Suricata : ネットワーク型 IDS 2025/08/17 |
|
ネットワーク型 IDS (Intrusion Detection System)、Suricata のインストールと設定です。 |
|
| [1] | Suricata をインストールします。 |
|
root@dlp:~# apt -y install suricata jq
|
| [2] | Suricata の設定です。 |
|
root@dlp:~# vi /etc/suricata/suricata.yaml
# 18行目 : 自身のローカルネットワークに変更
HOME_NET: "[10.0.0.0/24]"
# 24行目 : 外部ネットワークを指定可
# デフォルトは上で指定したローカルネットワーク以外
EXTERNAL_NET: "!$HOME_NET"
#EXTERNAL_NET: "any"
# 622行目 : 自身のネットワークインターフェース名に変更
af-packet:
- interface: enp1s0
# update rules
root@dlp:~# suricata-update
16/8/2025 -- 11:53:43 - <Info> -- Using data-directory /var/lib/suricata.
16/8/2025 -- 11:53:43 - <Info> -- Using Suricata configuration /etc/suricata/suricata.yaml
16/8/2025 -- 11:53:43 - <Info> -- Using /etc/suricata/rules for Suricata provided rules.
16/8/2025 -- 11:53:43 - <Info> -- Found Suricata version 7.0.10 at /usr/bin/suricata.
16/8/2025 -- 11:53:43 - <Info> -- Loading /etc/suricata/suricata.yaml
16/8/2025 -- 11:53:43 - <Info> -- Disabling rules for protocol pgsql
16/8/2025 -- 11:53:43 - <Info> -- Disabling rules for protocol modbus
16/8/2025 -- 11:53:43 - <Info> -- Disabling rules for protocol dnp3
16/8/2025 -- 11:53:43 - <Info> -- Disabling rules for protocol enip
16/8/2025 -- 11:53:43 - <Info> -- No sources configured, will use Emerging Threats Open
16/8/2025 -- 11:53:43 - <Info> -- Fetching https://rules.emergingthreats.net/open/suricata-7.0.10/emerging.rules.tar.gz.
.....
.....
root@dlp:~# systemctl restart suricata |
| [3] | アラートログは [/var/log/suricata] 配下に保管されます。例えば、Suricata の公式ドキュメントにあるように、他ホストから HTTP アクセスで [(Suricata ホスト)/uid/index.html] へアクセスすると、検知の動作を確認できます。なお、下の検知例 [ET HUNTING curl User-Agent to Dotted Quad] は、curl の User-Agent で IP アドレス直指定のホストへアクセスしたことにより発報したものです。 |
|
root@dlp:~# ll /var/log/suricata
total 12
-rw-r--r-- 1 root root 0 Aug 16 11:50 eve.json
-rw-r--r-- 1 root root 0 Aug 16 11:50 fast.log
-rw-r--r-- 1 root root 0 Aug 16 11:50 stats.log
-rw-r--r-- 1 root root 11108 Aug 16 11:55 suricata.log
root@dlp:~# cat /var/log/suricata/fast.log
03/25/2025-00:44:54.901080 [**] [1:2034567:1] ET HUNTING curl User-Agent to Dotted Quad [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.211:41470 -> 10.0.0.30:80
root@dlp:~# cat /var/log/suricata/eve.json | jq 'select(.event_type=="alert")'
{
"timestamp": "2025-08-16T12:03:24.726143+0900",
"flow_id": 1146939758689087,
"in_iface": "enp1s0",
"event_type": "alert",
"src_ip": "10.0.0.230",
"src_port": 41668,
"dest_ip": "10.0.0.30",
"dest_port": 80,
"proto": "TCP",
"pkt_src": "wire/pcap",
"metadata": {
"flowbits": [
"http.dottedquadhost"
]
},
"tx_id": 0,
"alert": {
"action": "allowed",
"gid": 1,
"signature_id": 2034567,
"rev": 1,
"signature": "ET HUNTING curl User-Agent to Dotted Quad",
"category": "Potentially Bad Traffic",
"severity": 2,
"metadata": {
"attack_target": [
"Client_Endpoint"
],
"confidence": [
"Medium"
],
"created_at": [
"2021_12_01"
],
"deployment": [
"Perimeter"
],
"signature_severity": [
"Informational"
],
"updated_at": [
"2021_12_01"
]
}
},
"http": {
"hostname": "10.0.0.30",
"url": "/uid/index.html",
"http_user_agent": "curl/8.14.1",
"http_content_type": "text/html",
"http_method": "GET",
"protocol": "HTTP/1.1",
"status": 404,
"length": 271
},
"app_proto": "http",
"direction": "to_server",
"flow": {
"pkts_toserver": 4,
"pkts_toclient": 3,
"bytes_toserver": 359,
"bytes_toclient": 638,
"start": "2025-08-16T12:03:24.725794+0900",
"src_ip": "10.0.0.230",
"dest_ip": "10.0.0.30",
"src_port": 41668,
"dest_port": 80
}
}
|