**] 192.168.1.254:34356 -> 192.168.1.252:80
  04/13/2015-17:08:43.043366 192.168.1.252 [**] /modules/fckeditor/fckeditor/editor/dialog/fck_link.html [**] Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003562) [**] 192.168.1.252:34356 -> 192.168.1.250:80
  04/13/2015-17:08:43.044312 192.168.1.252 [**] /class/fckeditor/editor/dialog/fck_link.html [**] Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003562) [**] 192.168.1.254:34356 -> 192.168.1.252:80
  04/13/2015-17:08:43.044312 192.168.1.252 [**] /class/fckeditor/editor/dialog/fck_link.html [**] Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003562) [**] 192.168.1.252:34356 -> 192.168.1.250:80
  04/13/2015-17:08:43.045458 192.168.1.252 [**] /inc/fckeditor/editor/dialog/fck_link.html [**] Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003562) [**] 192.168.1.254:34356 -> 192.168.1.252:80
  04/13/2015-17:08:43.045487 192.168.1.252 [**] /inc/fckeditor/editor/dialog/fck_link.html [**] Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003562) [**] 192.168.1.252:34356 -> 192.168.1.250:80
  04/13/2015-17:08:43.046864 192.168.1.252 [**] /sites/all/libraries/fckeditor/editor/dialog/fck_link.html [**] Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003562) [**] 192.168.1.254:34356 -> 192.168.1.252:80
  04/13/2015-17:08:43.046878 192.168.1.252 [**] /sites/all/libraries/fckeditor/editor/dialog/fck_link.html [**] Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003562) [**] 192.168.1.252:34356 -> 192.168.1.250:80
  04/13/2015-17:08:43.047958 192.168.1.252 [**] /FCKeditor/editor/filemanager/browser/default/connectors/asp/connector.asp [**] Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003563) [**] 192.168.1.254:34356 -> 192.168.1.252:80
  04/13/2015-17:08:43.047965 192.168.1.252 [**] /FCKeditor/editor/filemanager/browser/default/connectors/asp/connector.asp [**] Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003563) [**] 192.168.1.252:34356 -> 192.168.1.250:80
  04/13/2015-17:08:43.049023 192.168.1.252 [**] /Script/fckeditor/editor/filemanager/browser/default/connectors/asp/connector.asp [**] Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003563) [**] 192.168.1.254:34356 -> 192.168.1.252:80
  04/13/2015-17:08:43.049023 192.168.1.252 [**] /Script/fckeditor/editor/filemanager/browser/default/connectors/asp/connector.asp [**] Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003563) [**] 192.168.1.252:34356 -> 192.168.1.250:80
  04/13/2015-17:08:43.050128 192.168.1.252 [**] /sites/all/modules/fckeditor/fckeditor/editor/filemanager/browser/default/connectors/asp/connector.asp [**] Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003563) [**] 192.168.1.254:34356 -> 192.168.1.252:80
  04/13/2015-17:08:43.050128 192.168.1.252 [**] /sites/all/modules/fckeditor/fckeditor/editor/filemanager/browser/default/connectors/asp/connector.asp [**] Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003563) [**] 192.168.1.252:34356 -> 192.168.1.250:80
  04/13/2015-17:08:43.051718 192.168.1.252 [**] /modules/fckeditor/fckeditor/editor/filemanager/browser/default/connectors/asp/connector.asp [**] Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003563) [**] 192.168.1.254:34356 -> 192.168.1.252:80
  04/13/2015-17:08:43.051819 192.168.1.252 [**] /modules/fckeditor/fckeditor/editor/filemanager/browser/default/connectors/asp/connector.asp [**] Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003563) [**] 192.168.1.252:34356 -> 192.168.1.250:80
  04/13/2015-17:08:43.054704 192.168.1.252 [**] /class/fckeditor/editor/filemanager/browser/default/connectors/asp/connector.asp [**] Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003563) [**] 192.168.1.254:34356 -> 192.168.1.252:80
  04/13/2015-17:08:43.054727 192.168.1.252 [**] /class/fckeditor/editor/filemanager/browser/default/connectors/asp/connector.asp [**] Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003563) [**] 192.168.1.252:34356 -> 192.168.1.250:80
  04/13/2015-17:08:43.056559 192.168.1.252 [**] /inc/fckeditor/editor/filemanager/browser/default/connectors/asp/connector.asp [**] Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003563) [**] 192.168.1.254:34356 -> 192.168.1.252:80
  04/13/2015-17:08:43.056605 192.168.1.252 [**] /inc/fckeditor/editor/filemanager/browser/default/connectors/asp/connector.asp [**] Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003563) [**] 192.168.1.252:34356 -> 192.168.1.250:80
  04/13/2015-17:08:43.058358 192.168.1.252 [**] /sites/all/libraries/fckeditor/editor/filemanager/browser/default/connectors/asp/connector.asp [**] Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003563) [**] 192.168.1.254:34356 -> 192.168.1.252:80
  04/13/2015-17:08:43.058358 192.168.1.252 [**] /sites/all/libraries/fckeditor/editor/filemanager/browser/default/connectors/asp/connector.asp [**] Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003563) [**] 192.168.1.252:34356 -> 192.168.1.250:80

Now, on the Suricata host, follow the EVE JSON log instead:

  tail -f /var/log/suricata/eve.json

From another machine, run a port scan with OS detection against the Suricata host:

  nmap -sS -v -n -A 192.168.1.252 -T4

The log will show events like these:

  {"timestamp":"2015-04-13T17:11:31.308899","event_type":"http","src_ip":"192.168.1.254","src_port":34461,"dest_ip":"192.168.1.252","dest_port":80,"proto":"TCP","http":{"url":"\/","http_content_type":"text\/html","http_method":"GET","protocol":"HTTP\/1.0","status":"200","length":177}}
  {"timestamp":"2015-04-13T17:11:31.308910","event_type":"http","src_ip":"192.168.1.252","src_port":34461,"dest_ip":"192.168.1.250","dest_port":80,"proto":"TCP","http":{"url":"\/","http_content_type":"text\/html","http_method":"GET","protocol":"HTTP\/1.0","status":"200","length":177}}
  {"timestamp":"2015-04-13T17:11:31.310502","event_type":"fileinfo","src_ip":"192.168.1.250","src_port":80,"dest_ip":"192.168.1.252","dest_port":34461,"proto":"TCP","http":{"url":"\/"},"fileinfo":{"filename":"\/","state":"CLOSED","stored":false,"size":177}}
  {"timestamp":"2015-04-13T17:11:31.310528","event_type":"fileinfo","src_ip":"192.168.1.252","src_port":80,"dest_ip":"192.168.1.254","dest_port":34461,"proto":"TCP","http":{"url":"\/"},"fileinfo":{"filename":"\/","state":"CLOSED","stored":false,"size":177}}
  {"timestamp":"2015-04-13T17:11:32.011592","event_type":"alert","src_ip":"192.168.1.254","dest_ip":"192.168.1.252","proto":"ICMP","icmp_type":8,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
  {"timestamp":"2015-04-13T17:11:32.011676","event_type":"alert","src_ip":"192.168.1.252","dest_ip":"192.168.1.254","proto":"ICMP","icmp_type":0,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
  {"timestamp":"2015-04-13T17:11:32.287971","event_type":"alert","src_ip":"192.168.1.254","dest_ip":"192.168.1.252","proto":"ICMP","icmp_type":8,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
  {"timestamp":"2015-04-13T17:11:32.288004","event_type":"alert","src_ip":"192.168.1.252","dest_ip":"192.168.1.254","proto":"ICMP","icmp_type":0,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
  {"timestamp":"2015-04-13T17:11:32.538840","event_type":"alert","src_ip":"192.168.1.254","dest_ip":"192.168.1.252","proto":"ICMP","icmp_type":8,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
  {"timestamp":"2015-04-13T17:11:32.538873","event_type":"alert","src_ip":"192.168.1.252","dest_ip":"192.168.1.254","proto":"ICMP","icmp_type":0,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
  {"timestamp":"2015-04-13T17:11:32.790094","event_type":"alert","src_ip":"192.168.1.254","dest_ip":"192.168.1.252","proto":"ICMP","icmp_type":8,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
  {"timestamp":"2015-04-13T17:11:32.790130","event_type":"alert","src_ip":"192.168.1.252","dest_ip":"192.168.1.254","proto":"ICMP","icmp_type":0,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
  {"timestamp":"2015-04-13T17:11:34.779427","event_type":"alert","src_ip":"192.168.1.254","dest_ip":"192.168.1.252","proto":"ICMP","icmp_type":8,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
  {"timestamp":"2015-04-13T17:11:34.779493","event_type":"alert","src_ip":"192.168.1.252","dest_ip":"192.168.1.254","proto":"ICMP","icmp_type":0,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
  {"timestamp":"2015-04-13T17:11:34.955370","event_type":"alert","src_ip":"192.168.1.254","dest_ip":"192.168.1.252","proto":"ICMP","icmp_type":8,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
  {"timestamp":"2015-04-13T17:11:34.955402","event_type":"alert","src_ip":"192.168.1.252","dest_ip":"192.168.1.254","proto":"ICMP","icmp_type":0,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
  {"timestamp":"2015-04-13T17:11:35.081111","event_type":"alert","src_ip":"192.168.1.254","dest_ip":"192.168.1.252","proto":"ICMP","icmp_type":8,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
  {"timestamp":"2015-04-13T17:11:35.081145","event_type":"alert","src_ip":"192.168.1.252","dest_ip":"192.168.1.254","proto":"ICMP","icmp_type":0,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
  {"timestamp":"2015-04-13T17:11:35.231245","event_type":"alert","src_ip":"192.168.1.254","dest_ip":"192.168.1.252","proto":"ICMP","icmp_type":8,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
  {"timestamp":"2015-04-13T17:11:35.231273","event_type":"alert","src_ip":"192.168.1.252","dest_ip":"192.168.1.254","proto":"ICMP","icmp_type":0,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
  {"timestamp":"2015-04-13T17:11:37.107218","event_type":"alert","src_ip":"192.168.1.254","dest_ip":"192.168.1.252","proto":"ICMP","icmp_type":8,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
  {"timestamp":"2015-04-13T17:11:37.107283","event_type":"alert","src_ip":"192.168.1.252","dest_ip":"192.168.1.254","proto":"ICMP","icmp_type":0,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
  {"timestamp":"2015-04-13T17:11:41.356211","event_type":"alert","src_ip":"192.168.1.254","dest_ip":"192.168.1.252","proto":"ICMP","icmp_type":8,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
  {"timestamp":"2015-04-13T17:11:41.356276","event_type":"alert","src_ip":"192.168.1.252","dest_ip":"192.168.1.254","proto":"ICMP","icmp_type":0,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
  {"timestamp":"2015-04-13T17:11:41.856659","event_type":"alert","src_ip":"192.168.1.254","dest_ip":"192.168.1.252","proto":"ICMP","icmp_type":8,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
  {"timestamp":"2015-04-13T17:11:41.856711","event_type":"alert","src_ip":"192.168.1.252","dest_ip":"192.168.1.254","proto":"ICMP","icmp_type":0,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
  {"timestamp":"2015-04-13T17:11:42.184192","event_type":"alert","src_ip":"192.168.1.254","dest_ip":"192.168.1.252","proto":"ICMP","icmp_type":8,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
  {"timestamp":"2015-04-13T17:11:42.184238","event_type":"alert","src_ip":"192.168.1.252","dest_ip":"192.168.1.254","proto":"ICMP","icmp_type":0,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
  {"timestamp":"2015-04-13T17:11:42.514244","event_type":"alert","src_ip":"192.168.1.254","dest_ip":"192.168.1.252","proto":"ICMP","icmp_type":8,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
  {"timestamp":"2015-04-13T17:11:42.514282","event_type":"alert","src_ip":"192.168.1.252","dest_ip":"192.168.1.254","proto":"ICMP","icmp_type":0,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
  {"timestamp":"2015-04-13T17:11:44.588082","event_type":"alert","src_ip":"192.168.1.254","dest_ip":"192.168.1.252","proto":"ICMP","icmp_type":8,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
  {"timestamp":"2015-04-13T17:11:44.588140","event_type":"alert","src_ip":"192.168.1.252","dest_ip":"192.168.1.254","proto":"ICMP","icmp_type":0,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
  {"timestamp":"2015-04-13T17:11:44.838373","event_type":"alert","src_ip":"192.168.1.254","dest_ip":"192.168.1.252","proto":"ICMP","icmp_type":8,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
  {"timestamp":"2015-04-13T17:11:44.838415","event_type":"alert","src_ip":"192.168.1.252","dest_ip":"192.168.1.254","proto":"ICMP","icmp_type":0,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
  {"timestamp":"2015-04-13T17:11:45.017505","event_type":"alert","src_ip":"192.168.1.254","dest_ip":"192.168.1.252","proto":"ICMP","icmp_type":8,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
  {"timestamp":"2015-04-13T17:11:45.017541","event_type":"alert","src_ip":"192.168.1.252","dest_ip":"192.168.1.254","proto":"ICMP","icmp_type":0,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
  {"timestamp":"2015-04-13T17:11:45.244572","event_type":"alert","src_ip":"192.168.1.254","dest_ip":"192.168.1.252","proto":"ICMP","icmp_type":8,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
  {"timestamp":"2015-04-13T17:11:45.244597","event_type":"alert","src_ip":"192.168.1.252","dest_ip":"192.168.1.254","proto":"ICMP","icmp_type":0,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
  {"timestamp":"2015-04-13T17:11:45.792743","event_type":"http","src_ip":"192.168.1.254","src_port":34475,"dest_ip":"192.168.1.252","dest_port":80,"proto":"TCP","http":{"hostname":"192.168.1.252","url":"\/","http_user_agent":"Mozilla\/5.0 (compatible; Nmap Scripting Engine; http:\/\/nmap.org\/book\/nse.html)","http_content_type":"text\/html","http_method":"GET","protocol":"HTTP\/1.1","status":"200","length":177}}
  {"timestamp":"2015-04-13T17:11:45.792753","event_type":"http","src_ip":"192.168.1.252","src_port":34475,"dest_ip":"192.168.1.250","dest_port":80,"proto":"TCP","http":{"hostname":"192.168.1.252","url":"\/","http_user_agent":"Mozilla\/5.0 (compatible; Nmap Scripting Engine; http:\/\/nmap.org\/book\/nse.html)","http_content_type":"text\/html","http_method":"GET","protocol":"HTTP\/1.1","status":"200","length":177}}
  {"timestamp":"2015-04-13T17:11:45.792766","event_type":"fileinfo","src_ip":"192.168.1.250","src_port":80,"dest_ip":"192.168.1.252","dest_port":34475,"proto":"TCP","http":{"url":"\/","hostname":"192.168.1.252","http_user_agent":"Mozilla\/5.0 (compatible; Nmap Scripting Engine; http:\/\/nmap.org\/book\/nse.html)"},"fileinfo":{"filename":"\/","state":"CLOSED","stored":false,"size":177}}
  {"timestamp":"2015-04-13T17:11:45.792771","event_type":"fileinfo","src_ip":"192.168.1.252","src_port":80,"dest_ip":"192.168.1.254","dest_port":34475,"proto":"TCP","http":{"url":"\/","hostname":"192.168.1.252","http_user_agent":"Mozilla\/5.0 (compatible; Nmap Scripting Engine; http:\/\/nmap.org\/book\/nse.html)"},"fileinfo":{"filename":"\/","state":"CLOSED","stored":false,"size":177}}

Two things stand out in this output. The long run of alerts comes from nmap's OS-detection probes, which deliberately send ICMP echo requests with a non-zero code (9 here); Suricata's decoder rule 2200025 flags the probe, and flags the echo reply as well because the reply copies the code back. The HTTP events at the end carry the Nmap Scripting Engine user agent and, as with the Nikto run, every TCP event is logged twice (client-side copy 192.168.1.254 <-> 192.168.1.252 and backend copy 192.168.1.252 <-> 192.168.1.250), whereas ICMP to the sensor itself is not NATed and appears once per packet. We can check on the Apache server too that it is receiving all of these connections:
  tail -f /var/log/apache2/access.log

  192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET /cgi-915/c32web.exe/GetImage?ImageName=CustomerEmail.txt%00.pdf HTTP/1.1" 404 543 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003581)"
  192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET /bin/c32web.exe/GetImage?ImageName=CustomerEmail.txt%00.pdf HTTP/1.1" 404 539 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003581)"
  192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET /cgi/c32web.exe/GetImage?ImageName=CustomerEmail.txt%00.pdf HTTP/1.1" 404 539 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003581)"
  192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET /mpcgi/c32web.exe/GetImage?ImageName=CustomerEmail.txt%00.pdf HTTP/1.1" 404 541 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003581)"
  192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET /cgibin/c32web.exe/GetImage?ImageName=CustomerEmail.txt%00.pdf HTTP/1.1" 404 543 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003581)"
  192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET /owsbin/c32web.exe/GetImage?ImageName=CustomerEmail.txt%00.pdf HTTP/1.1" 404 543 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003581)"
  192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET /cgisys/c32web.exe/GetImage?ImageName=CustomerEmail.txt%00.pdf HTTP/1.1" 404 543 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003581)"
  192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET /cgilocal/c32web.exe/GetImage?ImageName=CustomerEmail.txt%00.pdf HTTP/1.1" 404 545 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003581)"
  192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET /htbin/c32web.exe/GetImage?ImageName=CustomerEmail.txt%00.pdf HTTP/1.1" 404 541 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003581)"
  192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET /cgibin/c32web.exe/GetImage?ImageName=CustomerEmail.txt%00.pdf HTTP/1.1" 404 542 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003581)"
  192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET /cgis/c32web.exe/GetImage?ImageName=CustomerEmail.txt%00.pdf HTTP/1.1" 404 540 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003581)"
  192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET /scripts/c32web.exe/GetImage?ImageName=CustomerEmail.txt%00.pdf HTTP/1.1" 404 543 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003581)"
  192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET /cgiwin/c32web.exe/GetImage?ImageName=CustomerEmail.txt%00.pdf HTTP/1.1" 404 543 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003581)"
  192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET /fcgibin/c32web.exe/GetImage?ImageName=CustomerEmail.txt%00.pdf HTTP/1.1" 404 544 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003581)"
  192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET /cgiexe/c32web.exe/GetImage?ImageName=CustomerEmail.txt%00.pdf HTTP/1.1" 404 543 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003581)"
  192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET /cgihome/c32web.exe/GetImage?ImageName=CustomerEmail.txt%00.pdf HTTP/1.1" 404 544 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003581)"
  192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET /cgiperl/c32web.exe/GetImage?ImageName=CustomerEmail.txt%00.pdf HTTP/1.1" 404 544 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003581)"
  192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET /scgibin/c32web.exe/GetImage?ImageName=CustomerEmail.txt%00.pdf HTTP/1.1" 404 544 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003581)"
  192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET /sitemap.gz HTTP/1.1" 404 526 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003582)"
  192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET /content/sitemap.gz HTTP/1.1" 404 534 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003583)"
  192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET /icons/README HTTP/1.1" 200 5375 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003584)"
  192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET /localstart.asp HTTP/1.1" 404 530 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003585)"
  192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET /ampache/update.php HTTP/1.1" 404 534 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003586)"
  192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET /ampache/login.php HTTP/1.1" 404 533 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003587)"
  192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET /ampache/docs/README HTTP/1.1" 404 535 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003588)"
  192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET /cgi-bin/webcgi/about HTTP/1.1" 404 536 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003589)"
  192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET /webservices/IlaWebServices HTTP/1.1" 404 541 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003590)"
  192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET /SoundBridgeStatus.html HTTP/1.1" 404 537 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003591)"
  192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET /CFIDE/componentutils/cfcexplorer.cfc HTTP/1.1" 404 551 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003592)"
  192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET /phone/ HTTP/1.1" 404 521 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003593)"
  192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET /Host/Portals/tabid/19/ctl/Login/portalid/0/Default.aspx HTTP/1.1" 404 570 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003594)"
  192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET /jspexamples/jsp2/jspx/textRotate.jspx?name=<script>alert(111) HTTP/1.1" 404 553 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003595)"
  192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET /jspexamples/jsp2/el/implicit-objects.jsp?foo=<script>alert(112) HTTP/1.1" 404 556 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003596)"
  192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET /jspexamples/jsp2/el/functions.jsp?foo=<script>alert(113) HTTP/1.1" 404 549 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003597)"

Because of the MASQUERADE rule every request is logged with 192.168.1.252 as the client, so the Apache log alone cannot tell you who is scanning; the scanner's real address is only in Suricata's logs. Note also that /icons/README answered 200, the one Nikto probe here that found something.
Now let's put Suricata to work as an IPS. For this test we change a few settings in the Suricata main file:

vim /etc/suricata/suricata.yaml

[...]
HOME_NET: "any"
#HOME_NET: "[192.168.1.0/24]"
EXTERNAL_NET: "any"
#EXTERNAL_NET: "!$HOME_NET"

Now we need to make a backup of the rule files:

cp -Rfa /etc/suricata/rules ~/rules

Now we change some categories of rules from alert to drop, so that matching traffic is blocked instead of only logged:

sed -i 's/^alert/drop/g' /etc/suricata/rules/emerging-scan.rules
sed -i 's/^alert/drop/g' /etc/suricata/rules/emerging-web_server.rules
sed -i 's/^alert/drop/g' /etc/suricata/rules/emerging-web_specific_apps.rules
sed -i 's/^alert/drop/g' /etc/suricata/rules/emerging-web_client.rules
sed -i 's/^alert/drop/g' /etc/suricata/rules/drop.rules
sed -i 's/^alert/drop/g' /etc/suricata/rules/stream-events.rules
sed -i 's/^alert/drop/g' /etc/suricata/rules/emerging-policy.rules
sed -i 's/^alert/drop/g' /etc/suricata/rules/emerging-shellcode.rules
sed -i 's/^alert/drop/g' /etc/suricata/rules/decoder-events.rules
sed -i 's/^alert/drop/g' /etc/suricata/rules/emerging-exploit.rules
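The sed commands above switch every rule in a file to drop, which also turns low-priority informational signatures into blocks. The script below is an added example (not from the original page) that converts only the SIDs you name, keeps a backup of the file, and counts what changed. The rule file, its SIDs and messages are constructed for the demo and are not real Emerging Threats signatures.

```shell
#!/bin/sh
# Added example (not from the original page): switch Suricata rules from
# "alert" to "drop" selectively, by SID, instead of rewriting whole files.
# The rule file, SIDs and messages below are constructed for the demo and are
# not real Emerging Threats signatures.

# Write a small constructed rule file so the example runs offline.
make_sample_rules() {
    cat > "$1" <<'EOF'
# constructed sample rules
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"SAMPLE scanner user-agent"; sid:9000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"SAMPLE informational policy hit"; sid:9000002; rev:1;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"SAMPLE disabled rule"; sid:9000003; rev:1;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"SAMPLE exploit attempt"; sid:9000004; rev:2;)
EOF
}

# drop_by_sid FILE SID [SID...]
# Keeps a .bak copy, then changes the action of the listed SIDs only.
# Commented-out rules and rules with other SIDs are left untouched.
drop_by_sid() {
    file=$1
    shift
    cp -p "$file" "$file.bak"
    awk -v sids="$*" '
        BEGIN {
            n = split(sids, a, " ")
            for (i = 1; i <= n; i++) want["sid:" a[i] ";"] = 1
        }
        /^alert / {
            for (s in want)
                if (index($0, s)) { sub(/^alert /, "drop "); break }
        }
        { print }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# count_action FILE ACTION -> number of active (uncommented) rules with that action
count_action() {
    grep -c "^$2 " "$1" || true
}

# Demo: convert two SIDs and report the resulting action counts.
demo() {
    dir=$(mktemp -d)
    make_sample_rules "$dir/sample.rules"
    drop_by_sid "$dir/sample.rules" 9000001 9000004
    echo "drop rules:  $(count_action "$dir/sample.rules" drop)"
    echo "alert rules: $(count_action "$dir/sample.rules" alert)"
    grep '^drop ' "$dir/sample.rules"
    rm -rf "$dir"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run it as `sh convert-by-sid.sh demo` to see the two converted rules; in a real deployment point `drop_by_sid` at a file under /etc/suricata/rules and reload Suricata afterwards.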
Now we need to kill the running Suricata process:

PSU=$(pidof suricata); kill -9 $PSU
Now we start Suricata in inline mode (IPS), reading packets from NFQUEUE queue 0:

suricata -c /etc/suricata/suricata.yaml -q 0 -D

Now we redirect all forwarded traffic on port 80 to the queue; Suricata will inspect every packet and decide whether it is passed or dropped:

iptables -P FORWARD DROP
iptables -A FORWARD -p tcp --dport 80 -j NFQUEUE
iptables -A FORWARD -p tcp --sport 80 -j NFQUEUE

Now we can follow the Suricata logs:

tail -f /var/log/suricata/fast.log /var/log/suricata/drop.log

Now we run the test scan again from another machine against the Suricata host:

nikto -h 192.168.1.252 -C all

Now we can check the Suricata log files:

tail -f /var/log/suricata/fast.log /var/log/suricata/drop.log

==> /var/log/suricata/fast.log <==
04/13/2015-17:21:44.772236 [Drop] [**] [1:2002677:13] ET SCAN Nikto Web App Scan in Progress [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.1.254:34840 -> 192.168.1.250:80

==> /var/log/suricata/drop.log <==
04/13/2015-17:21:44.772236: IN= OUT= SRC=192.168.1.254 DST=192.168.1.250 LEN=200 TOS=0x00 TTL=63 ID=7455 PROTO=TCP SPT=34840 DPT=80 SEQ=812639632 ACK=3464940515 WINDOW=262 ACK PSH RES=0x00 URGP=0
04/13/2015-17:21:47.918031: IN= OUT= SRC=192.168.1.250 DST=192.168.1.254 LEN=586 TOS=0x00 TTL=63 ID=47579 PROTO=TCP SPT=80 DPT=34840 SEQ=3464939981 ACK=812639632 WINDOW=2346 ACK PSH RES=0x00 URGP=0
04/13/2015-17:21:54.774944: IN= OUT= SRC=192.168.1.254 DST=192.168.1.250 LEN=200 TOS=0x00 TTL=63 ID=23285 PROTO=TCP SPT=34845 DPT=80 SEQ=1536905794 ACK=3348384629 WINDOW=229 ACK PSH RES=0x00 URGP=0
04/13/2015-17:21:55.772148: IN= OUT= SRC=192.168.1.250 DST=192.168.1.254 LEN=60 TOS=0x00 TTL=63 ID=0 PROTO=TCP SPT=80 DPT=34845 SEQ=3348384628 ACK=1536905794 WINDOW=14480 SYN ACK RES=0x00 URGP=0
04/13/2015-17:22:04.779775: IN= OUT= SRC=192.168.1.254 DST=192.168.1.250 LEN=202 TOS=0x00 TTL=63 ID=49545 PROTO=TCP SPT=34858 DPT=80 SEQ=1308021760 ACK=1100202517 WINDOW=229 ACK PSH RES=0x00 URGP=0
04/13/2015-17:22:05.972261: IN= OUT= SRC=192.168.1.250 DST=192.168.1.254 LEN=60 TOS=0x00 TTL=63 ID=0 PROTO=TCP SPT=80 DPT=34858 SEQ=1100202516 ACK=1308021760 WINDOW=14480 SYN ACK RES=0x00 URGP=0
04/13/2015-17:22:14.790753: IN= OUT= SRC=192.168.1.254 DST=192.168.1.250 LEN=202 TOS=0x00 TTL=63 ID=3168 PROTO=TCP SPT=34866 DPT=80 SEQ=3727036513 ACK=3268194257 WINDOW=229 ACK PSH RES=0x00 URGP=0
04/13/2015-17:22:16.171470: IN= OUT= SRC=192.168.1.250 DST=192.168.1.254 LEN=60 TOS=0x00 TTL=63 ID=0 PROTO=TCP SPT=80 DPT=34866 SEQ=3268194256 ACK=3727036513 WINDOW=14480 SYN ACK RES=0x00 URGP=0
04/13/2015-17:22:24.795966: IN= OUT= SRC=192.168.1.254 DST=192.168.1.250 LEN=199 TOS=0x00 TTL=63 ID=50075 PROTO=TCP SPT=34878 DPT=80 SEQ=3459769758 ACK=1952858872 WINDOW=229 ACK PSH RES=0x00 URGP=0
04/13/2015-17:22:25.971993: IN= OUT= SRC=192.168.1.250 DST=192.168.1.254 LEN=60 TOS=0x00 TTL=63 ID=0 PROTO=TCP SPT=80 DPT=34878 SEQ=1952858871 ACK=3459769758 WINDOW=14480 SYN ACK RES=0x00 URGP=0
04/13/2015-17:22:34.808455: IN= OUT= SRC=192.168.1.254 DST=192.168.1.250 LEN=199 TOS=0x00 TTL=63 ID=57943 PROTO=TCP SPT=34885 DPT=80 SEQ=2584071583 ACK=1252079019 WINDOW=229 ACK PSH RES=0x00 URGP=0
04/13/2015-17:22:36.172188: IN= OUT= SRC=192.168.1.250 DST=192.168.1.254 LEN=60 TOS=0x00 TTL=63 ID=0 PROTO=TCP SPT=80 DPT=34885 SEQ=1252079018 ACK=2584071583 WINDOW=14480 SYN ACK RES=0x00 URGP=0

==> /var/log/suricata/fast.log <==
04/13/2015-17:22:44.827179 [Drop] [**] [1:2002677:13] ET SCAN Nikto Web App Scan in Progress [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.1.254:34894 -> 192.168.1.250:80

==> /var/log/suricata/drop.log <==
04/13/2015-17:22:44.827179: IN= OUT= SRC=192.168.1.254 DST=192.168.1.250 LEN=201 TOS=0x00 TTL=63 ID=51878 PROTO=TCP SPT=34894 DPT=80 SEQ=675935592 ACK=4002722971 WINDOW=262 ACK PSH RES=0x00 URGP=0
04/13/2015-17:22:47.995799: IN= OUT= SRC=192.168.1.250 DST=192.168.1.254 LEN=580 TOS=0x00 TTL=63 ID=5199 PROTO=TCP SPT=80 DPT=34894 SEQ=4002722443 ACK=675935592 WINDOW=2346 ACK PSH RES=0x00 URGP=0
04/13/2015-17:22:54.829643: IN= OUT= SRC=192.168.1.254 DST=192.168.1.250 LEN=201 TOS=0x00 TTL=63 ID=26662 PROTO=TCP SPT=34897 DPT=80 SEQ=3048942461 ACK=420962227 WINDOW=229 ACK PSH RES=0x00 URGP=0
04/13/2015-17:22:56.372487: IN= OUT= SRC=192.168.1.250 DST=192.168.1.254 LEN=60 TOS=0x00 TTL=63 ID=0 PROTO=TCP SPT=80 DPT=34897 SEQ=420962226 ACK=3048942461 WINDOW=14480 SYN ACK RES=0x00 URGP=0
04/13/2015-17:23:04.838129: IN= OUT= SRC=192.168.1.254 DST=192.168.1.250 LEN=200 TOS=0x00 TTL=63 ID=13814 PROTO=TCP SPT=34900 DPT=80 SEQ=292845803 ACK=2369351393 WINDOW=229 ACK PSH RES=0x00 URGP=0
04/13/2015-17:23:06.172247: IN= OUT= SRC=192.168.1.250 DST=192.168.1.254 LEN=60 TOS=0x00 TTL=63 ID=0 PROTO=TCP SPT=80 DPT=34900 SEQ=2369351392 ACK=292845803 WINDOW=14480 SYN ACK RES=0x00 URGP=0
04/13/2015-17:23:14.849031: IN= OUT= SRC=192.168.1.254 DST=192.168.1.250 LEN=200 TOS=0x00 TTL=63 ID=10016 PROTO=TCP SPT=34909 DPT=80 SEQ=2092855804 ACK=2654305631 WINDOW=229 ACK PSH RES=0x00 URGP=0
04/13/2015-17:23:15.972834: IN= OUT= SRC=192.168.1.250 DST=192.168.1.254 LEN=60 TOS=0x00 TTL=63 ID=0 PROTO=TCP SPT=80 DPT=34909 SEQ=2654305630 ACK=2092855804 WINDOW=14480 SYN ACK RES=0x00 URGP=0
04/13/2015-17:23:24.859782: IN= OUT= SRC=192.168.1.254 DST=192.168.1.250 LEN=200 TOS=0x00 TTL=63 ID=37382 PROTO=TCP SPT=34912 DPT=80 SEQ=4239520425 ACK=1204384680 WINDOW=229 ACK PSH RES=0x00 URGP=0
04/13/2015-17:23:26.372347: IN= OUT= SRC=192.168.1.250 DST=192.168.1.254 LEN=60 TOS=0x00 TTL=63 ID=0 PROTO=TCP SPT=80 DPT=34912 SEQ=1204384679 ACK=4239520425 WINDOW=14480 SYN ACK RES=0x00 URGP=0
04/13/2015-17:23:34.867725: IN= OUT= SRC=192.168.1.254 DST=192.168.1.250 LEN=200 TOS=0x00 TTL=63 ID=20552 PROTO=TCP SPT=34917 DPT=80 SEQ=821639733 ACK=3031914370 WINDOW=229 ACK PSH RES=0x00 URGP=0
04/13/2015-17:23:36.172463: IN= OUT= SRC=192.168.1.250 DST=192.168.1.254 LEN=60 TOS=0x00 TTL=63 ID=0 PROTO=TCP SPT=80 DPT=34917 SEQ=3031914369 ACK=821639733 WINDOW=14480 SYN ACK RES=0x00 URGP=0

==> /var/log/suricata/fast.log <==
04/13/2015-17:23:44.916071 [Drop] [**] [1:2002677:13] ET SCAN Nikto Web App Scan in Progress [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.1.254:34927 -> 192.168.1.250:80

==> /var/log/suricata/drop.log <==
04/13/2015-17:23:44.916071: IN= OUT= SRC=192.168.1.254 DST=192.168.1.250 LEN=201 TOS=0x00 TTL=63 ID=37617 PROTO=TCP SPT=34927 DPT=80 SEQ=2943871269 ACK=1547692160 WINDOW=262 ACK PSH RES=0x00 URGP=0
04/13/2015-17:23:48.076577: IN= OUT= SRC=192.168.1.250 DST=192.168.1.254 LEN=580 TOS=0x00 TTL=63 ID=4861 PROTO=TCP SPT=80 DPT=34927 SEQ=1547691632 ACK=2943871269 WINDOW=2346 ACK PSH RES=0x00 URGP=0
04/13/2015-17:23:54.927989: IN= OUT= SRC=192.168.1.254 DST=192.168.1.250 LEN=201 TOS=0x00 TTL=63 ID=4771 PROTO=TCP SPT=34930 DPT=80 SEQ=1683975337 ACK=473377258 WINDOW=229 ACK PSH RES=0x00 URGP=0
04/13/2015-17:23:56.172266: IN= OUT= SRC=192.168.1.250 DST=192.168.1.254 LEN=60 TOS=0x00 TTL=63 ID=0 PROTO=TCP SPT=80 DPT=34930 SEQ=473377257 ACK=1683975337 WINDOW=14480 SYN ACK RES=0x00 URGP=0
04/13/2015-17:24:04.939915: IN= OUT= SRC=192.168.1.254 DST=192.168.1.250 LEN=200 TOS=0x00 TTL=63 ID=27939 PROTO=TCP SPT=34933 DPT=80 SEQ=539880178 ACK=2700461480 WINDOW=229 ACK PSH RES=0x00 URGP=0
04/13/2015-17:24:06.372664: IN= OUT= SRC=192.168.1.250 DST=192.168.1.254 LEN=60 TOS=0x00 TTL=63 ID=0 PROTO=TCP SPT=80 DPT=34933 SEQ=2700461479 ACK=539880178 WINDOW=14480 SYN ACK RES=0x00 URGP=0

As we can see, the [Drop] tag in fast.log indicates that the packet was dropped and was not forwarded to the Apache server, and drop.log lists every packet that was dropped. If we check the Apache log files now, only a few requests get through, unlike before without the IPS:

tail -f /var/log/apache2/access.log
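Reading the raw fast.log by eye does not scale once the IPS is dropping in volume. The script below is an added example (not part of the original page) that summarizes fast.log by action, SID and source address with awk. It assumes the fast.log line format shown above, where a dropped packet carries a "[Drop]" tag as the second field and a plain alert has no action tag. The sample lines are constructed: 2002677 is the Nikto SID from the page's own logs, 9000002 is a made-up alert-only signature.

```shell
#!/bin/sh
# Added example (not from the original page): summarize Suricata fast.log by
# action, SID and source address. Parsing assumes the fast.log format shown on
# the page. Sample lines are constructed; SID 9000002 is made up.

sample_fast_log() {
    cat <<'EOF'
04/13/2015-17:21:44.772236 [Drop] [**] [1:2002677:13] ET SCAN Nikto Web App Scan in Progress [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.1.254:34840 -> 192.168.1.250:80
04/13/2015-17:22:44.827179 [Drop] [**] [1:2002677:13] ET SCAN Nikto Web App Scan in Progress [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.1.254:34894 -> 192.168.1.250:80
04/13/2015-17:22:50.000000 [**] [1:9000002:1] SAMPLE alert-only signature [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.168.1.250:80 -> 192.168.1.254:34900
04/13/2015-17:23:44.916071 [Drop] [**] [1:2002677:13] ET SCAN Nikto Web App Scan in Progress [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.1.254:34927 -> 192.168.1.250:80
EOF
}

# parse_events FILE -> one "action sid src" triple per line.
# A dropped packet has "[Drop]" as the second field; a plain alert has no
# action tag at all, so anything else is counted as an alert.
parse_events() {
    awk '
    {
        action = ($2 == "[Drop]") ? "drop" : "alert"
        sid = "?"
        if (match($0, /\[1:[0-9]+:[0-9]+\]/)) {
            sid = substr($0, RSTART + 3, RLENGTH - 4)   # e.g. "2002677:13"
            sub(/:.*/, "", sid)                        # keep the SID, drop the rev
        }
        src = "?"
        for (i = 2; i < NF; i++)
            if ($i == "->") { src = $(i - 1); sub(/:[0-9]+$/, "", src) }
        print action, sid, src
    }' "$1"
}

# count_events FILE ACTION -> number of events with that action (drop or alert)
count_events() {
    parse_events "$1" | awk -v a="$2" '$1 == a { n++ } END { print n + 0 }'
}

# drops_by_source FILE -> "count src" lines, busiest source first
drops_by_source() {
    parse_events "$1" | awk '$1 == "drop" { c[$3]++ } END { for (s in c) print c[s], s }' | sort -rn
}

# Demo on the constructed sample
demo() {
    f=$(mktemp)
    sample_fast_log > "$f"
    echo "drops:  $(count_events "$f" drop)"
    echo "alerts: $(count_events "$f" alert)"
    echo "drops by source:"
    drops_by_source "$f"
    rm -f "$f"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Point `drops_by_source` at /var/log/suricata/fast.log on the sensor to see which sources are being blocked most; a single source with a high drop count and one SID, as in the page's Nikto run, is the expected shape of a scanner being stopped.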
192.168.1.252 - - [13/Apr/2015:17:22:45 -0300] "GET /PIzR7b1c.el HTTP/1.1" 404 527 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:map_codes)"
192.168.1.252 - - [13/Apr/2015:17:22:45 -0300] "GET /PIzR7b1c.axd HTTP/1.1" 404 528 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:map_codes)"
192.168.1.252 - - [13/Apr/2015:17:23:45 -0300] "GET /PIzR7b1c.jse HTTP/1.1" 404 529 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:map_codes)"
192.168.1.252 - - [13/Apr/2015:17:23:45 -0300] "GET /PIzR7b1c.tmp HTTP/1.1" 404 528 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:map_codes)"
192.168.1.252 - - [13/Apr/2015:17:23:45 -0300] "GET /PIzR7b1c.dpgs HTTP/1.1" 404 529 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:map_codes)"
192.168.1.252 - - [13/Apr/2015:17:23:45 -0300] "GET /PIzR7b1c.mdb HTTP/1.1" 404 528 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:map_codes)"
192.168.1.252 - - [13/Apr/2015:17:24:46 -0300] "GET /PIzR7b1c.shtml HTTP/1.1" 404 531 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:map_codes)"
192.168.1.252 - - [13/Apr/2015:17:24:46 -0300] "GET /PIzR7b1c.cfg HTTP/1.1" 404 528 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:map_codes)"
192.168.1.252 - - [13/Apr/2015:17:24:46 -0300] "GET /PIzR7b1c.bas:ShowVolume HTTP/1.1" 404 539 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:map_codes)"
192.168.1.252 - - [13/Apr/2015:17:24:46 -0300] "GET /PIzR7b1c.chl+ HTTP/1.1" 404 529 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:map_codes)"

Testing DDoS

Note: be aware that this can take down the switch or router.

We can test a SYN flood with the following command:

t50 192.168.1.252 --flood -S --turbo --dport 80

or alternatively:

hping3 -S 192.168.1.252 -p 80 --flood
Installing and Configuring the Barnyard2

Barnyard2 feeds the Snorby database with the Suricata logs; it is installed on the Suricata server. We need to fetch the tarball and decompress it:

cd /usr/src
wget -c http://wiki.douglasqsantos.com.br/Downloads/ips/barnyard2-1.9.tar.gz
tar -zxf barnyard2-1.9.tar.gz && cd barnyard2-1.9

Now we configure the package to work with MySQL:

./configure --with-mysql --with-mysql-libraries=/usr/lib64 --sysconfdir=/etc/suricata --prefix=/usr --localstatedir=/var

Now let's compile it:

make && make install clean

Now we need to create the Barnyard2 log directory:

mkdir /var/log/barnyard2

Now let's make some changes in the Barnyard2 configuration file:

vim /etc/suricata/barnyard2.conf

[...]
config reference_file: /etc/suricata/rules/reference.config
config classification_file: /etc/suricata/rules/classification.config
config gen_file: /etc/suricata/rules/gen-msg.map
config sid_file: /etc/suricata/rules/sid-msg.map
[...]
config hostname: ips01
config interface: enp0s3
[...]
output alert_fast
# Add the line below at the end of the file and change the values as needed.
output database: log, mysql, user=snorby password=senha dbname=snorby host=192.168.1.251

Now we need to kill the running Suricata process:

PSU=$(pidof suricata); kill -9 $PSU

Now let's start the Suricata and Barnyard2 daemons:

suricata -c /etc/suricata/suricata.yaml -q 0 -D
barnyard2 -c /etc/suricata/barnyard2.conf -d /var/log/suricata -f unified2.alert -w /var/log/suricata/suricata.waldo -D
Configuring systemd

Now we need to kill the Suricata and Barnyard2 processes:

PSU=$(pidof suricata); kill -9 $PSU
PSU=$(pidof barnyard2); kill -9 $PSU

Now we create the systemd unit files and enable Suricata and Barnyard2 to start at boot time.

vim /usr/lib/systemd/system/suricata.service

[Unit]
Description=Suricata Intrusion Detection Service
After=syslog.target network.target auditd.service

[Service]
ExecStart=/usr/bin/suricata -c /etc/suricata/suricata.yaml $OPTIONS
EnvironmentFile=-/etc/sysconfig/suricata

[Install]
WantedBy=multi-user.target

Now let's create the sysconfig file for Suricata:

vim /etc/sysconfig/suricata

# The following parameters are the most commonly needed to configure
# suricata. A full list can be seen by running /sbin/suricata --help
# -i
# --user
# --group
#
# Add options to be passed to the daemon
OPTIONS="-q 0 "

Now we enable the service:

systemctl enable suricata.service

We can start the service like this:

systemctl start suricata.service

We can display its status like this:

systemctl status suricata.service

We can display the services that are currently running with the following command:

systemd-cgls -l

We can display the services available with the following command:

systemctl list-units --type service

Now we need to create the service for Barnyard2:
vim /usr/lib/systemd/system/barnyard2.service

[Unit]
Description=Barnyard2 Spooler Service
After=syslog.target suricata.service

[Service]
ExecStart=/usr/bin/barnyard2 -c /etc/suricata/barnyard2.conf -d /var/log/suricata \
 -f unified2.alert -w /var/log/suricata/suricata.waldo $OPTIONS
EnvironmentFile=-/etc/sysconfig/barnyard2

[Install]
WantedBy=multi-user.target

Now let's create the sysconfig file for Barnyard2:

vim /etc/sysconfig/barnyard2

# The following parameters are the most commonly needed to configure
# barnyard2. A full list can be seen by running /usr/local/bin/barnyard2 -help
# Add options to be passed to the daemon
OPTIONS=" "

Now we enable the Barnyard2 service:

systemctl enable barnyard2.service

Let's start the Barnyard2 service:

systemctl start barnyard2.service

Let's display its status:

systemctl status barnyard2.service

Now we need to create the firewall service unit:

vim /usr/lib/systemd/system/firewall.service

[Unit]
Description=Firewall ConfiServ
After=barnyard2.service

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/etc/firewall/firewall-start
ExecStop=/etc/firewall/firewall-stop

[Install]
WantedBy=multi-user.target

Now we need to create the directory that will store the firewall scripts:

mkdir /etc/firewall

Now let's create the firewall-start script:

vim /etc/firewall/firewall-start

#!/bin/bash
### Loading some modules
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp

### Adjusting some variables
echo 1000000 > /sys/module/nf_conntrack/parameters/hashsize
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 1 > /proc/sys/net/ipv4/tcp_timestamps
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 0 > /proc/sys/net/netfilter/nf_conntrack_tcp_loose
echo 2000000 > /proc/sys/net/netfilter/nf_conntrack_max
PSNI=/proc/sys/net/ipv4
for END in $PSNI/conf/*/rp_filter ; do echo 1 > $END ; done
echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
PSNI=/proc/sys/net/ipv6
for END in $PSNI/conf/*/disable_ipv6 ; do echo 1 > $END ; done
echo 0 > /proc/sys/net/netfilter/nf_conntrack_helper

### Cleaning up the interface
ethtool -K enp0s3 tx off
ethtool -K enp0s3 tso off
ethtool -K enp0s3 gro off
ethtool -K enp0s3 rxvlan off
ethtool -K enp0s3 txvlan off

### Cleaning up
iptables -t filter -F
iptables -t filter -X
iptables -t nat -F
iptables -t nat -X
iptables -t raw -F
iptables -t raw -X

### INPUT
iptables -P INPUT DROP
iptables -t filter -A INPUT -m state --state INVALID -j DROP
iptables -A INPUT -f -j DROP
iptables -t filter -A INPUT -p tcp --dport 22022 -j NFQUEUE --queue-num 0
iptables -t filter -A INPUT -p tcp --sport 22022 -j NFQUEUE --queue-num 0
iptables -t filter -A INPUT -p all -s 192.168.1.0/24 -j ACCEPT

### NAT
iptables -t nat -A PREROUTING -d 192.168.1.252 -p tcp --dport 80 -j DNAT --to 192.168.1.250
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j MASQUERADE

### FORWARD
iptables -P FORWARD DROP
iptables -t filter -A FORWARD -p tcp -m tcp --dport 80 -j NFQUEUE --queue-num 0
iptables -t filter -A FORWARD -p tcp -m tcp --sport 80 -j NFQUEUE --queue-num 0

Now we need to create the firewall-stop script:

vim /etc/firewall/firewall-stop

#!/bin/bash
iptables -t filter -F
iptables -t filter -X
iptables -t raw -F
iptables -t raw -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
Now we make the scripts executable:

chmod +x /etc/firewall/firewall*

Now we enable the new service:

systemctl enable firewall.service

Note: be aware that when you start the service your current SSH session will be cut, because from then on every connection to the SSH port passes through Suricata.

Now we start the service:

systemctl start firewall.service

To check the status of the service we can use the following command:

systemctl status firewall.service
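Because firewall-start sets the INPUT policy to DROP before it adds the rule that lets SSH through, a single iptables command that fails to parse leaves the host unreachable once firewall.service is started. The script below is an added example (not from the original page) that runs a static sanity check over a start script before it is enabled. Its heuristics target the option typos that are easy to make in these scripts: a single dash in front of a long option ("-to" for "--to"), "--queuenum" for "--queue-num", and a target whose "-j" has been lost. The script text it checks is constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original page): static sanity check for an
# iptables start script before wiring it into firewall.service. Heuristics
# only; the script text below is constructed and intentionally contains
# three of the typos the check looks for.

sample_fw_script() {
    cat <<'EOF'
#!/bin/bash
### constructed test script
iptables -P INPUT DROP
iptables -t filter -A INPUT -p tcp --dport 22022 -j NFQUEUE --queue-num 0
iptables -t nat -A PREROUTING -d 192.168.1.252 -p tcp --dport 80 -j DNAT -to 192.168.1.250
iptables -t filter -A FORWARD -p tcp -m tcp --dport 80 -j NFQUEUE --queuenum 0
iptables -A FORWARD -s 10.23.0.143 -p tcp -m multiport --dports 80,443 j NFQUEUE --queue-num 0
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j MASQUERADE
EOF
}

# lint_iptables_script FILE -> one "LINE: reason" per suspicious iptables line
lint_iptables_script() {
    awk '
    /^ *#/ || !/iptables/ { next }
    {
        reason = ""
        for (i = 1; i <= NF; i++) {
            # iptables has no multi-letter single-dash options, so "-to" or
            # "-dport" are typos for "--to" / "--dport"
            if ($i ~ /^-[A-Za-z][A-Za-z]+$/)
                reason = reason " single-dash long option " $i ";"
            # a bare "j" followed by an upper-case target: the dash was lost
            if ($i == "j" && $(i + 1) ~ /^[A-Z]+$/)
                reason = reason " missing -j before " $(i + 1) ";"
            # the NFQUEUE option is spelled --queue-num
            if ($i ~ /^--queuenum/)
                reason = reason " " $i " (should be --queue-num);"
        }
        if (reason != "") print NR ":" reason
    }' "$1"
}

# lint_findings_count FILE -> number of flagged lines
lint_findings_count() {
    lint_iptables_script "$1" | wc -l | tr -d ' '
}

# Demo: lint the constructed script and report what was flagged
demo() {
    f=$(mktemp)
    sample_fw_script > "$f"
    lint_iptables_script "$f"
    echo "flagged lines: $(lint_findings_count "$f")"
    rm -f "$f"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run `lint_iptables_script /etc/firewall/firewall-start` before `systemctl start firewall.service`; an empty result does not prove the rules are correct, but a non-empty one is a reason not to start the service from a remote session.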
Sample FW

Here is a sample from a production setup. Let's take a look at the variables file:

vim /etc/firewall/variables

### VARIABLES

### PATH
PSNI="/proc/sys/net/ipv4"
PSNN="/proc/sys/net/netfilter"

### COMMANDS
MODPROBE="/sbin/modprobe"
ETHTOOL="/sbin/ethtool"
IPTABLES="/sbin/iptables"

### NETWORKS
LAN_NETWORK="10.23.0.0/24"

### SERVERS
ZABBIX="10.23.0.117"
BACULA="10.23.0.198"
WAPP01="10.23.0.247"
KACE_INT="172.33.0.194"
KACE_EXT="200.200.200.34"
EXT_FTP01="200.200.200.46"
DMZ_FTP01="10.23.0.147"
DMZ_FTP02="10.23.0.246"
DMZ_HTTP02="10.23.0.143"
DMZ_HTTP01="10.23.0.247"

## EXTERNAL IP
EXT_F10="177.177.177.10"
EXT_F14="177.177.177.14"

### PORTS
BACULA_PORT="9102"
ZABBIX_PORT="10050"
DEV_PORT="2000"
WTS_PORT="3389"
SSH_PORT="22022"
VOIP_TCP_PORTS="5060:5061"
VOIP_UDP_PORTS="5040:5081,10000:20000"
KACE_PORTS="80,139,443,445,52230"
FTP_PORTS="20,21,12000:12100"
HTTP_PORT="80"
HTTP_PORTS="80,443"
HTTPS_PORT="443"
WEB_PORTS="80,443,3306"
DNS_PORT="53"

### ALIAS
PRE_EXT="${IPTABLES} -t nat -A PREROUTING -i eno2 "
POS_EXT="${IPTABLES} -t nat -A POSTROUTING -o eno2 "
COM="-m comment --comment"
TCP="-p tcp -m tcp"
UDP="-p udp -m udp"
ICMP="-p icmp --icmp-type"
LIMIT="-m limit --limit"
DMULTIPORT="-m multiport --dports"
SMULTIPORT="-m multiport --sports"
LOG="LOG --log-prefix"
LOG_LEV="--log-level info"
SURICATA="--queue-num 0"

Let's take a look at firewall-start:

vim /etc/firewall/firewall-start

#!/bin/bash
### Loading variables
. /etc/firewall/variables

### Loading some modules
${MODPROBE} ip_conntrack
${MODPROBE} ip_conntrack_ftp
${MODPROBE} ip_nat_ftp

### Adjusting some variables
echo 1000000 > /sys/module/nf_conntrack/parameters/hashsize
echo 1 > ${PSNI}/tcp_syncookies
echo 1 > ${PSNI}/tcp_timestamps
echo 1 > ${PSNI}/ip_forward
echo 0 > ${PSNN}/nf_conntrack_tcp_loose
echo 2000000 > ${PSNN}/nf_conntrack_max
for END in ${PSNI}/conf/*/rp_filter ; do echo 1 > ${END} ; done
echo 0 > ${PSNI}/icmp_echo_ignore_all
echo 1 > ${PSNI}/icmp_echo_ignore_broadcasts
PSNI=/proc/sys/net/ipv6
for END in ${PSNI}/conf/*/disable_ipv6 ; do echo 1 > ${END} ; done
## IF THE LINE BELOW IS ENABLED, NAT DOES NOT WORK PROPERLY AND FTP DOES NOT WORK IN EXPLORER OR NAUTILUS
#echo 0 > ${PSNN}/nf_conntrack_helper

### Cleaning up the interface
${ETHTOOL} -K eno1 tx off
${ETHTOOL} -K eno1 tso off
${ETHTOOL} -K eno1 gro off
${ETHTOOL} -K eno1 rxvlan off
${ETHTOOL} -K eno1 txvlan off
${ETHTOOL} -K eno2 tx off
${ETHTOOL} -K eno2 tso off
${ETHTOOL} -K eno2 gro off
${ETHTOOL} -K eno2 rxvlan off
${ETHTOOL} -K eno2 txvlan off

### Cleaning up
${IPTABLES} -t filter -F
${IPTABLES} -t filter -X
${IPTABLES} -t nat -F
${IPTABLES} -t nat -X
${IPTABLES} -t raw -F
${IPTABLES} -t raw -X

### ALLOWING LOOPBACK
${IPTABLES} -A INPUT -s 127.0.0.1/32 -j ACCEPT

## Giving more priority to VOIP
${IPTABLES} -t mangle -A OUTPUT -p udp -j DSCP --set-dscp-class EF
${IPTABLES} -t mangle -A FORWARD -p udp -j DSCP --set-dscp-class EF

### INPUT
${IPTABLES} -P INPUT DROP
${IPTABLES} -t filter -A INPUT -m state --state INVALID -j DROP
${IPTABLES} -A INPUT -f -j DROP
${IPTABLES} -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j NFQUEUE ${SURICATA}

### FORWARD
${IPTABLES} -P FORWARD DROP
${IPTABLES} -t filter -A FORWARD -m state --state INVALID -j DROP
${IPTABLES} -A FORWARD -f -j DROP
${IPTABLES} -A FORWARD -p tcp -m state --state ESTABLISHED,RELATED -j NFQUEUE ${SURICATA}

### Allowing access to SSH
${IPTABLES} -t filter -A INPUT -p tcp --dport ${SSH_PORT} -j NFQUEUE ${SURICATA}
${IPTABLES} -t filter -A INPUT -p tcp --sport ${SSH_PORT} -j NFQUEUE ${SURICATA}

### DEV ACCESS TO WTS
${PRE_EXT} -d ${EXT_F10} -p tcp --dport ${DEV_PORT} -j DNAT --to ${WAPP01}:${WTS_PORT} ${COM} "DEV access to WTS"
${POS_EXT} -d ${WAPP01} ${TCP} --dport ${WTS_PORT} -j SNAT --to ${EXT_F10}:${DEV_PORT} ${COM} "DEV access to WTS"
${IPTABLES} -t filter -A FORWARD ${TCP} ${SMULTIPORT} ${DEV_PORT},${WTS_PORT} -j NFQUEUE ${SURICATA}
${IPTABLES} -t filter -A FORWARD ${TCP} ${DMULTIPORT} ${DEV_PORT},${WTS_PORT} -j NFQUEUE ${SURICATA}

### ALLOWING VOIP
${IPTABLES} -A FORWARD ${TCP} ${DMULTIPORT} ${VOIP_TCP_PORTS} -j NFQUEUE ${SURICATA}
${IPTABLES} -A FORWARD ${TCP} ${SMULTIPORT} ${VOIP_TCP_PORTS} -j NFQUEUE ${SURICATA}
${IPTABLES} -A FORWARD ${UDP} ${DMULTIPORT} ${VOIP_UDP_PORTS} -j NFQUEUE ${SURICATA}
${IPTABLES} -A FORWARD ${UDP} ${SMULTIPORT} ${VOIP_UDP_PORTS} -j NFQUEUE ${SURICATA}

### ALLOWING KACE
${IPTABLES} -A FORWARD -s ${LAN_NETWORK} -d ${KACE_INT} ${TCP} ${DMULTIPORT} ${KACE_PORTS} -j NFQUEUE ${SURICATA}
${IPTABLES} -A FORWARD -s ${LAN_NETWORK} -d ${KACE_INT} ${TCP} ${SMULTIPORT} ${KACE_PORTS} -j NFQUEUE ${SURICATA}
${IPTABLES} -A FORWARD -s ${LAN_NETWORK} -d ${KACE_EXT} ${TCP} ${DMULTIPORT} ${KACE_PORTS} -j NFQUEUE ${SURICATA}
${IPTABLES} -A FORWARD -s ${LAN_NETWORK} -d ${KACE_EXT} ${TCP} ${SMULTIPORT} ${KACE_PORTS} -j NFQUEUE ${SURICATA}

### ALLOWING ZABBIX
${IPTABLES} -A INPUT ${TCP} --dport ${ZABBIX_PORT} -s ${ZABBIX} -j NFQUEUE ${SURICATA}
${IPTABLES} -A OUTPUT ${TCP} --sport ${ZABBIX_PORT} -d ${ZABBIX} -j NFQUEUE ${SURICATA}

### ALLOWING BACULA
${IPTABLES} -A INPUT ${TCP} --dport ${BACULA_PORT} -s ${BACULA} -j NFQUEUE ${SURICATA}
${IPTABLES} -A OUTPUT ${TCP} --sport ${BACULA_PORT} -d ${BACULA} -j NFQUEUE ${SURICATA}

### ALLOWING FTP
${IPTABLES} -A FORWARD -d ${EXT_FTP01} -j NFQUEUE ${SURICATA}
${IPTABLES} -A FORWARD -s ${EXT_FTP01} -j NFQUEUE ${SURICATA}

### ALLOWING FTP 01
${PRE_EXT} -d ${EXT_F10} ${TCP} ${DMULTIPORT} ${FTP_PORTS} -j DNAT --to ${DMZ_FTP01} ${COM} "FTP 01"
${IPTABLES} -A FORWARD -s ${DMZ_FTP01} -j NFQUEUE ${SURICATA}
${IPTABLES} -A FORWARD -d ${DMZ_FTP01} -j NFQUEUE ${SURICATA}
${POS_EXT} -s ${DMZ_FTP01} ${TCP} ${SMULTIPORT} ${FTP_PORTS} -j SNAT --to ${EXT_F10} ${COM} "FTP 01"
${POS_EXT} -s ${DMZ_FTP01} ${TCP} ${DMULTIPORT} ${FTP_PORTS} -j SNAT --to ${EXT_F10} ${COM} "FTP 01"
### ALLOWING FTP 02
${PRE_EXT} -d ${EXT_F14} ${TCP} ${DMULTIPORT} ${FTP_PORTS} -j DNAT --to ${DMZ_FTP02} ${COM} "FTP 02"
${IPTABLES} -A FORWARD -s ${DMZ_FTP02} -j NFQUEUE ${SURICATA}
# the second FTP 02 rule must match the return direction (-d), as in the FTP 01 block
${IPTABLES} -A FORWARD -d ${DMZ_FTP02} -j NFQUEUE ${SURICATA}
${POS_EXT} -s ${DMZ_FTP02} ${TCP} ${SMULTIPORT} ${FTP_PORTS} -j SNAT --to ${EXT_F14} ${COM} "FTP 02"
${POS_EXT} -s ${DMZ_FTP02} ${TCP} ${DMULTIPORT} ${FTP_PORTS} -j SNAT --to ${EXT_F14} ${COM} "FTP 02"

### ALLOWING HTTP
${PRE_EXT} -d ${EXT_F14} ${TCP} ${DMULTIPORT} ${HTTP_PORTS} -j DNAT --to ${DMZ_HTTP01} ${COM} "HTTP SERVER 01"
${POS_EXT} -s ${DMZ_HTTP01} ${TCP} ${DMULTIPORT} ${HTTP_PORTS} -j SNAT --to ${EXT_F14} ${COM} "HTTP SERVER 01"
${IPTABLES} -A FORWARD -s ${DMZ_HTTP01} ${TCP} ${DMULTIPORT} ${HTTP_PORTS} -j NFQUEUE ${SURICATA}
${IPTABLES} -A FORWARD -d ${DMZ_HTTP01} ${TCP} ${SMULTIPORT} ${HTTP_PORTS} -j NFQUEUE ${SURICATA}

### ALLOWING HTTP2
${PRE_EXT} -d ${EXT_F10} ${TCP} ${DMULTIPORT} ${HTTP_PORTS} -j DNAT --to ${DMZ_HTTP02} ${COM} "HTTP SERVER 02"
${POS_EXT} -s ${DMZ_HTTP02} ${TCP} ${DMULTIPORT} ${HTTP_PORTS} -j SNAT --to ${EXT_F10} ${COM} "HTTP SERVER 02"
${IPTABLES} -A FORWARD -s ${DMZ_HTTP02} ${TCP} ${DMULTIPORT} ${HTTP_PORTS} -j NFQUEUE ${SURICATA}
${IPTABLES} -A FORWARD -d ${DMZ_HTTP02} ${TCP} ${SMULTIPORT} ${HTTP_PORTS} -j NFQUEUE ${SURICATA}

### ALLOWING ACCESS FROM LAN
${IPTABLES} -A INPUT -s ${LAN_NETWORK} -j ACCEPT ${COM} "ACCESS FROM LAN"
${IPTABLES} -A OUTPUT -d ${LAN_NETWORK} -j ACCEPT ${COM} "ACCESS FROM LAN"

### ALLOWING DNS QUERY
${IPTABLES} -A INPUT ${TCP} --sport ${DNS_PORT} -j NFQUEUE ${SURICATA}
${IPTABLES} -A INPUT ${UDP} --sport ${DNS_PORT} -j NFQUEUE ${SURICATA}
${IPTABLES} -A FORWARD ${TCP} --dport ${DNS_PORT} -j NFQUEUE ${SURICATA}
${IPTABLES} -A FORWARD ${TCP} --sport ${DNS_PORT} -j NFQUEUE ${SURICATA}
${IPTABLES} -A FORWARD ${UDP} --sport ${DNS_PORT} -j NFQUEUE ${SURICATA}
${IPTABLES} -A FORWARD ${UDP} --dport ${DNS_PORT} -j NFQUEUE ${SURICATA}

### ALLOWING HTTP AND FTP ACCESS
${IPTABLES} -A INPUT ${TCP} ${SMULTIPORT} ${HTTP_PORTS} -j NFQUEUE ${SURICATA}
${IPTABLES} -A INPUT ${TCP} ${DMULTIPORT} ${HTTP_PORTS} -j NFQUEUE ${SURICATA}
${IPTABLES} -A FORWARD ${TCP} ${SMULTIPORT} ${HTTP_PORTS} -j NFQUEUE ${SURICATA}
${IPTABLES} -A FORWARD ${TCP} ${DMULTIPORT} ${HTTP_PORTS} -j NFQUEUE ${SURICATA}
${IPTABLES} -A INPUT ${TCP} ${SMULTIPORT} ${FTP_PORTS} -j NFQUEUE ${SURICATA}
${IPTABLES} -A INPUT ${TCP} ${DMULTIPORT} ${FTP_PORTS} -j NFQUEUE ${SURICATA}
${IPTABLES} -A FORWARD ${TCP} ${SMULTIPORT} ${FTP_PORTS} -j NFQUEUE ${SURICATA}
${IPTABLES} -A FORWARD ${TCP} ${DMULTIPORT} ${FTP_PORTS} -j NFQUEUE ${SURICATA}

### ALLOWING ICMP
${IPTABLES} -A INPUT ${ICMP} 0 ${LIMIT} 1/s -j NFQUEUE ${SURICATA}
${IPTABLES} -A INPUT ${ICMP} 8 ${LIMIT} 1/s -j NFQUEUE ${SURICATA}
${IPTABLES} -A FORWARD ${ICMP} 0 ${LIMIT} 1/s -j NFQUEUE ${SURICATA}
${IPTABLES} -A FORWARD ${ICMP} 8 ${LIMIT} 1/s -j NFQUEUE ${SURICATA}

### MASQUERADE
${IPTABLES} -t nat -A POSTROUTING -s ${LAN_NETWORK} -j MASQUERADE

Let's take a look at firewall-stop:

cat /etc/firewall/firewall-stop

#!/bin/bash
### Loading variables
. /etc/firewall/variables

### Cleaning up the rules
${IPTABLES} -t filter -F
${IPTABLES} -t filter -X
${IPTABLES} -t raw -F
${IPTABLES} -t raw -X
${IPTABLES} -P INPUT ACCEPT
${IPTABLES} -P FORWARD ACCEPT

Here are the rules with some fixes applied: http://wiki.douglasqsantos.com.br/Downloads/ips/rules.tar.xz
From: http://wiki.douglasqsantos.com.br/ - DQS CONSULTORIA E TREINAMENTOS Permanent link: http://wiki.douglasqsantos.com.br/doku.php/installing_and_configuring_suricata_on_centos7_en Last update: 2017/09/05 12:18