【笔记】Suricata学习笔记

前言

Suricata学习笔记

下载项目

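# Fetch the release tarball together with its detached signature and verify it
# before anything is unpacked or compiled: a tampered mirror or a truncated
# download should stop the build here, not end up installed system-wide.
# The OISF release signing key must be imported into the local keyring first
# (the key is published on the Suricata download page).
wget https://www.openinfosecfoundation.org/download/suricata-7.0.8.tar.gz
wget https://www.openinfosecfoundation.org/download/suricata-7.0.8.tar.gz.sig
gpg --verify suricata-7.0.8.tar.gz.sig suricata-7.0.8.tar.gz || exit 1
tar -zxvf suricata-7.0.8.tar.gz
cd suricata-7.0.8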

下载依赖

Linux

Debian

# Build prerequisites for the ./configure / make steps below; assumes a C compiler
# and make are already installed on the host (./configure fails without them).
apt install libpcre2-dev libyaml-dev libjansson-dev libpcap-dev rustc cargo zlib1g-dev

CentOS

# Build prerequisites for the ./configure / make steps below; assumes a C compiler
# and make are already installed on the host (./configure fails without them).
yum install pcre2-devel libyaml-devel jansson-devel libpcap-devel rustc cargo zlib-devel

Fedora

# Build prerequisites for the ./configure / make steps below; assumes a C compiler
# and make are already installed on the host (./configure fails without them).
dnf install pcre2-devel libyaml-devel jansson-devel libpcap-devel rustc cargo zlib-devel

编译并安装

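# Install into the paths the rest of this page assumes (/etc/suricata and
# /var/log/suricata); without these flags configure's defaults land under
# /usr/local and the -c path used later does not exist.
./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var
make
make install
# `make install` ships the binaries only; install-conf writes suricata.yaml and
# its companion files under /etc/suricata, which the next section edits.
make install-conf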

修改配置文件

/etc/suricata/suricata.yaml
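vars:
  address-groups:
    # Networks Suricata treats as local; set this to the monitored segment so
    # rules written against $HOME_NET / $EXTERNAL_NET have a correct notion of
    # direction. (The three keys are nested; flattened to column 0 they do not parse.)
    HOME_NET: "[192.168.0.0/24]"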

启动Suricata

-i ens33:指定网卡
-c /etc/suricata/suricata.yaml:指定配置文件
-s /etc/suricata/rules/<file>.rules:指定规则文件

# Runs in the foreground on ens33 with the config edited above. -s loads
# <file>.rules in addition to the rule files listed in suricata.yaml
# (replace <file> with the actual rules file name, e.g. the cobaltstrike.rules below).
suricata -i ens33 -c /etc/suricata/suricata.yaml -s /etc/suricata/rules/<file>.rules

添加自定义规则

  • 完全兼容Snort的规则
  • 支持使用Lua脚本访问数据包、负载、HTTP缓冲区等

CobaltStrike规则

cobaltstrike.rules
# http-beacon-staging,向c2服务器发起get请求,下载大小约200多kb的stager,请求地址符合checksum8规则
# 调用lua检查uri是否符合checksum8规则:计算uri的ascii之和并与256做取余计算,余数为92则符合规则
alert http any any -> any any (gid: 3333; sid: 30001; rev: 1; msg: "http-beacon-checksum8-path-parse:触发Checksum8规则被发现"; classtype: http-beacon; flow: established, to_server; urilen: 4<>6; luajit: checksum8_check.lua;)

# http-beacon上线/心跳请求,匹配敏感路径
alert http any any -> any any (gid: 3333; sid: 30003; rev: 1; msg: "http-beacon-get-data:CS心跳数据包被发现"; classtype: http-beacon; flow: to_server; http.method; content: "GET"; http.accept; content: "*/*"; http.uri; pcre: "/\/ca|\/dpixel|\/__utm.gif|\/pixel.gif|\/g.pixel|\/dot.gif|\/updates.rss|\/fwlink|\/cm|\/cx|\/pixel|\/match|\/visit.js|\/load|\/push|\/ptj|\/j.ad|\/ga.js|\/en_US\/all.js|\/activity|\/IE9CompatViewList.xml/"; http.user_agent; pcre: "/Mozilla\/5.0 \(compatible/";)


# http-beacon执行完下发的命令后,通过post方式向c2服务器发起数据回传请求
alert http any any -> any any (gid: 3333; sid: 30004; rev: 1; msg: "http-beacon-post-data:CS下发指令被发现"; classtype: http-beacon; flow: to_server; http.method; content: "POST"; http.uri; content: "/submit.php?id="; http.accept; content: "*/*"; http.content_type; content: "application/octet-stream"; http.connection; content: "keep-alive"; nocase; http.request_body; content: "|00 00 00|"; startswith;)


# https-beacon-ja3指纹,client-hello
alert tls any any -> any any (gid: 6666; sid: 30005; rev: 1; msg: "https-beacon-ja3-hash:触发ja3规则被发现"; classtype: https-beacon; ja3.hash; pcre: "/72a589da586844d7f0818ce684948eea|4d5efa96609dc906f796e63cff009c2a|db36bad574044a5104a59b0c676991ef|652358a663590cfc624787f06b82d9ae|4d93395b1c1b9ad28122fb4d09f28c5e|a0e9f5d64349fb13191bc781f81f42e1/";)


# https-beacon-ja3s指纹,server-hello
alert tls any any -> any any (gid: 6666; sid: 30006; rev: 1; msg: "https-beacon-ja3s-hash:触发ja3s规则被发现"; classtype: https-beacon; ja3s.hash; pcre: "/fd4bc6cea4877646ccd62f0792ec0b62|15af977ce25de452b96affa2addb1036|2253c82f03b621c5144709b393fde2c9|b742b407517bac9536a77a7b0fee28e9/";)


# https-beacon-cert指纹,subject、cert_issuer,默认为空
alert tls any any -> any any (gid: 6666; sid: 30007; rev: 1; msg: "https-beacon-tls-cert-issuer"; classtype: https-beacon; tls.cert_subject; content: "C=, ST=, L=, O=, OU=, CN="; nocase; tls.cert_issuer; content: "C=, ST=, L=, O=, OU=, CN="; nocase; tls_cert_notbefore: 2015-05-20T18: 26: 24; tls_cert_notafter: 2025-05-17T18: 26: 24;)


# https-beacon-cert指纹,fingerprint
alert tls any any -> any any (gid: 6666; sid: 30008; rev: 1; msg: "https-beacon-tls-cert-fingerprint"; classtype: https-beacon; tls.cert_fingerprint; content: "6e:ce:5e:ce:41:92:68:3d:2d:84:e2:5b:0b:a7:e0:4f:9c:b7:eb:7c" ;)

# https-beacon-cert指纹,serialNumber
alert tls any any -> any any (gid: 6666; sid: 30009; rev: 1; msg: "https-beacon-tls-cert-fingerprint"; classtype: https-beacon; tls.cert_serial; content: "08:BB:00:EE";)


# dns-beacon,匹配dns-beacon发起上线/心跳请求后,c2服务器的返回包
# Type: A, Class: IN, 0.0.0.0
alert dns any any -> any any (gid: 9999; sid: 30010; rev: 1; msg: "dns-beacon-live-response"; classtype: dns-beacon; content: "|00 01 00 01 00 00 00|"; content: "|00 00 00 00|"; endswith;)


# dns-beacon,匹配dns-beacon发起上线/心跳请求后,c2服务器的返回包,选择后续使用A记录
# Type: A, Class: IN, 0.0.0.241
alert dns any any -> any any (gid: 9999; sid: 30011; rev: 1; msg: "dns-beacon-live-response"; classtype: dns-beacon; content: "|00 01 00 01 00 00 00|"; content: "|00 00 00 f1|"; nocase; endswith;)


# dns-beacon,匹配dns-beacon发起上线/心跳请求后,c2服务器的返回包,选择后续使用TXT记录
# Type: A, Class: IN, 0.0.0.243
alert dns any any -> any any (gid: 9999; sid: 30012; rev: 1; msg: "dns-beacon-live-response"; classtype: dns-beacon; content: "|00 01 00 01 00 00 00|"; content: "|00 00 00 f3|"; nocase; endswith;)


# dns-beacon,匹配dns-beacon发起上线/心跳请求后,c2服务器的返回包,选择后续使用AAAA记录
# Type: A, Class: IN, 0.0.0.245
alert dns any any -> any any (gid: 9999; sid: 30013; rev: 1; msg: "dns-beacon-live-response"; classtype: dns-beacon; content: "|00 01 00 01 00 00 00|"; content: "|00 00 00 f5|"; nocase; endswith;)


# dns-beacon,匹配dns-beacon发起元数据提交请求后,c2服务器的确认返回包
# 以www开头0.0.0.0结尾的A记录查询返回包
# Type: A, Class: IN, 0.0.0.0
alert udp any any -> any any (gid: 9999; sid: 30014; rev: 1; msg: "dns-beacon-metadata-response"; classtype: dns-beacon; flow: to_client; content: "www"; content: "|00 01 00 01 00 00 00|"; content: "|00 00 00 00|"; nocase; endswith;)


# dns-beacon,匹配dns-beacon使用AAAA、TXT方式向c2服务器发起payload下载请求后,c2服务器的返回包
# www6 ==> AAAA 、api ==> TXT
# Type: A, Class: IN, 0.0.0.80
alert udp any any -> any any (gid: 9999; sid: 30015; rev: 1; msg: "dns-beacon-getpayload-response"; classtype: dns-beacon; flow: to_client; pcre: "/www6|api/"; content: "|00 01 00 01 00 00 00|"; content: "|00 00 00 50|"; endswith;)


# dns-beacon,匹配dns-beacon使用A方式向c2服务器发起payload下载请求后,c2服务器的返回包
# cdn ==> A
# Type: A, Class: IN, 0.0.0.64
alert udp any any -> any any (gid: 9999; sid: 30016; rev: 1; msg: "dns-beacon-getpayload-response"; classtype: dns-beacon; flow: to_client; pcre: "/cdn/"; content: "|00 01 00 01 00 00 00|"; content: "|00 00 00 40|"; endswith;)


# dns-beacon,匹配dns-beacon执行完payload后,向c2服务器回传执行结果数据时,c2服务器的返回包
# post ==> put_output
# Type: A, Class: IN, 0.0.0.00
alert udp any any -> any any (gid: 9999; sid: 30017; rev: 1; msg: "dns-beacon-output-response"; classtype: dns-beacon; flow: to_client; content: "post"; content: "|00 01 00 01 00 00 00|"; content: "|00 00 00 00|"; nocase; endswith;)
checksum8_check.lua
--- Suricata lua init hook: declare the buffers this script needs.
-- Suricata hands the requested buffers to match() in its args table.
-- The value is the string form of true, as the original script declared it.
-- @param args unused
-- @treturn table buffer name -> "true"
function init(args)
  return { ["http.uri"] = tostring(true) }
end

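-- Accepted values of (byte sum of the path) mod 256. The rule comment in
-- cobaltstrike.rules cites 92 while this script originally tested only 93;
-- the two are commonly reported as the x86 and x64 stager variants -- confirm
-- against your own captures before narrowing this back to a single value.
local CHECKSUM8_MATCHES = { [92] = true, [93] = true }

--- Suricata lua match hook: does the request URI satisfy the "checksum8" property?
-- The path (leading "/" removed) is summed byte by byte and reduced mod 256.
-- @tparam table args buffers requested by init(); only "http.uri" is read
-- @treturn number 1 on match, 0 otherwise
function match(args)
  local raw = args["http.uri"]
  -- No URI buffer for this request: do not coerce nil to the string "nil".
  if raw == nil then
    return 0
  end
  local uri = tostring(raw)
  -- Drop only an actual leading "/" instead of blindly discarding the first byte.
  if uri:sub(1, 1) == "/" then
    uri = uri:sub(2)
  end
  local sum = 0
  for i = 1, #uri do
    sum = sum + uri:byte(i)
  end
  if CHECKSUM8_MATCHES[sum % 256] then
    return 1 -- checksum8 property holds: signature matches
  end
  return 0 -- no match
end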

查看告警日志

# fast.log is the one-line-per-alert text log; the structured eve.json output
# (default eve-log) lives in the same directory when that output is enabled.
cat /var/log/suricata/fast.log

第三方规则

完成

参考文献

installati.one
CSDN——xiaomaotian
CSDN——zby-枣菠鱼
CSDN——InWho
CSDN——立 夏
suricata官方文档