
Installing and using Suricata on macOS for real-time traffic analysis (IDS/IPS/NSM): deep inspection of network traffic to identify malicious behaviour

Date: 2025-6-16 09:54     Author: wanzi     Category: php


About Suricata

Suricata is a high-performance open-source network threat detection engine for real-time traffic analysis (IDS/IPS/NSM). It runs on Linux, Windows, BSD and other operating systems, inspects network traffic in depth to identify malicious activity, and uses a flexible rule language for describing threat signatures.

Installation

brew

brew install suricata

Quick setup

1. Test the configuration file

sudo suricata -T -c /opt/homebrew/etc/suricata/suricata.yaml -v
Notice: suricata: This is Suricata version 7.0.10 RELEASE running in SYSTEM mode
Info: cpu: CPUs/cores online: 8
Info: suricata: Running suricata under test mode
Info: suricata: Setting engine mode to IDS mode by default
Info: exception-policy: master exception-policy set to: auto
Info: logopenfile: fast output device (regular) initialized: fast.log
Info: logopenfile: eve-log output device (regular) initialized: eve.json
Info: logopenfile: stats output device (regular) initialized: stats.log
Info: detect-fast-pattern: fast_pattern is ineffective with base64_data
Info: detect-fast-pattern: fast_pattern is ineffective with base64_data
Info: detect: 1 rule files processed. 42580 rules successfully loaded, 0 rules failed, 0
Info: threshold-config: Threshold config parsed: 0 rule(s) found
Info: detect: 42583 signatures processed. 1270 are IP-only rules, 4333 are inspecting packet payload, 36763 inspect application layer, 109 are decoder event only
Notice: suricata: Configuration provided was successfully loaded. Exiting.

Listening on an interface

Run Suricata on your active interface (for example en0); `route get default | grep interface` shows which one that is. Then start listening:

sudo suricata -i en0 -c /opt/homebrew/etc/suricata/suricata.yaml -vv

Viewing eve.json

tail -f /opt/homebrew/var/log/suricata/eve.json

rules

Default configuration:

default-rule-path: /opt/homebrew/var/lib/suricata/rules

rule-files:
  - suricata.rules
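suricata-update rewrites suricata.rules on every run, so rules of your own belong in a second file listed next to it. The fragment below is an added example of that configuration, not taken from the post; the file name local.rules is an assumed choice, any name under default-rule-path works.

```yaml
# /opt/homebrew/etc/suricata/suricata.yaml (added example; local.rules is an assumed file name)
default-rule-path: /opt/homebrew/var/lib/suricata/rules

rule-files:
  - suricata.rules   # written by suricata-update; edits here are lost on the next update
  - local.rules      # your own rules, e.g. the X-Test-Trigger test rule; never touched by suricata-update
```

After changing rule-files, re-run the -T check from the quick setup section so a typo in the new file shows up as "rules failed" before you start capturing.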

Adding a test rule to trigger an alert

The default rule set (a rules file of about 32 MB) is hard to trigger on purpose, so add a rule of your own. Do not paste it into suricata.rules itself: that file is regenerated by suricata-update and the edit would be lost. Put it in its own file under default-rule-path and list that file under rule-files in suricata.yaml:

alert http any any -> any any (msg:"Test Rule Triggered"; content:"X-Test-Trigger"; http_header; sid:1000001; rev:1; classtype:protocol-command-decode;)

Running `sudo suricata-update` is still useful to refresh the downloaded rule set, but it is not what loads your rule; the -T check from the quick setup section confirms that it loads ("0 rules failed" should still be reported). Then start listening again and, from the monitored host, send a plaintext HTTP request that carries an X-Test-Trigger header. The header has to be visible on the wire: HTTPS traffic is encrypted, so the rule will not fire on it. Now check eve.json; a record with event_type "alert" and a populated alert field means the engine matched a signature. The record below is a genuine alert from this setup, but note that it comes from Suricata's built-in stream rule (sid 2210054, excessive retransmissions), not from the test rule; a hit on the test rule produces a record of the same shape with signature_id 1000001 and signature "Test Rule Triggered":

{"timestamp":"2025-06-16T11:06:11.398263+0800","flow_id":886352148818695,"in_iface":"en12","event_type":"alert","src_ip":"10.6.8.209","src_port":63486,"dest_ip":"45.142.165.81","dest_port":443,"proto":"TCP","pkt_src":"wire/pcap","metadata":{"flowbits":["tcp.retransmission.alerted"],"flowints":{"tcp.retransmission.count":11}},"alert":{"action":"allowed","gid":1,"signature_id":2210054,"rev":1,"signature":"SURICATA STREAM excessive retransmissions","category":"Generic Protocol Command Decode","severity":3},"app_proto":"tls","direction":"to_server","flow":{"pkts_toserver":20,"pkts_toclient":8,"bytes_toserver":4549,"bytes_toclient":3214,"start":"2025-06-16T11:06:11.075297+0800","src_ip":"10.6.8.209","dest_ip":"45.142.165.81","src_port":63486,"dest_port":443}}

Building on the output

From here there are many options: tail eve.json (or ship it with a log collector) and store the records in your own database, and clean up the alert records on the way in, for example by flattening the nested alert object, dropping repeated hits for the same flow and signature, and normalizing the signature text.
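A minimal version of that pipeline, written here as an added example (not code from the post or from the Suricata project): it reads eve.json line by line, keeps only alert events, flattens them into one row per flow and signature in SQLite, and reports hit counts per signature. It assumes the Suricata 7 EVE layout shown above; EVE_PATH is the Homebrew log path from the post, and the sample lines at the bottom are constructed for the demo, not a real capture.

```python
"""Ingest Suricata eve.json alerts into SQLite with light cleaning (added example)."""
import json
import sqlite3
import time
from typing import Iterable, Iterator, List, Optional, Tuple

EVE_PATH = "/opt/homebrew/var/log/suricata/eve.json"  # Homebrew log path from the post

# One row per flow and signature: the UNIQUE key drops repeat hits such as the
# retransmission alert firing again and again on the same TCP session.
SCHEMA = """
CREATE TABLE IF NOT EXISTS alerts (
    timestamp TEXT NOT NULL, flow_id INTEGER NOT NULL,
    sid INTEGER NOT NULL, rev INTEGER NOT NULL, signature TEXT NOT NULL,
    category TEXT, severity INTEGER,
    src_ip TEXT, src_port INTEGER, dest_ip TEXT, dest_port INTEGER,
    proto TEXT, app_proto TEXT, in_iface TEXT,
    UNIQUE (flow_id, sid, rev)
);
"""
COLUMNS = ("timestamp", "flow_id", "sid", "rev", "signature", "category", "severity",
           "src_ip", "src_port", "dest_ip", "dest_port", "proto", "app_proto", "in_iface")
INSERT = "INSERT OR IGNORE INTO alerts VALUES (%s)" % ", ".join(":" + c for c in COLUMNS)


def iter_events(lines: Iterable[str]) -> Iterator[dict]:
    """One JSON object per line; skip blanks and the half-written last line you
    see while Suricata is still appending."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(ev, dict):
            yield ev


def clean_alert(ev: dict) -> Optional[dict]:
    """Flatten the nested alert object into the columns we keep; None for other events."""
    if ev.get("event_type") != "alert":
        return None
    a = ev.get("alert") or {}
    row = {c: ev.get(c) for c in COLUMNS}  # top-level fields (timestamp, ips, ports, ...)
    row.update(sid=a.get("signature_id"), rev=a.get("rev", 0),
               signature=(a.get("signature") or "").strip(),
               category=a.get("category"), severity=a.get("severity"))
    return row


def ingest(lines: Iterable[str], conn: sqlite3.Connection) -> int:
    """Store alerts; returns the number of new rows. Commits per row so it also
    works on the endless stream from follow()."""
    conn.executescript(SCHEMA)
    inserted = 0
    for ev in iter_events(lines):
        row = clean_alert(ev)
        if row is None or row["sid"] is None or row["flow_id"] is None:
            continue
        inserted += conn.execute(INSERT, row).rowcount  # 0 when UNIQUE ignored a repeat
        conn.commit()
    return inserted


def alert_counts(conn: sqlite3.Connection) -> List[Tuple[int, str, int]]:
    """(sid, signature, hits), noisiest first: what to tune or suppress next."""
    return list(conn.execute("SELECT sid, signature, COUNT(*) FROM alerts "
                             "GROUP BY sid, signature ORDER BY 3 DESC, sid"))


def follow(path: str, poll: float = 1.0) -> Iterator[str]:
    """Yield lines appended to eve.json from now on, like tail -f."""
    with open(path, encoding="utf-8") as fh:
        fh.seek(0, 2)
        while True:
            line = fh.readline()
            if line:
                yield line
            else:
                time.sleep(poll)


# Constructed sample input (not a real capture): the retransmission alert from the
# post, a repeat of it on the same flow, a hit on the test rule (sid 1000001),
# a flow event, and a line cut off mid-write.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2025-06-16T11:06:11.398263+0800","flow_id":886352148818695,"in_iface":"en0","event_type":"alert","src_ip":"10.6.8.209","src_port":63486,"dest_ip":"45.142.165.81","dest_port":443,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2210054,"rev":1,"signature":"SURICATA STREAM excessive retransmissions","category":"Generic Protocol Command Decode","severity":3},"app_proto":"tls"}',
    '{"timestamp":"2025-06-16T11:06:12.000000+0800","flow_id":886352148818695,"in_iface":"en0","event_type":"alert","src_ip":"10.6.8.209","src_port":63486,"dest_ip":"45.142.165.81","dest_port":443,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2210054,"rev":1,"signature":"SURICATA STREAM excessive retransmissions","category":"Generic Protocol Command Decode","severity":3},"app_proto":"tls"}',
    '{"timestamp":"2025-06-16T11:07:00.000000+0800","flow_id":1001,"in_iface":"en0","event_type":"alert","src_ip":"10.6.8.209","src_port":50000,"dest_ip":"198.51.100.10","dest_port":80,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":1000001,"rev":1,"signature":"Test Rule Triggered ","category":"Generic Protocol Command Decode","severity":3},"app_proto":"http"}',
    '{"timestamp":"2025-06-16T11:07:05.000000+0800","flow_id":1001,"event_type":"flow","src_ip":"10.6.8.209","dest_ip":"198.51.100.10","proto":"TCP"}',
    '{"timestamp":"2025-06-16T11:07:06.000000+0800","flow_id":1002,"event_type":"al',
]


def demo() -> Tuple[int, List[Tuple[int, str, int]]]:
    """Run the pipeline over the sample lines in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    return ingest(SAMPLE_EVE_LINES, conn), alert_counts(conn)


if __name__ == "__main__":
    print(demo())
    # Live use (runs until interrupted):
    # ingest(follow(EVE_PATH), sqlite3.connect("suricata_alerts.db"))
```

On the sample input only two rows are stored: the second retransmission record is a repeat on the same flow and signature, the flow event is not an alert, and the truncated line is skipped rather than crashing the loop. The per-row commit is deliberate so that `ingest(follow(EVE_PATH), ...)` never loses rows when the process is stopped; on a busy sensor, batching commits is the first thing to change.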