Suricata 2.0: Auditing Downloaded Files

Shawn the R0ck writes:
“Suricata is a high-performance open-source IDS/IPS project. It has been a while since Suricata 1.0 was released, and both Bro and recent Suricata versions can save files with a given extension or of a given format out of HTTP traffic, e.g. jpg, pdf, exe. This feature should interest hackers (or security researchers) who want to capture malware samples. As usual, let's test it on a minimal Debian.
Download a minimal Debian image and install it in a VM (VMware/VirtualBox) with two virtual NICs: eth0 and eth1. eth0 runs in NAT mode and is used to talk to the host; eth1 runs in bridged mode, needs no IP address, and is used for packet capture. After the Debian install, install the dependency packages:
#apt-get install vim openssh-server ethtool libpcap-dev libnfnetlink-dev libnetfilter-queue-dev libdnet-dev libdumbnet-dev libpcre3-dev libpcre3-dbg bison flex make zlib1g-dev autoconf libtool libnss3-dev libnspr4-dev libjansson4 libjansson-dev libyaml-dev libcap-ng0 libcap-ng-dev libnet1-dev libmagic-dev build-essential
Get the Suricata source code:
#cd /tmp
#wget http://www.openinfosecfoundation.org/download/suricata-2.0.tar.gz
#tar zxvf suricata-2.0.tar.gz
#cd suricata-2.0
Build and install:
#./configure --enable-nfqueue --enable-gccprotect --prefix=/usr/local/suricata --localstatedir=/var
#make -j3
#make install-full
Edit the configuration file suricata.yaml:
1. Increase the following two values:
request-body-limit: 1gb #3072
response-body-limit: 1gb #3072
2. Enable file storing:
  - file-store:
      enabled: yes         # set to yes to enable
      log-dir: files       # directory to store the files
      force-magic: no      # force logging magic on all stored files
      force-md5: no        # force logging of md5 checksums
      waldo: file.waldo    # waldo file to store the file_id across runs

  # output module to log files tracked in an easily parsable json format
  - file-log:
      enabled: yes
      filename: files-json.log
      append: yes
      #filetype: regular   # 'regular', 'unix_stream' or 'unix_dgram'
3. Add our test rule file (test.rules) under "default-rule-path:", like this:
default-rule-path: /usr/local/suricata/etc/suricata/rules
rule-files:
 - test.rules
 - botcc.rules
Create the test rule file:
/usr/local/suricata/etc/suricata/rules/test.rules
Add one test rule to test.rules; this rule stores jpg files:
alert http any any -> any any (msg:"FILESTORE jpg"; fileext:"jpg"; filestore; sid:6; rev:1;)
Bring up eth1:
#ifconfig eth1 up
According to the Suricata community wiki, we must turn off TCP GSO:
ethtool -K eth1 tso off
ethtool -K eth1 gro off
ethtool -K eth1 lro off
ethtool -K eth1 gso off
ethtool -K eth1 rx off
ethtool -K eth1 tx off
ethtool -K eth1 sg off
ethtool -K eth1 rxvlan off
ethtool -K eth1 txvlan off
ethtool -N eth1 rx-flow-hash udp4 sdfn
ethtool -N eth1 rx-flow-hash udp6 sdfn
ethtool -n eth1 rx-flow-hash udp6
ethtool -n eth1 rx-flow-hash udp4
ethtool -C eth1 rx-usecs 1000
ethtool -C eth1 adaptive-rx off
Now Suricata can be run: /usr/local/suricata/bin/suricata -c /usr/local/suricata/etc/suricata/suricata.yaml -i eth1
On the host, visit a few websites with Firefox/Chrome, such as these links. Afterwards you should see pictures of pretty girls in the /var/log/suricata/files directory. Thanks to the hackers of the Suricata community for their contributions to the free software community.”
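Once files land in the file-store directory, the actual audit step is checking what was captured against what the file-log says. The script below is an added example (my own code, not from Shawn the R0ck's post or from the Suricata project): it parses files-json.log lines, counts which extensions the fileext rule really matched, and cross-checks every stored file.<id> blob against the md5 and size the log recorded for it, flagging blobs that match no log entry, size mismatches, and logged-as-stored files that are missing from disk. The sample log lines and the stored-file contents are constructed, and the JSON field names (filename, md5, stored, size, ...) are my understanding of Suricata 2.0's file-log output, so verify them against a line of your own log. The md5 field is only present when md5 logging is forced (force-md5: yes), which the configuration above leaves at no.

```python
import hashlib
import json
import os
import posixpath
import tempfile
from collections import Counter

# Constructed sample of Suricata 2.0 file-log lines (files-json.log). Field
# names follow the 2.0 JSON file logger as I know it; treat them as an
# assumption. The last line is deliberately truncated, as happens when the
# log is read while Suricata is still writing it.
SAMPLE_LOG = """\
{"timestamp": "04/02/2014-10:15:01.123456", "ipver": 4, "srcip": "93.184.216.34", "dstip": "192.168.1.50", "protocol": 6, "sp": 80, "dp": 51234, "http_uri": "/img/a.jpg", "http_host": "example.com", "http_referer": "<unknown>", "filename": "/img/a.jpg", "magic": "JPEG image data", "state": "CLOSED", "md5": "900150983cd24fb0d6963f7d28e17f72", "stored": true, "size": 3}
{"timestamp": "04/02/2014-10:15:02.654321", "ipver": 4, "srcip": "93.184.216.34", "dstip": "192.168.1.50", "protocol": 6, "sp": 80, "dp": 51235, "http_uri": "/img/b.JPG", "http_host": "example.com", "http_referer": "<unknown>", "filename": "/img/b.JPG", "magic": "JPEG image data", "state": "CLOSED", "md5": "5eb63bbbe01eeed093cb22bb8f5acdc3", "stored": true, "size": 11}
{"timestamp": "04/02/2014-10:15:03.000000", "ipver": 4, "srcip": "93.184.216.34", "dstip": "192.168.1.50", "protocol": 6, "sp": 80, "dp": 51236, "http_uri": "/doc/c.pdf", "http_host": "example.com", "http_referer": "<unknown>", "filename": "/doc/c.pdf", "magic": "PDF document", "state": "CLOSED", "md5": "0cc175b9c0f1b6a831c399e269772661", "stored": false, "size": 1}
{"timestamp": "04/02/2014-10:15:04.000000", "ipver": 4, "srcip": "93.1
"""

# Constructed contents of the file-store directory (log-dir: files, i.e.
# /var/log/suricata/files with the configuration above). Suricata names the
# blobs file.<id>; file.3 is a tampered copy whose md5 matches no log entry.
SAMPLE_STORE = {
    "file.1": b"abc",
    "file.2": b"hello world",
    "file.3": b"hello worlD",
}


def parse_file_log(text):
    """Parse JSON-lines file-log output, skipping a truncated trailing line."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except ValueError:
            continue  # partially written line; Suricata is still appending
    return records


def extension_counts(records):
    """Count logged files by lowercase extension: did the fileext rule fire only on jpg?"""
    counts = Counter()
    for rec in records:
        name = rec.get("filename") or ""
        ext = posixpath.splitext(name)[1].lstrip(".").lower() or "(none)"
        counts[ext] += 1
    return counts


def md5_hex(data):
    return hashlib.md5(data).hexdigest()


def audit_store(store_dir, records):
    """Cross-check file.<id> blobs on disk against md5/size recorded in the log."""
    by_md5 = {r["md5"]: r for r in records if r.get("stored") and "md5" in r}
    result = {"matched": [], "unlogged": [], "size_mismatch": [], "missing": []}
    seen = set()
    for name in sorted(os.listdir(store_dir)):
        if not name.startswith("file.") or name.endswith(".meta"):
            continue  # skip the .meta sidecars and anything foreign
        with open(os.path.join(store_dir, name), "rb") as fh:
            data = fh.read()
        rec = by_md5.get(md5_hex(data))
        if rec is None:
            result["unlogged"].append(name)  # blob with no log entry: tampered or stale
            continue
        seen.add(rec["md5"])
        if rec.get("size") != len(data):
            result["size_mismatch"].append(name)  # truncated or padded extraction
        else:
            result["matched"].append((name, rec["filename"]))
    # logged as stored, but no blob on disk carries that md5
    result["missing"] = sorted(d for d in by_md5 if d not in seen)
    return result


def write_sample_store(directory):
    for name, data in SAMPLE_STORE.items():
        with open(os.path.join(directory, name), "wb") as fh:
            fh.write(data)


def demo():
    """Run the audit over the constructed log and store; returns (counts, audit)."""
    records = parse_file_log(SAMPLE_LOG)
    with tempfile.TemporaryDirectory() as store_dir:
        write_sample_store(store_dir)
        return extension_counts(records), audit_store(store_dir, records)


if __name__ == "__main__":
    counts, audit = demo()
    print("logged files by extension:", dict(counts))
    for key, items in audit.items():
        print("%-14s %s" % (key + ":", items))
```

Against a real deployment, point audit_store at /var/log/suricata/files and feed it the records from files-json.log; any entry under unlogged or size_mismatch is a stored sample you should not trust as an intact copy of what crossed the wire.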
