How to Use a Network IDS to Protect a CentOS Server from Network Attacks
Introduction:
As networks grow and see ever wider use, protecting Internet-facing servers against the many kinds of network attack matters more and more. A network intrusion detection system (IDS) is a key tool for detecting malicious network activity; a system that also blocks that activity inline is an intrusion prevention system (IPS). This article shows how to deploy a network IDS on a CentOS server to help protect it from network attacks.
1. What is a network IDS?
A network IDS is a system that monitors network traffic and detects potential attacks. It identifies attacks by matching traffic against known attack signatures and suspicious behaviour patterns, so that a response can be taken promptly. A plain IDS observes the traffic and raises alerts; it does not block anything by itself.
2. Installing a network IDS on a CentOS server
First, install the IDS software on the CentOS server. This example uses Suricata. The package is in the EPEL repository, so enable EPEL and then install Suricata:
sudo yum install epel-release
sudo yum install suricata
After installation, configure Suricata to monitor network traffic. Open the configuration file /etc/suricata/suricata.yaml and adjust it for your host: set HOME_NET under vars to the server's own address range (the example rule below relies on it), set the capture interface in the af-packet section to the interface that carries the traffic you want to inspect (for example eth0), and check the log directory, which defaults to /var/log/suricata.
3. Configuring network IDS rules
A network IDS relies on rules to detect potential attacks, and Suricata performs its detection with rule files. By default it loads them from the directory given by default-rule-path in suricata.yaml, /etc/suricata/rules, but only the files listed under rule-files in the same configuration are actually read.
You can write your own rules or download existing rule sets from the Internet. The following example rule detects SSH brute-force attempts:
alert tcp any any -> $HOME_NET 22 (msg: "Possible SSH Brute Force Attack"; flow: established,to_server; content: "SSH-"; threshold: type threshold, track by_src, count 5, seconds 60; sid: 1000001; rev: 1;)
The rule matches each client SSH banner ("SSH-...") sent to port 22 of a host in HOME_NET, and the threshold keyword turns that into one alert for every five such connections from the same source IP within 60 seconds. Five legitimate logins in a minute (a deployment tool, a monitoring probe) will trigger it just as well, so tune count and seconds to your environment, and change 22 if sshd listens on another port.
Save the rule to custom.rules in /etc/suricata/rules, add custom.rules to the rule-files list in suricata.yaml, and validate the configuration with suricata -T before starting or restarting the service; a syntax error in a rule is otherwise only reported in the Suricata log.
4. Starting the network IDS
With the configuration and rules in place, start Suricata so that it monitors network traffic and runs detection:
sudo systemctl start suricata
Enable the service as well so that it comes back after a reboot. Check Suricata's status with:
sudo systemctl status suricata
If the service failed to start, the reason (a bad rule, a missing interface) is recorded in /var/log/suricata/suricata.log.
5. Monitoring and responding to network attacks
Once Suricata is monitoring traffic, it raises an alert whenever a rule matches. Alerts are written to the log files under /var/log/suricata: fast.log holds one human-readable line per alert, and eve.json holds every event (alerts, flows, DNS, TLS and so on) as one JSON object per line, which is the format to feed into a SIEM or a script. Both outputs and their paths are configured in the outputs section of suricata.yaml.
When the IDS reports an attack, possible responses include dropping the offending connections or blocking the attacker's IP address. Note that Suricata in IDS mode only alerts: to block traffic with Suricata itself you must run it inline in IPS mode and write drop rules instead of alert rules; otherwise blocking is done by a separate component that reads the alerts and updates the host firewall (firewalld on CentOS) or a tool such as fail2ban. Whichever you choose, keep an allowlist of addresses that must never be blocked, so that a false positive does not lock administrators out.
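The response step above and the SSH brute-force rule from section 3, as an added example that is not part of this article and not Suricata's own tooling: a Python script that reads Suricata's eve.json, counts alerts from the rule (sid 1000001) per source address, and prints (or, with --apply, runs) the firewalld command that rejects traffic from every source that exceeded a threshold. The EVE path, the alert threshold, the allowlist and the rule's sid are assumptions taken from this article's defaults, and the sample events embedded in the script are constructed, not captured traffic.

```python
"""Triage Suricata EVE alerts for the SSH brute-force rule and build
firewalld block commands for the offending sources.

Added example, not part of the original article or of Suricata. Assumes
Suricata's default EVE path and that the article's rule (sid 1000001) is
loaded. The SAMPLE_EVE events below are constructed for illustration.
"""
import argparse
import ipaddress
import json
import shlex
import subprocess
from collections import Counter

SSH_BRUTE_SID = 1000001                 # sid of the article's example rule
EVE_LOG = "/var/log/suricata/eve.json"  # Suricata default path (assumed)

# Constructed sample events: two alerting sources, a flow record that must be
# ignored, an alert from a different rule, and a partially written last line.
SAMPLE_EVE = """\
{"timestamp":"2024-01-15T10:23:45.123456+0000","event_type":"alert","src_ip":"203.0.113.5","src_port":51234,"dest_ip":"192.0.2.10","dest_port":22,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":1000001,"rev":1,"signature":"Possible SSH Brute Force Attack","severity":3}}
{"timestamp":"2024-01-15T10:23:46.001000+0000","event_type":"flow","src_ip":"203.0.113.5","src_port":51234,"dest_ip":"192.0.2.10","dest_port":22,"proto":"TCP"}
{"timestamp":"2024-01-15T10:23:50.500000+0000","event_type":"alert","src_ip":"203.0.113.5","src_port":51240,"dest_ip":"192.0.2.10","dest_port":22,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":1000001,"rev":1,"signature":"Possible SSH Brute Force Attack","severity":3}}
{"timestamp":"2024-01-15T10:24:10.000000+0000","event_type":"alert","src_ip":"198.51.100.7","src_port":40000,"dest_ip":"192.0.2.10","dest_port":22,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":1000001,"rev":1,"signature":"Possible SSH Brute Force Attack","severity":3}}
{"timestamp":"2024-01-15T10:24:12.000000+0000","event_type":"alert","src_ip":"203.0.113.5","src_port":51250,"dest_ip":"192.0.2.10","dest_port":80,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2100498,"rev":7,"signature":"GPL ATTACK_RESPONSE id check returned root","severity":1}}
{"timestamp":"2024-01-15T10:24:30.000000+0000","event_type":"alert","src_ip":"203.0.113.
"""


def iter_alerts(lines, sid):
    """Yield EVE alert events whose signature_id equals sid.

    Non-alert events (flow, dns, ...) are skipped, as is any line that is not
    valid JSON: the last line of a live eve.json may be only half written.
    """
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if event.get("event_type") != "alert":
            continue
        if event.get("alert", {}).get("signature_id") == sid:
            yield event


def count_sources(lines, sid):
    """Count matching alerts per source IP address."""
    return Counter(event["src_ip"] for event in iter_alerts(lines, sid))


def sources_to_block(lines, sid, min_alerts, allowlist=()):
    """Return, sorted, the sources with at least min_alerts alerts that are
    not on the allowlist. With the article's rule one alert already means
    five SSH connections in a minute, so min_alerts=2 is ten attempts."""
    counts = count_sources(lines, sid)
    return sorted(ip for ip, n in counts.items()
                  if n >= min_alerts and ip not in allowlist)


def firewalld_block_cmd(ip):
    """Build the firewall-cmd argv that rejects all traffic from ip.

    The rich rule goes into the runtime configuration only (no --permanent),
    so it disappears at the next firewalld reload; a false positive therefore
    cannot turn into a permanent outage without an operator confirming it.
    """
    family = "ipv6" if ipaddress.ip_address(ip).version == 6 else "ipv4"
    rich_rule = f'rule family="{family}" source address="{ip}" reject'
    return ["firewall-cmd", "--add-rich-rule", rich_rule]


def main():
    parser = argparse.ArgumentParser(description="Block SSH brute-force sources reported by Suricata")
    parser.add_argument("--log", default=EVE_LOG, help="path to eve.json")
    parser.add_argument("--min-alerts", type=int, default=2)
    parser.add_argument("--allow", action="append", default=[], help="source IP never to block (repeatable)")
    parser.add_argument("--apply", action="store_true", help="run firewall-cmd instead of printing it")
    parser.add_argument("--sample", action="store_true", help="use the constructed sample events instead of --log")
    args = parser.parse_args()
    if args.sample:
        lines = SAMPLE_EVE.splitlines()
    else:
        with open(args.log, encoding="utf-8") as fh:
            lines = fh.readlines()
    for ip in sources_to_block(lines, SSH_BRUTE_SID, args.min_alerts, set(args.allow)):
        cmd = firewalld_block_cmd(ip)
        if args.apply:
            subprocess.run(cmd, check=True)   # needs root
        else:
            print(shlex.join(cmd))            # dry run: show what would be blocked


if __name__ == "__main__":
    main()
```

Run it once with --sample to see the dry-run output (only 203.0.113.5 crosses the default threshold; 198.51.100.7 has a single alert and the second sid is ignored), then point --log at the real eve.json from a cron job or a systemd timer and pass --allow for every management host before adding --apply.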
Conclusion:
Running a network IDS on a CentOS server is an effective way to detect attacks against it. This article has shown how to install, configure and operate Suricata as a network IDS. By writing accurate rules and by monitoring and responding to the alerts, you raise the security of the server and protect the sensitive data it holds. Keep in mind that a network IDS is only one part of a security architecture; other security measures are still needed to protect the server fully.