Previous post: [DPI] suricata-4.0.3 installation and deployment
At this point we have an environment in which Suricata can run.
Next, let's look into what it can do. First, let's go through the configuration file:
/suricata/etc/suricata/suricata.yaml
It is best read alongside the default configuration file's contents and its reference documentation: http://suricata.readthedocs.io/en/latest/configuration/suricata-yaml.html
That makes it much easier to understand.
After a quick pass through the configuration you will already have a fair picture of Suricata's main functions. The configuration options are rich and the capabilities powerful. The simplest and quickest way to get an intuitive feel for it is to turn on HTTP logging first.
Then restart, and you will notice a new log file: /suricata/var/log/suricata/http.log
Then try fetching a web page:
[root@suricata ~]# wget -q www.baidu.com
[root@suricata ~]#
The log now contains a record of that HTTP request:
[root@suricata suricata]# cat /suricata/var/log/suricata/http.log
02/08/2018-10:23:02.035401 www.baidu.com[**]/[**]Wget/1.14 (linux-gnu)[**]192.168.7.8:40578 -> 61.135.169.125:80
02/08/2018-10:23:05.893547 www.baidu.com[**]/[**]Wget/1.14 (linux-gnu)[**]192.168.7.8:38082 -> 61.135.169.121:80
[root@suricata suricata]#
For the more advanced features, work through the documentation, try changing settings and testing the effect, and get familiar with them gradually.
Suricata also has a large number of run modes; they are covered in detail in the documentation, so I will not repeat them here.
[root@suricata ~]# /suricata/usr/bin/suricata --list-runmodes
------------------------------------- Runmodes ------------------------------------------
| RunMode Type      | Custom Mode | Description
|----------------------------------------------------------------------------------------
| PCAP_DEV          | single      | Single threaded pcap live mode
|                   | autofp      | Multi threaded pcap live mode. Packets from each flow are assigned to a single detect thread, unlike "pcap_live_auto" where packets from the same flow can be processed by any detect thread
|                   | workers     | Workers pcap live mode, each thread does all tasks from acquisition to logging
|----------------------------------------------------------------------------------------
| PCAP_FILE         | single      | Single threaded pcap file mode
|                   | autofp      | Multi threaded pcap file mode. Packets from each flow are assigned to a single detect thread, unlike "pcap-file-auto" where packets from the same flow can be processed by any detect thread
|----------------------------------------------------------------------------------------
| PFRING(DISABLED)  | autofp      | Multi threaded pfring mode. Packets from each flow are assigned to a single detect thread, unlike "pfring_auto" where packets from the same flow can be processed by any detect thread
|                   | single      | Single threaded pfring mode
|                   | workers     | Workers pfring mode, each thread does all tasks from acquisition to logging
|----------------------------------------------------------------------------------------
| NFQ               | autofp      | Multi threaded NFQ IPS mode with respect to flow
|                   | workers     | Multi queue NFQ IPS mode with one thread per queue
|----------------------------------------------------------------------------------------
| NFLOG             | autofp      | Multi threaded nflog mode
|                   | single      | Single threaded nflog mode
|                   | workers     | Workers nflog mode
|----------------------------------------------------------------------------------------
| IPFW              | autofp      | Multi threaded IPFW IPS mode with respect to flow
|                   | workers     | Multi queue IPFW IPS mode with one thread per queue
|----------------------------------------------------------------------------------------
| ERF_FILE          | single      | Single threaded ERF file mode
|                   | autofp      | Multi threaded ERF file mode. Packets from each flow are assigned to a single detect thread
|----------------------------------------------------------------------------------------
| ERF_DAG           | autofp      | Multi threaded DAG mode. Packets from each flow are assigned to a single detect thread, unlike "dag_auto" where packets from the same flow can be processed by any detect thread
|                   | single      | Singled threaded DAG mode
|                   | workers     | Workers DAG mode, each thread does all tasks from acquisition to logging
|----------------------------------------------------------------------------------------
| AF_PACKET_DEV     | single      | Single threaded af-packet mode
|                   | workers     | Workers af-packet mode, each thread does all tasks from acquisition to logging
|                   | autofp      | Multi socket AF_PACKET mode. Packets from each flow are assigned to a single detect thread.
|----------------------------------------------------------------------------------------
| NETMAP(DISABLED)  | single      | Single threaded netmap mode
|                   | workers     | Workers netmap mode, each thread does all tasks from acquisition to logging
|                   | autofp      | Multi threaded netmap mode. Packets from each flow are assigned to a single detect thread.
|----------------------------------------------------------------------------------------
[root@suricata ~]#
The detection-engine section, which explains the rule engine, is worth reading carefully; it helps in understanding how rule grouping is implemented internally.
http://suricata.readthedocs.io/en/latest/configuration/suricata-yaml.html#detection-engine
Let's do a configuration test with a custom rule.
Edit the configuration file and add a rule file, my.rules:
[root@suricata suricata]# grep -A 1 rule-files suricata.yaml
rule-files:
  - my.rules
[root@suricata suricata]# cat rules/my.rules
alert tcp any any -> any 80 (msg: "http test";)
[root@suricata suricata]#
After restarting Suricata, make one HTTP request and you will see this rule hit in fast.log:
[root@suricata suricata]# tailf /suricata/var/log/suricata/fast.log
02/08/2018-15:48:48.265375 [**] [1:0:0] http test [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.7.8:38274 -> 66.102.251.33:80
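As an added example (not from the post or from Suricata itself), here is a small Python parser for the two log formats shown above, the default http.log line and the fast.log alert line. It also picks out alerts whose signature id is 0, which is what fast.log reports for a rule that, like the one in my.rules above, carries no sid. The sample input reuses the lines from the post; the second fast.log line is constructed.

```python
import re
from collections import Counter

# Suricata 4.0 default http.log layout: ts host[**]uri[**]user-agent[**]src:port -> dst:port
HTTP_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>.*?)\[\*\*\](?P<uri>.*?)\[\*\*\](?P<ua>.*?)\[\*\*\]"
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)
# fast.log layout: ts [**] [gid:sid:rev] msg [**] [Classification: c] [Priority: p] {proto} src:port -> dst:port
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\] "
    r"\[Classification: (?P<cls>.*?)\] \[Priority: (?P<prio>\d+)\] \{(?P<proto>\w+)\} "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)
# Sample input: the http.log and fast.log lines from the post, plus one constructed alert
# (second fast.log line) from a rule that does carry sid and rev. Not captured from a sensor.
HTTP_LOG = (
    "02/08/2018-10:23:02.035401 www.baidu.com[**]/[**]Wget/1.14 (linux-gnu)[**]192.168.7.8:40578 -> 61.135.169.125:80\n"
    "02/08/2018-10:23:05.893547 www.baidu.com[**]/[**]Wget/1.14 (linux-gnu)[**]192.168.7.8:38082 -> 61.135.169.121:80\n"
)
FAST_LOG = (
    "02/08/2018-15:48:48.265375 [**] [1:0:0] http test [**] [Classification: (null)] "
    "[Priority: 3] {TCP} 192.168.7.8:38274 -> 66.102.251.33:80\n"
    "02/08/2018-15:49:01.000001 [**] [1:1000001:1] http test [**] [Classification: (null)] "
    "[Priority: 3] {TCP} 192.168.7.8:38275 -> 66.102.251.33:80\n"
)

def parse_lines(text, pattern):
    """One dict per matching line; lines the pattern rejects are returned too, so nothing is silently dropped."""
    records, rejected = [], []
    for line in text.splitlines():
        m = pattern.match(line)
        (records if m else rejected).append(m.groupdict() if m else line)
    return records, rejected

def parse_http_log(text):
    return parse_lines(text, HTTP_RE)[0]

def parse_fast_log(text):
    return parse_lines(text, FAST_RE)[0]

def count_by_signature(alerts):
    """Alerts per (gid, sid, rev). The post's rule has no sid, so fast.log shows it as [1:0:0]."""
    return Counter((a["gid"], a["sid"], a["rev"]) for a in alerts)

def alerts_without_sid(alerts):
    """Alerts from rules that lack a sid: every such rule shares id 0, so they cannot be told apart."""
    return [a for a in alerts if a["sid"] == "0"]
```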
With that, the basic preparation is done; the next step is to read the source code...
Aside: I installed Splunk to try it out and see how it does at analysing Suricata output.
Installation guide: http://docs.splunk.com/Documentation/SplunkLight/7.0.2/Installation/InstallonLinux
Put simply, there are only three steps:
To follow these installation instructions, replace splunk_package_name.tgz with the name of the installer package you downloaded.
1. Move the .tgz file to the directory you want to install Splunk Light. For example, to install it into /opt/splunk, use: mv splunk_package_name.tgz /opt/splunk
2. In the installation directory, use the tar command to expand the file. tar xvzf splunk_package_name.tgz
3. Start Splunk Light. splunk start --accept-license
Log in: http://suricata:8000
Configuration is also simple, all done through the GUI; just set the data input to fast.log.
And then it looks like this:
What I want to say is: isn't this just a log analysis tool?
I prefer grep+sed+bash+awk --!!!!